Add additional endpoints, remove non-protected endpoints (#20669) (#20765)

* Add additional endpoints, remove non-protected endpoints

* Add step-down per engineering

* Match HTTP verb to individual doc pages

* Add /sys/internal/inspect/router to table

* Apply additional suggestions

* Updates based on engineering feedback

* Adding unsaved changes

Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
yhyakuna and jonathanfrappier authored May 24, 2023
1 parent 14d6fb5 commit ee93c26
Showing 1 changed file with 42 additions and 0 deletions.
42 changes: 42 additions & 0 deletions website/content/docs/concepts/policies.mdx
@@ -741,6 +741,48 @@ If the provided information is correct, Vault will generate a token, assign the
list of configured policies to the token, and return that token to the
authenticated user.

## Root protected API endpoints

~> **Note:** Vault treats the HTTP POST and PUT verbs as equivalent, so for each mention
of POST in the table above, PUT may also be used. Vault uses the non-standard LIST HTTP
verb, but also allows list requests to be made using the GET verb along with `?list=true`
as a query parameter, so for each mention of LIST in the table above, GET with `?list=true`
may also be used.

The following paths requires a root token or `sudo` capability in the policy:

| Path | HTTP verb | Description |
| -------------------------------------------------------------------------------------------------------------------------------------------------------| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| [auth/token/accessors](/vault/api-docs/auth/token#list-accessors) | LIST | List token accessors for all current Vault service tokens |
| [auth/token/create](/vault/api-docs/auth/token#create-token) | POST | Create a periodic or an orphan token (`period` or `no_parent`) option |
| [pki/root](/vault/api-docs/secret/pki#delete-all-issuers-and-keys) | DELETE | Delete the current CA key ([pki secrets engine](/vault/docs/secrets/pki)) |
| [pki/root/sign-self-issued](/vault/api-docs/secret/pki#sign-self-issued) | POST | Use the configured CA certificate to sign a self-issued certificate ([pki secrets engine](/vault/docs/secrets/pki)) |
| [sys/audit](/vault/api-docs/system/audit) | GET | List enabled audit devices |
| [sys/audit/:path](/vault/api-docs/system/audit) | POST, DELETE | Enable or remove an audit device |
| [sys/auth/:path](/vault/api-docs/system/auth) | GET, POST, DELETE | Manage the auth methods (enable, read, and delete) |
| [sys/auth/:path/tune](/vault/api-docs/system/auth#tune-auth-method) | GET, POST | Manage the auth methods (enable, read, delete, and tune) |
| [sys/config/auditing/request-headers](/vault/api-docs/system/config-auditing) | GET | List the request headers that are configured to be audited |
| [sys/config/auditing/request-headers/:name](/vault/api-docs/system/config-auditing) | GET, POST, DELETE | Manage the auditing headers (create, update, read and delete) |
| [sys/config/cors](/vault/api-docs/system/config-cors) | GET, POST, DELETE | Configure CORS setting |
| [sys/config/ui/headers](/vault/api-docs/system/config-ui) | GET, LIST | Configure the UI settings |
| [sys/config/ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure custom HTTP headers to be served with the UI |
| [sys/internal/inspect/router/:tag](/vault/api-docs/system/inspect/router) | GET | Inspect the internal components of Vault's router. `tag` must be one of root, uuid, accessor, or storage |
| [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs |
| [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | POST | Revoke all secrets or tokens ignoring backend errors |
| [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | POST | Revoke all secrets generated under a given prefix |
| [sys/plugins/catalog/:type/:name](/vault/api-docs/system/plugins-catalog#register-plugin) | GET, POST, DELETE | Register a new plugin, or read/remove an existing plugin |
| [sys/raw:path](/vault/api-docs/system/raw) | GET, POST, DELETE | Used to access the raw underlying store in Vault |
| [sys/raw:prefix](/vault/api-docs/system/raw#list-raw) | GET, LIST | Returns a list keys for a given path prefix |
| [sys/remount](/vault/api-docs/system/remount) | POST | Moves an already-mounted backend to a new mount point |
| [sys/replication/reindex](/vault/api-docs/system/replication#reindex-replication) | POST | Reindex the local data storage |
| [sys/replication/performance/primary/secondary-token](/vault/api-docs/system/replication/replication-performance#generate-performance-secondary-token) | POST | Generate a performance secondary activation token |
| [sys/replication/dr/primary/secondary-token](/vault/api-docs/system/replication/replication-dr#generate-dr-secondary-token) | POST | Generate a DR secondary activation token |
| [sys/rotate](/vault/api-docs/system/rotate) | POST | Trigger a rotation of the backend encryption key |
| [sys/seal](/vault/api-docs/system/seal) | POST | Seals the Vault |
| [sys/step-down](/vault/api-docs/system/step-down) | POST | Forces a node to give up active status |
| [sys/storage/raft/snapshot-auto/config](/vault/api-docs/system/storage/raftautosnapshots#list-automated-snapshots-configs) | LIST | Lists named configurations |
| [sys/storage/raft/snapshot-auto/config/:name](/vault/api-docs/system/storage/raftautosnapshots) | GET, POST, DELETE | Creates or updates a named configuration |

### Tokens

Tokens have two sets of policies: identity policies, which are computed
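
Review bot: The note under the new "Root protected API endpoints" heading refers twice to "the table above", but the table follows the note; change both to "the table below" or move the note beneath the table. The sentence introducing the table should read "The following paths require" rather than "requires". In the table, `sys/raw:path` and `sys/raw:prefix` lack the `/` before the parameter that the other parameterised rows use (compare `sys/audit/:path`), and "Returns a list keys" is missing "of". Several descriptions do not match the verbs listed beside them: `sys/auth/:path/tune` lists GET, POST but says "enable, read, delete, and tune", which looks copied from the `sys/auth/:path` row; `sys/config/ui/headers` lists only GET, LIST but says "Configure the UI settings"; and `sys/storage/raft/snapshot-auto/config/:name` lists GET, POST, DELETE but describes only "Creates or updates". Since readers will write `sudo` policies from this table, each description should state exactly what the listed verbs do.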