Hi, there,
We are now trying to set up CTA for grid WAN access like Dirac. And grid sites use GSI authentication. So does CTA support GSI authentication now? Or is there any way for public access to CTA?
Hi,
This depends on which system you use to manage incoming namespace requests. If it is EOS, which is what we use at RAL, the answer is yes: it can support GSI.
George
EOS does support GSI, and we’ve used in JUNO EOS. When a client use GSI auth to write file to CTA EOS, could CTA recognize the client successfully? Is there any configuration needed for CTA?
Nothing related to GSI authentication is needed on the CTA side: everything happens on the eoscta instance in front of the tape infrastructure.
The GSI authenticated user is mapped to a unix account on the EOS side with the gridmap file and then EOS and CTA have just to deal with this unix account (in EOS dirs/files ACLs…). This resolved unix account is the one you use on CTA side to configure requestermountrule and other user account related concepts: CTA does never interact with X509.