From 827bb275bebc1fefb1079cb9dc0050fa2c7dbe27 Mon Sep 17 00:00:00 2001
From: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Date: Wed, 27 Sep 2023 13:31:00 -0700
Subject: [PATCH] [DOCS] Fix restricted endpoint info (#23333)
* Update restricted API list and alert tags
* Add CLI commands w/o public endpoints
---
.../api-docs/system/internal-counters.mdx | 10 +-
.../partials/api/restricted-endpoints.mdx | 109 +++++++++++-------
2 files changed, 73 insertions(+), 46 deletions(-)
diff --git a/website/content/api-docs/system/internal-counters.mdx b/website/content/api-docs/system/internal-counters.mdx
index 0f0a861c05..90243aad08 100644
--- a/website/content/api-docs/system/internal-counters.mdx
+++ b/website/content/api-docs/system/internal-counters.mdx
@@ -7,8 +7,6 @@ description: >-
# `/sys/internal/counters`
-@include 'alerts/restricted-root.mdx'
-
The `/sys/internal/counters` endpoints are used to return data about the number of Tokens and Entities in Vault. They return information for the entire cluster.
## Entities
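Review bot: removing the page-level `@include 'alerts/restricted-root.mdx'` here means the `## Entities` section, and any other endpoint on this page that does not get one of the per-endpoint includes added in the later hunks, no longer shows the restricted-root alert. That is consistent with the second file, where the `sys/internal/counters/*` wildcard row is replaced by four explicit paths (`activity`, `activity/monthly`, `config`, `activity/export`), but please confirm in the PR description that the remaining counters endpoints on this page are intentionally unrestricted rather than accidentally dropped from the list.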
@@ -331,6 +329,8 @@ is unknown.
This endpoint was added in Vault 1.6.
+@include 'alerts/restricted-root.mdx'
+
| Method | Path |
| :----- | :-------------------------------- |
| `GET` | `/sys/internal/counters/activity` |
@@ -733,6 +733,8 @@ loading of client data has completed.
This endpoint was added in Vault 1.7.
+@include 'alerts/restricted-root.mdx'
+
| Method | Path |
| :----- | :---------------------------------------- |
| `GET` | `/sys/internal/counters/activity/monthly` |
@@ -863,6 +865,8 @@ $ curl \
## Update the client count configuration
+@include 'alerts/restricted-root.mdx'
+
The `/sys/internal/counters/config` endpoint is used to configure logging of active clients.
| Method | Path |
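Review bot: the include is placed differently from the other three hunks in this file, which put `@include 'alerts/restricted-root.mdx'` after the "This endpoint was added in Vault 1.x." sentence and directly above the Method/Path table; here it sits between the `## Update the client count configuration` heading and the sentence describing `/sys/internal/counters/config`. Pick one position (alert immediately above the table, or immediately below the heading) and use it for all four endpoints so the rendered pages look the same.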
@@ -957,6 +961,8 @@ it may be up to 20 minutes delayed.
This endpoint was added in Vault 1.11.
+@include 'alerts/restricted-root.mdx'
+
| Method | Path |
| :----- | :---------------------------------------- |
| `GET` | `/sys/internal/counters/activity/export` |
diff --git a/website/content/partials/api/restricted-endpoints.mdx b/website/content/partials/api/restricted-endpoints.mdx
index 0a6e186763..8fbf80d87e 100644
--- a/website/content/partials/api/restricted-endpoints.mdx
+++ b/website/content/partials/api/restricted-endpoints.mdx
@@ -1,46 +1,67 @@
-API path | Root | Admin
-------------------------------------- | -------- | -----
-`sys/audit` | YES | NO
-`sys/audit-hash` | YES | YES
-`sys/config/auditing/*` | YES | NO
-`sys/config/cors` | YES | NO
-`sys/config/group-policy-application` | YES | NO
-`sys/config/reload` | YES | NO
-`sys/config/state` | YES | NO
-`sys/config/ui` | YES | NO
-`sys/decode-token` | YES | NO
-`sys/experiments` | YES | NO
-`sys/generate-recovery-token` | YES | NO
-`sys/generate-root` | YES | NO
-`sys/health` | YES | NO
-`sys/host-info` | YES | NO
-`sys/in-flight-req` | YES | NO
-`sys/init` | YES | NO
-`sys/internal/counters/*` | YES | NO
-`sys/internal/inspect/router/*` | YES | NO
-`sys/key-status` | YES | NO
-`sys/loggers` | YES | NO
-`sys/managed-keys/*` | YES | NO
-`sys/metrics` | YES | NO
-`sys/mfa/method/*` | YES | NO
-`sys/monitor` | YES | YES
-`sys/pprof` | YES | NO
-`sys/pprof/*` | YES | NO
-`sys/quotas/config` | YES | NO
-`sys/quotas/lease-count` | YES | NO
-`sys/quotas/rate-limit` | YES | NO
-`sys/raw` | YES | NO
-`sys/rekey/*` | YES | NO
-`sys/rekey-recovery-key` | YES | NO
-`sys/replication/recover` | YES | NO
-`sys/replication/reindex` | YES | NO
-`sys/replication/status` | YES | NO
-`sys/rotate` | YES | NO
-`sys/rotate/config` | YES | NO
-`sys/seal` | YES | NO
-`sys/sealwrap/rewrap` | YES | NO
-`sys/step-down` | YES | NO
-`sys/storage/*` | YES | NO
-`sys/unseal` | YES | NO
+
+ The CLI commands associated with restricted API paths are also restricted.
+
+
+API path | Root | Admin
+----------------------------------------- | ---- | -----
+`sys/audit` | YES | NO
+`sys/audit-hash/` | YES | YES
+`sys/config/auditing/*` | YES | NO
+`sys/config/cors` | YES | NO
+`sys/config/group-policy-application` | YES | NO
+`sys/config/reload` | YES | NO
+`sys/config/state` | YES | NO
+`sys/config/ui` | YES | NO
+`sys/decode-token` | YES | NO
+`sys/experiments` | YES | NO
+`sys/generate-recovery-token` | YES | NO
+`sys/generate-root` | YES | NO
+`sys/health` | YES | NO
+`sys/host-info` | YES | NO
+`sys/in-flight-req` | YES | NO
+`sys/init` | YES | NO
+`sys/internal/inspect/router` | YES | NO
+`sys/key-status` | YES | NO
+`sys/loggers` | YES | NO
+`sys/metrics` | YES | NO
+`sys/monitor` | YES | YES
+`sys/pprof` | YES | NO
+`sys/pprof/allocs` | YES | NO
+`sys/pprof/block` | YES | NO
+`sys/pprof/cmdline` | YES | NO
+`sys/pprof/goroutine` | YES | NO
+`sys/pprof/heap` | YES | NO
+`sys/pprof/mutex` | YES | NO
+`sys/pprof/profile` | YES | NO
+`sys/pprof/symbol` | YES | NO
+`sys/pprof/threadcreate` | YES | NO
+`sys/pprof/trace` | YES | NO
+`sys/quotas/config` | YES | NO
+`sys/quotas/lease-count` | YES | NO
+`sys/quotas/rate-limit` | YES | NO
+`sys/raw` | YES | NO
+`sys/rekey/*` | YES | NO
+`sys/rekey-recovery-key` | YES | NO
+`sys/replication` | YES | NO
+`sys/rotate` | YES | NO
+`sys/rotate/config` | YES | NO
+`sys/seal` | YES | NO
+`sys/sealwrap/rewrap` | YES | NO
+`sys/managed-keys/*` | YES | NO
+`sys/step-down` | YES | NO
+`sys/storage` | YES | NO
+`sys/unseal` | YES | NO
+`sys/internal/counters/activity` | YES | NO
+`sys/internal/counters/activity/monthly` | YES | NO
+`sys/internal/counters/config` | YES | NO
+`sys/internal/counters/activity/export` | YES | NO
+`sys/internal/inspect/router/*` | YES | NO
+`sys/mfa/method/*` | YES | NO
+
+Privileged CLI commands without public API endpoints:
+
+CLI command | Root | Admin
+----------------------- | ---- | -----
+`vault plugin runtime` | YES | NO
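Review bot: `sys/audit-hash/` (second data row of the new table) gained a trailing slash that the removed row `sys/audit-hash` and every other path in the table lack; this looks like a typo and should be `sys/audit-hash`. Three more points in this hunk: (1) `sys/internal/inspect/router` and `sys/internal/inspect/router/*` are now both listed, and the rows from `sys/internal/counters/activity` through `sys/mfa/method/*`, plus `sys/managed-keys/*`, are appended out of alphabetical order at the bottom, so drop the duplicate and re-sort, or say why the order changed; (2) `sys/replication/recover`, `sys/replication/reindex` and `sys/replication/status` collapse into a single `sys/replication` row, and `sys/storage/*` becomes `sys/storage`, which reads as a change in what is restricted rather than a wording fix, so the commit message should state whether the whole `sys/replication` tree is now restricted and whether `sys/storage` sub-paths still are; (3) the new intro line `+ The CLI commands associated with restricted API paths are also restricted.` has a stray leading space and two blank lines before the table, while `+Privileged CLI commands without public API endpoints:` has neither; align the spacing so the two sections render alike.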