[BACKPORT] Manual cherry-pick of failed release/1.14.x backport PRs (#…

…26994) * [docs] fix lack of space character (#26830) * fix lack of space char https://developer.hashicorp.com/vault/docs/concepts/policies#ui-policy-requirements `to the ui/mountsand ui/resultant-acl` needs a space after mounts * add nonbreaking space to help parser add nonbreaking space to help parser Co-authored-by: Sarah Chavis <[email protected]> --------- Co-authored-by: Sarah Chavis <[email protected]> * Add reading guide for designing Vault clusters (#26947) * Remove duplicate nav entry * fix url to anti patterns (#26975) --------- Co-authored-by: CJ <[email protected]>
hashicorp · May 13, 2024 · 7cc55f0 · 7cc55f0
1 parent f6f6b03
commit 7cc55f0
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/website/content/docs/enterprise/cluster-design.mdx b/website/content/docs/enterprise/cluster-design.mdx
@@ -36,7 +36,7 @@ You can help keep your Vault environments healthy by avoiding established
 anti-patterns.
 
 The Hashicorp Well-architected framework documentation provides in-depth
-[Vault anti-patterns](/well-architected-framework/operational-excellence/operational-excellence-managing-vault-with-terraform) guidance based on
+[Vault anti-patterns](/well-architected-framework/operational-excellence/security-vault-anti-patterns) guidance based on
 lessons learned by customers operating Vault in the field.
 
 ## Step 3: Plan for maintenance at scale

diff --git a/website/content/partials/ui/policy-requirements.mdx b/website/content/partials/ui/policy-requirements.mdx
@@ -0,0 +1,27 @@
+<Warning title="Set UI policies before enabling the UI"> 
+
+  You cannot make policy adjustments or overwrites to the <code>ui/mounts</code>&nbsp;
+  and <code>ui/resultant-acl</code> endpoints once you enable the Vault UI. Vault
+  ignores policy updates that target these paths
+  with <a href="/vault/docs/concepts/policies#deny">explicit <code>deny</code></a> capabilities.
+
+</Warning>
+
+Depending on your Vault configuration, you may need to define UI policies
+with different ACL capabilities from the permissions provided by your Vault CLI
+policies.
+
+The `default` UI policy includes two paths, **which cannot be modified with
+additional policies** once you
+[enable](/vault/docs/configuration/ui#activating-the-vault-ui) the UI:
+
+- [/sys/internal/ui/mounts](/vault/api-docs/system/internal-ui-mounts) -
+  provides a list of currently visible mounts based on the
+  [`listing_visibility`](/vault/api-docs/system/mounts#listing_visibility)
+  parameter. `sys/internal/ui/mounts` is an unauthenticated, internal endpoint
+  used for UI and CLI preflight checks. Requests that include an `X-Vault-Token`
+  will return all mounts the token has path capabilities on.
+- [/sys/internal/ui/resultant-acl](/vault/api-docs/system/internal-ui-resultant-acl) -
+  repackages authentication information used by the UI. **If you do not have have
+  permission to call the `ui/resultant-acl` endpoint, you may receive warnings or
+  errors in the UI**.