Hi,
I've looked through the code for this plugin to see if I could see a way to limit the TTL of the kerberos login session token, but don't think it's currently possible. The use-case for a custom TTL is that I'm going to run a short-lived script on a regular basis, and I know I only need the login token to be valid for a minute, but I don't think there's a way to request this? By default the kerberos token is valid for 32d, so will consume vault/consul resources for far longer than is necessary.
I know I can manually revoke my session token when the script is done, but I think it would still be useful to create a deliberately short-lived ticket so as to not leave any unnecessary tokens in vault in case the script crashes or is killed.
Also, I note that the session token returned is valid for the system max ttl. Should this be constrained to be valid for no longer than the kerberos ticket is valid for (either the current ticket expiry time, or if possible to determine, the maximum TGT renewable lifetime)? Is there enough information in the presented service ticket to determine this?
Thanks,
Ben
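As an added illustration of the constraint proposed above (this is editorial example code, not from the issue author or from the plugin), the function below computes the TTL a Vault token should receive when it is issued from a Kerberos service ticket: never longer than the ticket's remaining validity, never longer than the mount's maximum TTL, and never longer than an explicit caller request. The service ticket does carry the needed information: the EncTicketPart that the service decrypts with its keytab contains `endtime` and `renew-till` (RFC 4120 §5.3). The function name, the treatment of a zero `requested` value as "no request", and the clock-skew allowance are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrTicketExpired is returned when the ticket's endtime (less the skew
// allowance) is already in the past: no token should be issued at all.
var ErrTicketExpired = errors.New("kerberos ticket has already expired")

// ErrBadTTL is returned for a negative requested TTL.
var ErrBadTTL = errors.New("requested ttl must not be negative")

// BoundedTokenTTL returns the TTL a Vault token should get when issued from a
// Kerberos service ticket whose decrypted EncTicketPart ends at ticketEnd.
//
//   - remaining ticket lifetime is the hard upper bound (assumption: this
//     example uses endtime, not renew-till, as the bound);
//   - mountMax, if > 0, caps it further (the mount's max lease TTL);
//   - requested, if > 0, caps it further (a caller asking for a short token);
//   - clockSkew is subtracted from the remaining lifetime so the token cannot
//     outlive the ticket when KDC and Vault clocks disagree (assumption).
func BoundedTokenTTL(ticketEnd, now time.Time, requested, mountMax, clockSkew time.Duration) (time.Duration, error) {
	if requested < 0 {
		return 0, ErrBadTTL
	}
	remaining := ticketEnd.Sub(now) - clockSkew
	if remaining <= 0 {
		return 0, ErrTicketExpired
	}
	ttl := remaining
	if mountMax > 0 && mountMax < ttl {
		ttl = mountMax
	}
	if requested > 0 && requested < ttl {
		ttl = requested
	}
	return ttl, nil
}

func main() {
	// Constructed sample values: an 8-hour service ticket and the 32-day
	// (768h) mount maximum mentioned in the issue.
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ticketEnd := now.Add(8 * time.Hour)
	mountMax := 768 * time.Hour
	skew := 5 * time.Minute

	cases := []struct {
		name      string
		requested time.Duration
	}{
		{"no explicit request", 0},
		{"one-minute script", time.Minute},
		{"asks for more than the ticket", 48 * time.Hour},
	}
	for _, c := range cases {
		ttl, err := BoundedTokenTTL(ticketEnd, now, c.requested, mountMax, skew)
		fmt.Printf("%-30s -> ttl=%v err=%v\n", c.name, ttl, err)
	}

	// An already-expired ticket must be refused, not given a 32-day token.
	_, err := BoundedTokenTTL(now.Add(-time.Minute), now, 0, mountMax, skew)
	fmt.Println("expired ticket                 ->", err)
}
```

Independently of any plugin change, the mount-level cap `vault auth tune -max-lease-ttl=<duration> <mount-path>` (for example `kerberos/`) bounds every token the mount issues, which is the simplest way to stop a crashed script from leaving a 32-day token behind; the ticket-lifetime bound above is the tighter, per-login constraint the issue asks about.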