jfrog / vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
https://jfrog.com
Apache License 2.0

Should DELETE artifactory/config/admin clean up all leased tokens? #87

Open TJM opened 1 year ago

TJM commented 1 year ago

If you DISABLE the plugin mount, Vault will try to clean up all the leased tokens.

However, if you vault delete artifactory/config/admin, we could potentially leave behind a bunch of leased (generated) tokens in Artifactory, which, by default, never expire.

Should the plugin be cleaning all of those up?

I am wondering, if we provide this "DELETE" endpoint, whether that means that we need to code in the cleanup?

alexhung commented 1 year ago

On first read, this makes sense. I'm trying to think through if there are other scenarios in which deleting any tokens in Artifactory is undesirable.

TJM commented 1 year ago

Right, I am not sure if it is even possible to do. I am not sure if we should even provide the endpoint. We should probably look at other plugins?

🤷

TJM commented 1 year ago

I think that any token it creates should be cleaned up before deleting the admin config; there could maybe be an option to not do that?