From 095df6e163afa4f4d5aac2151c5f8109c58fcf4e Mon Sep 17 00:00:00 2001 From: Loann Le <84412881+taoism4504@users.noreply.github.com> Date: Wed, 16 Mar 2022 16:29:56 -0700 Subject: [PATCH] new vault docs (#14546) --- website/content/docs/auth/login-mfa/faq.mdx | 123 ++++++++++++++++++ .../{login-mfa.mdx => login-mfa/index.mdx} | 79 +++++------ .../docs/concepts/client-count/faq.mdx | 2 +- website/content/docs/deprecation/faq.mdx | 12 +- website/content/docs/deprecation/index.mdx | 18 +-- .../content/docs/enterprise/license/faq.mdx | 2 +- website/content/docs/faq/index.mdx | 11 ++ website/data/docs-nav-data.json | 39 +++++- 8 files changed, 231 insertions(+), 55 deletions(-) create mode 100644 website/content/docs/auth/login-mfa/faq.mdx rename website/content/docs/auth/{login-mfa.mdx => login-mfa/index.mdx} (65%) create mode 100644 website/content/docs/faq/index.mdx diff --git a/website/content/docs/auth/login-mfa/faq.mdx b/website/content/docs/auth/login-mfa/faq.mdx new file mode 100644 index 0000000000..cea8f10082 --- /dev/null +++ b/website/content/docs/auth/login-mfa/faq.mdx 
@@ -0,0 +1,123 @@ +--- +layout: docs +page_title: Login MFA FAQ +description: An FAQ page to answer the most commonly asked questions about login mfa. +--- + +# Login MFA FAQ + +This FAQ section contains frequently asked questions about the Login MFA feature. + +- [Q: What MFA features can I access if I upgrade to Vault version 1.10?](#q-what-mfa-features-can-i-access-if-i-upgrade-to-vault-version-1-10) +- [Q: What are the various MFA workflows that are available to me as a Vault user as of Vault version 1.10, and how are they different?](#q-what-are-the-various-mfa-workflows-that-are-available-to-me-as-a-vault-user-as-of-vault-version-1-10-and-how-are-they-different) +- [Q: What is the Legacy MFA feature?](#q-what-is-the-legacy-mfa-feature) +- [Q: Will HCP Vault support MFA?](#q-will-hcp-vault-support-mfa) +- [Q: What is Single-Phase MFA vs. Two-Phase MFA?](#q-what-is-single-phase-mfa-vs-two-phase-mfa) +- [Q: Are there new MFA API endpoints introduced as part of the new Vault version 1.10 MFA for login functionality?](#q-are-there-new-mfa-api-endpoints-introduced-as-part-of-the-new-vault-version-1-10-mfa-for-login-functionality) +- [Q: How do MFA configurations differ between the Login MFA and Step-up Enterprise MFA?](#q-how-do-mfa-configurations-differ-between-the-login-mfa-and-step-up-enterprise-mfa) +- [Q: What are the ways to configure the various MFA workflows?](#q-what-are-the-ways-to-configure-the-various-mfa-workflows) +- [Q: What MFA mechanism is used with the different MFA workflows in Vault version 1.10?](#q-which-mfa-mechanism-is-used-with-the-different-mfa-workflows-in-vault-version-1-10) +- [Q: Are namespaces supported with the MFA workflows that Vault has as of Vault version 1.10?](#q-are-namespaces-supported-with-the-mfa-workflows-that-vault-has-as-of-vault-version-1-10) +- [Q: I use the Vault Agent. 
Does MFA pose any challenges for me?](#q-i-use-the-vault-agent-does-mfa-pose-any-challenges-for-me) +- [Q: I am a Step-up Enterprise MFA user using MFA for login. Should I migrate to the new Login MFA?](#q-i-am-a-step-up-enterprise-mfa-user-using-mfa-for-login-should-i-migrate-to-the-new-login-mfa) +- [Q: I am a Step-up Enterprise MFA user using MFA for login. What are the steps to migrate to Login MFA?](#q-i-am-a-step-up-enterprise-mfa-user-using-mfa-for-login-what-are-the-steps-to-migrate-to-login-mfa) + +### Q: What MFA features can I access if I upgrade to Vault version 1.10? + +Vault supports Step-up Enterprise MFA as part of our Enterprise edition. The Step-up Enterprise MFA provides MFA on login, or for step-up access to sensitive resources in Vault using ACL and Sentinel policies, and is configurable through the CLI/API. + +Starting with Vault version 1.10, Vault OSS provides [MFA on login](/docs/auth/login-mfa) only. This is also available with Vault Enterprise and configurable through the CLI/API. + +The Step-up Enterprise MFA will co-exist with the newly introduced Login MFA starting with Vault version 1.10. + +### Q: What are the various MFA workflows that are available to me as a Vault user as of Vault version 1.10, and how are they different? + +| MFA workflow | What does it do? | Who manages the MFA? | OSS vs. Enterprise Support | +| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ----------------------------- | +| [Login MFA](/docs/auth/login-mfa) | MFA in Vault OSS provides MFA on login. CLI, API, and UI-based login are supported. 
| MFA is managed by Vault | Supported in Vault OSS | +| [Okta Auth MFA](/docs/auth/okta#mfa) | This is MFA as part of [Okta Auth method](/docs/auth/okta) in Vault OSS, where MFA is enforced by Okta on login. MFA must be satisfied for authentication to be successful. This is different from the Okta MFA method used with Login MFA and Step-up Enterprise MFA. CLI/API login are supported. | MFA is managed externally by Okta | Supported in Vault OSS | +| [Step-up Enterprise MFA](/docs/enterprise/mfa) | MFA in Vault Enterprise provides MFA for login and for step-up access to sensitive resources in Vault. Supports CLI/API based login, and ACL/Sentinel policies. | MFA is managed by Vault | Supported in Vault Enterprise | + +~> **Note**: [The Legacy MFA](/docs/auth/mfa) is a **deprecated** MFA workflow in Vault OSS. Refer to the [Q: What is the Legacy MFA feature?](#q-what-is-the-legacy-mfa-feature) for more details. + +### Q: What is the Legacy MFA feature? + +[Legacy MFA](/docs/auth/mfa) is functionality that was available in Vault OSS, prior to introducing MFA in the Enterprise version. This is now a deprecated feature. Please see the [Vault Feature Deprecation Notice and Plans](/docs/deprecation) for detailed product plans around deprecated features. We plan to remove Legacy MFA in 1.11. + +### Q: Will HCP Vault support MFA? + +Yes, HCP Vault will support MFA across all tiers and offering as part of the April 2022 release. + +### Q: What is Single-Phase MFA vs. Two-Phase MFA? + +- **Single-Phase MFA:** This is a single request mechanism where the required MFA information, such as MFA method ID, is provided via the X-Vault-MFA header in a single MFA request that is used to authenticate into Vault. + +~> **Note**: If the configured MFA methods need a passcode, it needs to be provided in the request, such as in the case of TOTP or Duo. 
+If the configured MFA methods, such as PingID, Okta, or Duo, do not require a passcode and have out of band mechanisms for verifying the extra factor, Vault will send an inquiry to the other service's APIs to determine whether the MFA request has yet been verified. + +- **Two-Phase MFA:** This is a two-request MFA method that is more conventionally used. + - The MFA passcode required for the configured MFA method is not provided in a header of the login request that is MFA-restricted. Instead, the user first authenticates to the auth method, and on successful authentication to the auth method, an MFA requirement is returned to the user. The MFA requirement contains the MFA RequestID and constraints applicable to the MFA as configured by the operator. + - The user then must make a second request to the new endpoint `sys/mfa/validate`, providing the MFA RequestID in the request, and an MFA payload which includes the MFA methodIDs passcode (if applicable). If MFA validation passes, the new Vault token will be persisted and returned to the user in the response, just like a regular Vault token created using a non-MFA-restricted auth method. + +### Q: Are there new MFA API endpoints introduced as part of the new Vault version 1.10 MFA for login functionality? + +Yes, this feature adds the following new MFA configuration endpoints: `identity/mfa/method`, `identity/mfa/login-enforcement`, and `sys/mfa/validate`. Refer to the [documentation](/api-docs/secret/identity/mfa/duo) for more details. + +### Q: How do MFA configurations differ between the Login MFA and Step-up Enterprise MFA? + +All MFA methods supported with the Step-up Enterprise MFA are supported with the Login MFA, but they use different API endpoints: + +- Step-up Enterprise MFA: `sys/mfa/method/:type/:/name` +- Login MFA: `identity/mfa/method/:type` + +There are also two differences in how methods are defined in the two systems. 
+The Step-up Enterprise MFA expects the method creator to specify a name for the method; Login MFA does not, and instead returns an ID when a method is created. +The Step-up Enterprise MFA uses the combination of mount accessors plus a `username_format` template string, whereas in Login MFA, these are combined into a single field `username_template`, which uses the same identity [templating format](/docs/concepts/policies#templated-policies) as used in policies. + +### Q: What are the ways to configure the various MFA workflows? + +| MFA workflow | Configuration methods | Details | +| ---------------------------------------------- | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Login MFA](/docs/auth/login-mfa) | CLI/API. The UI does not support the configuration of Login MFA as of Vault version 1.10. | Configured using the `identity/mfa/method` endpoints, then passing those method IDs to the `identity/mfa/login-enforcement` endpoint. MFA methods supported: TOTP, Okta, Duo, PingID. | +| [Okta Auth MFA](/docs/auth/okta) | CLI/API | MFA methods supported: [TOTP](https://help.okta.com/en/prod/Content/Topics/Security/mfa-totp-seed.htm) , [Okta Verify Push](https://help.okta.com/en/prod/Content/Topics/Mobile/ov-admin-config.htm). Note that Vault does not support Okta Verify Push with Number Challenge at this time. | +| [Step-up Enterprise MFA](/docs/enterprise/mfa) | CLI/API | [Configured](/api/system/mfa) using the `sys/mfa/method` endpoints and by referencing those methods in policies. MFA Methods supported: TOTP, Okta, Duo, PingID | + +### Q: Which MFA mechanism is used with the different MFA workflows in Vault version 1.10? 
+ +| MFA workflow | UI | CLI/API | Single-Phase | Two-Phase | +| ---------------------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | --------------------------- | +| [Login MFA](/docs/auth/login-mfa) | Supported | Supported. You can select single-phase MFA by supplying the X-Vault-MFA header. In the absence of this header, the Two- Phase MFA is used | N/A | Supported | +| [Okta Auth MFA](/docs/auth/okta) | N/A | N/A | MFA is not managed by Vault | MFA is not managed by Vault | +| [Step-up Enterprise MFA](/docs/enterprise/mfa) | N/A | Supported | Supported | N/A | + +### Q: Are namespaces supported with the MFA workflows that Vault has as of Vault version 1.10? + +The Step-up Enterprise MFA configurations can only be configured in the root [namespace](/docs/enterprise/mfa#namespaces), although they can be referenced in other namespaces via the policies. +The Login MFA supports namespaces awareness. Users will need a Vault Enterprise license to user or configure Login MFA with namespaces. MFA method configurations can be defined per namespace with Login MFA, and used in enforcements defined in that namespace and its children. Everything operates in the root namespace in Vault OSS. MFA login enforcements can also be defined per namespace, and applied to that namespace and its children. + +### Q: I use the Vault Agent. Does MFA pose any challenges for me? + +The Vault Agent should not use MFA to authenticate to Vault; it should be able to relay requests with MFA-related headers to Vault successfully. + +### Q: I am a Step-up Enterprise MFA user using MFA for login. Should I migrate to the new Login MFA? + +If you are currently using Enterprise MFA, evaluate your MFA specific use cases to determine whether or not you should migrate to [Login MFA](/docs/auth/login-mfa). 
+ +Here are some considerations: + +- If you use the Step-up Enterprise MFA for login (with Sentinel EGP), you may find value in the simpler Login MFA workflow. We recommend that you to test this out to evaluate if this meets all your requirements. +- If you use the Step-up Enterprise MFA for more than login, please be aware that the new MFA workflow only supports the login use case. You will still need to use the Step-up Enterprise MFA for non-login use cases. + +### Q: I am a Step-up Enterprise MFA user using MFA for login. What are the steps to migrate to Login MFA? + +Refer to the question [Q: I am a Step-up Enterprise MFA user using MFA for login. Should I migrate to the new Login MFA?](#q-i-am-a-step-up-enterprise-mfa-user-using-mfa-for-login-should-i-migrate-to-the-new-login-mfa) to evaluate whether or not you should migrate. + +If you wish to migrate to Login MFA, follow these steps and guidelines to migrate successfully. + +1. First, create new MFA methods using the `identity/mfa/method` endpoints. These should mostly use the same fields as the MFA methods you defined using the `sys/mfa` method while keeping the following in mind: + + -the new endpoints yield an ID instead of allowing you to define a name + + -the new non-TOTP endpoints have a user_name field instead of username_format+mount_accessor fields; see [Templated Policies](/docs/concepts/policies#templated-policies) for the username_template format. + +1. Instead of writing sentinel EGP rules to require that logins use MFA, use the `identity/mfa/login_enforcement` endpoint to specify the MFA methods. diff --git a/website/content/docs/auth/login-mfa.mdx b/website/content/docs/auth/login-mfa/index.mdx similarity index 65% rename from website/content/docs/auth/login-mfa.mdx rename to website/content/docs/auth/login-mfa/index.mdx index 1bc8955807..9336d0ff22 100644 --- a/website/content/docs/auth/login-mfa.mdx +++ b/website/content/docs/auth/login-mfa/index.mdx 
@@ -5,6 +5,7 @@ description: |- Multi-factor authentication (MFA) is supported for several authentication methods. --- + # Login MFA Vault supports Multi-factor Authentication (MFA) for authenticating to @@ -33,7 +34,7 @@ MFA in Vault includes the following login types: - `PingID` - If PingID push is configured and enabled on a login path, the enrolled device of the user will receive a push notification to either approve or deny -access to the API. The PingID username will be derived from the caller + access to the API. The PingID username will be derived from the caller identity's alias. ## Login MFA Procedure 
@@ -49,41 +50,43 @@ such as a one-time passcode, before being authenticated. There are two ways to validate a login request that is subject to MFA validation. - ### Single-Phase Login - In the Single-phase login, the required MFA information is embeds in a login request using - the `X-Vault-MFA` header. In this case, the MFA validation is done - as a part of the login request. +### Single-Phase Login - MFA credentials are retrieved from the `X-Vault-MFA` HTTP header. The format of - the header is `mfa_method_id[:passcode]`. The item in the `[]` is optional. If there are multiple MFA methods that need to be validated, a user can pass in multiple `X-Vault-MFA` HTTP headers. +In the Single-phase login, the required MFA information is embeds in a login request using +the `X-Vault-MFA` header. In this case, the MFA validation is done +as a part of the login request. - #### Sample Request +MFA credentials are retrieved from the `X-Vault-MFA` HTTP header. The format of +the header is `mfa_method_id[:passcode]`. The item in the `[]` is optional. If there are multiple MFA methods that need to be validated, a user can pass in multiple `X-Vault-MFA` HTTP headers. - ```shell-session +#### Sample Request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + --header "X-Vault-MFA: d16fd3c2-50de-0b9b-eed3-0301dadeca10:695452" \ + http://127.0.0.1:8200/v1/auth/userpass/login/alice +``` + +If an MFA method does not require a passcode, the login request MFA header only contains the method ID. + +```shell-session $ curl \ --header "X-Vault-Token: ..." \ - --header "X-Vault-MFA: d16fd3c2-50de-0b9b-eed3-0301dadeca10:695452" \ + --header "X-Vault-MFA: d16fd3c2-50de-0b9b-eed3-0301dadeca10" \ http://127.0.0.1:8200/v1/auth/userpass/login/alice - ``` +``` - If an MFA method does not require a passcode, the login request MFA header only contains the method ID. +### Two-Phase Login - ```shell-session - $ curl \ - --header "X-Vault-Token: ..." 
\ - --header "X-Vault-MFA: d16fd3c2-50de-0b9b-eed3-0301dadeca10" \ - http://127.0.0.1:8200/v1/auth/userpass/login/alice - ``` - - ### Two-Phase Login - The more conventional and prevalent MFA method is a two-request mechanism, also referred to as Two-phase Login MFA. - In Two-phase login, the `X-Vault-MFA` header is not provided in the request. In this case, after sending a regular login request, - the user receives an auth response in which MFA requirements are included. MFA requirements contain an MFA request ID - which identifies the login request that needs validation. In addition, MFA requirements contain MFA constraints - that determine which MFA types should be used to validate the request, the corresponding method IDs, and - a boolean value showing whether the MFA method uses passcodes or not. MFA constraints form a nested map in MFA Requirement - and represent all MFA enforcements that match a login request. While the example below is for the userpass login, - note that this can affect the login response on any auth mount protected by MFA validation. +The more conventional and prevalent MFA method is a two-request mechanism, also referred to as Two-phase Login MFA. +In Two-phase login, the `X-Vault-MFA` header is not provided in the request. In this case, after sending a regular login request, +the user receives an auth response in which MFA requirements are included. MFA requirements contain an MFA request ID +which identifies the login request that needs validation. In addition, MFA requirements contain MFA constraints +that determine which MFA types should be used to validate the request, the corresponding method IDs, and +a boolean value showing whether the MFA method uses passcodes or not. MFA constraints form a nested map in MFA Requirement +and represent all MFA enforcements that match a login request. While the example below is for the userpass login, +note that this can affect the login response on any auth mount protected by MFA validation. 
#### Sample Two-Phase Login Response @@ -126,15 +129,15 @@ There are two ways to validate a login request that is subject to MFA validation } ``` - Note that the `uses_passcode` boolean value is always set to true for TOTP, and must always be set to false for Okta and PingID. - For Duo method, the value can be configured as part of the method configuration. - Please see [Duo API](/api/secret/identity/mfa/duo) for details - on how to configure the boolean value for Duo. +Note that the `uses_passcode` boolean value is always set to true for TOTP, and must always be set to false for Okta and PingID. +For Duo method, the value can be configured as part of the method configuration. +Please see [Duo API](/api/secret/identity/mfa/duo) for details +on how to configure the boolean value for Duo. - To validate the MFA restricted login request, the user sends a second request to the [validate](/api/system/mfa/validate) - endpoint including the MFA request ID and MFA payload. MFA payload contains a map of methodIDs and their associated credentials. - If the configured MFA methods, such as PingID, Okta, and Duo, do not require a passcode, the associated - credentials will be a list with one empty string. +To validate the MFA restricted login request, the user sends a second request to the [validate](/api/system/mfa/validate) +endpoint including the MFA request ID and MFA payload. MFA payload contains a map of methodIDs and their associated credentials. +If the configured MFA methods, such as PingID, Okta, and Duo, do not require a passcode, the associated +credentials will be a list with one empty string. #### Sample Payload @@ -142,7 +145,7 @@ There are two ways to validate a login request that is subject to MFA validation { "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7", "mfa_payload": { - "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"] + "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"] } } ``` 
@@ -158,6 +161,7 @@ $ curl \ ``` #### Sample CLI Request + A user is also able to use the CLI write command to validate the login request. ```shell-session @@ -165,6 +169,7 @@ $ vault write sys/mfa/validate -format=json @payload.json ``` #### Interactive CLI for Login MFA + Vault supports an interactive way of authenticating to an auth method using CLI only if the login request is subject to a single MFA method validation. In this situation, if the MFA method is configured to use passcodes, after sending a regular login request, the user is prompted to diff --git a/website/content/docs/concepts/client-count/faq.mdx b/website/content/docs/concepts/client-count/faq.mdx index ee731330a0..673d4f58f3 100644 --- a/website/content/docs/concepts/client-count/faq.mdx +++ b/website/content/docs/concepts/client-count/faq.mdx @@ -4,7 +4,7 @@ page_title: FAQ description: An FAQ page to answer the most commonly asked questions about client count. --- -# Frequently Asked Questions (FAQ) +# Client Count FAQ This FAQ section contains frequently asked questions about the client count feature. diff --git a/website/content/docs/deprecation/faq.mdx b/website/content/docs/deprecation/faq.mdx index 6abbdb1600..b514ee5ce1 100644 --- a/website/content/docs/deprecation/faq.mdx +++ b/website/content/docs/deprecation/faq.mdx @@ -6,7 +6,7 @@ description: |- An FAQ page to communicate frequently asked questions concering feature deprecations. --- -# Frequently Asked Questions (FAQ) +# Feature Deprecatoin FAQ This page provides frequently asked questions concerning decisions made about Vault feature deprecations. If you are looking for information about Vault licensing, refer to the [Licensing FAQ](/docs/enterprise/license/faq) page. Pleaser refer to the [Feature Deprecation Notice and Plans](/docs/deprecation) document for up-to-date information on Vault feature deprecations and notice. 
@@ -30,8 +30,8 @@ If you are an Enterprise user, we recommend that you consider migrating to Hashi These features were deprecated in prior releases of Vault. We are targeting the removal of these features from the product in the Vault 1.11 release. Please plan to upgrade to these features before the release of Vault 1.11. Refer to the table below for a list of alternative features. -| Deprecated Feature | Alternative Feature | -| -----------------------| --------------------| -| Mount Filters | [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter)| -| AppID | [AppRole auth method](/docs/auth/approle)| -| Standalone DB engines | [Combined DB engines](/docs/secrets/databases)| +| Deprecated Feature | Alternative Feature | +| --------------------- | ------------------------------------------------------------------------------------------------------------------- | +| Mount Filters | [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) | +| AppID | [AppRole auth method](/docs/auth/approle) | +| Standalone DB engines | [Combined DB engines](/docs/secrets/databases) | diff --git a/website/content/docs/deprecation/index.mdx b/website/content/docs/deprecation/index.mdx index 42616b326a..de2dd1e22c 100644 --- a/website/content/docs/deprecation/index.mdx +++ b/website/content/docs/deprecation/index.mdx 
@@ -18,12 +18,12 @@ This announcement page is maintained and updated periodically to communicate imp ~> **Note**: All specified targeted version announcements for End of Support and Feature Removal may be subject to change. - -| Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources | -| -----------------------| ------------------------ | --------------- |---------------- | -| --------- | -| End of Support: Etcd V2 API (OSS) | v1.9 | N/A | v1.10 | The Etcd v2 has been deprecated with the release of Etcd v3.5, and will be decomissioned by Etcd v3.6. Etcd v2 API will be removed in Vaut 1.10. Users of Etcd storage backend should prepare to migrate Vault storage to an Etcd V3 cluster prior to upgrading to Vault 1.10. All storage migrations should be backed up prior to migration. | [Etcd Storage Backend](/docs/configuration/storage/etcd) -| End of Support: Licenses in storage (ENT) | v1.8 | v1.10 | v1.11 | Migrate to [Autoloading](/docs/enterprise/license/autoloading) by v1.11.| [Vault License](/docs/enterprise/license) [System Backend](https://www.vaultproject.io/api-docs/system/license) [FAQ](/docs/enterprise/license/faq) -| Feature Removal: Mount Filters (ENT) | v1.3 | v1.10 | v1.11 | Use the alternative feature: [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) | [API Deprecation Notice](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-mounts-filter-deprecated) [Filter Mount Replication Deprecation Notice](/docs/upgrading/upgrade-to-1.3.0#filtered-mount-replication-deprecation) -| Feature Removal: Legacy MFA (OSS) | v1.0 | N/A | v1.11 | Support for MFA in Vault OSS planned in v1.10 | [Multi-Factor Authentication](/docs/auth/mfa) -| Feature Removal: Standalone DB Engines (OSS) | v0.8 | N/A | v1.11 | Use the alternative DB secrets engine feature | [DB secrets engine](/docs/secrets/databases) -| Feature Removal: 
AppID (OSS) | v0.6 | N/A | v1.11 | Use the alternative feature: [AppRole auth method](https://www.vaultproject.io/docs/auth/approle) | [AppID Auth Method Deprecation Notice](/docs/auth/app-id) +| Feature | Deprecation announcement | End of Support | Feature Removal | Migration Path/Impact | Resources | +| ------------------------------------------------- | ------------------------ | -------------- | --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| End of Support: AAD Graph on Azure Secrets Engine | v1.10 | 1.11 | v1.12 | Microsoft will end its support of the [AAD Graph API on June 30, 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview). Support for Microsoft Graph API was introduced in Vault 1.9. If your Vault deployment is on a prior release, you may use the Azure Secrets Engine as an external plugin while you plan to upgrade. | N/A | +| End of Support: Etcd V2 API (OSS) | v1.9 | N/A | v1.10 | The Etcd v2 has been deprecated with the release of Etcd v3.5, and will be decomissioned by Etcd v3.6. Etcd v2 API has been removed in Vaut 1.10. Users of Etcd storage backend must migrate Vault storage to an Etcd V3 cluster prior to upgrading to Vault 1.10. All storage migrations should be backed up prior to migration. 
| [Etcd Storage Backend](/docs/configuration/storage/etcd) | +| End of Support: Licenses in storage (ENT) | v1.8 | v1.10 | v1.11 | Migrate to [Autoloading](/docs/enterprise/license/autoloading) by v1.11. | [Vault License](/docs/enterprise/license) [System Backend](https://www.vaultproject.io/api-docs/system/license) [FAQ](/docs/enterprise/license/faq) | +| Feature Removal: Mount Filters (ENT) | v1.3 | v1.10 | v1.11 | Use the alternative feature: [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) | [API Deprecation Notice](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-mounts-filter-deprecated) [Filter Mount Replication Deprecation Notice](/docs/upgrading/upgrade-to-1.3.0#filtered-mount-replication-deprecation) | +| Feature Removal: Legacy MFA (OSS) | v1.0 | N/A | v1.11 | Based on your use case, use the Policy-based Enterprise MFA or Login MFA supported in Vault OSS as of v1.10 | [Multi-Factor Authentication](/docs/auth/mfa) | +| Feature Removal: Standalone DB Engines (OSS) | v0.8 | N/A | v1.11 | Use the alternative DB secrets engine feature | [DB secrets engine](/docs/secrets/databases) | +| Feature Removal: AppID (OSS) | v0.6 | N/A | v1.11 | Use the alternative feature: [AppRole auth method](https://www.vaultproject.io/docs/auth/approle) | [AppID Auth Method Deprecation Notice](/docs/auth/app-id) | diff --git a/website/content/docs/enterprise/license/faq.mdx b/website/content/docs/enterprise/license/faq.mdx index dafe38d55c..227a4ad236 100644 --- a/website/content/docs/enterprise/license/faq.mdx +++ b/website/content/docs/enterprise/license/faq.mdx @@ -4,7 +4,7 @@ page_title: Frequently Asked Questions (FAQ) description: An overview of license. --- -# Frequently Asked Questions (FAQ) +# License FAQ This FAQ section is for the license changes introduced in Vault Enterprise 1.8. 
diff --git a/website/content/docs/faq/index.mdx b/website/content/docs/faq/index.mdx new file mode 100644 index 0000000000..a83e3bd59a --- /dev/null +++ b/website/content/docs/faq/index.mdx @@ -0,0 +1,11 @@ +--- +layout: docs +page_title: Product Features FAQ +sidebar_title: FAQ for product and features +description: |- + An FAQ page for product and features. +--- + +# Product Features FAQ + +You can access a number of different FAQ pages to get answers to questions about our product and features. These FAQ pages are updated periodically so please check back for the latest updates and new FAQ questions. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 6ba40bfdb8..a17571ecab 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1211,7 +1211,16 @@ }, { "title": "Login MFA", - "path": "auth/login-mfa" + "routes": [ + { + "title": "Overview", + "path": "auth/login-mfa" + }, + { + "title": "FAQ", + "path": "auth/login-mfa/faq" + } + ] }, { "title": "Oracle Cloud Infrastructure", @@ -1775,6 +1784,34 @@ { "divider": true }, + { + "title": "FAQ", + "routes": [ + { + "title": "Overview", + "path": "faq" + }, + { + "title": "Feature Deprecation Notice and Plans", + "href": "https://www.vaultproject.io/docs/deprecation/faq" + }, + { + "title": "License", + "href": "https://www.vaultproject.io/docs/enterprise/license/faq" + }, + { + "title": "Client Count", + "href": "https://www.vaultproject.io/docs/concepts/client-count/faq" + }, + { + "title": "Login MFA", + "href": "https://www.vaultproject.io/docs/auth/login-mfa/faq" + } + ] + }, + { + "divider": true + }, { "title": "Glossary", "path": "glossary"
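Review bot: In website/content/docs/auth/login-mfa/faq.mdx the enforcement endpoint is spelled two ways: `identity/mfa/login-enforcement` in the new-endpoints answer and in the configuration table, but `identity/mfa/login_enforcement` in the last migration step. Settle on one spelling so readers do not copy a path that fails. The same file gives the Step-up path as `sys/mfa/method/:type/:/name` (stray slash before `name`), and migration step 1 calls the new field `user_name` while the earlier answer and the end of that same sentence call it `username_template`. The mechanism table also marks Login MFA Single-Phase as "N/A" even though its CLI/API cell says single-phase is selected by supplying the X-Vault-MFA header; one of the two cells needs correcting.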
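Review bot: In website/content/docs/auth/login-mfa/index.mdx, the re-indented Single-Phase Login paragraph still reads "the required MFA information is embeds in a login request"; since these lines are rewritten in this hunk anyway, change it to "is embedded". The two sample `curl` commands in the same hunk show only headers and the URL, with no request method or credentials payload, so it is worth checking whether they should show a complete login call.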
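Review bot: The new heading in website/content/docs/deprecation/faq.mdx is misspelled: `# Feature Deprecatoin FAQ` should be `# Feature Deprecation FAQ`. The context lines around it also carry "concering" in the description and "Pleaser refer" in the intro paragraph, which can be corrected in the same pass.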
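Review bot: In the rebuilt table in website/content/docs/deprecation/index.mdx, the new AAD Graph row gives End of Support as `1.11` while every other version cell uses the `v` prefix (`v1.10`, `v1.12`); make it `v1.11`. The rewritten Etcd row keeps "decomissioned" and "Vaut 1.10", and the Legacy MFA row says "Policy-based Enterprise MFA" where the Login MFA FAQ added in this patch calls the same feature "Step-up Enterprise MFA"; use one name across the docs.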
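Review bot: In website/content/docs/enterprise/license/faq.mdx the H1 becomes `# License FAQ`, but the front matter in the context lines still has `page_title: Frequently Asked Questions (FAQ)`, so the browser title stays generic while the heading is now page-specific. Update `page_title` to match. The client-count FAQ hunk has the same mismatch with `page_title: FAQ` against `# Client Count FAQ`.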
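Review bot: The new website/content/docs/faq/index.mdx tells readers they "can access a number of different FAQ pages" but its body contains no links to any of them, so the page only works through the sidebar. Add a short list linking the deprecation, license, client count and Login MFA FAQs. "new FAQ questions" in the last sentence is also redundant; "new questions" is enough.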
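Review bot: In website/data/docs-nav-data.json the new FAQ section links to the four FAQ pages with absolute `href` values on https://www.vaultproject.io, while the Login MFA entry added in the first hunk of this file uses a relative `path` (`auth/login-mfa/faq`). Absolute production URLs send a reader of any other build of the docs to the live site; is there a reason not to use site-relative links here? The entry titled "Feature Deprecation Notice and Plans" also points at `/docs/deprecation/faq`, so its title should say FAQ to match its target.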