Merge pull request #41033 from rallytime/merge-nitrogen

[nitrogen] Merge forward from 2016.11 to nitrogen
Mike Place 2017-05-03 11:13:42 -06:00 committed by GitHub
commit a1f83ebb1e
6 changed files with 40 additions and 7 deletions


@ -194,6 +194,9 @@
# a previous deleted minion ID. # a previous deleted minion ID.
#preserve_minion_cache: False #preserve_minion_cache: False
# Allow or deny minions from requesting their own key revocation
#allow_minion_key_revoke: True
# If max_minions is used in large installations, the master might experience # If max_minions is used in large installations, the master might experience
# high-load situations because of having to check the number of connected # high-load situations because of having to check the number of connected
# minions for every authentication. This cache provides the minion-ids of # minions for every authentication. This cache provides the minion-ids of


@ -1258,6 +1258,21 @@ constant names without ssl module prefix: ``CERT_REQUIRED`` or ``PROTOCOL_SSLv23
certfile: <path_to_certfile> certfile: <path_to_certfile>
ssl_version: PROTOCOL_TLSv1_2 ssl_version: PROTOCOL_TLSv1_2
.. conf_master:: allow_minion_key_revoke
``allow_minion_key_revoke``
------------------
Default: ``True``
Controls whether a minion can request its own key revocation. When True
the master will honor the minion's request and revoke its key. When False,
the master will drop the request and the minion's key will remain accepted.
.. code-block:: yaml
rotate_aes_key: True
Master Module Management Master Module Management
======================== ========================


@ -3,3 +3,9 @@ Salt 2016.3.7 Release Notes
=========================== ===========================
Version 2016.3.7 is a bugfix release for :ref:`2016.3.0 <release-2016-3-0>`. Version 2016.3.7 is a bugfix release for :ref:`2016.3.0 <release-2016-3-0>`.
New master configuration option `allow_minion_key_revoke`, defaults to True. This option
controls whether a minion can request that the master revoke its key. When True, a minion
can request a key revocation and the master will comply. If it is False, the key will not
be revoked by the msater.


@ -1039,6 +1039,9 @@ VALID_OPTS = {
# Number of times to try to auth with the master on a reconnect with the # Number of times to try to auth with the master on a reconnect with the
# tcp transport # tcp transport
'tcp_authentication_retries': int, 'tcp_authentication_retries': int,
# Permit or deny allowing minions to request revoke of its own key
'allow_minion_key_revoke': bool,
} }
# default configurations # default configurations
@ -1594,6 +1597,7 @@ DEFAULT_MASTER_OPTS = {
'clean_dynamic_modules': True, 'clean_dynamic_modules': True,
'django_auth_path': '', 'django_auth_path': '',
'django_auth_settings': '', 'django_auth_settings': '',
'allow_minion_key_revoke': True,
} }
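Review bot: The comment on the new VALID_OPTS entry, `# Permit or deny allowing minions to request revoke of its own key`, is hard to parse; `# Whether a minion may request that the master revoke its own key (default True)` says the same thing and records the default that the second hunk sets in DEFAULT_MASTER_OPTS. Whatever code consumes this option should fall back to that same True default rather than False, so the option behaves as documented even when an opts dict is built without the defaults merged in.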


@ -1577,6 +1577,11 @@ class AESFuncs(object):
:return: True if key was revoked, False if not :return: True if key was revoked, False if not
''' '''
load = self.__verify_load(load, ('id', 'tok')) load = self.__verify_load(load, ('id', 'tok'))
if not self.opts.get('allow_minion_key_revoke', False):
log.warning('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id']))
return load
if load is False: if load is False:
return load return load
else: else:
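Review bot: The new guard indexes `load['id']` before the existing `if load is False` check runs, so when revocation is disabled and `__verify_load` has rejected the load (which the following lines suggest it signals by returning False) the warning line raises TypeError instead of returning. It also returns the verified load dict, a truthy value, although the docstring above promises `False` when the key was not revoked. Move the three new lines to the top of the `else:` branch and end them with `return False`; while there, the fallback in `self.opts.get('allow_minion_key_revoke', False)` contradicts the `True` default set in DEFAULT_MASTER_OPTS and documented in this same commit, so use `self.opts.get('allow_minion_key_revoke', True)` or index the key directly. The enclosing method starts before the hunk and its `else:` branch continues past it.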


@ -83,14 +83,14 @@ in the ``docker-registries`` Pillar key, as well as any key ending in
username: foo username: foo
password: s3cr3t password: s3cr3t
To login to the configured registries, use the :py:func:`docker.login To login to the configured registries, use the :py:func:`dockerng.login
<salt.modules.dockermod.login>` function. This only needs to be done once for a <salt.modules.dockerng.login>` function. This only needs to be done once for a
given registry, and it will store/update the credentials in given registry, and it will store/update the credentials in
``~/.docker/config.json``. ``~/.docker/config.json``.
.. note:: .. note::
For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`docker.login For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`dockerng.login
<salt.modules.dockermod.login>` is not available. Instead, Salt will try to <salt.modules.dockerng.login>` is not available. Instead, Salt will try to
authenticate using each of your configured registries for each push/pull, authenticate using each of your configured registries for each push/pull,
behavior which is not correct and has been resolved in newer releases. behavior which is not correct and has been resolved in newer releases.
@ -921,9 +921,9 @@ def login(*registries):
.. code-block:: bash .. code-block:: bash
salt myminion docker.login salt myminion dockerng.login
salt myminion docker.login hub salt myminion dockerng.login hub
salt myminion docker.login hub https://mydomain.tld/registry/ salt myminion dockerng.login hub https://mydomain.tld/registry/
''' '''
# NOTE: This function uses the "docker login" CLI command so that login # NOTE: This function uses the "docker login" CLI command so that login
# information is added to the config.json, since docker-py isn't designed # information is added to the config.json, since docker-py isn't designed
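Review bot: The two columns of this docstring disagree on the module name, `docker.login`/`salt.modules.dockermod.login` versus `dockerng.login`/`salt.modules.dockerng.login`, and the rendering does not show which side is new; whichever it is, the `:py:func:` targets here and in the `login` example block in the second hunk must name the module that actually exists on this branch, or the cross-reference will likely fail to resolve and the CLI examples will point users at the wrong module. If this merge-forward intentionally keeps the `docker` naming on this branch, the `dockerng` text should not survive the merge; if `dockerng` is still the shipped name here, the `dockermod` references are the ones to drop. The `login` function's body continues past the end of the hunk.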