Showing with 40 additions and 7 deletions.
  1. +3 −0 conf/master
  2. +15 −0 doc/ref/configuration/master.rst
  3. +6 −0 doc/topics/releases/2016.3.7.rst
  4. +4 −0 salt/config/__init__.py
  5. +5 −0 salt/master.py
  6. +7 −7 salt/modules/dockerng.py
@@ -194,6 +194,9 @@
# a previous deleted minion ID.
#preserve_minion_cache: False

# Allow or deny minions from requesting their own key revocation
#allow_minion_key_revoke: True

# If max_minions is used in large installations, the master might experience
# high-load situations because of having to check the number of connected
# minions for every authentication. This cache provides the minion-ids of
@@ -1159,6 +1159,21 @@ constant names without ssl module prefix: ``CERT_REQUIRED`` or ``PROTOCOL_SSLv23
certfile: <path_to_certfile>
ssl_version: PROTOCOL_TLSv1_2
.. conf_master:: allow_minion_key_revoke

``allow_minion_key_revoke``
------------------

Default: ``True``

Controls whether a minion can request its own key revocation. When True
the master will honor the minion's request and revoke its key. When False,
the master will drop the request and the minion's key will remain accepted.


.. code-block:: yaml
rotate_aes_key: True
Master Module Management
========================
@@ -3,3 +3,9 @@ Salt 2016.3.7 Release Notes
===========================

Version 2016.3.7 is a bugfix release for :ref:`2016.3.0 <release-2016-3-0>`.

New master configuration option `allow_minion_key_revoke`, defaults to True. This option
controls whether a minion can request that the master revoke its key. When True, a minion
can request a key revocation and the master will comply. If it is False, the key will not
be revoked by the msater.

@@ -955,6 +955,9 @@ def _gather_buffer_space():
# Number of times to try to auth with the master on a reconnect with the
# tcp transport
'tcp_authentication_retries': int,

# Permit or deny allowing minions to request revoke of its own key
'allow_minion_key_revoke': bool,
}

# default configurations
@@ -1474,6 +1477,7 @@ def _gather_buffer_space():
'ssl': None,
'django_auth_path': '',
'django_auth_settings': '',
'allow_minion_key_revoke': True,
}


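--- a/salt/master.py
+++ b/salt/master.py
@@ -1572,6 +1572,11 @@ def revoke_auth(self, load):
 :return: True if key was revoked, False if not
 '''
 load = self.__verify_load(load, ('id', 'tok'))
+
+if not self.opts.get('allow_minion_key_revoke', False):
+log.warning('Minion {0} requested key revoke, but allow_minion_key_revoke is False'.format(load['id']))
+return load
+
 if load is False:
 return load
 else: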
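Review bot: The new guard reads `load['id']` before the existing `if load is False` check, so when `__verify_load` rejects the request (it can return False, as the line right after the guard shows) and the option is off, the handler raises TypeError on a bool instead of returning False. The denied path also returns `load`, a truthy dict, although the docstring two lines above promises False when the key was not revoked, and the `.get` fallback of False disagrees with the True default this same commit adds in salt/config/__init__.py. Changing the guard to `if load is not False and not self.opts.get('allow_minion_key_revoke', True):` and its exit to `return False` addresses all three without touching the structure below. The body of revoke_auth continues past the hunk.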
@@ -93,14 +93,14 @@
username: foo
password: s3cr3t
To login to the configured registries, use the :py:func:`docker.login
<salt.modules.dockermod.login>` function. This only needs to be done once for a
To login to the configured registries, use the :py:func:`dockerng.login
<salt.modules.dockerng.login>` function. This only needs to be done once for a
given registry, and it will store/update the credentials in
``~/.docker/config.json``.
.. note::
For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`docker.login
<salt.modules.dockermod.login>` is not available. Instead, Salt will try to
For Salt releases before 2016.3.7 and 2016.11.4, :py:func:`dockerng.login
<salt.modules.dockerng.login>` is not available. Instead, Salt will try to
authenticate using each of your configured registries for each push/pull,
behavior which is not correct and has been resolved in newer releases.
@@ -1842,9 +1842,9 @@ def login(*registries):
.. code-block:: bash
salt myminion docker.login
salt myminion docker.login hub
salt myminion docker.login hub https://mydomain.tld/registry/
salt myminion dockerng.login
salt myminion dockerng.login hub
salt myminion dockerng.login hub https://mydomain.tld/registry/
'''
# NOTE: This function uses the "docker login" CLI command so that login
# information is added to the config.json, since docker-py isn't designed