Add config option for allowing users to set the expiry of eauth tokens

conf/master

@@ -321,6 +321,9 @@
 #
 # Time (in seconds) for a newly generated token to live. Default: 12 hours
 #token_expire: 43200
+#
+# Allow eauth users to specify the expiry time of the tokens they generate.
+#token_expire_user_override: False
 
 # Allow minions to push files to the master. This is disabled by default, for
 # security purposes.

doc/ref/configuration/master.rst

@@ -874,6 +874,12 @@ Default: 12 hours
 
     token_expire: 43200
 
+.. conf_master:: token_expire_user_override
+
+Default: ``False``
+
+Allow eauth users to specify the expiry time of the tokens they generate.
+
 .. conf_master:: file_recv
 
 ``file_recv``

salt/auth/__init__.py

@@ -154,7 +154,12 @@ class LoadAuth(object):
         fcall = salt.utils.format_call(self.auth[fstr],
                                        load,
                                        expected_extra_kws=AUTH_INTERNAL_KEYWORDS)
-        token_expire = load.pop('token_expire', self.opts['token_expire'])
+
+        if self.opts.get('token_expire_user_override', False):
+            token_expire = load.pop('token_expire', self.opts['token_expire'])
+        else:
+            token_expire = self.opts['token_expire']
+
         tdata = {'start': time.time(),
                  'expire': time.time() + token_expire,
                  'name': fcall['args'][0],

salt/config/__init__.py

@@ -571,6 +571,7 @@ VALID_OPTS = {
     'sudo_acl': bool,
     'external_auth': dict,
     'token_expire': int,
+    'token_expire_user_override': bool,
     'file_recv': bool,
     'file_recv_max_size': int,
     'file_ignore_regex': (list, string_types),
@@ -1179,6 +1180,7 @@ DEFAULT_MASTER_OPTS = {
     'sudo_acl': False,
     'external_auth': {},
     'token_expire': 43200,
+    'token_expire_user_override': False,
     'extension_modules': os.path.join(salt.syspaths.CACHE_DIR, 'master', 'extmods'),
     'file_recv': False,
     'file_recv_max_size': 100,