documentation for redaction configuration on listeners #23568
Conversation
peteski22
added
docs
pr/no-changelog
hashicorp-contributed-pr
peteski22
force-pushed
the
docs/peteski22/VAULT-19863/listener-response-redaction
branch
from
bf8e762
to
8293f3c
Compare
| Please see [redaction settings](/vault/docs/configuration/listener#redaction-settings) | ||
| (below) for details on each redaction setting. |
There was a problem hiding this comment.
🤔 I wonder if it would make sense to provide the settings first so that the reader has further context prior to reading through the examples. What do you think?
There was a problem hiding this comment.
+1, it's generally a better idea to provide instruction before the examples. Examples without context don't necessarily help the reader. Especially if the first sentence encourages the reader to jump to those instructions anyway 😅
There was a problem hiding this comment.
😨 I missed this comment before I just hit merge! 😢 Lemme fix that.
peteski22
deleted the
docs/peteski22/VAULT-19863/listener-response-redaction
branch
| There are four different types of information deemed sensitive that can be returned | ||
| by unauthenticated API endpoints: | ||
|
|
||
| 1. Version number | ||
| 2. Build date | ||
| 3. Cluster name | ||
| 4. IP address |
There was a problem hiding this comment.
| There are four different types of information deemed sensitive that can be returned | |
| by unauthenticated API endpoints: | |
| 1. Version number | |
| 2. Build date | |
| 3. Cluster name | |
| 4. IP address | |
| Unauthenticated API endpoints may return the following sensitive | |
| information: | |
| 1. Version number | |
| 1. Build date | |
| 1. Cluster name | |
| 1. IP address |
Style correction: write in active voice
| There are four different types of information deemed sensitive that can be returned | ||
| by unauthenticated API endpoints: | ||
|
|
||
| 1. Version number |
There was a problem hiding this comment.
Can we elaborate on these items a bit? What does the information belong to? For example, the version and build date of what?
| - [TCP][tcp] | ||
| - [Unix Domain Socket][unix] | ||
|
|
||
| [tcp]: /vault/docs/configuration/listener/tcp | ||
| [unix]: /vault/docs/configuration/listener/unix | ||
|
|
||
| ## Unauthenticated endpoints - sensitive data redaction |
There was a problem hiding this comment.
| ## Unauthenticated endpoints - sensitive data redaction | |
| ## Sensitive data redaction for unauthenticated endpoints |
The key topic here seems to be about the sensitive data redaction, so lets lead with that in the heading
| Vault offers the ability to configure each `listener` stanza such that when appropriate, | ||
| these values will be redacted from responses. | ||
|
|
||
| The following API endpoints support redaction based on `listener` stanza configuration: |
There was a problem hiding this comment.
| Vault offers the ability to configure each `listener` stanza such that when appropriate, | |
| these values will be redacted from responses. | |
| The following API endpoints support redaction based on `listener` stanza configuration: | |
| You can protect sensitive information by configuring your `listener` | |
| stanzas to redact key values in responses for the following API | |
| endpoints: |
| When a value is redacted by Vault, it will be replaced with an empty string (`""`). | ||
|
|
||
| ~> Note: In certain situations, due to an empty string value, the related key may | ||
| no longer be present in the response object returned from the API, as that field is | ||
| omitted when the value is empty (`""`). | ||
|
|
||
| ~> Note: The Vault API is also consumed by the Vault CLI and UI, therefore enabling redaction | ||
| settings will also affect them both. |
There was a problem hiding this comment.
| When a value is redacted by Vault, it will be replaced with an empty string (`""`). | |
| ~> Note: In certain situations, due to an empty string value, the related key may | |
| no longer be present in the response object returned from the API, as that field is | |
| omitted when the value is empty (`""`). | |
| ~> Note: The Vault API is also consumed by the Vault CLI and UI, therefore enabling redaction | |
| settings will also affect them both. | |
| Vault replaces redacted information with an empty string (`""`). APIs that | |
| omit response parameters with empty values also suppress redacted values in | |
| response objects. | |
| <Note title="Redacting values affects all API responses"> | |
| The Vault CLI and UI consume Vault API responses. As a result, your redaction | |
| settings will apply to CLI and UI output in addition to direct API calls. | |
| </Note> |
Style correction: write in active voice, avoid back-to-back asides when possible
| The following options apply to both types of listener (see above), and can be configured | ||
| for each individual listener stanza. | ||
|
|
||
| Please see the [sensitive data redaction](/vault/docs/configuration/listener#unauthenticated-endpoints-sensitive-data-redaction) explanation above for further information. |
There was a problem hiding this comment.
Including this link here doesn't make sense as we're expecting folks to have already skimmed past those sections to get here. In general, we should avoid in-page links unless it's really needed from an accessibility or discoverability perspective.
| Please see the [sensitive data redaction](/vault/docs/configuration/listener#unauthenticated-endpoints-sensitive-data-redaction) explanation above for further information. |
| The following options apply to both types of listener (see above), and can be configured | ||
| for each individual listener stanza. |
There was a problem hiding this comment.
I'm not sure this sentence adds much as folks typically assume a parameter applies unless we say otherwise. Something like "Use the following parameters to configure redaction for your listeners" would be more appropriate.
There was a problem hiding this comment.
I know what you mean, but I was trying to add something that meant the common config options section could be extended later if we had settings that weren't for just redaction (e.g. disabling an endpoint via config here). 🤔
|
|
||
| ### Redaction settings | ||
|
|
||
| - `redact_addresses` `(bool: false)` - If enabled, will redact `leader_address` and `cluster_leader_address` values when applicable. |
There was a problem hiding this comment.
| - `redact_addresses` `(bool: false)` - If enabled, will redact `leader_address` and `cluster_leader_address` values when applicable. | |
| - `redact_addresses` `(bool: false)` - Redacts `leader_address` and `cluster_leader_address` values in applicable API responses when `true`. |
| ### Redaction settings | ||
|
|
||
| - `redact_addresses` `(bool: false)` - If enabled, will redact `leader_address` and `cluster_leader_address` values when applicable. | ||
| - `redact_cluster_name` `(bool: false)` - If enabled, will redact `cluster_name` values when applicable. |
There was a problem hiding this comment.
| - `redact_cluster_name` `(bool: false)` - If enabled, will redact `cluster_name` values when applicable. | |
| - `redact_cluster_name` `(bool: false)` - Redacts `cluster_name` values in applicable API responses when `true`. |
|
|
||
| - `redact_addresses` `(bool: false)` - If enabled, will redact `leader_address` and `cluster_leader_address` values when applicable. | ||
| - `redact_cluster_name` `(bool: false)` - If enabled, will redact `cluster_name` values when applicable. | ||
| - `redact_version` `(bool: false)` - If enabled, will redact `version` and `build_date` values when applicable. |
There was a problem hiding this comment.
| - `redact_version` `(bool: false)` - If enabled, will redact `version` and `build_date` values when applicable. | |
| - `redact_version` `(bool: false)` - Redacts `version` and `build_date` values in applicable API responses when `true`. |
|
In future, please do not merge documentation changes until a member of the EDU team has had a chance to review it. |
Documentation for per-listener redaction configuration (#23534)
Deployed page: https://vault-git-docs-peteski22vault-19863listener-re-abd165-hashicorp.vercel.app/vault/docs/configuration/listener