From fbe4fa81d54b5ecd31becc2a563082670e2cfb69 Mon Sep 17 00:00:00 2001 From: Benedikt Werner <1benediktwerner@gmail.com> Date: Tue, 10 Oct 2017 02:36:54 +0200 Subject: [PATCH] Added docs for autoaccepting grains --- conf/master | 6 +++- conf/minion | 6 ++++ conf/suse/master | 6 +++- doc/ref/configuration/master.rst | 24 +++++++++++++ doc/ref/configuration/minion.rst | 19 ++++++++++ doc/topics/tutorials/autoaccept_grains.rst | 42 ++++++++++++++++++++++ doc/topics/tutorials/index.rst | 1 + 7 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 doc/topics/tutorials/autoaccept_grains.rst diff --git a/conf/master b/conf/master index a2c7888989f..50aba9f03b6 100644 --- a/conf/master +++ b/conf/master @@ -345,6 +345,11 @@ # the autosign_file and the auto_accept setting. #autoreject_file: /etc/salt/autoreject.conf +# If the autosign_grains_dir is specified, incoming keys from minons with grain +# values matching those defined in files in this directory will be accepted +# automatically. This is insecure. Minions need to be configured to send the grains. +#autosign_grains_dir: /etc/salt/autosign_grains + # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to # your pki_dir. To make the access explicit, root must belong to the group @@ -1274,4 +1279,3 @@ # use OS defaults, typically 75 seconds on Linux, see # /proc/sys/net/ipv4/tcp_keepalive_intvl. #tcp_keepalive_intvl: -1 - diff --git a/conf/minion b/conf/minion index d6ccf7f72e9..c83c2d65d56 100644 --- a/conf/minion +++ b/conf/minion @@ -666,6 +666,12 @@ # certfile: # ssl_version: PROTOCOL_TLSv1_2 +# Grains to be sent to the master on authentication to check if the minion's key +# will be accepted automatically. Needs to be configured on the master. +#autosign_grains: +# - uuid +# - server_id + ###### Reactor Settings ##### ########################################### 
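Review bot: The added comment in conf/master (and the identical hunk in conf/suse/master) says `This is insecure.` without saying what is being trusted, and spells `minons`. The master.rst hunk in this same commit supplies the reason: trust rests only on the requesting minion, which reports the grain values itself. Suggest `# automatically. This is insecure: grain values are reported by the minion itself and are not verified, so any host that reaches the master and presents a listed value is accepted. Minions need to be configured to send the grains (see autosign_grains in the minion config).` It would also help to state the directory layout here, one file per grain name with one accepted value per line, as master.rst already does.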
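Review bot: The new conf/minion comment says `Needs to be configured on the master.` without naming the master option, so a reader of this file cannot tell which setting pairs with it. The conf/master hunk in this commit calls it `autosign_grains_dir`; suggest `# will be accepted automatically. Only used when autosign_grains_dir is set on the master.` The example values `uuid` and `server_id` are fine, but one sentence noting that the master only compares the reported values against its files and does not verify them would tell the operator how much to trust this path.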
diff --git a/conf/suse/master b/conf/suse/master index 2cf12fd9333..3a52ea0a4dc 100644 --- a/conf/suse/master +++ b/conf/suse/master @@ -319,6 +319,11 @@ syndic_user: salt # the autosign_file and the auto_accept setting. #autoreject_file: /etc/salt/autoreject.conf +# If the autosign_grains_dir is specified, incoming keys from minons with grain +# values matching those defined in files in this directory will be accepted +# automatically. This is insecure. Minions need to be configured to send the grains. +#autosign_grains_dir: /etc/salt/autosign_grains + # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to # your pki_dir. To make the access explicit, root must belong to the group @@ -1230,4 +1235,3 @@ syndic_user: salt # use OS defaults, typically 75 seconds on Linux, see # /proc/sys/net/ipv4/tcp_keepalive_intvl. #tcp_keepalive_intvl: -1 - diff --git a/doc/ref/configuration/master.rst b/doc/ref/configuration/master.rst index 21aac67e05b..05949b1cd2a 100644 --- a/doc/ref/configuration/master.rst +++ b/doc/ref/configuration/master.rst 
@@ -1292,6 +1292,30 @@ minion IDs for which keys will automatically be rejected. Will override both membership in the :conf_master:`autosign_file` and the :conf_master:`auto_accept` setting. +.. conf_master:: autosign_grains_dir + +``autosign_grains_dir`` +----------------- + +Default: ``not defined`` + +If the ``autosign_grains_dir`` is specified, incoming keys from minions with +grain values that match those defined in files in the autosign_grains_dir +will be accepted automatically. Grain values that should be accepted automatically +can be defined by creating a file named like the corresponding grain in the +autosign_grains_dir and writing the values into that file, one value per line. +Lines starting with a ``#`` will be ignored. +Minion must be configured to send the corresponding grains on authentication. +This should still be considered a less than secure option, due to the fact +that trust is based on just the requesting minion. + +Please see the :ref:`Autoaccept Minions from Grains ` +documentation for more infomation. + +.. code-block:: yaml + + autosign_grains_dir: /etc/salt/autosign_grains + .. conf_master:: permissive_pki_access ``permissive_pki_access`` diff --git a/doc/ref/configuration/minion.rst b/doc/ref/configuration/minion.rst index 695b956a63d..26b257ef671 100644 --- a/doc/ref/configuration/minion.rst +++ b/doc/ref/configuration/minion.rst @@ -2252,6 +2252,25 @@ minion's pki directory. master_sign_key_name: +.. conf_minion:: autosign_grains + +``autosign_grains`` +------------------------ + +Default: ``not defined`` + +The grains that should be sent to the master on authentication to decide if +the minion's key should be accepted automatically. + +Please see the :ref:`Autoaccept Minions from Grains ` +documentation for more infomation. + +.. code-block:: yaml + + autosign_grains: + - uuid + - server_id + .. conf_minion:: always_verify_signature ``always_verify_signature`` 
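Review bot: The heading underline for ``autosign_grains_dir`` in master.rst is shorter (17 dashes as shown) than the 23-character title, which docutils reports as "Title underline too short" and which fails a `sphinx-build -W` build; the `autosign_grains` heading in the minion.rst hunk on this same line is long enough. Make it `-----------------------` (23 dashes). In both files the reference `:ref:`Autoaccept Minions from Grains `` shows no target after the link text; if the `<tutorial-autoaccept-grains>` target is really absent rather than lost in this listing, the role will not resolve and should read `:ref:`Autoaccept Minions from Grains <tutorial-autoaccept-grains>``. Both files also spell `infomation`, and master.rst's `Minion must be configured` should be `Minions must be configured`.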
diff --git a/doc/topics/tutorials/autoaccept_grains.rst b/doc/topics/tutorials/autoaccept_grains.rst new file mode 100644 index 00000000000..fc87015cf18 --- /dev/null +++ b/doc/topics/tutorials/autoaccept_grains.rst @@ -0,0 +1,42 @@ +.. _tutorial-autoaccept-grains: + +============================== +Autoaccept minions from Grains +============================== + +To automatically accept minions based on certain characteristics, e.g. the ``uuid`` +you can specify certain grain values on the salt master. Minions with matching grains +will have their keys automatically accepted. + +1. Configure the autosign_grains_dir in the master config file: + +.. code-block:: yaml + + autosign_grains_dir: /etc/salt/autosign_grains + + +2. Configure the grain values to be accepted + +Place a file named like the grain in the autosign_grains_dir and write the values that +should be accepted automatically inside that file. For example to automatically +accept minions based on their ``uuid`` create a file named ``/etc/salt/autosign_grains/uuid``: + +.. code-block:: none + + 8f7d68e2-30c5-40c6-b84a-df7e978a03ee + 1d3c5473-1fbc-479e-b0c7-877705a0730f + +The master is now setup to accept minions with either of the two specified uuids. +Multiple values must always be written into separate lines. +Lines starting with a ``#`` are ignored. + + +3. Configure the minion to send the specific grains to the master in the minion config file: + +.. code-block:: yaml + + autosign_grains: + - uuid + +Now you should be able to start salt-minion and run ``salt-call +state.apply`` or any other salt commands that require master authentication. diff --git a/doc/topics/tutorials/index.rst b/doc/topics/tutorials/index.rst index 985edffaf10..7ff571f9450 100644 --- a/doc/topics/tutorials/index.rst +++ b/doc/topics/tutorials/index.rst 
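Review bot: The new tutorial never carries the caveat that the conf/master comment and master.rst attach to this feature, so a reader following it gets no hint that the master trusts grain values the minion reports about itself. Add a `.. warning::` admonition after the opening paragraph along the lines of `Grain values are reported by the connecting minion and are not verified by the master; any host that can reach the master and presents one of the listed values will have its key accepted automatically. Use this only where both the network and the source of the grain values are trusted.` Two markup points as well: the `.. code-block::` directives after items 1–3 sit at column 0, so each enumerated item ends before its example (indent them three spaces under the item text to keep them together), and the option names `autosign_grains_dir` and `autosign_grains` should be in double backticks like the other literals on the page. `The master is now setup` should read `set up`. The `:ref:` in the index.rst hunk on the next line shows the same empty target as the other files; if that is not a listing artifact it needs `<tutorial-autoaccept-grains>`.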
@@ -35,3 +35,4 @@ Tutorials Index * :ref:`Multi-cloud orchestration with Apache Libcloud ` * :ref:`Running Salt States and Commands in Docker Containers ` * :ref:`Preseed Minion with Accepted Key ` +* :ref:`Autoaccept Minions from Grains `