From 0fec3965e1ddd8ae5bb244614cf62884e1696f0d Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Thu, 8 Mar 2018 15:47:47 -0500 Subject: [PATCH] Update text around default policy to make it clear that it is user-modifiable --- website/source/docs/concepts/policies.html.md | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/website/source/docs/concepts/policies.html.md b/website/source/docs/concepts/policies.html.md index eaffadb2e1..6573db38dc 100644 --- a/website/source/docs/concepts/policies.html.md +++ b/website/source/docs/concepts/policies.html.md @@ -368,9 +368,9 @@ wrapping mandatory for a particular path. wrapped response. If both are specified, the minimum value must be less than the maximum. In -addition, if paths are merged from different stanzas, the lowest value specified -for each is the value that will result, in line with the idea of keeping token -lifetimes as short as possible. +addition, if paths are merged from different stanzas, the lowest value +specified for each is the value that will result, in line with the idea of +keeping token lifetimes as short as possible. ## Builtin Policies 
@@ -379,10 +379,17 @@ the two builtin policies. ### Default Policy -The `default` policy is a builtin Vault policy that cannot be modified or -removed. By default, it is attached to all tokens, but may be explicitly -detached at creation time. The policy contains basic functionality such as the -ability for the token to lookup data about itself and to use its cubbyhole data. +The `default` policy is a builtin Vault policy that cannot be removed. By +default, it is attached to all tokens, but may be explicitly excluded at token +creation time by supporting authentication methods. + +The policy contains basic functionality such as the ability for the token to +look up data about itself and to use its cubbyhole data. However, Vault is not +proscriptive about its contents. It can be modified to suit your needs; Vault +will never overwrite your modifications. If you want to stay up-to-date with +the latest upstream version of the `default` policy, simply read the contents +of the policy from an up-to-date `dev` server, and write those contents into +your Vault's `default` policy. To view all permissions granted by the default policy on your Vault installation, run:
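Review bot: In the first hunk (@@ -368,9 +368,9 @@), the three changed lines of the "If both are specified" paragraph are only re-wrapped and no wording changes, which is unrelated to the subject line about the default policy. Consider dropping the re-wrap from this patch or sending it as a separate whitespace-only commit so the diff for the policy text stays easy to review.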
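Review bot: In the second hunk (@@ -379,10 +379,17 @@), the added sentence "However, Vault is not proscriptive about its contents" looks like the wrong word: "proscriptive" means forbidding, and the sense needed here is "prescriptive". Two further points on the same added paragraph. The instruction to read the policy from an up-to-date `dev` server and write those contents into your Vault's `default` policy would replace the local modifications that the preceding sentence says Vault never overwrites, so the text should tell readers to merge the upstream contents with their own changes rather than write them over. And because the first paragraph states the policy is attached to all tokens by default, it is worth one sentence saying that anything added to `default` is granted to every token that carries it, so additions should be kept minimal. The phrase "by supporting authentication methods" is also ambiguous; "by authentication methods that support it" reads more clearly.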