backport of commit 6685565b7e (#23341)

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2025-11-02 03:27:54 +00:00 · 2023-09-27 16:41:03 -04:00
parent 97ea4969a0
commit 8835db2484
8 changed files with 37 additions and 3 deletions
--- a/website/content/api-docs/system/config-group-policy-application.mdx
+++ b/website/content/api-docs/system/config-group-policy-application.mdx
@@ -10,6 +10,17 @@ description: The '/sys/config/group-policy-application' endpoint is used to conf
@include 'alerts/restricted-root.mdx'
 <Warning>
  The group policy application mode only applies to ACL policies and no longer
  affects Vault sentinel role governing policies (RGPs) for the following Vault
  versions:
  - `1.15.0+`
  - `1.14.4+`
  - `1.13.8+`
 </Warning>
 The `sys/config/group-policy-application` endpoint can be used to configure the
 mode of policy application for identity groups in Vault. This setting dictates
 the behavior across all groups in all namespaces in Vault.
--- a/website/content/docs/enterprise/sentinel/index.mdx
+++ b/website/content/docs/enterprise/sentinel/index.mdx
@@ -87,15 +87,38 @@ a step-by-step instruction.
 </Tip>
-Consider the following scenario. 
+<Warning>
  As of the following versions, Vault only applies RPGs derived from identity
  group membership to entities in child namespaces:
  - `1.15.0+`
  - `1.14.4+`
  - `1.13.8+`
 </Warning>
 The scenarios below describe the relevant changes in more detail.
 #### Versions 1.15.0, 1.14.4, 1.13.8, and later
 The training namespace is a child namespace of the education namespace. The "Sun
 Shine" entity created in the training namespace is a member of the "Tester"
 group which is defined in the education namespace. The group members inherit the
 group-level policy.
 ![Relationship](/img/diagram-rgp-namespace-post-115_light.png#light-theme-only)
 ![Relationship](/img/diagram-rgp-namespace-post-115_dark.png#dark-theme-only)
 #### Versions 1.15.0-rc1, 1.14.3, 1.13.7, and earlier
 The training namespace is a child namespace of the education namespace. The "Sun
 Shine" entity created in the education namespace is a member of the "Tester"
 group which is defined in the training namespace. The group members inherit the
 group-level policy.
-![Relationship](/img/diagram-rgp-namespace_light.png#light-theme-only)
+![Relationship](/img/diagram-rgp-namespace-pre-115_light.png#light-theme-only)
-![Relationship](/img/diagram-rgp-namespace_dark.png#dark-theme-only)
+![Relationship](/img/diagram-rgp-namespace-pre-115_dark.png#dark-theme-only)
 While ACL policies and EGPs set rules on a specific path, an RGP does not
 specify a target path. RGPs are tied to tokens, identity entities, or identity
--- a/website/public/img/diagram-rgp-namespace-post-115_dark.png
+++ b/website/public/img/diagram-rgp-namespace-post-115_dark.png
--- a/website/public/img/diagram-rgp-namespace-post-115_light.png
+++ b/website/public/img/diagram-rgp-namespace-post-115_light.png
--- a/website/public/img/diagram-rgp-namespace-pre-115_dark.png
+++ b/website/public/img/diagram-rgp-namespace-pre-115_dark.png
--- a/website/public/img/diagram-rgp-namespace-pre-115_light.png
+++ b/website/public/img/diagram-rgp-namespace-pre-115_light.png
--- a/website/public/img/diagram-rgp-namespace_dark.png
+++ b/website/public/img/diagram-rgp-namespace_dark.png
--- a/website/public/img/diagram-rgp-namespace_light.png
+++ b/website/public/img/diagram-rgp-namespace_light.png