From 705e9d2e49a0fc968863ab428ef40f4d183b2acc Mon Sep 17 00:00:00 2001
From: Michael Davis <michael.davis@cern.ch>
Date: Thu, 26 Nov 2020 15:01:32 +0100
Subject: [PATCH] [frontend] Allow cta-admin to authenticate using SSS

---
 xroot_plugins/XrdSsiCtaRequestMessage.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xroot_plugins/XrdSsiCtaRequestMessage.cpp b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
index e4c4da5161..e5d710b053 100644
--- a/xroot_plugins/XrdSsiCtaRequestMessage.cpp
+++ b/xroot_plugins/XrdSsiCtaRequestMessage.cpp
@@ -72,9 +72,9 @@ void RequestMessage::process(const cta::xrd::Request &request, cta::xrd::Respons
 
       case Request::kAdmincmd: {
         
-         // Validate that the Kerberos user is an authorized CTA Admin user
-         if(m_protocol != Protocol::KRB5) {
-            throw cta::exception::UserError("[ERROR] Admin commands must be authenticated using the Kerberos 5 protocol.");
+         // Check that the user is authorized
+         if(!(m_protocol == Protocol::KRB5 || m_protocol == Protocol::SSS)) {
+            throw cta::exception::UserError("[ERROR] Admin commands must be authenticated using Kerberos 5 or SSS");
          }
          m_scheduler.authorizeAdmin(m_cliIdentity, m_lc);
          
-- 
GitLab