From cae6791a4a23b39fcc51dd1e66756b703b811043 Mon Sep 17 00:00:00 2001 From: Bruno Souza Date: Thu, 30 Oct 2025 18:37:28 -0300 Subject: [PATCH 1/2] reference opt-in new list evaluation for denied_params in old versions --- .../global/partials/policies/list-allowed-parameters.mdx | 8 -------- content/vault/v1.16.x/content/docs/concepts/policies.mdx | 9 +++++++++ content/vault/v1.17.x/content/docs/concepts/policies.mdx | 9 +++++++++ content/vault/v1.18.x/content/docs/concepts/policies.mdx | 9 +++++++++ content/vault/v1.19.x/content/docs/concepts/policies.mdx | 9 +++++++++ content/vault/v1.20.x/content/docs/concepts/policies.mdx | 9 +++++++++ 6 files changed, 45 insertions(+), 8 deletions(-) diff --git a/content/vault/global/partials/policies/list-allowed-parameters.mdx b/content/vault/global/partials/policies/list-allowed-parameters.mdx index 3abf79ddff..de7aa94499 100644 --- a/content/vault/global/partials/policies/list-allowed-parameters.mdx +++ b/content/vault/global/partials/policies/list-allowed-parameters.mdx @@ -29,11 +29,3 @@ Additionally, Vault does not treat comma-separated strings in request parameters as lists when evaluating `allowed_parameters` and `denied_parameters`. For instance, configuring `denied_parameters` as `"Z": ["C", "D", ["C"], ["D"], ["C", "D"], ["D", "C"]]` does not block requests that set `"Z": "C,D"` or `"Z": "D,C"` - - - -Vault addressed the unexpected behavior of -`allowed_parameters` and `denied_parameters` in 1.21.x with -more intuitive list processing. - - diff --git a/content/vault/v1.16.x/content/docs/concepts/policies.mdx b/content/vault/v1.16.x/content/docs/concepts/policies.mdx index bf5fe2c42b..a3af63a9c8 100644 --- a/content/vault/v1.16.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.16.x/content/docs/concepts/policies.mdx 
@@ -575,6 +575,15 @@ path "secret/foo" { @include '../../../global/partials/policies/list-allowed-parameters.mdx' + + +Vault 1.21.x or later defaults to a more intuitive list processing for +`allowed_parameters` and `denied_parameters`. In Vault 1.16, this new behavior can +be enabled starting on 1.16.28 by setting the environment variable +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. + + + ### Required response wrapping TTLs These parameters can be used to set minimums/maximums on TTLs set by clients diff --git a/content/vault/v1.17.x/content/docs/concepts/policies.mdx b/content/vault/v1.17.x/content/docs/concepts/policies.mdx index 4bc39149ab..37ac362d8e 100644 --- a/content/vault/v1.17.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.17.x/content/docs/concepts/policies.mdx @@ -582,6 +582,15 @@ path "secret/foo" { @include '../../../global/partials/policies/list-allowed-parameters.mdx' + + +Vault 1.21.x or later defaults to a more intuitive list processing for +`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can +be enabled starting on 1.19.12 by setting the environment variable +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. + + + ### Required response wrapping TTLs These parameters can be used to set minimums/maximums on TTLs set by clients diff --git a/content/vault/v1.18.x/content/docs/concepts/policies.mdx b/content/vault/v1.18.x/content/docs/concepts/policies.mdx index 4bc39149ab..37ac362d8e 100644 --- a/content/vault/v1.18.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.18.x/content/docs/concepts/policies.mdx 
@@ -582,6 +582,15 @@ path "secret/foo" { @include '../../../global/partials/policies/list-allowed-parameters.mdx' + + +Vault 1.21.x or later defaults to a more intuitive list processing for +`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can +be enabled starting on 1.19.12 by setting the environment variable +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. + + + ### Required response wrapping TTLs These parameters can be used to set minimums/maximums on TTLs set by clients diff --git a/content/vault/v1.19.x/content/docs/concepts/policies.mdx b/content/vault/v1.19.x/content/docs/concepts/policies.mdx index 4bc39149ab..37ac362d8e 100644 --- a/content/vault/v1.19.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.19.x/content/docs/concepts/policies.mdx @@ -582,6 +582,15 @@ path "secret/foo" { @include '../../../global/partials/policies/list-allowed-parameters.mdx' + + +Vault 1.21.x or later defaults to a more intuitive list processing for +`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can +be enabled starting on 1.19.12 by setting the environment variable +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. + + + ### Required response wrapping TTLs These parameters can be used to set minimums/maximums on TTLs set by clients diff --git a/content/vault/v1.20.x/content/docs/concepts/policies.mdx b/content/vault/v1.20.x/content/docs/concepts/policies.mdx index 79aac1e1db..96c5441b2f 100644 --- a/content/vault/v1.20.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.20.x/content/docs/concepts/policies.mdx 
@@ -584,6 +584,15 @@ path "secret/foo" { @include '../../../global/partials/policies/list-allowed-parameters.mdx' + + +Vault 1.21.x or later defaults to a more intuitive list processing for +`allowed_parameters` and `denied_parameters`. In Vault 1.20, this new behavior can +be enabled starting on 1.20.6 by setting the environment variable +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. + + + ### Required response wrapping TTLs These parameters can be used to set minimums/maximums on TTLs set by clients From 5d299d86fdcd2e38d42efffbf60f27edc2339721 Mon Sep 17 00:00:00 2001 From: Bruno Souza Date: Tue, 11 Nov 2025 12:35:30 -0300 Subject: [PATCH 2/2] address comments --- content/vault/v1.16.x/content/docs/concepts/policies.mdx | 8 ++++---- content/vault/v1.17.x/content/docs/concepts/policies.mdx | 8 ++++---- content/vault/v1.18.x/content/docs/concepts/policies.mdx | 8 ++++---- content/vault/v1.19.x/content/docs/concepts/policies.mdx | 8 ++++---- content/vault/v1.20.x/content/docs/concepts/policies.mdx | 8 ++++---- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/concepts/policies.mdx b/content/vault/v1.16.x/content/docs/concepts/policies.mdx index a3af63a9c8..a8b92e8acf 100644 --- a/content/vault/v1.16.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.16.x/content/docs/concepts/policies.mdx @@ -577,10 +577,10 @@ path "secret/foo" { -Vault 1.21.x or later defaults to a more intuitive list processing for -`allowed_parameters` and `denied_parameters`. In Vault 1.16, this new behavior can -be enabled starting on 1.16.28 by setting the environment variable -`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. +Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters` +and `denied_parameters`. You can enable the intuitive list processing behavior +for Vault 1.16.x by upgrading to 1.16.28 or later and setting the +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable. 
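Review bot: The rewritten tip in the v1.16.x hunk (PATCH 2/2) names `VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` but does not say what value turns the behavior on, or whether Vault must be restarted for it to take effect. The same wording is repeated in the 1.17.x to 1.20.x hunks. The included partial documents that `denied_parameters` does not block requests such as `"Z": "C,D"`, so operators who rely on deny lists need an unambiguous enablement step. I would add one sentence giving the accepted value and where the variable has to be set. It should also make explicit that upgrading alone leaves the old matching in place, for example `Without the variable, Vault keeps the list matching described above, even after the upgrade.`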
diff --git a/content/vault/v1.17.x/content/docs/concepts/policies.mdx b/content/vault/v1.17.x/content/docs/concepts/policies.mdx index 37ac362d8e..dd7db13e37 100644 --- a/content/vault/v1.17.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.17.x/content/docs/concepts/policies.mdx @@ -584,10 +584,10 @@ path "secret/foo" { -Vault 1.21.x or later defaults to a more intuitive list processing for -`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can -be enabled starting on 1.19.12 by setting the environment variable -`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. +Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters` +and `denied_parameters`. You can enable the intuitive list processing behavior +for Vault by upgrading to 1.19.12 or later and setting the +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable. diff --git a/content/vault/v1.18.x/content/docs/concepts/policies.mdx b/content/vault/v1.18.x/content/docs/concepts/policies.mdx index 37ac362d8e..dd7db13e37 100644 --- a/content/vault/v1.18.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.18.x/content/docs/concepts/policies.mdx @@ -584,10 +584,10 @@ path "secret/foo" { -Vault 1.21.x or later defaults to a more intuitive list processing for -`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can -be enabled starting on 1.19.12 by setting the environment variable -`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. +Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters` +and `denied_parameters`. You can enable the intuitive list processing behavior +for Vault by upgrading to 1.19.12 or later and setting the +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable. diff --git a/content/vault/v1.19.x/content/docs/concepts/policies.mdx b/content/vault/v1.19.x/content/docs/concepts/policies.mdx index 37ac362d8e..4960d513f9 100644 
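Review bot: In the v1.17.x and v1.18.x hunks the tip now reads `for Vault by upgrading to 1.19.12 or later`, with the release line dropped from the sentence. A reader of the 1.17 or 1.18 docs cannot tell whether a patch release on their own line carries the opt-in. If no 1.17.x or 1.18.x build includes it, which the wording suggests but does not state, say so directly, for example `Vault 1.17.x does not include this opt-in; upgrade to 1.19.12 or later and set the ... environment variable.` Otherwise an operator may assume a same-line upgrade is enough and keep depending on `denied_parameters` entries that the old matching does not enforce.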
--- a/content/vault/v1.19.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.19.x/content/docs/concepts/policies.mdx @@ -584,10 +584,10 @@ path "secret/foo" { -Vault 1.21.x or later defaults to a more intuitive list processing for -`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can -be enabled starting on 1.19.12 by setting the environment variable -`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. +Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters` +and `denied_parameters`. You can enable the intuitive list processing behavior +for Vault 1.19.x by upgrading to 1.19.12 or later and setting the +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable. diff --git a/content/vault/v1.20.x/content/docs/concepts/policies.mdx b/content/vault/v1.20.x/content/docs/concepts/policies.mdx index 96c5441b2f..8e8d9316ce 100644 --- a/content/vault/v1.20.x/content/docs/concepts/policies.mdx +++ b/content/vault/v1.20.x/content/docs/concepts/policies.mdx @@ -586,10 +586,10 @@ path "secret/foo" { -Vault 1.21.x or later defaults to a more intuitive list processing for -`allowed_parameters` and `denied_parameters`. In Vault 1.20, this new behavior can -be enabled starting on 1.20.6 by setting the environment variable -`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`. +Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters` +and `denied_parameters`. You can enable the intuitive list processing behavior +for Vault 1.20.x by upgrading to 1.20.6 or later and setting the +`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable.