Add an option to skip the verification of client_acl users

conf/master

@@ -301,6 +301,11 @@ CLI option, only sets this to a single file for all salt commands.
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
+#
+# Check the list of configured users in client ACL against users on the
+# system and throw errors if they do not exist.
+#client_acl_verify: True
+#
 #client_acl_blacklist:
 #  users:
 #    - root

salt/config.py

@@ -542,6 +542,7 @@ VALID_OPTS = {
     'syndic_master': (string_types, list),
     'runner_dirs': list,
     'client_acl': dict,
+    'client_acl_verify': bool,
     'client_acl_blacklist': dict,
     'sudo_acl': bool,
     'external_auth': dict,
@@ -1095,6 +1096,7 @@ DEFAULT_MASTER_OPTS = {
     'runner_dirs': [],
     'outputter_dirs': [],
     'client_acl': {},
+    'client_acl_verify': True,
     'client_acl_blacklist': {},
     'sudo_acl': False,
     'external_auth': {},

salt/daemons/masterapi.py

@@ -198,7 +198,7 @@ def access_keys(opts):
     if opts.get('user'):
         acl_users.add(opts['user'])
     acl_users.add(salt.utils.get_user())
-    if HAS_PWD:
+    if opts['client_acl_verify'] and HAS_PWD:
         for user in pwd.getpwall():
             users.append(user.pw_name)
     for user in acl_users:
@@ -208,7 +208,7 @@ def access_keys(opts):
             )
         )
 
-        if HAS_PWD:
+        if opts['client_acl_verify'] and HAS_PWD:
             if user not in users:
                 try:
                     user = pwd.getpwnam(user).pw_name