Change default TTL from 30 to 32 to accommodate monthly operations (#1942)

2025-10-30 18:17:55 +00:00 · 2016-09-28 18:32:49 -04:00
parent d178d1d26d
commit c748ff322f
32 changed files with 50 additions and 50 deletions
--- a/api/sys_mounts_test.go
+++ b/api/sys_mounts_test.go
@@ -37,13 +37,13 @@ func TestSysMountConfig(t *testing.T) {
 		t.Fatal(err)
 	}

-	expectedDefaultTTL := 2592000
+	expectedDefaultTTL := 2764800
 	if mountConfig.DefaultLeaseTTL != expectedDefaultTTL {
 		t.Fatalf("Expected default lease TTL: %d, got %d",
 			expectedDefaultTTL, mountConfig.DefaultLeaseTTL)
 	}

-	expectedMaxTTL := 2592000
+	expectedMaxTTL := 2764800
 	if mountConfig.MaxLeaseTTL != expectedMaxTTL {
 		t.Fatalf("Expected default lease TTL: %d, got %d",
 			expectedMaxTTL, mountConfig.MaxLeaseTTL)
--- a/builtin/credential/app-id/backend_test.go
+++ b/builtin/credential/app-id/backend_test.go
@@ -162,7 +162,7 @@ func testAccStepMapUserIdCidr(t *testing.T, cidr string) logicaltest.TestStep {

 func testAccLogin(t *testing.T, display string) logicaltest.TestStep {
 	checkTTL := func(resp *logical.Response) error {
-		if resp.Auth.LeaseOptions.TTL.String() != "720h0m0s" {
+		if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
 			return fmt.Errorf("invalid TTL")
 		}
 		return nil
@@ -186,7 +186,7 @@ func testAccLogin(t *testing.T, display string) logicaltest.TestStep {

 func testAccLoginAppIDInPath(t *testing.T, display string) logicaltest.TestStep {
 	checkTTL := func(resp *logical.Response) error {
-		if resp.Auth.LeaseOptions.TTL.String() != "720h0m0s" {
+		if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
 			return fmt.Errorf("invalid TTL")
 		}
 		return nil
--- a/builtin/credential/cert/test-fixtures/generate.txt
+++ b/builtin/credential/cert/test-fixtures/generate.txt
@@ -9,7 +9,7 @@ backend "inmem" {
 }
 disable_mlock = true
 default_lease_ttl = "700h"
-max_lease_ttl = "720h"
+max_lease_ttl = "768h"
 listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "./cacert.pem"
--- a/builtin/credential/github/backend_test.go
+++ b/builtin/credential/github/backend_test.go
@@ -92,7 +92,7 @@ func testConfigWrite(t *testing.T, d map[string]interface{}) logicaltest.TestSte

 func TestBackend_basic(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -29,7 +29,7 @@ import (
 */
 func factory(t *testing.T) logical.Backend {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -38,7 +38,7 @@ var (
 // Uses the RSA CA key
 func TestBackend_RSAKey(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -68,7 +68,7 @@ func TestBackend_RSAKey(t *testing.T) {
 // Uses the EC CA key
 func TestBackend_ECKey(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -96,7 +96,7 @@ func TestBackend_ECKey(t *testing.T) {

 func TestBackend_CSRValues(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -124,7 +124,7 @@ func TestBackend_CSRValues(t *testing.T) {

 func TestBackend_URLsCRUD(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -155,7 +155,7 @@ func TestBackend_URLsCRUD(t *testing.T) {
 // Uses the RSA CA key
 func TestBackend_RSARoles(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -197,7 +197,7 @@ func TestBackend_RSARoles(t *testing.T) {
 // Uses the RSA CA key
 func TestBackend_RSARoles_CSR(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -239,7 +239,7 @@ func TestBackend_RSARoles_CSR(t *testing.T) {
 // Uses the EC CA key
 func TestBackend_ECRoles(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -281,7 +281,7 @@ func TestBackend_ECRoles(t *testing.T) {
 // Uses the EC CA key
 func TestBackend_ECRoles_CSR(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
--- a/command/rekey_test.go
+++ b/command/rekey_test.go
@@ -174,7 +174,7 @@ func TestRekey_init_pgp(t *testing.T) {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	sysBackend := vault.NewSystemBackend(core, bc)
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -62,8 +62,8 @@ func DevConfig(ha bool) *Config {

 		Telemetry: &Telemetry{},

-		MaxLeaseTTL:     30 * 24 * time.Hour,
-		DefaultLeaseTTL: 30 * 24 * time.Hour,
+		MaxLeaseTTL:     32 * 24 * time.Hour,
+		DefaultLeaseTTL: 32 * 24 * time.Hour,
 	}

 	if ha {
--- a/http/logical_test.go
+++ b/http/logical_test.go
@@ -38,7 +38,7 @@ func TestLogical(t *testing.T) {
 	var nilWarnings interface{}
 	expected := map[string]interface{}{
 		"renewable":      false,
-		"lease_duration": json.Number(strconv.Itoa(int((30 * 24 * time.Hour) / time.Second))),
+		"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
 		"data": map[string]interface{}{
 			"data": "bar",
 		},
--- a/vault/core_test.go
+++ b/vault/core_test.go
@@ -878,7 +878,7 @@ func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) {
 		Path:         "auth/token/create",
 		DisplayName:  "token",
 		CreationTime: te.CreationTime,
-		TTL:          time.Hour * 24 * 30,
+		TTL:          time.Hour * 24 * 32,
 	}
 	if !reflect.DeepEqual(te, expect) {
 		t.Fatalf("Bad: %#v expect: %#v", te, expect)
@@ -923,7 +923,7 @@ func TestCore_HandleRequest_CreateToken_NoDefaultPolicy(t *testing.T) {
 		Path:         "auth/token/create",
 		DisplayName:  "token",
 		CreationTime: te.CreationTime,
-		TTL:          time.Hour * 24 * 30,
+		TTL:          time.Hour * 24 * 32,
 	}
 	if !reflect.DeepEqual(te, expect) {
 		t.Fatalf("Bad: %#v expect: %#v", te, expect)
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -37,7 +37,7 @@ const (
 	minRevokeDelay = 5 * time.Second

 	// maxLeaseDuration is the default maximum lease duration
-	maxLeaseTTL = 30 * 24 * time.Hour
+	maxLeaseTTL = 32 * 24 * time.Hour

 	// defaultLeaseDuration is the default lease duration used when no lease is specified
 	defaultLeaseTTL = maxLeaseTTL
--- a/vault/logical_cubbyhole_test.go
+++ b/vault/logical_cubbyhole_test.go
@@ -267,7 +267,7 @@ func testCubbyholeBackend() logical.Backend {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	})
 	return b
--- a/vault/logical_passthrough_test.go
+++ b/vault/logical_passthrough_test.go
@@ -190,7 +190,7 @@ func testPassthroughBackend() logical.Backend {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	})
 	return b
@@ -201,7 +201,7 @@ func testPassthroughLeasedBackend() logical.Backend {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	})
 	return b
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -506,7 +506,7 @@ func TestSystemBackend_revokePrefixAuth(t *testing.T) {
 		Logger: core.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	b := NewSystemBackend(core, bc)
@@ -1035,7 +1035,7 @@ func testSystemBackend(t *testing.T) logical.Backend {
 		Logger: c.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	return NewSystemBackend(c, bc)
@@ -1047,7 +1047,7 @@ func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend, string) {
 		Logger: c.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	return c, NewSystemBackend(c, bc), root
--- a/vault/router_test.go
+++ b/vault/router_test.go
@@ -49,7 +49,7 @@ func (n *NoopBackend) SpecialPaths() *logical.Paths {
 func (n *NoopBackend) System() logical.SystemView {
 	return logical.StaticSystemView{
 		DefaultLeaseTTLVal: time.Hour * 24,
-		MaxLeaseTTLVal:     time.Hour * 24 * 30,
+		MaxLeaseTTLVal:     time.Hour * 24 * 32,
 	}
 }

--- a/vault/testing.go
+++ b/vault/testing.go
@@ -369,7 +369,7 @@ func (n *rawHTTP) SpecialPaths() *logical.Paths {
 func (n *rawHTTP) System() logical.SystemView {
 	return logical.StaticSystemView{
 		DefaultLeaseTTLVal: time.Hour * 24,
-		MaxLeaseTTLVal:     time.Hour * 24 * 30,
+		MaxLeaseTTLVal:     time.Hour * 24 * 32,
 	}
 }

--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -183,7 +183,7 @@ func getBackendConfig(c *Core) *logical.BackendConfig {
 		Logger: c.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 }
--- a/website/source/docs/auth/cert.html.md
+++ b/website/source/docs/auth/cert.html.md
@@ -175,7 +175,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
        "display_name": "test",
        "policies": "",
-        "ttl": 2592000
+        "ttl": 2764800
      },
      "warnings": null,
      "auth": null
--- a/website/source/docs/auth/token.html.md
+++ b/website/source/docs/auth/token.html.md
@@ -318,7 +318,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
      "lease_duration": 0,
      "data": {
        "creation_time": 1457533232,
-        "creation_ttl": 2592000,
+        "creation_ttl": 2764800,
        "display_name": "token",
        "id": "",
        "meta": null,
--- a/website/source/docs/commands/read-write.html.md
+++ b/website/source/docs/commands/read-write.html.md
@@ -103,7 +103,7 @@ Data can be read using `vault read`. This command is very simple:
 $ vault read secret/password
 Key             Value
 lease_id        secret/password/76c844fb-aeba-a766-0a50-2b907072233a
-lease_duration  2592000
+lease_duration  2764800
 value           itsasecret
 ```

--- a/website/source/docs/concepts/tokens.html.md
+++ b/website/source/docs/concepts/tokens.html.md
@@ -146,7 +146,7 @@ compared to the maximum TTL. This maximum TTL value is dynamically generated
 and can change from renewal to renewal, so the value cannot be displayed when a
 token's information is looked up. It is based on a combination of factors:

-1. The system max TTL, which is 30 days but can be changed in Vault's
+1. The system max TTL, which is 32 days but can be changed in Vault's
   configuration file
 2. The max TTL set on a mount using [mount
   tuning](https://www.vaultproject.io/docs/http/sys-mounts.html). This value
--- a/website/source/docs/config/index.html.md
+++ b/website/source/docs/config/index.html.md
@@ -66,12 +66,12 @@ sending a SIGHUP to the server process. These are denoted below.
  (see below).

 * `default_lease_ttl` (optional) - Configures the default lease duration
-  for tokens and secrets. This is a string value using a suffix, e.g. "720h".
-  Default value is 30 days. This value cannot be larger than `max_lease_ttl`.
+  for tokens and secrets. This is a string value using a suffix, e.g. "768h".
+  Default value is 32 days. This value cannot be larger than `max_lease_ttl`.

 * `max_lease_ttl` (optional) - Configures the maximum possible
  lease duration for tokens and secrets. This is a string value using a suffix,
-  e.g. "720h". Default value is 30 days.
+  e.g. "768h". Default value is 32 days.

 In production it is a risk to run Vault on systems where `mlock` is
 unavailable or the setting has been disabled via the `disable_mlock`.
--- a/website/source/docs/secrets/cubbyhole/index.html.md
+++ b/website/source/docs/secrets/cubbyhole/index.html.md
@@ -159,7 +159,7 @@ As expected, the value previously set is returned to us.
    "data": {
      "keys": ["foo", "foo/"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
--- a/website/source/docs/secrets/generic/index.html.md
+++ b/website/source/docs/secrets/generic/index.html.md
@@ -98,7 +98,7 @@ seconds (one hour) as specified.
    "data": {
      "foo": "bar"
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
@@ -142,7 +142,7 @@ seconds (one hour) as specified.
    "data": {
      "keys": ["foo", "foo/"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
--- a/website/source/docs/secrets/mssql/index.html.md
+++ b/website/source/docs/secrets/mssql/index.html.md
@@ -299,7 +299,7 @@ allowed to read.
    "data": {
      "keys": ["dev", "prod"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
--- a/website/source/docs/secrets/mysql/index.html.md
+++ b/website/source/docs/secrets/mysql/index.html.md
@@ -346,7 +346,7 @@ the default on versions prior to that.
    "data": {
      "keys": ["dev", "prod"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
--- a/website/source/docs/secrets/pki/index.html.md
+++ b/website/source/docs/secrets/pki/index.html.md
@@ -1304,7 +1304,7 @@ subpath for interactive help output.
    "data": {
      "keys": ["dev", "prod"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
--- a/website/source/docs/secrets/postgresql/index.html.md
+++ b/website/source/docs/secrets/postgresql/index.html.md
@@ -317,7 +317,7 @@ subpath for interactive help output.
    "data": {
      "keys": ["dev", "prod"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
--- a/website/source/docs/secrets/ssh/index.html.md
+++ b/website/source/docs/secrets/ssh/index.html.md
@@ -536,7 +536,7 @@ username@<IP of remote host>:~$
    "data": {
      "keys": ["dev", "prod"]
    },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
    "lease_id": "",
    "renewable": false
  }
@@ -728,7 +728,7 @@ username@<IP of remote host>:~$
 {
  "lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
  "renewable": false,
-  "lease_duration": 2592000,
+  "lease_duration": 2764800,
  "data": {
            "ip": "127.0.0.1",
            "key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",
--- a/website/source/intro/getting-started/acl.html.md
+++ b/website/source/intro/getting-started/acl.html.md
@@ -80,7 +80,7 @@ $ vault token-create -policy="secret"
 Key            	Value
 token           d97ef000-48cf-45d9-1907-3ea6ce298a29
 token_accessor  71770cc5-14da-f0af-c6ce-17a0ae398d67
-token_duration  2592000
+token_duration  2764800
 token_renewable true
 token_policies  [default secret]

--- a/website/source/intro/getting-started/apis.html.md
+++ b/website/source/intro/getting-started/apis.html.md
@@ -189,7 +189,7 @@ This should return a response like this:
 {
  "lease_id": "secret/foo/cc529d06-36c8-be27-31f5-2390e1f6e2ae",
  "renewable": false,
-  "lease_duration": 2592000,
+  "lease_duration": 2764800,
  "data": {
    "bar": "baz"
  },
--- a/website/source/intro/getting-started/first-secret.html.md
+++ b/website/source/intro/getting-started/first-secret.html.md
@@ -63,7 +63,7 @@ As you might expect, secrets can be read with `vault read`:
 ```
 $ vault read secret/hello
 Key             Value
-lease_duration  2592000
+lease_duration  2764800
 excited         yes
 value           world
 ```