removed administrative namespace path references (#2300)

Signed-off-by: Wojciech Slabosz <wojciech.slabosz@sap.com>

command/server.go

@@ -1290,9 +1290,6 @@ func (c *ServerCommand) Run(args []string) int {
 	infoKeys = append(infoKeys, "go version")
 	info["go version"] = runtime.Version()
 
-	infoKeys = append(infoKeys, "administrative namespace")
-	info["administrative namespace"] = config.AdministrativeNamespacePath
-
 	sort.Strings(infoKeys)
 	c.UI.Output("==> OpenBao server configuration:\n")
 
@@ -2733,7 +2730,6 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
 		SecureRandomReader:             secureRandomReader,
 		EnableResponseHeaderHostname:   config.EnableResponseHeaderHostname,
 		EnableResponseHeaderRaftNodeID: config.EnableResponseHeaderRaftNodeID,
-		AdministrativeNamespacePath:    config.AdministrativeNamespacePath,
 		UnsafeCrossNamespaceIdentity:   config.UnsafeCrossNamespaceIdentity,
 	}
 

command/server/config.go

@@ -655,11 +655,6 @@ func (c *Config) Merge(c2 *Config) *Config {
 		}
 	}
 
-	result.AdministrativeNamespacePath = c.AdministrativeNamespacePath
-	if c2.AdministrativeNamespacePath != "" {
-		result.AdministrativeNamespacePath = c2.AdministrativeNamespacePath
-	}
-
 	if len(c.Initialization) > 0 || len(c2.Initialization) > 0 {
 		result.Initialization = make([]*profiles.OuterConfig, len(c.Initialization)+len(c2.Initialization))
 		copy(result.Initialization[0:len(c.Initialization)], c.Initialization)

command/server/config_test.go

@@ -62,12 +62,6 @@ func TestParseStorage(t *testing.T) {
 	testParseStorageTemplate(t)
 }
 
-// TestConfigWithAdministrativeNamespace tests that .hcl and .json configurations are correctly parsed when the administrative_namespace_path is present.
-func TestConfigWithAdministrativeNamespace(t *testing.T) {
-	testConfigWithAdministrativeNamespaceHcl(t)
-	testConfigWithAdministrativeNamespaceJson(t)
-}
-
 func TestUnknownFieldValidation(t *testing.T) {
 	testUnknownFieldValidation(t)
 }

command/server/config_test_helpers.go

@@ -517,28 +517,6 @@ func testUnknownFieldValidationHcl(t *testing.T) {
 	}
 }
 
-// testConfigWithAdministrativeNamespaceJson tests that a config with a valid administrative namespace path is correctly validated and loaded.
-func testConfigWithAdministrativeNamespaceJson(t *testing.T) {
-	config, err := LoadConfigFile("./test-fixtures/config_with_valid_admin_ns.json", nil)
-	require.NoError(t, err)
-
-	configErrors := config.Validate("./test-fixtures/config_with_valid_admin_ns.json")
-	require.Empty(t, configErrors)
-
-	require.NotEmpty(t, config.AdministrativeNamespacePath)
-}
-
-// testConfigWithAdministrativeNamespaceHcl tests that a config with a valid administrative namespace path is correctly validated and loaded.
-func testConfigWithAdministrativeNamespaceHcl(t *testing.T) {
-	config, err := LoadConfigFile("./test-fixtures/config_with_valid_admin_ns.hcl", nil)
-	require.NoError(t, err)
-
-	configErrors := config.Validate("./test-fixtures/config_with_valid_admin_ns.hcl")
-	require.Empty(t, configErrors)
-
-	require.NotEmpty(t, config.AdministrativeNamespacePath)
-}
-
 func testLoadConfigFile_json(t *testing.T) {
 	config, err := LoadConfigFile("./test-fixtures/config.hcl.json", nil)
 	if err != nil {
@@ -786,7 +764,6 @@ func testConfig_Sanitized(t *testing.T) {
 			"num_lease_metrics_buckets":              168,
 			"add_lease_metrics_namespace_labels":     false,
 		},
-		"administrative_namespace_path":   "admin/",
 		"imprecise_lease_role_tracking":   false,
 		"unsafe_cross_namespace_identity": false,
 		"unsafe_allow_api_audit_creation": false,

command/server/test-fixtures/config3.hcl

@@ -53,5 +53,4 @@ cluster_name = "testcluster"
 pid_file = "./pidfile"
 raw_storage_endpoint = true
 disable_sealwrap = true
-disable_sentinel_trace = true
-administrative_namespace_path = "admin/"
+disable_sentinel_trace = true

command/server/test-fixtures/config_with_valid_admin_ns.hcl

@@ -1,19 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-storage "raft" {
-  path = "/path/to/raft"
-  node_id = "raft_node_1"
-}
-listener "tcp" {
-  address       = "127.0.0.1:8200"
-  tls_cert_file = "/path/to/cert.pem"
-  tls_key_file  = "/path/to/key.key"
-}
-seal "awskms" {
-  kms_key_id       = "alias/kms-unseal-key"
-}
-service_registration "consul" {
-  address       = "127.0.0.1:8500"
-}
-administrative_namespace_path = "admin/"

command/server/test-fixtures/config_with_valid_admin_ns.json

@@ -1,28 +0,0 @@
-{
-  "listener": {
-    "tcp": {
-      "address": "0.0.0.0:8200",
-      "tls_cert_file": "/path/to/cert.pem",
-      "tls_key_file": "/path/to/key.key"
-    }
-  },
-  "seal": {
-    "awskms": {
-      "kms_key_id": "alias/kms-unseal-key"
-    }
-  },
-  "storage": {
-    "raft": {
-      "path": "/path/to/raft",
-      "node_id": "raft_node_1"
-    }
-  },
-  "cluster_addr": "http://127.0.0.1:8201",
-  "api_addr": "http://127.0.0.1:8200",
-  "service_registration": {
-    "consul": {
-      "address": "127.0.0.1:8500"
-    }
-  },
-  "administrative_namespace_path": "admin/"
-}

http/sys_config_state_test.go

@@ -172,7 +172,6 @@ func TestSysConfigState_Sanitized(t *testing.T) {
 					},
 				},
 				"storage":                         tc.expectedStorageOutput,
-				"administrative_namespace_path":   "",
 				"imprecise_lease_role_tracking":   false,
 				"unsafe_cross_namespace_identity": false,
 				"unsafe_allow_api_audit_creation": false,

internalshared/configutil/config.go

@@ -56,8 +56,6 @@ type SharedConfig struct {
 	PidFile string `hcl:"pid_file"`
 
 	ClusterName string `hcl:"cluster_name"`
-
-	AdministrativeNamespacePath string `hcl:"administrative_namespace_path"`
 }
 
 func ParseConfig(d string) (*SharedConfig, error) {
@@ -155,12 +153,11 @@ func (c *SharedConfig) Sanitized() map[string]interface{} {
 	}
 
 	result := map[string]interface{}{
-		"default_max_request_duration":  c.DefaultMaxRequestDuration,
-		"log_level":                     c.LogLevel,
-		"log_format":                    c.LogFormat,
-		"pid_file":                      c.PidFile,
-		"cluster_name":                  c.ClusterName,
-		"administrative_namespace_path": c.AdministrativeNamespacePath,
+		"default_max_request_duration": c.DefaultMaxRequestDuration,
+		"log_level":                    c.LogLevel,
+		"log_format":                   c.LogFormat,
+		"pid_file":                     c.PidFile,
+		"cluster_name":                 c.ClusterName,
 	}
 
 	// Optional log related settings

sdk/helper/testcluster/docker/environment.go

@@ -651,8 +651,6 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 	vaultCfg["api_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8200`
 	vaultCfg["cluster_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8201`
 
-	vaultCfg["administrative_namespace_path"] = opts.AdministrativeNamespacePath
-
 	systemJSON, err := json.Marshal(vaultCfg)
 	if err != nil {
 		return err

sdk/helper/testcluster/types.go

@@ -94,15 +94,14 @@ type ClusterJson struct {
 }
 
 type ClusterOptions struct {
-	ClusterName                 string
-	KeepStandbysSealed          bool
-	SkipInit                    bool
-	CACert                      []byte
-	NumCores                    int
-	TmpDir                      string
-	Logger                      hclog.Logger
-	VaultNodeConfig             *VaultNodeConfig
-	AdministrativeNamespacePath string
+	ClusterName        string
+	KeepStandbysSealed bool
+	SkipInit           bool
+	CACert             []byte
+	NumCores           int
+	TmpDir             string
+	Logger             hclog.Logger
+	VaultNodeConfig    *VaultNodeConfig
 }
 
 type CA struct {

vault/core.go

@@ -802,10 +802,6 @@ type CoreConfig struct {
 
 	ExpirationRevokeRetryBase time.Duration
 
-	// AdministrativeNamespacePath is used to configure the administrative namespace, which has access to some sys endpoints that are
-	// only accessible in the root namespace, currently sys/audit-hash and sys/monitor.
-	AdministrativeNamespacePath string
-
 	NumRollbackWorkers int
 
 	// UnsafeCrossNamespaceIdentity is used to comply with Vault Enterprise's

vault/testing.go

@@ -197,7 +197,6 @@ func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core {
 	conf.DisableSSCTokens = opts.DisableSSCTokens
 	conf.PluginDirectory = opts.PluginDirectory
 	conf.DetectDeadlocks = opts.DetectDeadlocks
-	conf.AdministrativeNamespacePath = opts.AdministrativeNamespacePath
 	conf.ImpreciseLeaseRoleTracking = opts.ImpreciseLeaseRoleTracking
 	conf.UnsafeCrossNamespaceIdentity = opts.UnsafeCrossNamespaceIdentity
 
@@ -1540,7 +1539,6 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 		coreConfig.DisableSentinelTrace = base.DisableSentinelTrace
 		coreConfig.ClusterName = base.ClusterName
 		coreConfig.DisableAutopilot = base.DisableAutopilot
-		coreConfig.AdministrativeNamespacePath = base.AdministrativeNamespacePath
 		coreConfig.ServiceRegistration = base.ServiceRegistration
 		coreConfig.ImpreciseLeaseRoleTracking = base.ImpreciseLeaseRoleTracking
 

website/content/docs/concepts/namespaces/index.mdx

@@ -76,7 +76,7 @@ policies for a child namespace might reference entities or groups from the paren
 namespace. Parent namespaces can also **assert** policies on identities within
 a child namespace. 
 
-## Delegation and administrative namespaces
+## Delegation and namespace administrators
 
 OpenBao system administrators can assign administration rights to delegate
 admins to allow teams to self-manage their namespace. In addition to basic