Merge pull request #34847 from cachedout/pwall

Add an option to skip the verification of client_acl users
2024-11-08 09:23:56 +00:00 · 2016-07-21 11:55:55 -06:00 · 2016-07-21 11:55:55 -06:00 · 5d91139bc9
commit 5d91139bc9
parent 07d1d36653 2c8298dc6e
3 changed files with 13 additions and 2 deletions
--- a/conf/master
+++ b/conf/master
@ -301,6 +301,11 @@ CLI option, only sets this to a single file for all salt commands.
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
+#
+# Check the list of configured users in client ACL against users on the
+# system and throw errors if they do not exist.
+#client_acl_verify: True
+#
 #client_acl_blacklist:
 #  users:
 #    - root
--- a/salt/config.py
+++ b/salt/config.py
@ -542,6 +542,7 @@ VALID_OPTS = {
    'syndic_master': (string_types, list),
    'runner_dirs': list,
    'client_acl': dict,
+    'client_acl_verify': bool,
    'client_acl_blacklist': dict,
    'sudo_acl': bool,
    'external_auth': dict,
@ -1095,6 +1096,7 @@ DEFAULT_MASTER_OPTS = {
    'runner_dirs': [],
    'outputter_dirs': [],
    'client_acl': {},
+    'client_acl_verify': True,
    'client_acl_blacklist': {},
    'sudo_acl': False,
    'external_auth': {},
--- a/salt/daemons/masterapi.py
+++ b/salt/daemons/masterapi.py
@ -198,9 +198,11 @@ def access_keys(opts):
    if opts.get('user'):
        acl_users.add(opts['user'])
    acl_users.add(salt.utils.get_user())
-    if HAS_PWD:
+    if opts['client_acl_verify'] and HAS_PWD:
+        log.profile('Beginning pwd.getpwall() call in masterarpi acess_keys function')
        for user in pwd.getpwall():
            users.append(user.pw_name)
+        log.profile('End pwd.getpwall() call in masterarpi acess_keys function')
    for user in acl_users:
        log.info(
            'Preparing the {0} key for local communication'.format(
@ -208,10 +210,12 @@ def access_keys(opts):
            )
        )

-        if HAS_PWD:
+        if opts['client_acl_verify'] and HAS_PWD:
            if user not in users:
                try:
+                    log.profile('Beginning pwd.getpnam() call in masterarpi acess_keys function')
                    user = pwd.getpwnam(user).pw_name
+                    log.profile('Beginning pwd.getpwnam() call in masterarpi acess_keys function')
                except KeyError:
                    log.error('ACL user {0} is not available'.format(user))
                    continue