Salt: Blackout mode
1 Minion Blackout Configuration
Salt has supported minion blackouts since version 2016.3.0, and the mode is described in the Salt documentation. When a minion is in blackout mode, all remote execution commands are disabled. This allows production minions to be put "on hold", eliminating the risk of an untimely configuration change. Salt also supports an explicit whitelist of additional functions that are allowed during blackout. The whitelist is configured with the special pillar key minion_blackout_whitelist, which takes a list:
minion_blackout_whitelist:
- test.ping
- pillar.get
2 Modern Minion Blackout Configuration
Since that pull request was merged, blackout mode can also be configured in grains on the minion side. That means we can configure a minion (/etc/salt/minion) this way:
file_client: local
use_master_when_local: True
minion_blackout: True
minion_blackout_whitelist:
- state.apply
With this configuration, the minion only allows the master to call state.apply, and that command searches for state files locally on that minion. Before that patch, commands listed in minion_blackout_whitelist in a pillar could override minion_blackout_whitelist in grains.
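
The blackout decision described above can be modeled to check which calls a given pillar and grains combination lets through. This is an added example, not Salt's own code and not from the original page: blackout_decision, audit and the sample data are constructed names and values. It assumes every source that is in blackout must whitelist the function by itself, and that saltutil.refresh_pillar is always allowed, as Salt's documentation states.

```python
# Simplified model of the minion blackout check (assumption: not Salt's source code).
# Salt's documentation states that saltutil.refresh_pillar stays allowed during
# blackout, so that a pillar-driven blackout can be lifted again.
ALWAYS_ALLOWED = {"saltutil.refresh_pillar"}


def _blocks(source, fun):
    """True if this source (pillar or grains dict) is in blackout and rejects fun."""
    if not source.get("minion_blackout", False):
        return False
    whitelist = source.get("minion_blackout_whitelist") or []
    # Exact string match in this model: whitelisting state.apply does not
    # cover state.highstate or state.sls.
    return fun not in ALWAYS_ALLOWED and fun not in whitelist


def blackout_decision(fun, pillar, grains):
    """Return (allowed, blocking_sources) for one remote execution function."""
    blocking = [name for name, src in (("pillar", pillar), ("grains", grains))
                if _blocks(src, fun)]
    return (not blocking, blocking)


def audit(funs, pillar, grains):
    """Map each function name to its blackout decision."""
    return {fun: blackout_decision(fun, pillar, grains) for fun in funs}


# Constructed sample data mirroring the two configurations shown on this page.
PILLAR = {"minion_blackout": True,
          "minion_blackout_whitelist": ["test.ping", "pillar.get"]}
GRAINS = {"minion_blackout": True,
          "minion_blackout_whitelist": ["state.apply"]}

if __name__ == "__main__":
    calls = ["state.apply", "state.highstate", "test.ping", "cmd.run",
             "saltutil.refresh_pillar"]
    for label, pillar in (("grains only", {}), ("pillar + grains", PILLAR)):
        print(label)
        for fun, (ok, why) in audit(calls, pillar, GRAINS).items():
            verdict = "allowed" if ok else "blocked by " + ", ".join(why)
            print(f"  {fun:26} {verdict}")
```

In this model, a function whitelisted only in the pillar is still rejected while the grains blackout is active, which is the behaviour the patch is described as enforcing.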