Merge pull request #41033 from rallytime/merge-nitrogen

[nitrogen] Merge forward from 2016.11 to nitrogen
2024-11-07 00:55:19 +00:00 · 2017-05-03 11:13:42 -06:00 · 2017-05-03 11:13:42 -06:00 · a1f83ebb1e
commit a1f83ebb1e
parent 3626258f50 19a3ecd5b8
6 changed files with 40 additions and 7 deletions
--- a/conf/master
+++ b/conf/master
@ -194,6 +194,9 @@
 # a previous deleted minion ID.
 #preserve_minion_cache: False

+# Allow or deny minions from requesting their own key revocation
+#allow_minion_key_revoke: True
+
 # If max_minions is used in large installations, the master might experience
 # high-load situations because of having to check the number of connected
 # minions for every authentication. This cache provides the minion-ids of
--- a/doc/ref/configuration/master.rst
+++ b/doc/ref/configuration/master.rst
@ -1258,6 +1258,21 @@ constant names without ssl module prefix: ``CERT_REQUIRED`` or ``PROTOCOL_SSLv23
        certfile: <path_to_certfile>
        ssl_version: PROTOCOL_TLSv1_2

+.. conf_master:: allow_minion_key_revoke
+
+``allow_minion_key_revoke``
+------------------
+
+Default: ``True``
+
+Controls whether a minion can request its own key revocation.  When True
+the master will honor the minion's request and revoke its key.  When False,
+the master will drop the request and the minion's key will remain accepted.
+
+
+.. code-block:: yaml
+
+    rotate_aes_key: True

 Master Module Management
 ========================
--- a/doc/topics/releases/2016.3.7.rst
+++ b/doc/topics/releases/2016.3.7.rst
@ -3,3 +3,9 @@ Salt 2016.3.7 Release Notes
 ===========================

 Version 2016.3.7 is a bugfix release for :ref:`2016.3.0 <release-2016-3-0>`.
+
+New master configuration option `allow_minion_key_revoke`, defaults to True.  This option
+controls whether a minion can request that the master revoke its key.  When True, a minion
+can request a key revocation and the master will comply.  If it is False, the key will not
+be revoked by the msater.
+
--- a/salt/config/init.py
+++ b/salt/config/init.py
@ -1039,6 +1039,9 @@ VALID_OPTS = {
    # Number of times to try to auth with the master on a reconnect with the
    # tcp transport
    'tcp_authentication_retries': int,
+
+    # Permit or deny allowing minions to request revoke of its own key
+    'allow_minion_key_revoke': bool,
 }

 # default configurations
@ -1594,6 +1597,7 @@ DEFAULT_MASTER_OPTS = {
    'clean_dynamic_modules': True,
    'django_auth_path': '',
    'django_auth_settings': '',
+    'allow_minion_key_revoke': True,
 }


--- a/salt/master.py
+++ b/salt/master.py
@ -1577,6 +1577,11 @@ class AESFuncs(object):
        :return: True if key was revoked, False if not
        '''
        load = self.__verify_load(load, ('id', 'tok'))
+
+        if not self.opts.get('allow_minion_key_revoke', False):
+            log.warning('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id']))
+            return load
+
        if load is False:
            return load
        else:
--- a/salt/modules/dockermod.py
+++ b/salt/modules/dockermod.py
@ -83,14 +83,14 @@ in the ``docker-registries`` Pillar key, as well as any key ending in
        username: foo
        password: s3cr3t

-To login to the configured registries, use the :py:func:`docker.login
-<salt.modules.dockermod.login>` function. This only needs to be done once for a
+To login to the configured registries, use the :py:func:`dockerng.login
+<salt.modules.dockerng.login>` function. This only needs to be done once for a
 given registry, and it will store/update the credentials in
 ``~/.docker/config.json``.

 .. note::
-    For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`docker.login
-    <salt.modules.dockermod.login>` is not available. Instead, Salt will try to
+    For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`dockerng.login
+    <salt.modules.dockerng.login>` is not available. Instead, Salt will try to
    authenticate using each of your configured registries for each push/pull,
    behavior which is not correct and has been resolved in newer releases.

@ -921,9 +921,9 @@ def login(*registries):

    .. code-block:: bash

-        salt myminion docker.login
-        salt myminion docker.login hub
-        salt myminion docker.login hub https://mydomain.tld/registry/
+        salt myminion dockerng.login
+        salt myminion dockerng.login hub
+        salt myminion dockerng.login hub https://mydomain.tld/registry/
    '''
    # NOTE: This function uses the "docker login" CLI command so that login
    # information is added to the config.json, since docker-py isn't designed