Document module whitelisting. Remove FIXME comments for disable_modules and disable_returners as they are definitely implemented. (#35717)

conf/minion

@@ -403,10 +403,23 @@
 #####   Minion module management     #####
 ##########################################
 # Disable specific modules. This allows the admin to limit the level of
-# access the master has to the minion.
-#disable_modules: [cmdmod,test]
+# access the master has to the minion.  The default here is the empty list,
+# below is an example of how this needs to be formatted in the config file
+#disable_modules:
+#  - cmdmod
+#  - test
 #disable_returners: []
-#
+
+# This is the reverse of disable_modules.  The default, like disable_modules, is the empty list,
+# but if this option is set to *anything* then *only* those modules will load.
+# Note that this is a very large hammer and it can be quite difficult to keep the minion working
+# the way you think it should since Salt uses many modules internally itself.  At a bare minimum
+# you need the following enabled or else the minion won't start.
+whitelist_modules:
+#  - cmdmod
+#  - test
+#  - config
+
 # Modules can be loaded from arbitrary paths. This enables the easy deployment
 # of third party modules. Modules for returners and minions can be loaded.
 # Specify a list of extra directories to search for minion modules and

doc/ref/configuration/minion.rst

@@ -998,6 +998,30 @@ If certain returners should be disabled, this is the place
     disable_returners:
       - mongo_return
 
+
+.. conf_minion:: enable_whitelist_modules
+
+``whitelist_modules``
+----------------------------
+
+Default: ``[]`` (Module whitelisting is disabled.  Adding anything to the config option
+will cause only the listed modules to be enabled.  Modules not in the list will
+not be loaded.)
+
+This option is the reverse of disable_modules.
+
+Note that this is a very large hammer and it can be quite difficult to keep the minion working
+the way you think it should since Salt uses many modules internally itself.  At a bare minimum
+you need the following enabled or else the minion won't start.
+
+.. code-block:: yaml
+
+    whitelist_modules:
+      - cmdmod
+      - test
+      - config
+
+
 .. conf_minion:: module_dirs
 
 ``module_dirs``

salt/config/__init__.py

@@ -255,10 +255,10 @@ VALID_OPTS = {
     # The type of hashing algorithm to use when doing file comparisons
     'hash_type': str,
 
-    # FIXME Does not appear to be implemented
+    # Refuse to load these modules
     'disable_modules': list,
 
-    # FIXME Does not appear to be implemented
+    # Refuse to load these returners
     'disable_returners': list,
 
     # Tell the loader to only load modules in this list