From 8920495943837834985c0d2b22ff5ae3e52636c4 Mon Sep 17 00:00:00 2001 From: "C. R. Oldham" Date: Mon, 17 Apr 2017 13:12:46 -0600 Subject: [PATCH 1/4] Add config option to prevent minions from revoking their own keys. --- salt/config/__init__.py | 4 ++++ salt/master.py | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/salt/config/__init__.py b/salt/config/__init__.py index ee996c635d..c795a6afc2 100644 --- a/salt/config/__init__.py +++ b/salt/config/__init__.py @@ -868,6 +868,9 @@ VALID_OPTS = { # Default returners minion should use. List or comma-delimited string 'return': (str, list), + + # Permit or deny allowing minions to request revoke of its own key + 'allow_minion_key_revoke': bool, } # default configurations @@ -1346,6 +1349,7 @@ DEFAULT_MASTER_OPTS = { 'python2_bin': 'python2', 'python3_bin': 'python3', 'thin_extra_mods': '', + 'allow_minion_key_revoke': True, } diff --git a/salt/master.py b/salt/master.py index ecc037b863..40034b99bf 100644 --- a/salt/master.py +++ b/salt/master.py @@ -1543,6 +1543,11 @@ class AESFuncs(object): :return: True if key was revoked, False if not ''' load = self.__verify_load(load, ('id', 'tok')) + + if not self.opts.get('allow_minion_key_revoke', False): + log.debug('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id'])) + return load + if load is False: return load else: From 65ea8997b79834776e64ba249b55a72171a6a9c4 Mon Sep 17 00:00:00 2001 From: "C. R. Oldham" Date: Mon, 17 Apr 2017 13:20:45 -0600 Subject: [PATCH 2/4] Add allow_minion_key_revoke config option --- conf/master | 3 +++ doc/ref/configuration/master.rst | 16 ++++++++++++++++ doc/topics/releases/2016.3.7.rst | 6 ++++++ 3 files changed, 25 insertions(+) diff --git a/conf/master b/conf/master index 37151650fa..a675a8a2d5 100644 --- a/conf/master +++ b/conf/master 
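Review bot: The comment on the new VALID_OPTS entry reads awkwardly ("Permit or deny allowing minions to request revoke of its own key") and mixes plural "minions" with singular "its"; `# Allow minions to request revocation of their own key` says the same thing plainly. VALID_OPTS only records the type here, and the effective default is the `True` added to DEFAULT_MASTER_OPTS in the second hunk of this file, so any code consuming the option should rely on that single default rather than carrying its own hard-coded fallback.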
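Review bot: The new `allow_minion_key_revoke` check in salt/master.py runs before the existing `if load is False` guard, so when `__verify_load` rejects the request the denial branch evaluates `load['id']` on a bool and raises TypeError instead of returning False; move the check below that guard so only a verified load reaches the log call. The fallback in `self.opts.get('allow_minion_key_revoke', False)` also disagrees with the `True` default this same patch adds to DEFAULT_MASTER_OPTS, so a master whose opts lack the key silently denies revocation — write it as `if not self.opts.get('allow_minion_key_revoke', True):` so the two cannot drift. On denial the branch returns `load` itself, a truthy dict, although the docstring directly above promises `False` when the key was not revoked; `return False` is the answer the minion should receive. The same ordering and fallback survive unchanged into patch 3/4 below, which only changes the log level. The enclosing method starts before this hunk and continues after it.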
@@ -175,6 +175,9 @@ # a previous deleted minion ID. #preserve_minion_cache: False +# Allow or deny minions from requesting their own key revocation +#allow_minion_key_revoke: True + # If max_minions is used in large installations, the master might experience # high-load situations because of having to check the number of connected # minions for every authentication. This cache provides the minion-ids of diff --git a/doc/ref/configuration/master.rst b/doc/ref/configuration/master.rst index a7527e6657..6bfd2d3ab6 100644 --- a/doc/ref/configuration/master.rst +++ b/doc/ref/configuration/master.rst @@ -1006,6 +1006,22 @@ Do not disable this unless it is absolutely clear what this does. rotate_aes_key: True +.. conf_master:: allow_minion_key_revoke + +``allow_minion_key_revoke`` +------------------ + +Default: ``True`` + +Controls whether a minion can request its own key revocation. When True +the master will honor the minion's request and revoke its key. When False, +the master will drop the request and the minion's key will remain accepted. + + +.. code-block:: yaml + + rotate_aes_key: True + Master Module Management ======================== diff --git a/doc/topics/releases/2016.3.7.rst b/doc/topics/releases/2016.3.7.rst index ccde8c40db..2f10a21dfe 100644 --- a/doc/topics/releases/2016.3.7.rst +++ b/doc/topics/releases/2016.3.7.rst @@ -3,3 +3,9 @@ Salt 2016.3.7 Release Notes =========================== Version 2016.3.7 is a bugfix release for :ref:`2016.3.0 `. + +New master configuration option `allow_minion_key_revoke`, defaults to True. This option +controls whether a minion can request that the master revoke its key. When True, a minion +can request a key revocation and the master will comply. If it is False, the key will not +be revoked by the msater. + From cbc70195c03fabd7df2c743bb5b49a77493a3b4f Mon Sep 17 00:00:00 2001 
From: "C. R. Oldham" Date: Mon, 17 Apr 2017 14:10:47 -0600 Subject: [PATCH 3/4] Change message level when minion requests key revoke and feature is turned off. --- salt/master.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/master.py b/salt/master.py index 40034b99bf..9012c73620 100644 --- a/salt/master.py +++ b/salt/master.py @@ -1545,7 +1545,7 @@ class AESFuncs(object): load = self.__verify_load(load, ('id', 'tok')) if not self.opts.get('allow_minion_key_revoke', False): - log.debug('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id'])) + log.warning('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id'])) return load if load is False: From dfbbeb5946b473b15f62488913749919452dedbc Mon Sep 17 00:00:00 2001 From: Erik Johnson Date: Fri, 28 Apr 2017 09:32:04 -0500 Subject: [PATCH 4/4] Fix documentation for docker login function in pre-nitrogen release branches These should be referencing ``dockerng.login``, not ``docker.login``. --- salt/modules/dockerng.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/modules/dockerng.py b/salt/modules/dockerng.py index bf926fa3d5..0ba7855e90 100644 --- a/salt/modules/dockerng.py +++ b/salt/modules/dockerng.py 
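Review bot: The warning is still built eagerly with `str.format`, which runs even when the logger filters the record; pass the id as a lazy argument instead: `log.warning('Minion %s requested key revoke, but allow_minion_key_revoke is False', load['id'])`. Raising the level to warning is reasonable, since a refused revocation request is something an operator auditing the master log should see, but the message could also say what the master did so the reader need not know the option semantics, e.g. ending with `; ignoring request`. The ordering problem noted on the first patch is unchanged here: the context lines show the check still sits above `if load is False`, so a rejected load reaches `load['id']` on this very line. The enclosing method starts before this hunk and continues after it.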
@@ -93,14 +93,14 @@ in the ``docker-registries`` Pillar key, as well as any key ending in username: foo password: s3cr3t -To login to the configured registries, use the :py:func:`docker.login -` function. This only needs to be done once for a +To login to the configured registries, use the :py:func:`dockerng.login +` function. This only needs to be done once for a given registry, and it will store/update the credentials in ``~/.docker/config.json``. .. note:: - For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`docker.login - ` is not available. Instead, Salt will try to + For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`dockerng.login + ` is not available. Instead, Salt will try to authenticate using each of your configured registries for each push/pull, behavior which is not correct and has been resolved in newer releases. @@ -1776,9 +1776,9 @@ def login(*registries): .. code-block:: bash - salt myminion docker.login - salt myminion docker.login hub - salt myminion docker.login hub https://mydomain.tld/registry/ + salt myminion dockerng.login + salt myminion dockerng.login hub + salt myminion dockerng.login hub https://mydomain.tld/registry/ ''' # NOTE: This function uses the "docker login" CLI command so that login # information is added to the config.json, since docker-py isn't designed