Mailing List Archives Authenticated access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] How to use 'local_ips' for ALLOW_ roles?

Date: Mon, 3 Nov 2025 10:02:45 +0000
From: KÃhn, Max (SCC) <max.fischer@xxxxxxx>
Subject: Re: [HTCondor-users] How to use 'local_ips' for ALLOW_ roles?

Hi all,

After experimenting some more with this, it looks like the Daemons do allow local authorisation properly just based on `{:local_ips:}`. Probably its just the warning that isnât ware of {:local_ips:} but lets it through anyways.

Cheers,
Max

> On 3. Nov 2025, at 09:20, KÃhn, Max (SCC) <max.fischer@xxxxxxx> wrote:
> 
> Hi all,
> 
> Since our multi-home dual-stack machines are a chore to configure properly for âlocalâ authentication, I was happy to discover HTCondor apparently has a concept of âall local IPsâ via {:local_ips:} [0]. However, it turns out our daemons (HTC 25.0.2) donât treat this as expected. Whatâs the proper way to use it?
> 
> In the config, I have
> 
>    ALLOW_ADMINISTRATOR = $(ALLOW_ADMINISTRATOR) condor@$(UID_DOMAIN)/{:local_ips:}
> 
> to let local root administrate the machine no matter the interface used.
> 
> Yet, looking into the MasterLog shows the daemon considers this a sinful address and cannot interpret it as a security rule:
> 
>    11/03/25 06:17:05 (pid:651900) (D_ALWAYS) WARNING: Not attempting to resolve '{:local_ips:}' from the security list: it looks like a Sinful string.  A Sinful string specifies how to contact a daemon, but not which address it uses when contacting others.  Use the bare hostname of the trusted machine, or an IP address (if known and unique).
> 
> How can I make {:local_ips:} work as documented?
> 
> Cheers,
> Max
> 
> [0]
> https://htcondor.readthedocs.io/en/25.0/admin-manual/security.html#authorization
> 
>> The special value {:local_ips:} can be used to represent all IP addresses that are useable on the local machine. To allow any client that is connecting from the local machine, you would use the following:
>> 
>>    ALLOW_WRITE = */{:local_ips:}
> 
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> 
> The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References:
- [HTCondor-users] How to use 'local_ips' for ALLOW_ roles?
  - From: KÃhn, Max (SCC)

Prev by Date: [HTCondor-users] How to use 'local_ips' for ALLOW_ roles?
Next by Date: [HTCondor-users] Upgrading old Condor pool to modern times
Previous by thread: [HTCondor-users] How to use 'local_ips' for ALLOW_ roles?
Next by thread: [HTCondor-users] Upgrading old Condor pool to modern times
Index(es):
- Date
- Thread

Mailing List Archives

Authenticated access

Re: [HTCondor-users] How to use 'local_ips' for ALLOW_ roles?