Add more docs around list paths in policies.

CC #4199
2026-05-05 04:16:31 +02:00 · 2018-03-26 11:30:58 -04:00 · 2018-03-26 11:30:58 -04:00 · 43e9bcd948
commit 43e9bcd948
parent 77c5239dc8
2 changed files with 15 additions and 1 deletions
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -159,7 +159,7 @@ func NewTokenStore(ctx context.Context, c *Core, config *logical.BackendConfig)
 			},

 			&framework.Path{
-				Pattern: "accessors/?$",
+				Pattern: "accessors/$",

 				Callbacks: map[logical.Operation]framework.OperationFunc{
 					logical.ListOperation: t.tokenStoreAccessorList,
--- a/website/source/docs/concepts/policies.html.md
+++ b/website/source/docs/concepts/policies.html.md
@ -161,6 +161,20 @@ policy for `"secret/foo*"`, the policy would also match `"secret/foobar"`.
 !> The glob character is only supported as the **last character of the path**,
 and **is not a regular expression**!

+When providing `list` capability, it is important to note that since listing
+always operates on a prefix, policies must operate on a prefix because Vault
+will sanitize request paths to be prefixes:
+
+```ruby
+path "secret/foo" {
+  capabilities = ["read"]
+}
+
+path "secret/foo/" {
+  capabilities = ["list"]
+}
+```
+
 ### Capabilities

 Each path must define one or more capabilities which provide fine-grained