Use old ALLOW rules for host-based config


To simplify upgrading an existing HTCondor pool from 8.8 to 9.0, we will restore the 8.8 rules for the ALLOW/DENY security settings when the 'use SECURITY : HOST_BASED' metaknob is used. New installations in 9.0 will not set this metaknob, as part of making them secure by default.

Some settings and behaviors in 8.8 can't be emulated via configuration alone; they require changes to the code. For these instances, we will add a new config knob that the HOST_BASED metaknob will set.

The new config knob will cause the following changes:

  • If a DAEMON-level ALLOW/DENY config parameter is not defined (or is empty), use the equivalent WRITE-level config parameter value.

This knob may also need to restore the 8.8 behavior where most empty ALLOW settings default to *.
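The fallback rule above, as an added example (not HTCondor's code and not part of the original ticket): a small audit that reports when DAEMON-level authorization would be taken from the WRITE-level lists. The knob name `LEGACY_ALLOW_FALLBACK` is a hypothetical placeholder because the ticket does not name the new knob, the reader handles only plain `NAME = value` lines, and the possible `*` default for empty ALLOW settings is not modelled.

```python
# Added example: models only the DAEMON -> WRITE fallback described in the ticket.
LEGACY_KNOB = "LEGACY_ALLOW_FALLBACK"  # hypothetical name; the ticket does not name the knob

# Constructed sample configuration (not taken from a real pool).
SAMPLE = """\
# constructed sample
ALLOW_WRITE = *.pool.example.org
DENY_WRITE = untrusted.pool.example.org
ALLOW_DAEMON =
"""

def parse_config(text):
    """Simplified reader for 'NAME = value' lines (no macros, includes or metaknobs)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        cfg[name.strip().upper()] = value.strip()
    return cfg

def effective_daemon_rules(cfg):
    """Map ALLOW/DENY to (effective DAEMON-level value, parameter it came from)."""
    legacy = cfg.get(LEGACY_KNOB, "false").lower() == "true"
    rules = {}
    for verb in ("ALLOW", "DENY"):
        value, source = cfg.get(f"{verb}_DAEMON", ""), f"{verb}_DAEMON"
        # 8.8 rule: an undefined or empty DAEMON list takes the WRITE list.
        if not value and legacy and cfg.get(f"{verb}_WRITE", ""):
            value, source = cfg[f"{verb}_WRITE"], f"{verb}_WRITE"
        rules[verb] = (value, source)
    return rules

def inherited_from_write(cfg):
    """List the verbs whose DAEMON-level rule was silently taken from WRITE."""
    return [v for v, (_, src) in effective_daemon_rules(cfg).items() if src.endswith("_WRITE")]

if __name__ == "__main__":
    for mode in ("false", "true"):
        cfg = parse_config(SAMPLE + f"{LEGACY_KNOB} = {mode}\n")
        print(mode, effective_daemon_rules(cfg), inherited_from_write(cfg))
```

Any verb the audit reports is a DAEMON-level list that an upgraded pool gets only through the WRITE-level setting, so it is the place to define an explicit DAEMON-level value before dropping the metaknob.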


Todd L Miller
March 4, 2021, 4:35 PM

Code Review

… and a really silly logic error that we could have avoided by copying-and-pasting more code. Patch approved.

Todd L Miller
February 24, 2021, 11:08 PM

Code Review

Patch has a lot of change lines, but it’s just moving a function from the .h to the .cpp file (to allow a call to param_boolean()) and adding back a clause changed in GT#6824 (commit 0ac68034828f45715e9f27a8131d1fcb82039d14).

Looks good to me.

