Allow whitelisting only certain users

conf/master

@@ -323,6 +323,15 @@
 #token_expire: 43200
 #
 # Allow eauth users to specify the expiry time of the tokens they generate.
+# A boolean applies to all users or a dictionary of whitelisted eauth backends
+# and usernames may be given.
+# token_expire_user_override:
+#   pam:
+#     - fred
+#     - tom
+#   ldap:
+#     - gary
+#
 #token_expire_user_override: False
 
 # Allow minions to push files to the master. This is disabled by default, for

doc/ref/configuration/master.rst

@@ -876,10 +876,25 @@ Default: 12 hours
 
 .. conf_master:: token_expire_user_override
 
+``token_expire_user_override``
+------------------------------
+
 Default: ``False``
 
 Allow eauth users to specify the expiry time of the tokens they generate.
 
+A boolean applies to all users or a dictionary of whitelisted eauth backends
+and usernames may be given:
+
+.. code-block:: yaml
+
+    token_expire_user_override:
+      pam:
+        - fred
+        - tom
+      ldap:
+        - gary
+
 .. conf_master:: file_recv
 
 ``file_recv``

salt/auth/__init__.py

@@ -18,6 +18,7 @@ from __future__ import absolute_import
 # Import python libs
 from __future__ import print_function
 import os
+import collections
 import hashlib
 import time
 import logging
@@ -137,6 +138,23 @@ class LoadAuth(object):
         except Exception:
             return None
 
+    def _allow_custom_expire(self, load):
+        '''
+        Return bool if requesting user is allowed to set custom expire
+        '''
+        expire_override = self.opts.get('token_expire_user_override', False)
+
+        if expire_override is True:
+            return True
+
+        if isinstance(expire_override, collections.Mapping):
+            expire_whitelist = expire_override.get(load['eauth'], [])
+            if isinstance(expire_whitelist, collections.Iterable):
+                if load.get('username') in expire_whitelist:
+                    return True
+
+        return False
+
     def mk_token(self, load):
         '''
         Run time_auth and create a token. Return False or the token
@@ -155,9 +173,10 @@ class LoadAuth(object):
                                        load,
                                        expected_extra_kws=AUTH_INTERNAL_KEYWORDS)
 
-        if self.opts.get('token_expire_user_override', False):
+        if self._allow_custom_expire(load):
             token_expire = load.pop('token_expire', self.opts['token_expire'])
         else:
+            _ = load.pop('token_expire', None)
             token_expire = self.opts['token_expire']
 
         tdata = {'start': time.time(),

salt/config/__init__.py

@@ -571,7 +571,7 @@ VALID_OPTS = {
     'sudo_acl': bool,
     'external_auth': dict,
     'token_expire': int,
-    'token_expire_user_override': bool,
+    'token_expire_user_override': (bool, dict),
     'file_recv': bool,
     'file_recv_max_size': int,
     'file_ignore_regex': (list, string_types),