Added docs for autoaccepting grains

conf/master

@@ -345,6 +345,11 @@
 # the autosign_file and the auto_accept setting.
 #autoreject_file: /etc/salt/autoreject.conf
 
+# If the autosign_grains_dir is specified, incoming keys from minons with grain
+# values matching those defined in files in this directory will be accepted
+# automatically. This is insecure. Minions need to be configured to send the grains.
+#autosign_grains_dir: /etc/salt/autosign_grains
+
 # Enable permissive access to the salt keys. This allows you to run the
 # master or minion as root, but have a non-root group be given access to
 # your pki_dir. To make the access explicit, root must belong to the group
@@ -1274,4 +1279,3 @@
 # use OS defaults, typically 75 seconds on Linux, see
 # /proc/sys/net/ipv4/tcp_keepalive_intvl.
 #tcp_keepalive_intvl: -1
-

conf/minion

@@ -666,6 +666,12 @@
 #    certfile: <path_to_certfile>
 #    ssl_version: PROTOCOL_TLSv1_2
 
+# Grains to be sent to the master on authentication to check if the minion's key
+# will be accepted automatically. Needs to be configured on the master.
+#autosign_grains:
+#  - uuid
+#  - server_id
+
 
 ######        Reactor Settings        #####
 ###########################################

conf/suse/master

@@ -319,6 +319,11 @@ syndic_user: salt
 # the autosign_file and the auto_accept setting.
 #autoreject_file: /etc/salt/autoreject.conf
 
+# If the autosign_grains_dir is specified, incoming keys from minons with grain
+# values matching those defined in files in this directory will be accepted
+# automatically. This is insecure. Minions need to be configured to send the grains.
+#autosign_grains_dir: /etc/salt/autosign_grains
+
 # Enable permissive access to the salt keys. This allows you to run the
 # master or minion as root, but have a non-root group be given access to
 # your pki_dir. To make the access explicit, root must belong to the group
@@ -1230,4 +1235,3 @@ syndic_user: salt
 # use OS defaults, typically 75 seconds on Linux, see
 # /proc/sys/net/ipv4/tcp_keepalive_intvl.
 #tcp_keepalive_intvl: -1
-

doc/ref/configuration/master.rst

@@ -1292,6 +1292,30 @@ minion IDs for which keys will automatically be rejected. Will override both
 membership in the :conf_master:`autosign_file` and the
 :conf_master:`auto_accept` setting.
 
+.. conf_master:: autosign_grains_dir
+
+``autosign_grains_dir``
+-----------------
+
+Default: ``not defined``
+
+If the ``autosign_grains_dir`` is specified, incoming keys from minions with
+grain values that match those defined in files in the autosign_grains_dir
+will be accepted automatically. Grain values that should be accepted automatically
+can be defined by creating a file named like the corresponding grain in the
+autosign_grains_dir and writing the values into that file, one value per line.
+Lines starting with a ``#`` will be ignored.
+Minion must be configured to send the corresponding grains on authentication.
+This should still be considered a less than secure option, due to the fact
+that trust is based on just the requesting minion.
+
+Please see the :ref:`Autoaccept Minions from Grains <tutorial-autoaccept-grains>`
+documentation for more infomation.
+
+.. code-block:: yaml
+
+    autosign_grains_dir: /etc/salt/autosign_grains
+
 .. conf_master:: permissive_pki_access
 
 ``permissive_pki_access``

doc/ref/configuration/minion.rst

@@ -2252,6 +2252,25 @@ minion's pki directory.
 
     master_sign_key_name: <filename_without_suffix>
 
+.. conf_minion:: autosign_grains
+
+``autosign_grains``
+------------------------
+
+Default: ``not defined``
+
+The grains that should be sent to the master on authentication to decide if
+the minion's key should be accepted automatically.
+
+Please see the :ref:`Autoaccept Minions from Grains <tutorial-autoaccept-grains>`
+documentation for more infomation.
+
+.. code-block:: yaml
+
+    autosign_grains:
+      - uuid
+      - server_id
+
 .. conf_minion:: always_verify_signature
 
 ``always_verify_signature``

doc/topics/tutorials/autoaccept_grains.rst

@@ -0,0 +1,42 @@
+.. _tutorial-autoaccept-grains:
+
+==============================
+Autoaccept minions from Grains
+==============================
+
+To automatically accept minions based on certain characteristics, e.g. the ``uuid``
+you can specify certain grain values on the salt master. Minions with matching grains
+will have their keys automatically accepted.
+
+1. Configure the autosign_grains_dir in the master config file:
+
+.. code-block:: yaml
+
+    autosign_grains_dir: /etc/salt/autosign_grains
+
+
+2. Configure the grain values to be accepted
+
+Place a file named like the grain in the autosign_grains_dir and write the values that
+should be accepted automatically inside that file. For example to automatically
+accept minions based on their ``uuid`` create a file named ``/etc/salt/autosign_grains/uuid``:
+
+.. code-block:: none
+
+    8f7d68e2-30c5-40c6-b84a-df7e978a03ee
+    1d3c5473-1fbc-479e-b0c7-877705a0730f
+
+The master is now setup to accept minions with either of the two specified uuids.
+Multiple values must always be written into separate lines.
+Lines starting with a ``#`` are ignored.
+
+
+3. Configure the minion to send the specific grains to the master in the minion config file:
+
+.. code-block:: yaml
+
+    autosign_grains:
+      - uuid
+
+Now you should be able to start salt-minion and run ``salt-call
+state.apply`` or any other salt commands that require master authentication.

doc/topics/tutorials/index.rst

@@ -35,3 +35,4 @@ Tutorials Index
 * :ref:`Multi-cloud orchestration with Apache Libcloud <tutorial-libcloud>`
 * :ref:`Running Salt States and Commands in Docker Containers <docker-sls>`
 * :ref:`Preseed Minion with Accepted Key <tutorial-preseed-key>`
+* :ref:`Autoaccept Minions from Grains <tutorial-autoaccept-grains>`