Eric clarified the details of file access from CTA to EOS with Andreas, Jan and Elvin.
The authentication should be done with SSS. Kerberos could be an option, but was deemed too cumbersome by Jan. SSS does not have a client-side mechanism to choose the key: the key is inside a file, pointed to by an environment variable. In order to validate that our client talks to the intended EOS instance, we could use the xrootd query() client call.
The files will always be referenced by ID, never by path.
We could validate that the file is the one we expect for reading by adding the CGI parameters ?eos.checksum=XXXXX&eos.size=YYYYYY on open. The open will fail if the file does not match (for example, if the file was modified between the archive request and its execution).
When retrieving a file, we will add a replica to the file (CGI parameters again). If EOS detects the replica is not right, the transmitted data will not be considered. The user cannot see wrong data and the file cannot be smashed if modified by the user in the meantime.