From 7fb1dba1823e41e4cda59a49eb0391222a643f09 Mon Sep 17 00:00:00 2001
From: Steve Hajducko
Date: Thu, 8 Sep 2016 11:11:06 -0700
Subject: [PATCH] Skip extra traversals of minion cache for auth
With a large amount of minions and large ACL sets, check_minions starts to become rather expensive. The master's publish was already obtaining this list ( albeit later in execution ), but by moving it up and passing it to CkMinion's auth_check, it allows CkMinion's validate_tgt to skip a cache traversal. Related to #33948
---
 salt/master.py | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/salt/master.py b/salt/master.py
index 3aabc5ef020c..4ec3545fc756 100644
--- a/salt/master.py
+++ b/salt/master.py
@@ -1980,6 +1980,14 @@ def publish(self, clear_load):
 )
 return ''
+ # Retrieve the minions list
+ delimiter = clear_load.get('kwargs', {}).get('delimiter', DEFAULT_TARGET_DELIM)
+ minions = self.ckminions.check_minions(
+ clear_load['tgt'],
+ clear_load.get('tgt_type', 'glob'),
+ delimiter
+ )
+
 # Check for external auth calls
 if extra.get('token', False):
 # A token was passed, check it
@@ -2041,7 +2049,8 @@ def publish(self, clear_load):
 clear_load['fun'],
 clear_load['arg'],
 clear_load['tgt'],
- clear_load.get('tgt_type', 'glob'))
+ clear_load.get('tgt_type', 'glob'),
+ minions=minions)
 if not good:
 # Accept find_job so the CLI will function cleanly
 if clear_load['fun'] != 'saltutil.find_job':
@@ -2138,7 +2147,8 @@ def publish(self, clear_load):
 clear_load['fun'],
 clear_load['arg'],
 clear_load['tgt'],
- clear_load.get('tgt_type', 'glob')
+ clear_load.get('tgt_type', 'glob'),
+ minions=minions
 )
 if not good:
 # Accept find_job so the CLI will function cleanly
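Review bot: The check_minions() call added at the top of the -1980 hunk now runs before the token, eauth and user checks that begin at `# Check for external auth calls`, so the cache traversal the commit message itself calls expensive is paid on every publish request, including ones that will go on to fail authentication. `tgt`, `tgt_type` and `delimiter` are all taken from `clear_load` at that point, which makes target matching pre-authentication work on caller-chosen input. Consider resolving the list only once a credential has been accepted (once per branch, just before its auth_check call), or at minimum record the trade-off with a comment such as `# NOTE: resolved before authentication; cost is incurred for rejected loads too`. `clear_load['tgt']` is also indexed directly here, so a load without `tgt` would raise KeyError before reaching the auth-failure paths unless it is validated earlier in publish(), which starts outside the hunk.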
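Review bot: `minions=minions` in the -2041 hunk is a new keyword argument to auth_check(), but the diffstat shows only salt/master.py changing, so the signature that accepts it is not visible; confirm CkMinions.auth_check already takes `minions`, otherwise every auth branch raises TypeError. The same applies to the identical edits in the -2138, -2170 and -2215 hunks. Since the authorization result now depends on a list supplied by the caller rather than one resolved inside the check, the call deserves a comment stating the contract, e.g. `# minions must be check_minions() output for this exact tgt/tgt_type/delimiter`. That list is built with the request's own `delimiter`, so it is worth verifying that the ACL-side match inside auth_check is resolved consistently with it. The auth_check call begins outside each of these hunks.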
@@ -2170,7 +2180,8 @@ def publish(self, clear_load):
 clear_load['fun'],
 clear_load['arg'],
 clear_load['tgt'],
- clear_load.get('tgt_type', 'glob'))
+ clear_load.get('tgt_type', 'glob'),
+ minions=minions)
 if not good:
 # Accept find_job so the CLI will function cleanly
 if clear_load['fun'] != 'saltutil.find_job':
@@ -2215,7 +2226,8 @@ def publish(self, clear_load):
 clear_load['fun'],
 clear_load['arg'],
 clear_load['tgt'],
- clear_load.get('tgt_type', 'glob'))
+ clear_load.get('tgt_type', 'glob'),
+ minions=minions)
 if not good:
 # Accept find_job so the CLI will function cleanly
 if clear_load['fun'] != 'saltutil.find_job':
@@ -2235,14 +2247,7 @@ def publish(self, clear_load):
 'Authentication failure of type "other" occurred.'
 )
 return ''
- # FIXME Needs additional refactoring
- # Retrieve the minions list
- delimiter = clear_load.get('kwargs', {}).get('delimiter', DEFAULT_TARGET_DELIM)
- minions = self.ckminions.check_minions(
- clear_load['tgt'],
- clear_load.get('tgt_type', 'glob'),
- delimiter
- )
+
 # If we order masters (via a syndic), don't short circuit if no minions
 # are found
 if not self.opts.get('order_masters'):