Authentication
Globally, we rely on two different kinds of authentication: SSS (Simple Shared Secret) and Kerberos. In CTA we distinguish between three different categories of authentication:
- The authentication between the disk buffer and the CTA frontend. The disk buffer will send workflow events to the frontend and needs to be authenticated in order to do so.
- The authentication between the tape servers and the disk buffer. The tape servers need to be able to read/write data from/to the disk buffer directly.
- The authentication of users interacting with CTA via the `cta-admin` tool.
The first two rely on SSS authentication, whereas the user authentication happens via Kerberos. In addition to the Kerberos authentication for the admin-client, the client is also expected to be registered in the Catalogue before they are authorized to execute commands. The primary motivation behind using SSS is that this is the authentication method of choice for the disk buffer we are currently using (EOS). However, additional authentication options may be investigated in the future.
An overview of this can be seen in the diagram below:
```mermaid
flowchart TB
    disk["Disk Buffer"]
    subgraph CTA
        frontend["CTA Frontend"]
        tpsrv["CTA Tape Server"]
    end
    ctacli["CTA Admin Client"]
    disk -- SSS --> frontend
    tpsrv -- SSS --> disk
    ctacli -- KRB5 --> frontend
```