Merge pull request #560 from hashicorp/refactor-lease-ttl

Refactor Lease names internally for logical consistency
2025-08-25 08:31:09 +02:00 · 2015-08-20 23:30:31 -07:00 · 2015-08-20 23:30:31 -07:00 · 654a9797fe
commit 654a9797fe
parent 8281965d7c e7f2a54720
28 changed files with 145 additions and 153 deletions
--- a/audit/hashstructure_test.go
+++ b/audit/hashstructure_test.go
@ -14,8 +14,8 @@ func TestCopy_auth(t *testing.T) {
 	// Make a non-pointer one so that it can't be modified directly
 	expected := logical.Auth{
 		LeaseOptions: logical.LeaseOptions{
-			Lease:      1 * time.Hour,
+			TTL:       1 * time.Hour,
-			LeaseIssue: time.Now().UTC(),
+			IssueTime: time.Now().UTC(),
 		},
 		ClientToken: "foo",
@ -121,16 +121,16 @@ func TestHash(t *testing.T) {
 		{
 			&logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
-					Lease:      1 * time.Hour,
+					TTL:       1 * time.Hour,
-					LeaseIssue: now,
+					IssueTime: now,
 				},
 				ClientToken: "foo",
 			},
 			&logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
-					Lease:      1 * time.Hour,
+					TTL:       1 * time.Hour,
-					LeaseIssue: now,
+					IssueTime: now,
 				},
 				ClientToken: "sha1:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33",
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@ -64,7 +64,7 @@ func testAccStepLogin(t *testing.T, connState tls.ConnectionState) logicaltest.T
 		Unauthenticated: true,
 		ConnState:       &connState,
 		Check: func(resp *logical.Response) error {
-			if resp.Auth.Lease != 1000*time.Second {
+			if resp.Auth.TTL != 1000*time.Second {
 				t.Fatalf("bad lease length: %#v", resp.Auth)
 			}
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@ -129,7 +129,7 @@ func (b *backend) pathCertWrite(
 		Certificate: certificate,
 		DisplayName: displayName,
 		Policies:    policies,
-		Lease:       leaseDur,
+		TTL:         leaseDur,
 	})
 	if err != nil {
 		return nil, err
@ -145,7 +145,7 @@ type CertEntry struct {
 	Certificate string
 	DisplayName string
 	Policies    []string
-	Lease       time.Duration
+	TTL         time.Duration
 }
 const pathCertHelpSyn = `
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@ -66,7 +66,7 @@ func (b *backend) pathLogin(
 			},
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
-				Lease:     matched.Entry.Lease,
+				TTL:       matched.Entry.TTL,
 			},
 		},
 	}
@ -187,5 +187,5 @@ func (b *backend) pathLoginRenew(
 		return nil, nil
 	}
-	return framework.LeaseExtend(cert.Lease, 0, false)(req, d)
+	return framework.LeaseExtend(cert.TTL, 0, false)(req, d)
 }
--- a/builtin/logical/cassandra/path_creds_create.go
+++ b/builtin/logical/cassandra/path_creds_create.go
@ -77,8 +77,8 @@ func (b *backend) pathCredsCreateRead(
 		"username": username,
 		"role":     name,
 	})
-	resp.Secret.Lease = role.Lease
+	resp.Secret.TTL = role.Lease
-	resp.Secret.LeaseGracePeriod = role.LeaseGracePeriod
+	resp.Secret.GracePeriod = role.LeaseGracePeriod
 	return resp, nil
 }
--- a/builtin/logical/mysql/path_role_create.go
+++ b/builtin/logical/mysql/path_role_create.go
@ -101,7 +101,7 @@ func (b *backend) pathRoleCreateRead(
 	}, map[string]interface{}{
 		"username": username,
 	})
-	resp.Secret.Lease = lease.Lease
+	resp.Secret.TTL = lease.Lease
 	return resp, nil
 }
--- a/builtin/logical/pki/path_issue.go
+++ b/builtin/logical/pki/path_issue.go
@ -177,7 +177,7 @@ func (b *backend) pathIssueCert(
 			"serial_number": cb.SerialNumber,
 		})
-	resp.Secret.Lease = lease
+	resp.Secret.TTL = lease
 	err = req.Storage.Put(&logical.StorageEntry{
 		Key:   "certs/" + cb.SerialNumber,
--- a/builtin/logical/postgresql/path_role_create.go
+++ b/builtin/logical/postgresql/path_role_create.go
@ -105,7 +105,7 @@ func (b *backend) pathRoleCreateRead(
 	}, map[string]interface{}{
 		"username": username,
 	})
-	resp.Secret.Lease = lease.Lease
+	resp.Secret.TTL = lease.Lease
 	return resp, nil
 }
--- a/builtin/logical/ssh/path_creds_create.go
+++ b/builtin/logical/ssh/path_creds_create.go
@ -155,14 +155,14 @@ func (b *backend) pathCredsCreateWrite(
 	// If the lease information is set, update it in secret.
 	if lease != nil {
-		result.Secret.Lease = lease.Lease
+		result.Secret.TTL = lease.Lease
-		result.Secret.LeaseGracePeriod = lease.LeaseMax
+		result.Secret.GracePeriod = lease.LeaseMax
 	}
 	// If lease information is not set, set it to 10 minutes.
 	if lease == nil {
-		result.Secret.Lease = 10 * time.Minute
+		result.Secret.TTL = 10 * time.Minute
-		result.Secret.LeaseGracePeriod = 2 * time.Minute
+		result.Secret.GracePeriod = 2 * time.Minute
 	}
 	return result, nil
@ -257,7 +257,7 @@ Creates a credential for establishing SSH connection with the remote host.
 const pathCredsCreateHelpDesc = `
 This path will generate a new key for establishing SSH session with
 target host. The key can either be a long lived dynamic key or a One
-Time Password (OTP), using 'key_type' parameter being 'dynamic' or 
+Time Password (OTP), using 'key_type' parameter being 'dynamic' or
 'otp' respectively. For dynamic keys, a named key should be supplied.
 Create named key using the 'keys/' endpoint, and this represents the
 shared SSH key of target host. If this backend is mounted at 'ssh',
--- a/http/logical.go
+++ b/http/logical.go
@ -101,7 +101,7 @@ func respondLogical(w http.ResponseWriter, r *http.Request, path string, dataOnl
 		if resp.Secret != nil {
 			logicalResp.LeaseID = resp.Secret.LeaseID
 			logicalResp.Renewable = resp.Secret.Renewable
-			logicalResp.LeaseDuration = int(resp.Secret.Lease.Seconds())
+			logicalResp.LeaseDuration = int(resp.Secret.TTL.Seconds())
 		}
 		// If we have authentication information, then set the cookie
@ -129,7 +129,7 @@ func respondLogical(w http.ResponseWriter, r *http.Request, path string, dataOnl
 				ClientToken:   resp.Auth.ClientToken,
 				Policies:      resp.Auth.Policies,
 				Metadata:      resp.Auth.Metadata,
-				LeaseDuration: int(resp.Auth.Lease.Seconds()),
+				LeaseDuration: int(resp.Auth.TTL.Seconds()),
 				Renewable:     resp.Auth.Renewable,
 			}
 		}
--- a/logical/framework/backend_test.go
+++ b/logical/framework/backend_test.go
@ -105,7 +105,6 @@ func TestBackendHandleRequest_badwrite(t *testing.T) {
 		Path:      "foo/bar",
 		Data:      map[string]interface{}{"value": "3false3"},
 	})
 	if err == nil {
 		t.Fatalf("should have thrown a conversion error")
@ -259,8 +258,8 @@ func TestBackendHandleRequest_renewExtend(t *testing.T) {
 	}
 	req := logical.RenewRequest("/foo", secret.Response(nil, nil).Secret, nil)
-	req.Secret.LeaseIssue = time.Now().UTC()
+	req.Secret.IssueTime = time.Now().UTC()
-	req.Secret.LeaseIncrement = 1 * time.Hour
+	req.Secret.Increment = 1 * time.Hour
 	resp, err := b.HandleRequest(req)
 	if err != nil {
 		t.Fatalf("err: %s", err)
@ -269,8 +268,8 @@ func TestBackendHandleRequest_renewExtend(t *testing.T) {
 		t.Fatal("should have secret")
 	}
-	if resp.Secret.Lease < 60*time.Minute || resp.Secret.Lease > 70*time.Minute {
+	if resp.Secret.TTL < 60*time.Minute || resp.Secret.TTL > 70*time.Minute {
-		t.Fatalf("bad: %s", resp.Secret.Lease)
+		t.Fatalf("bad: %s", resp.Secret.TTL)
 	}
 }
--- a/logical/framework/lease.go
+++ b/logical/framework/lease.go
@ -20,26 +20,26 @@ import (
 // lease duration.
 func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc {
 	return func(req *logical.Request, data *FieldData) (*logical.Response, error) {
-		lease := detectLease(req)
+		leaseOpts := detectLease(req)
-		if lease == nil {
+		if leaseOpts == nil {
 			return nil, fmt.Errorf("no lease options for request")
 		}
 		// Check if we should limit max
 		if maxFromLease {
-			max = lease.Lease
+			max = leaseOpts.TTL
 		}
 		// Sanity check the desired increment
 		switch {
 		// Protect against negative leases
-		case lease.LeaseIncrement < 0:
+		case leaseOpts.Increment < 0:
 			return logical.ErrorResponse(
 				"increment must be greater than 0"), logical.ErrInvalidRequest
-		// If no lease increment, or too large of an increment, use the max
+			// If no lease increment, or too large of an increment, use the max
-		case max > 0 && lease.LeaseIncrement == 0, max > 0 && lease.LeaseIncrement > max:
+		case max > 0 && leaseOpts.Increment == 0, max > 0 && leaseOpts.Increment > max:
-			lease.LeaseIncrement = max
+			leaseOpts.Increment = max
 		}
 		// Get the current time
@ -48,7 +48,7 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc
 		// Check if we're passed the issue limit
 		var maxSessionTime time.Time
 		if maxSession > 0 {
-			maxSessionTime = lease.LeaseIssue.Add(maxSession)
+			maxSessionTime = leaseOpts.IssueTime.Add(maxSession)
 			if maxSessionTime.Before(now) {
 				return logical.ErrorResponse(fmt.Sprintf(
 					"lease can only be renewed up to %s past original issue",
@ -56,9 +56,9 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc
 			}
 		}
-		// The new lease is the minimum of the requested LeaseIncrement
+		// The new lease is the minimum of the requested Increment
 		// or the maxSessionTime
-		requestedLease := now.Add(lease.LeaseIncrement)
+		requestedLease := now.Add(leaseOpts.Increment)
 		if !maxSessionTime.IsZero() && requestedLease.After(maxSessionTime) {
 			requestedLease = maxSessionTime
 		}
@ -67,7 +67,8 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc
 		newLeaseDuration := requestedLease.Sub(now)
 		// Set the lease
-		lease.Lease = newLeaseDuration
+		leaseOpts.TTL = newLeaseDuration
 		return &logical.Response{Auth: req.Auth, Secret: req.Secret}, nil
 	}
 }
--- a/logical/framework/lease_test.go
+++ b/logical/framework/lease_test.go
@ -75,9 +75,9 @@ func TestLeaseExtend(t *testing.T) {
 		req := &logical.Request{
 			Auth: &logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
-					Lease:          1 * time.Hour,
+					TTL:       1 * time.Hour,
-					LeaseIssue:     now,
+					IssueTime: now,
-					LeaseIncrement: tc.Request,
+					Increment: tc.Request,
 				},
 			},
 		}
@ -92,7 +92,7 @@ func TestLeaseExtend(t *testing.T) {
 		}
 		// Round it to the nearest hour
-		lease := now.Add(resp.Auth.Lease).Round(time.Hour).Sub(now)
+		lease := now.Add(resp.Auth.TTL).Round(time.Hour).Sub(now)
 		if lease != tc.Result {
 			t.Fatalf("bad: %s\nlease: %s", name, lease)
 		}
--- a/logical/framework/secret.go
+++ b/logical/framework/secret.go
@ -51,9 +51,9 @@ func (s *Secret) Response(
 	return &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease:            s.DefaultDuration,
+				TTL:         s.DefaultDuration,
-				LeaseGracePeriod: s.DefaultGracePeriod,
+				GracePeriod: s.DefaultGracePeriod,
-				Renewable:        s.Renewable(),
+				Renewable:   s.Renewable(),
 			},
 			InternalData: internalData,
 		},
--- a/logical/lease.go
+++ b/logical/lease.go
@ -7,41 +7,40 @@ import "time"
 type LeaseOptions struct {
 	// Lease is the duration that this secret is valid for. Vault
 	// will automatically revoke it after the duration + grace period.
-	Lease            time.Duration `json:"lease,omitempty"`
+	TTL         time.Duration `json:"lease"`
-	TTL              time.Duration `json:"ttl,omitempty"`
+	GracePeriod time.Duration `json:"lease_grace_period"`
 	LeaseGracePeriod time.Duration `json:"lease_grace_period"`
 	// Renewable, if true, means that this secret can be renewed.
 	Renewable bool `json:"renewable"`
-	// LeaseIncrement will be the lease increment that the user requested.
+	// Increment will be the lease increment that the user requested.
 	// This is only available on a Renew operation and has no effect
 	// when returning a response.
-	LeaseIncrement time.Duration `json:"-"`
+	Increment time.Duration `json:"-"`
-	// LeaseIssue is the time of issue for the original lease. This is
+	// IssueTime is the time of issue for the original lease. This is
 	// only available on a Renew operation and has no effect when returning
 	// a response. It can be used to enforce maximum lease periods by
 	// a logical backend. This time will always be in UTC.
-	LeaseIssue time.Time `json:"-"`
+	IssueTime time.Time `json:"-"`
 }
 // LeaseEnabled checks if leasing is enabled
 func (l *LeaseOptions) LeaseEnabled() bool {
-	return l.Lease > 0
+	return l.TTL > 0
 }
 // LeaseTotal is the total lease time including the grace period
 func (l *LeaseOptions) LeaseTotal() time.Duration {
-	if l.Lease <= 0 {
+	if l.TTL <= 0 {
 		return 0
 	}
-	if l.LeaseGracePeriod < 0 {
+	if l.GracePeriod < 0 {
-		return l.Lease
+		return l.TTL
 	}
-	return l.Lease + l.LeaseGracePeriod
+	return l.TTL + l.GracePeriod
 }
 // ExpirationTime computes the time until expiration including the grace period
--- a/logical/lease_test.go
+++ b/logical/lease_test.go
@ -7,10 +7,10 @@ import (
 func TestLeaseOptionsLeaseTotal(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = 1 * time.Hour
+	l.TTL = 1 * time.Hour
 	actual := l.LeaseTotal()
-	expected := l.Lease
+	expected := l.TTL
 	if actual != expected {
 		t.Fatalf("bad: %s", actual)
 	}
@ -18,11 +18,11 @@ func TestLeaseOptionsLeaseTotal(t *testing.T) {
 func TestLeaseOptionsLeaseTotal_grace(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = 1 * time.Hour
+	l.TTL = 1 * time.Hour
-	l.LeaseGracePeriod = 30 * time.Minute
+	l.GracePeriod = 30 * time.Minute
 	actual := l.LeaseTotal()
-	expected := l.Lease + l.LeaseGracePeriod
+	expected := l.TTL + l.GracePeriod
 	if actual != expected {
 		t.Fatalf("bad: %s", actual)
 	}
@ -30,8 +30,8 @@ func TestLeaseOptionsLeaseTotal_grace(t *testing.T) {
 func TestLeaseOptionsLeaseTotal_negLease(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = -1 * 1 * time.Hour
+	l.TTL = -1 * 1 * time.Hour
-	l.LeaseGracePeriod = 30 * time.Minute
+	l.GracePeriod = 30 * time.Minute
 	actual := l.LeaseTotal()
 	expected := time.Duration(0)
@ -42,11 +42,11 @@ func TestLeaseOptionsLeaseTotal_negLease(t *testing.T) {
 func TestLeaseOptionsLeaseTotal_negGrace(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = 1 * time.Hour
+	l.TTL = 1 * time.Hour
-	l.LeaseGracePeriod = -1 * 30 * time.Minute
+	l.GracePeriod = -1 * 30 * time.Minute
 	actual := l.LeaseTotal()
-	expected := l.Lease
+	expected := l.TTL
 	if actual != expected {
 		t.Fatalf("bad: %s", actual)
 	}
@ -54,7 +54,7 @@ func TestLeaseOptionsLeaseTotal_negGrace(t *testing.T) {
 func TestLeaseOptionsExpirationTime(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = 1 * time.Hour
+	l.TTL = 1 * time.Hour
 	limit := time.Now().UTC().Add(time.Hour)
 	exp := l.ExpirationTime()
@ -65,8 +65,8 @@ func TestLeaseOptionsExpirationTime(t *testing.T) {
 func TestLeaseOptionsExpirationTime_grace(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = 1 * time.Hour
+	l.TTL = 1 * time.Hour
-	l.LeaseGracePeriod = 30 * time.Minute
+	l.GracePeriod = 30 * time.Minute
 	limit := time.Now().UTC().Add(time.Hour + 30*time.Minute)
 	actual := l.ExpirationTime()
@ -77,8 +77,8 @@ func TestLeaseOptionsExpirationTime_grace(t *testing.T) {
 func TestLeaseOptionsExpirationTime_graceNegative(t *testing.T) {
 	var l LeaseOptions
-	l.Lease = 1 * time.Hour
+	l.TTL = 1 * time.Hour
-	l.LeaseGracePeriod = -1 * 30 * time.Minute
+	l.GracePeriod = -1 * 30 * time.Minute
 	limit := time.Now().UTC().Add(time.Hour)
 	actual := l.ExpirationTime()
--- a/logical/secret.go
+++ b/logical/secret.go
@ -18,11 +18,11 @@ type Secret struct {
 }
 func (s *Secret) Validate() error {
-	if s.Lease < 0 {
+	if s.TTL < 0 {
-		return fmt.Errorf("lease duration must not be less than zero")
+		return fmt.Errorf("ttl duration must not be less than zero")
 	}
-	if s.LeaseGracePeriod < 0 {
+	if s.GracePeriod < 0 {
-		return fmt.Errorf("lease grace period must not be less than zero")
+		return fmt.Errorf("grace period must not be less than zero")
 	}
 	return nil
--- a/vault/audit_test.go
+++ b/vault/audit_test.go
@ -8,9 +8,10 @@ import (
 	"testing"
 	"time"
 	"errors"
 	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/logical"
 	"errors"
 )
 type NoopAudit struct {
@ -261,7 +262,7 @@ func TestAuditBroker_LogResponse(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: 1 * time.Hour,
+				TTL: 1 * time.Hour,
 			},
 		},
 		Data: map[string]interface{}{
--- a/vault/core.go
+++ b/vault/core.go
@ -452,13 +452,13 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
 	// We exclude renewal of a lease, since it does not need to be re-registered
 	if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew/") {
 		// Apply the default lease if none given
-		if resp.Secret.Lease == 0 {
+		if resp.Secret.TTL == 0 {
-			resp.Secret.Lease = c.defaultLeaseDuration
+			resp.Secret.TTL = c.defaultLeaseDuration
 		}
 		// Limit the lease duration
-		if resp.Secret.Lease > c.maxLeaseDuration {
+		if resp.Secret.TTL > c.maxLeaseDuration {
-			resp.Secret.Lease = c.maxLeaseDuration
+			resp.Secret.TTL = c.maxLeaseDuration
 		}
 		// Register the lease
@ -484,13 +484,13 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
 		}
 		// Set the default lease if non-provided, root tokens are exempt
-		if resp.Auth.Lease == 0 && !strListContains(resp.Auth.Policies, "root") {
+		if resp.Auth.TTL == 0 && !strListContains(resp.Auth.Policies, "root") {
-			resp.Auth.Lease = c.defaultLeaseDuration
+			resp.Auth.TTL = c.defaultLeaseDuration
 		}
 		// Limit the lease duration
-		if resp.Auth.Lease > c.maxLeaseDuration {
+		if resp.Auth.TTL > c.maxLeaseDuration {
-			resp.Auth.Lease = c.maxLeaseDuration
+			resp.Auth.TTL = c.maxLeaseDuration
 		}
 		// Register with the expiration manager
@ -556,13 +556,13 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log
 		resp.Auth.ClientToken = te.ID
 		// Set the default lease if non-provided, root tokens are exempt
-		if auth.Lease == 0 && !strListContains(auth.Policies, "root") {
+		if auth.TTL == 0 && !strListContains(auth.Policies, "root") {
-			auth.Lease = c.defaultLeaseDuration
+			auth.TTL = c.defaultLeaseDuration
 		}
 		// Limit the lease duration
-		if resp.Auth.Lease > c.maxLeaseDuration {
+		if resp.Auth.TTL > c.maxLeaseDuration {
-			resp.Auth.Lease = c.maxLeaseDuration
+			resp.Auth.TTL = c.maxLeaseDuration
 		}
 		// Register with the expiration manager
--- a/vault/core_test.go
+++ b/vault/core_test.go
@ -401,7 +401,7 @@ func TestCore_HandleRequest_Lease(t *testing.T) {
 	if resp == nil || resp.Secret == nil || resp.Data == nil {
 		t.Fatalf("bad: %#v", resp)
 	}
-	if resp.Secret.Lease != time.Hour {
+	if resp.Secret.TTL != time.Hour {
 		t.Fatalf("bad: %#v", resp.Secret)
 	}
 	if resp.Secret.LeaseID == "" {
@ -442,7 +442,7 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) {
 	if resp == nil || resp.Secret == nil || resp.Data == nil {
 		t.Fatalf("bad: %#v", resp)
 	}
-	if resp.Secret.Lease != c.maxLeaseDuration {
+	if resp.Secret.TTL != c.maxLeaseDuration {
 		t.Fatalf("bad: %#v", resp.Secret)
 	}
 	if resp.Secret.LeaseID == "" {
@ -483,7 +483,7 @@ func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) {
 	if resp == nil || resp.Secret == nil || resp.Data == nil {
 		t.Fatalf("bad: %#v", resp)
 	}
-	if resp.Secret.Lease != c.defaultLeaseDuration {
+	if resp.Secret.TTL != c.defaultLeaseDuration {
 		t.Fatalf("bad: %#v", resp.Secret)
 	}
 	if resp.Secret.LeaseID == "" {
@ -829,7 +829,7 @@ func TestCore_HandleLogin_Token(t *testing.T) {
 	}
 	// Check that we have a lease with default duration
-	if lresp.Auth.Lease != c.defaultLeaseDuration {
+	if lresp.Auth.TTL != c.defaultLeaseDuration {
 		t.Fatalf("bad: %#v", lresp.Auth)
 	}
 }
@ -904,7 +904,7 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) {
 		Response: &logical.Response{
 			Auth: &logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
-					Lease: time.Hour,
+					TTL: time.Hour,
 				},
 				Policies: []string{"foo", "bar"},
 				Metadata: map[string]string{
@ -1016,7 +1016,7 @@ func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) {
 	}
 	// Check that we have a lease with default duration
-	if resp.Auth.Lease != c.defaultLeaseDuration {
+	if resp.Auth.TTL != c.defaultLeaseDuration {
 		t.Fatalf("bad: %#v", resp.Auth)
 	}
 }
--- a/vault/expiration.go
+++ b/vault/expiration.go
@ -337,7 +337,7 @@ func (m *ExpirationManager) RenewToken(source string, token string,
 	// Attach the ClientToken
 	resp.Auth.ClientToken = token
-	resp.Auth.LeaseIncrement = 0
+	resp.Auth.Increment = 0
 	// Update the lease entry
 	le.Auth = resp.Auth
@ -492,8 +492,8 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
 // renewEntry is used to attempt renew of an internal entry
 func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
 	secret := *le.Secret
-	secret.LeaseIssue = le.IssueTime
+	secret.IssueTime = le.IssueTime
-	secret.LeaseIncrement = increment
+	secret.Increment = increment
 	secret.LeaseID = ""
 	req := logical.RenewRequest(le.Path, &secret, le.Data)
@ -507,8 +507,8 @@ func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration)
 // renewAuthEntry is used to attempt renew of an auth entry
 func (m *ExpirationManager) renewAuthEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
 	auth := *le.Auth
-	auth.LeaseIssue = le.IssueTime
+	auth.IssueTime = le.IssueTime
-	auth.LeaseIncrement = increment
+	auth.Increment = increment
 	auth.ClientToken = ""
 	req := logical.RenewAuthRequest(le.Path, &auth, nil)
--- a/vault/expiration_test.go
+++ b/vault/expiration_test.go
@ -37,7 +37,7 @@ func TestExpiration_Restore(t *testing.T) {
 		resp := &logical.Response{
 			Secret: &logical.Secret{
 				LeaseOptions: logical.LeaseOptions{
-					Lease: 20 * time.Millisecond,
+					TTL: 20 * time.Millisecond,
 				},
 			},
 			Data: map[string]interface{}{
@ -92,7 +92,7 @@ func TestExpiration_Register(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Hour,
+				TTL: time.Hour,
 			},
 		},
 		Data: map[string]interface{}{
@ -125,7 +125,7 @@ func TestExpiration_RegisterAuth(t *testing.T) {
 	auth := &logical.Auth{
 		ClientToken: root.ID,
 		LeaseOptions: logical.LeaseOptions{
-			Lease: time.Hour,
+			TTL: time.Hour,
 		},
 	}
@ -184,7 +184,7 @@ func TestExpiration_Revoke(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Hour,
+				TTL: time.Hour,
 			},
 		},
 		Data: map[string]interface{}{
@ -222,7 +222,7 @@ func TestExpiration_RevokeOnExpire(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: 20 * time.Millisecond,
+				TTL: 20 * time.Millisecond,
 			},
 		},
 		Data: map[string]interface{}{
@ -277,7 +277,7 @@ func TestExpiration_RevokePrefix(t *testing.T) {
 		resp := &logical.Response{
 			Secret: &logical.Secret{
 				LeaseOptions: logical.LeaseOptions{
-					Lease: 20 * time.Millisecond,
+					TTL: 20 * time.Millisecond,
 				},
 			},
 			Data: map[string]interface{}{
@ -338,7 +338,7 @@ func TestExpiration_RevokeByToken(t *testing.T) {
 		resp := &logical.Response{
 			Secret: &logical.Secret{
 				LeaseOptions: logical.LeaseOptions{
-					Lease: 20 * time.Millisecond,
+					TTL: 20 * time.Millisecond,
 				},
 			},
 			Data: map[string]interface{}{
@ -389,7 +389,7 @@ func TestExpiration_RenewToken(t *testing.T) {
 	auth := &logical.Auth{
 		ClientToken: root.ID,
 		LeaseOptions: logical.LeaseOptions{
-			Lease:     time.Hour,
+			TTL:       time.Hour,
 			Renewable: true,
 		},
 	}
@ -420,7 +420,7 @@ func TestExpiration_RenewToken_NotRenewable(t *testing.T) {
 	auth := &logical.Auth{
 		ClientToken: root.ID,
 		LeaseOptions: logical.LeaseOptions{
-			Lease:     time.Hour,
+			TTL:       time.Hour,
 			Renewable: false,
 		},
 	}
@ -450,7 +450,7 @@ func TestExpiration_Renew(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease:     20 * time.Millisecond,
+				TTL:       20 * time.Millisecond,
 				Renewable: true,
 			},
 		},
@ -468,7 +468,7 @@ func TestExpiration_Renew(t *testing.T) {
 	noop.Response = &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: 20 * time.Millisecond,
+				TTL: 20 * time.Millisecond,
 			},
 		},
 		Data: map[string]interface{}{
@ -512,7 +512,7 @@ func TestExpiration_Renew_NotRenewable(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease:     20 * time.Millisecond,
+				TTL:       20 * time.Millisecond,
 				Renewable: false,
 			},
 		},
@ -554,7 +554,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease:     20 * time.Millisecond,
+				TTL:       20 * time.Millisecond,
 				Renewable: true,
 			},
 		},
@ -572,7 +572,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
 	noop.Response = &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: 20 * time.Millisecond,
+				TTL: 20 * time.Millisecond,
 			},
 		},
 		Data: map[string]interface{}{
@ -623,7 +623,7 @@ func TestExpiration_revokeEntry(t *testing.T) {
 		},
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Minute,
+				TTL: time.Minute,
 			},
 		},
 		IssueTime:  time.Now(),
@ -662,7 +662,7 @@ func TestExpiration_revokeEntry_token(t *testing.T) {
 		Auth: &logical.Auth{
 			ClientToken: root.ID,
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Minute,
+				TTL: time.Minute,
 			},
 		},
 		Path:       "foo/bar",
@ -692,7 +692,7 @@ func TestExpiration_renewEntry(t *testing.T) {
 			Secret: &logical.Secret{
 				LeaseOptions: logical.LeaseOptions{
 					Renewable: true,
-					Lease:     time.Hour,
+					TTL:       time.Hour,
 				},
 			},
 			Data: map[string]interface{}{
@ -712,7 +712,7 @@ func TestExpiration_renewEntry(t *testing.T) {
 		},
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Minute,
+				TTL: time.Minute,
 			},
 		},
 		IssueTime:  time.Now(),
@ -741,10 +741,10 @@ func TestExpiration_renewEntry(t *testing.T) {
 	if !reflect.DeepEqual(req.Data, le.Data) {
 		t.Fatalf("Bad: %v", req)
 	}
-	if req.Secret.LeaseIncrement != time.Second {
+	if req.Secret.Increment != time.Second {
 		t.Fatalf("Bad: %v", req)
 	}
-	if req.Secret.LeaseIssue.IsZero() {
+	if req.Secret.IssueTime.IsZero() {
 		t.Fatalf("Bad: %v", req)
 	}
 }
@ -757,7 +757,7 @@ func TestExpiration_renewAuthEntry(t *testing.T) {
 			Auth: &logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
 					Renewable: true,
-					Lease:     time.Hour,
+					TTL:       time.Hour,
 				},
 			},
 		},
@ -772,7 +772,7 @@ func TestExpiration_renewAuthEntry(t *testing.T) {
 		Auth: &logical.Auth{
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
-				Lease:     time.Minute,
+				TTL:       time.Minute,
 			},
 			InternalData: map[string]interface{}{
 				"MySecret": "secret",
@ -801,10 +801,10 @@ func TestExpiration_renewAuthEntry(t *testing.T) {
 	if req.Path != "login" {
 		t.Fatalf("Bad: %v", req)
 	}
-	if req.Auth.LeaseIncrement != time.Second {
+	if req.Auth.Increment != time.Second {
 		t.Fatalf("Bad: %v", req)
 	}
-	if req.Auth.LeaseIssue.IsZero() {
+	if req.Auth.IssueTime.IsZero() {
 		t.Fatalf("Bad: %v", req)
 	}
 	if req.Auth.InternalData["MySecret"] != "secret" {
@ -822,7 +822,7 @@ func TestExpiration_PersistLoadDelete(t *testing.T) {
 		},
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Minute,
+				TTL: time.Minute,
 			},
 		},
 		IssueTime:  time.Now().UTC(),
@ -863,7 +863,7 @@ func TestLeaseEntry(t *testing.T) {
 		},
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Minute,
+				TTL: time.Minute,
 			},
 		},
 		IssueTime:  time.Now().UTC(),
--- a/vault/logical_passthrough.go
+++ b/vault/logical_passthrough.go
@ -93,21 +93,15 @@ func (b *PassthroughBackend) handleRead(
 	resp := b.Secret("generic").Response(rawData, nil)
 	resp.Secret.Renewable = false
-	// Check if there is a lease key
+	// Check if there is a ttl key
-	leaseVal, ok := rawData["lease"].(string)
+	var ttl string
-	if ok {
+	ttl, _ = rawData["lease"].(string)
-		leaseDuration, err := time.ParseDuration(leaseVal)
+	if len(ttl) == 0 {
-		if err == nil {
+		ttl, _ = rawData["ttl"].(string)
 			resp.Secret.Renewable = true
 			resp.Secret.Lease = leaseDuration
 			resp.Secret.TTL = leaseDuration
 		}
 	}
-	// Check if there is a ttl key
+	if len(ttl) != 0 {
-	ttlVal, ok := rawData["ttl"].(string)
+		ttlDuration, err := time.ParseDuration(ttl)
 	if ok {
 		ttlDuration, err := time.ParseDuration(ttlVal)
 		if err == nil {
 			resp.Secret.Renewable = true
 			resp.Secret.TTL = ttlDuration
--- a/vault/logical_passthrough_test.go
+++ b/vault/logical_passthrough_test.go
@ -61,7 +61,6 @@ func TestPassthroughBackend_Read_Lease(t *testing.T) {
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
 				Lease:     time.Hour,
 				TTL:       time.Hour,
 			},
 		},
--- a/vault/mount_test.go
+++ b/vault/mount_test.go
@ -139,7 +139,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Hour,
+				TTL: time.Hour,
 			},
 		},
 		Data: map[string]interface{}{
@ -256,7 +256,7 @@ func TestCore_Remount_Cleanup(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: time.Hour,
+				TTL: time.Hour,
 			},
 		},
 		Data: map[string]interface{}{
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -554,9 +554,9 @@ func (ts *TokenStore) handleCreate(
 			Policies:    te.Policies,
 			Metadata:    te.Meta,
 			LeaseOptions: logical.LeaseOptions{
-				Lease:            leaseDuration,
+				TTL:         leaseDuration,
-				LeaseGracePeriod: leaseDuration / 10,
+				GracePeriod: leaseDuration / 10,
-				Renewable:        leaseDuration > 0,
+				Renewable:   leaseDuration > 0,
 			},
 			ClientToken: te.ID,
 		},
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -235,7 +235,7 @@ func TestTokenStore_Revoke_Leases(t *testing.T) {
 	resp := &logical.Response{
 		Secret: &logical.Secret{
 			LeaseOptions: logical.LeaseOptions{
-				Lease: 20 * time.Millisecond,
+				TTL: 20 * time.Millisecond,
 			},
 		},
 		Data: map[string]interface{}{
@ -633,7 +633,7 @@ func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) {
 	if resp.Auth.ClientToken == "" {
 		t.Fatalf("bad: %#v", resp)
 	}
-	if resp.Auth.Lease != time.Hour {
+	if resp.Auth.TTL != time.Hour {
 		t.Fatalf("bad: %#v", resp)
 	}
 	if !resp.Auth.Renewable {
@ -743,7 +743,7 @@ func TestTokenStore_HandleRequest_RevokePrefix(t *testing.T) {
 	auth := &logical.Auth{
 		ClientToken: root.ID,
 		LeaseOptions: logical.LeaseOptions{
-			Lease: time.Hour,
+			TTL: time.Hour,
 		},
 	}
 	err = exp.RegisterAuth("auth/github/login", auth)
@ -808,7 +808,7 @@ func TestTokenStore_HandleRequest_Renew(t *testing.T) {
 	auth := &logical.Auth{
 		ClientToken: root.ID,
 		LeaseOptions: logical.LeaseOptions{
-			Lease:     time.Hour,
+			TTL:       time.Hour,
 			Renewable: true,
 		},
 	}
--- a/website/source/docs/secrets/generic/index.html.md
+++ b/website/source/docs/secrets/generic/index.html.md
@ -32,8 +32,7 @@ Also note that setting `ttl` does not actually expire the data; it is
 informational only.
 N.B.: Prior to version 0.3, the `ttl` parameter was called `lease`. Both will
-work for 0.3, but in 0.4 `lease` will be removed. When providing a `lease` value
+work for 0.3, but in 0.4 `lease` will be removed.
 in 0.3, both `lease` and `ttl` will be returned with the same data.
 As an example, we can write a new key "foo" to the generic backend
 mounted at "secret/" by default: