From 3affafa2e981a906b8eb105229112215486ac1b9 Mon Sep 17 00:00:00 2001
From: Mike Place
Date: Thu, 21 Jul 2016 09:51:45 -0600
Subject: [PATCH] Add an option to skip the verification of client_acl users
---
 conf/master | 5 +++++
 salt/config.py | 2 ++
 salt/daemons/masterapi.py | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/conf/master b/conf/master
index ac99754a32e..55e1983ba87 100644
--- a/conf/master
+++ b/conf/master
@@ -301,6 +301,11 @@ CLI option, only sets this to a single file for all salt commands.
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
+#
+# Check the list of configured users in client ACL against users on the
+# system and throw errors if they do not exist.
+#client_acl_verify: True
+#
 #client_acl_blacklist:
 # users:
 # - root
diff --git a/salt/config.py b/salt/config.py
index 74d969b13b6..30f9995ba7d 100644
--- a/salt/config.py
+++ b/salt/config.py
@@ -542,6 +542,7 @@ VALID_OPTS = {
 'syndic_master': (string_types, list),
 'runner_dirs': list,
 'client_acl': dict,
+ 'client_acl_verify': bool,
 'client_acl_blacklist': dict,
 'sudo_acl': bool,
 'external_auth': dict,
@@ -1095,6 +1096,7 @@ DEFAULT_MASTER_OPTS = {
 'runner_dirs': [],
 'outputter_dirs': [],
 'client_acl': {},
+ 'client_acl_verify': True,
 'client_acl_blacklist': {},
 'sudo_acl': False,
 'external_auth': {},
diff --git a/salt/daemons/masterapi.py b/salt/daemons/masterapi.py
index 2a5a42798c4..20ab1149b0d 100644
--- a/salt/daemons/masterapi.py
+++ b/salt/daemons/masterapi.py
@@ -198,7 +198,7 @@ def access_keys(opts):
 if opts.get('user'):
 acl_users.add(opts['user'])
 acl_users.add(salt.utils.get_user())
- if HAS_PWD:
+ if opts['client_acl_verify'] and HAS_PWD:
 for user in pwd.getpwall():
 users.append(user.pw_name)
 for user in acl_users:
@@ -208,7 +208,7 @@ def access_keys(opts):
 )
 )
- if HAS_PWD:
+ if opts['client_acl_verify'] and HAS_PWD:
 if user not in users:
 try:
 user = pwd.getpwnam(user).pw_name
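Review bot: The new comment above `#client_acl_verify: True` explains only the enabled behaviour, so a reader cannot tell what is given up by setting it to False. Going by the masterapi.py change in this same commit, False skips the `pwd` lookup of the names listed in `client_acl`, so a misspelled or nonexistent account is no longer reported. I would add a line such as `# Set to False to skip this check; ACL user names are then not validated.` The diffstat lists only three files, so the option also appears to be missing from the reference documentation.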
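Review bot: `opts['client_acl_verify']` in the new condition raises KeyError when the opts dict passed to access_keys lacks the key, whereas the context line just above reads its option with `opts.get('user')`. Any caller that builds opts without the master defaults (a test fixture, for instance) would now fail here rather than keep the old behaviour. Reading the flag once with a safe default keeps verification on when the key is absent: `verify_users = HAS_PWD and opts.get('client_acl_verify', True)`, followed by `if verify_users:` here and at the identical condition in the `-208` hunk. The body of access_keys starts and ends outside both hunks.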
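Review bot: With the option off this branch is skipped silently, so `user` continues through the loop exactly as written in `client_acl`, without the `pwd.getpwnam(user).pw_name` lookup and with nothing logged to show the check was bypassed. The loop body continues past the end of the hunk; if later steps still resolve the account through `pwd` (for example to set ownership on a per-user file), they presumably need to tolerate a name that does not exist, which is worth confirming before merge. A single debug-level log message before the loop, stating that ACL users are not being checked against the system, would make the relaxed state visible to whoever reads the master log.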