From 3affafa2e981a906b8eb105229112215486ac1b9 Mon Sep 17 00:00:00 2001
From: Mike Place
Date: Thu, 21 Jul 2016 09:51:45 -0600
Subject: [PATCH 1/2] Add an option to skip the verification of client_acl users
---
 conf/master | 5 +++++
 salt/config.py | 2 ++
 salt/daemons/masterapi.py | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/conf/master b/conf/master
index ac99754a32..55e1983ba8 100644
--- a/conf/master
+++ b/conf/master
@@ -301,6 +301,11 @@ CLI option, only sets this to a single file for all salt commands.
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
+#
+# Check the list of configured users in client ACL against users on the
+# system and throw errors if they do not exist.
+#client_acl_verify: True
+#
 #client_acl_blacklist:
 # users:
 # - root
diff --git a/salt/config.py b/salt/config.py
index 74d969b13b..30f9995ba7 100644
--- a/salt/config.py
+++ b/salt/config.py
@@ -542,6 +542,7 @@ VALID_OPTS = {
 'syndic_master': (string_types, list),
 'runner_dirs': list,
 'client_acl': dict,
+ 'client_acl_verify': bool,
 'client_acl_blacklist': dict,
 'sudo_acl': bool,
 'external_auth': dict,
@@ -1095,6 +1096,7 @@ DEFAULT_MASTER_OPTS = {
 'runner_dirs': [],
 'outputter_dirs': [],
 'client_acl': {},
+ 'client_acl_verify': True,
 'client_acl_blacklist': {},
 'sudo_acl': False,
 'external_auth': {},
diff --git a/salt/daemons/masterapi.py b/salt/daemons/masterapi.py
index 2a5a42798c..20ab1149b0 100644
--- a/salt/daemons/masterapi.py
+++ b/salt/daemons/masterapi.py
@@ -198,7 +198,7 @@ def access_keys(opts):
 if opts.get('user'):
 acl_users.add(opts['user'])
 acl_users.add(salt.utils.get_user())
- if HAS_PWD:
+ if opts['client_acl_verify'] and HAS_PWD:
 for user in pwd.getpwall():
 users.append(user.pw_name)
 for user in acl_users:
@@ -208,7 +208,7 @@ def access_keys(opts):
 )
 )
 
- if HAS_PWD:
+ if opts['client_acl_verify'] and HAS_PWD:
 if user not in users:
 try:
 user = pwd.getpwnam(user).pw_name
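Review bot: The comment added above `#client_acl_verify: True` says the master will "throw errors" for missing users and never says what setting the option to False changes. The handling visible in access_keys is `log.error('ACL user {0} is not available'.format(user))` followed by `continue`, so a missing user is logged and skipped rather than raised. I would word it as `# Verify that users listed in client_acl exist on the system; users that` / `# do not exist are logged and skipped. Set to False to skip this check.`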
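Review bot: `opts['client_acl_verify']` is indexed directly in the new `if` line of the hunk at line 198, so an opts dict that lacks the key would raise KeyError there, while the first context line of the same hunk uses `opts.get('user')`. `if opts.get('client_acl_verify', True) and HAS_PWD:` keeps verification on when the key is missing, which is the safer default for an access-control check. The same condition is repeated in the hunk at line 208 and should change with it. access_keys starts and ends outside both hunks.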
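Review bot: When `client_acl_verify` is False, the `if user not in users` lookup in the hunk at line 208 is skipped without any log line, so nothing in the master log records that the account check was turned off. Every name in `acl_users` then continues to whatever follows in the loop, presumably the key preparation announced by the `log.info` call just above. A single warning before the loop, for example `log.warning('client_acl_verify is disabled; client_acl users are not checked against system accounts')`, would make that state visible to anyone auditing the log. The rest of the loop body is outside the hunk, so how later `pwd` calls handle a name with no system account should be checked too.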
From 2c8298dc6ebda6a25ffd4b78816b4a13ade7c8e1 Mon Sep 17 00:00:00 2001
From: Mike Place
Date: Thu, 21 Jul 2016 09:54:52 -0600
Subject: [PATCH 2/2] Profile logging
---
 salt/daemons/masterapi.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/daemons/masterapi.py b/salt/daemons/masterapi.py
index 20ab1149b0..29def444f3 100644
--- a/salt/daemons/masterapi.py
+++ b/salt/daemons/masterapi.py
@@ -199,8 +199,10 @@ def access_keys(opts):
 acl_users.add(opts['user'])
 acl_users.add(salt.utils.get_user())
 if opts['client_acl_verify'] and HAS_PWD:
+ log.profile('Beginning pwd.getpwall() call in masterarpi acess_keys function')
 for user in pwd.getpwall():
 users.append(user.pw_name)
+ log.profile('End pwd.getpwall() call in masterarpi acess_keys function')
 for user in acl_users:
 log.info(
 'Preparing the {0} key for local communication'.format(
@@ -211,7 +213,9 @@ def access_keys(opts):
 if opts['client_acl_verify'] and HAS_PWD:
 if user not in users:
 try:
+ log.profile('Beginning pwd.getpnam() call in masterarpi acess_keys function')
 user = pwd.getpwnam(user).pw_name
+ log.profile('Beginning pwd.getpwnam() call in masterarpi acess_keys function')
 except KeyError:
 log.error('ACL user {0} is not available'.format(user))
 continue
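Review bot: Both added `log.profile` messages in the hunk at line 199 misspell the module and function names as `masterarpi` and `acess_keys`, so the profile lines will not be found by a search for `masterapi` or `access_keys`. The two messages in the hunk at line 211 carry the same typos. Suggested text for the first is `log.profile('Beginning pwd.getpwall() call in masterapi access_keys function')`, with the same correction applied to the matching `End` line.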
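Review bot: The message added after `pwd.getpwnam(user)` in the hunk at line 211 also says `Beginning`, and the one before it names `pwd.getpnam()`, so the profile log shows two begin markers and no end marker for this call. The second should read `log.profile('End pwd.getpwnam() call in masterapi access_keys function')`, and `getpnam` should be corrected in the first. When `getpwnam` raises KeyError the second line is skipped entirely, so logging the end marker in a `finally` clause would keep the pairs balanced. The loop body continues outside the hunk.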