Fire an event on AES key rotate.

Also setup a config file option for ping-on-rotate.

conf/master

@@ -122,6 +122,16 @@
 # master event bus. The value is expressed in bytes.
 #max_event_size: 1048576
 
+# By default, the master AES key rotates every 24 hours. By default,
+# a key rotatation triggers a test.ping of all connected minions so that
+# they immediately reconnect. To disable this behaviour, set ping_on_rotate
+# to False.
+#
+# If diabled, it is recommended to handle this event by listening for the 
+# 'aes_key_rotate' event with the 'key' tag and acting appropriately.
+#
+# ping_on_rotate: True
+
 # The master can include configuration from other files. To enable this,
 # pass a list of paths to this option. The paths can be either relative or
 # absolute; if relative, they are considered to be relative to the directory

salt/config.py

@@ -182,6 +182,7 @@ VALID_OPTS = {
     'pillar_version': int,
     'pillar_opts': bool,
     'pillar_source_merging_strategy': str,
+    'ping_on_key_rotate': bool,
     'peer': dict,
     'syndic_master': str,
     'runner_dirs': list,
@@ -438,6 +439,7 @@ DEFAULT_MASTER_OPTS = {
     'pillar_version': 2,
     'pillar_opts': True,
     'pillar_source_merging_strategy': 'smart',
+    'ping_on_key_rotate': True,
     'peer': {},
     'syndic_master': '',
     'runner_dirs': [],

salt/crypt.py

@@ -37,7 +37,7 @@ from salt.exceptions import (
 log = logging.getLogger(__name__)
 
 
-def dropfile(cachedir, user=None):
+def dropfile(cachedir, user=None, sock_dir=None):
     '''
     Set an AES dropfile to update the publish session key
 
@@ -88,6 +88,9 @@ def dropfile(cachedir, user=None):
 
     shutil.move(dfnt, dfn)
     os.umask(mask)
+    if sock_dir:
+        event = salt.utils.event.SaltEvent('master', sock_dir)
+        event.fire_event({'rotate_aes_key': True}, tag='key')
 
 
 def gen_keys(keydir, keyname, keysize, user=None):

salt/key.py

@@ -682,7 +682,7 @@ class Key(object):
                     pass
         self.check_minion_cache()
         if self.opts.get('key_no_rotate'):
-            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'])
+            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'], self.opts['sock_dir'])
         return (
             self.name_match(match) if match is not None
             else self.dict_match(matches)
@@ -704,7 +704,7 @@ class Key(object):
                     pass
         self.check_minion_cache()
         if self.opts.get('key_no_rotate'):
-            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'])
+            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'], self.opts['sock_dir'])
         return self.list_keys()
 
     def reject(self, match=None, match_dict=None, include_accepted=False):
@@ -742,7 +742,7 @@ class Key(object):
                     pass
         self.check_minion_cache()
         if self.opts.get('key_no_rotate'):
-            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'])
+            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'], self.opts['sock_dir'])
         return (
             self.name_match(match) if match is not None
             else self.dict_match(matches)
@@ -773,7 +773,7 @@ class Key(object):
                 pass
         self.check_minion_cache()
         if self.opts.get('key_no_rotate'):
-            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'])
+            salt.crypt.dropfile(self.opts['cachedir'], self.opts['user'], self.opts['sock_dir'])
         return self.list_keys()
 
     def finger(self, match):

salt/master.py

@@ -183,7 +183,8 @@ class Master(SMaster):
                 if now - rotate >= self.opts['publish_session']:
                     salt.crypt.dropfile(
                         self.opts['cachedir'],
-                        self.opts['user'])
+                        self.opts['user'],
+                        self.opts['sock_dir'])
                     rotate = now
             if self.opts.get('search'):
                 if now - last >= self.opts['search_index_interval']: