
[Condor-users] 'Could not create new cluster' when using SOAP SSL w/o QUEUE_ALL_USERS_TRUSTED



Hi,

I am proceeding to truly secure, authenticated web service job submission to Condor.

The latest snag I've hit is this. I am trying to submit a job with SOAP/SSL enabled. I have authenticated with the web service using my client certificate. However, even though I have SOAP/SSL enabled, if I have QUEUE_ALL_USERS_TRUSTED=False, I get 'Could not create new cluster' when I try to create a new cluster.

From my reading of Erik Paulson's message:

If set to True, then unauthenticated users are
  allowed to write to the queue, and also we always trust whatever the
  Owner value is set to be by the client in the job ad.

it seems that since I'm coming in as an authenticated user, I should be able to create a new cluster
without this variable set to True.

My config includes:

NETWORK_INTERFACE = 131.243.2.15
CONDOR_HOST=oliver.lbl.gov
ENABLE_SOAP=TRUE
ENABLE_WEB_SERVER = TRUE
ALLOW_SOAP= */131.243.2.255
WEB_ROOT_DIR = /home/portnoy/dsd/Linux/condor/condor-6.8.1/lib/webservice
ALLOW_WRITE=* ## this needs to be tightened
#QUEUE_ALL_USERS_TRUSTED=TRUE ## this is required for people to submit jobs via http but not https
COLLECTOR_SOAP_SSL_PORT=9619
SOAP_SSL_SERVER_KEYFILE = /var/condor/condor-6.8.1/private/key
SOAP_SSL_CA_DIR = /etc/condor/certificates
## condor-6.8.1 misnamed these two files
CERTIFICATE_MAPFILE     = /etc/condor/canonical_map
USER_MAPFILE    = /etc/condor/user_map
SEC_CANONICAL_MAPFILE   = /etc/condor/canonical_map
SEC_USER_MAPFILE        = /etc/condor/user_map
ENABLE_SOAP_SSL = TRUE
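
An added example, not part of the original post and not Condor code: a small audit pass over a Condor-style config that flags the two settings the post itself marks as weak (QUEUE_ALL_USERS_TRUSTED=TRUE and a bare `*` in an ALLOW_* entry) and SOAP enabled without SOAP/SSL. The sample config is constructed from the settings quoted above; treating text after `##` as an annotation is an assumption of this example, and Condor's own parser may read such lines differently.

```python
# Constructed sample, modelled on the settings quoted in the post above.
SAMPLE_CONFIG = """\
ENABLE_SOAP=TRUE
ENABLE_SOAP_SSL = TRUE
ALLOW_SOAP= */131.243.2.255
ALLOW_WRITE=* ## this needs to be tightened
#QUEUE_ALL_USERS_TRUSTED=TRUE
QUEUE_ALL_USERS_TRUSTED = False
"""


def parse_config(text):
    """Return {KEY: value} for active lines; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out setting: not in effect
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # Assumption of this example: text after '##' is an annotation, not value.
        settings[key.strip().upper()] = value.split("##", 1)[0].strip()
    return settings


def audit(settings):
    """Return a list of 'KEY: reason' findings for the weak settings named in the post."""
    def is_true(key):
        return settings.get(key, "").upper() == "TRUE"

    findings = []
    if is_true("QUEUE_ALL_USERS_TRUSTED"):
        findings.append("QUEUE_ALL_USERS_TRUSTED: unauthenticated users may write "
                        "to the queue and the client-supplied Owner is trusted")
    for key, value in settings.items():
        if key.startswith("ALLOW_") and value == "*":
            findings.append(f"{key}: bare wildcard, needs to be tightened")
    if is_true("ENABLE_SOAP") and not is_true("ENABLE_SOAP_SSL"):
        findings.append("ENABLE_SOAP: enabled without ENABLE_SOAP_SSL, "
                        "so SOAP is reachable over plain http only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```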