Docs guidance secrets, avoid grains storage

doc/_incl/grains_passwords.rst

@@ -0,0 +1,6 @@
+.. warning::
+
+   Grains can be set by users that have access to the minion configuration files on
+   the local system, making them less secure than other identifiers in Salt. Avoid
+   storing sensitive data, such as passwords or keys, on minions. Instead, make
+   use of :ref:`pillar` and/or :ref:`sdb`.

doc/faq.rst

@@ -456,6 +456,8 @@ state could be done the same way as for the Salt minion described :ref:`above
 Is Targeting using Grain Data Secure?
 -------------------------------------
 
+.. include:: _incl/grains_passwords.rst
+
 Because grains can be set by users that have access to the minion configuration
 files on the local system, grains are considered less secure than other
 identifiers in Salt. Use caution when targeting sensitive operations or setting

doc/topics/best_practices.rst

@@ -22,6 +22,7 @@ General rules
 5. Don't use grains for matching in your pillar top file for any sensitive
    pillars.
 
+   .. include:: ../_incl/grains_passwords.rst
 
 Structuring States and Formulas
 -------------------------------

doc/topics/grains/index.rst

@@ -125,6 +125,8 @@ For this example to work, you would need to have defined the grain
 Writing Grains
 ==============
 
+.. include:: ../../_incl/grains_passwords.rst
+
 The grains are derived by executing all of the "public" functions (i.e. those
 which do not begin with an underscore) found in the modules located in the
 Salt's core grains code, followed by those in any custom grains modules. The

doc/topics/hardening.rst

@@ -50,6 +50,8 @@ General hardening tips
 Salt hardening tips
 ===================
 
+.. include:: ../_incl/grains_passwords.rst
+
 - Subscribe to `salt-users`_ or `salt-announce`_ so you know when new Salt
   releases are available.
 - Keep your systems up-to-date with the latest patches.