Merged
Expand Up @@ -29,11 +29,3 @@ Additionally, Vault does not treat comma-separated strings in request
parameters as lists when evaluating `allowed_parameters` and `denied_parameters`.
For instance, configuring `denied_parameters` as `"Z": ["C", "D", ["C"], ["D"], ["C", "D"], ["D", "C"]]`
does not block requests that set `"Z": "C,D"` or `"Z": "D,C"`

<Tip title="Consider upgrading to 1.21.x or later">

Vault addressed the unexpected behavior of
`allowed_parameters` and `denied_parameters` in 1.21.x with
more intuitive list processing.

</Tip>
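Review bot: With the `<Tip>` removed from this shared partial, the limitation in the retained lines (the `"Z": "C,D"` example) is stated with no version qualifier, so any page that includes `list-allowed-parameters.mdx` without adding its own tip presents it as current behavior. Consider keeping a one-line version pointer in the partial, or confirm that every page including it either carries a version-specific tip or still has the old behavior. The retained sentence ending `or "Z": "D,C"` is also missing its final period.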
9 changes: 9 additions & 0 deletions content/vault/v1.16.x/content/docs/concepts/policies.mdx
Expand Up @@ -575,6 +575,15 @@ path "secret/foo" {

@include '../../../global/partials/policies/list-allowed-parameters.mdx'

<Tip title="Consider upgrading to a fixed version">

Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.16, this new behavior can
be enabled starting on 1.16.28 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Contributor


Suggested change
Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.16, this new behavior can
be enabled starting on 1.16.28 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters`
and `denied_parameters`. You can enable the intuitive list processing behavior
for Vault 1.16.x by upgrading to 1.16.28 or later and setting the
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable.

Style correction: avoid "this" as a pronoun


</Tip>

### Required response wrapping TTLs

These parameters can be used to set minimums/maximums on TTLs set by clients
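Review bot: The added tip names `VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` but does not say what value enables the new matching, so an operator on 1.16.28 cannot act on it from this text alone. State the expected value, and what happens when the variable is unset, next to the variable name, for example "by setting the environment variable `VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` to <value>".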
9 changes: 9 additions & 0 deletions content/vault/v1.17.x/content/docs/concepts/policies.mdx
Expand Up @@ -582,6 +582,15 @@ path "secret/foo" {

@include '../../../global/partials/policies/list-allowed-parameters.mdx'

<Tip title="Consider upgrading to a fixed version">

Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can
be enabled starting on 1.19.12 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Contributor


Suggested change
Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can
be enabled starting on 1.19.12 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters`
and `denied_parameters`. You can enable the intuitive list processing behavior
for Vault by upgrading to Vault 1.19.12 or later and setting the
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable.

Edited to use language similar to 1.16

Contributor


Is there a reason we recommend moving to 1.19 instead of upgrading to 1.21? I'm assuming it's because 1.18 to 1.19 is a simpler upgrade path, but wanted to confirm.

Contributor Author


Yeah, my goal was to make them aware of the smallest upgrade path possible to fix the issue, but definitely the main recommendation should be to upgrade to 1.21, in which case setting the additional env var is not necessary. Do you have any thoughts on how that should be communicated?


</Tip>

### Required response wrapping TTLs

These parameters can be used to set minimums/maximums on TTLs set by clients
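Review bot: In this v1.17.x page the added tip says "In Vault 1.19, this new behavior can be enabled starting on 1.19.12", which never mentions the reader's own release line and leaves it unclear what a 1.17.x operator should do. Say explicitly that a 1.17.x deployment has to upgrade to 1.19.12 or later to use the variable, and that upgrading to 1.21.x gives the new behavior by default.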
9 changes: 9 additions & 0 deletions content/vault/v1.18.x/content/docs/concepts/policies.mdx
Expand Up @@ -582,6 +582,15 @@ path "secret/foo" {

@include '../../../global/partials/policies/list-allowed-parameters.mdx'

<Tip title="Consider upgrading to a fixed version">

Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can
be enabled starting on 1.19.12 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Contributor


Suggested change
Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can
be enabled starting on 1.19.12 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters`
and `denied_parameters`. You can enable the intuitive list processing behavior
for Vault by upgrading to Vault 1.19.12 or later and setting the
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable.

Edited to use language similar to 1.16

Contributor


Same comment re: upgrade path here


</Tip>

### Required response wrapping TTLs

These parameters can be used to set minimums/maximums on TTLs set by clients
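Review bot: The tip title "Consider upgrading to a fixed version" does not name a version, while the body describes two targets that behave differently: 1.21.x changes the default, and 1.19.12 only offers the new behavior once the environment variable is set. Name the recommended target in the title or the first sentence, and make it clear that on 1.19.12 the upgrade alone does not change `allowed_parameters` and `denied_parameters` matching.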
9 changes: 9 additions & 0 deletions content/vault/v1.19.x/content/docs/concepts/policies.mdx
Expand Up @@ -582,6 +582,15 @@ path "secret/foo" {

@include '../../../global/partials/policies/list-allowed-parameters.mdx'

<Tip title="Consider upgrading to a fixed version">

Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can
be enabled starting on 1.19.12 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Contributor


Suggested change
Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.19, this new behavior can
be enabled starting on 1.19.12 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters`
and `denied_parameters`. You can enable the intuitive list processing behavior
for Vault 1.19.x by upgrading to 1.19.12 or later and setting the
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable.

Edited to use language similar to 1.16


</Tip>

### Required response wrapping TTLs

These parameters can be used to set minimums/maximums on TTLs set by clients
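Review bot: "a more intuitive list processing" in the added tip does not tell the reader what changes for the case documented in the partial included just above it. Add one sentence stating the outcome under the new matching for that example, such as whether `denied_parameters` then blocks a comma-separated value like `"Z": "C,D"`, so operators know which existing policies to re-test after setting the variable.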
9 changes: 9 additions & 0 deletions content/vault/v1.20.x/content/docs/concepts/policies.mdx
Expand Up @@ -584,6 +584,15 @@ path "secret/foo" {

@include '../../../global/partials/policies/list-allowed-parameters.mdx'

<Tip title="Consider upgrading to a fixed version">

Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.20, this new behavior can
be enabled starting on 1.20.6 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Contributor


Suggested change
Vault 1.21.x or later defaults to a more intuitive list processing for
`allowed_parameters` and `denied_parameters`. In Vault 1.20, this new behavior can
be enabled starting on 1.20.6 by setting the environment variable
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST`.
Vault 1.21.x introduced a more intuitive list processing for `allowed_parameters`
and `denied_parameters`. You can enable the intuitive list processing behavior
for Vault 1.20.x by upgrading to 1.20.6 or later and setting the
`VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` environment variable.

Edited to use language similar to 1.16


</Tip>

### Required response wrapping TTLs

These parameters can be used to set minimums/maximums on TTLs set by clients
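Review bot: The sentence "be enabled starting on 1.20.6 by setting the environment variable" does not say where the variable has to be set. Vault documents environment variables for both the CLI client and the server, so state which process reads `VAULT_NEW_PER_ELEMENT_MATCHING_ON_LIST` and whether a restart is needed for the setting to take effect.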