Currently, REANA does not sent Kerberos credentials when it dispatches jobs to the CERN HTCondor compute backend for running Singularity unpacked image jobs.

For example, the following open data example accessing public files works:

inputs:
  files:
    - reana.yaml
workflow:
  type: serial
  specification:
    steps:
      - name: list
        environment: /cvmfs/singularity.opensciencegrid.org/opensciencegrid/osgvo-el7:latest
        unpacked_image: true
        compute_backend: htcondorcern
        htcondor_max_runtime: espresso
        kerberos: true
        commands:
          - xrdfs root://eospublic.cern.ch ls -l /eos/opendata/cms/Run2010B/BTau/AOD/Apr21ReReco-v1/0001/
outputs:
  files:
    - output.txt

However, accessing restricted files in the similar way fails due to inaccessible Kerberos credentials.

When creating HTCondor job specification, we'd need to pass along the credentials:

sub['MY.SendCredential'] = True

that also need to be mounted into the singularity call.

Note that we may need to upgrade the HTCondor submission API on the REANA side for this to work.