
[HTCondor-users] How to use 'local_ips' for ALLOW_ roles?



Hi all,

Since our multi-home dual-stack machines are a chore to configure properly for "local" authentication, I was happy to discover HTCondor apparently has a concept of "all local IPs" via {:local_ips:} [0]. However, it turns out our daemons (HTC 25.0.2) don't treat this as expected. What's the proper way to use it?

In the config, I have

    ALLOW_ADMINISTRATOR = $(ALLOW_ADMINISTRATOR) condor@$(UID_DOMAIN)/{:local_ips:}

to let local root administrate the machine no matter the interface used.

Yet, looking into the MasterLog shows the daemon considers this a sinful address and cannot interpret it as a security rule:

    11/03/25 06:17:05 (pid:651900) (D_ALWAYS) WARNING: Not attempting to resolve '{:local_ips:}' from the security list: it looks like a Sinful string.  A Sinful string specifies how to contact a daemon, but not which address it uses when contacting others.  Use the bare hostname of the trusted machine, or an IP address (if known and unique).

How can I make {:local_ips:} work as documented?

Cheers,
Max

[0]
https://htcondor.readthedocs.io/en/25.0/admin-manual/security.html#authorization

> The special value {:local_ips:} can be used to represent all IP addresses that are useable on the local machine. To allow any client that is connecting from the local machine, you would use the following:
>
>     ALLOW_WRITE = */{:local_ips:}
