Add revoke-prefix changelog/website info

CHANGELOG.md

@@ -1,5 +1,29 @@
 ## 0.6.0 (Unreleased)
 
+SECURITY:
+
+ * Although `sys/revoke-prefix` was intended to revoke prefixes of secrets (via
+   lease IDs, which incorporate path information) and
+   `auth/token/revoke-prefix` was intended to revoke prefixes of tokens (using
+   the tokens' paths and, since 0.5.2, role information), in implementation
+   they both behaved exactly the same way since a single component in Vault is
+   responsible for managing lifetimes of both, and the type of the tracked
+   lifetime was not being checked. The end result was that either endpoint
+   could revoke both secret leases and tokens. We consider this a very minor
+   security issue as there are a number of mitigating factors: both endpoints
+   require `sudo` capability in addition to write capability, preventing
+   blanket ACL path globs from providing access; both work by using the prefix
+   to revoke as a part of the endpoint path, allowing them to be properly
+   ACL'd; and both are intended for emergency scenarios and users should
+   already not generally have access to either one. In order to prevent
+   confusion, we have simply removed `auth/token/revoke-prefix` in 0.6, and
+   `sys/revoke-prefix` will be meant for both leases and tokens instead.
+
+DEPRECATIONS/BREAKING CHANGES:
+
+ * `auth/token/revoke-prefix` has been removed. See the security notice for
+   details. [GH-1280]
+
 IMPROVEMENTS:
 
  * command/auth: Restore the previous authenticated token if the `auth` command

website/source/docs/http/sys-revoke-force.html.md

@@ -3,7 +3,7 @@ layout: "http"
 page_title: "HTTP API: /sys/revoke-force"
 sidebar_current: "docs-http-lease-revoke-force"
 description: |-
-  The `/sys/revoke-force` endpoint is used to revoke secrets based on prefix while ignoring backend errors.
+  The `/sys/revoke-force` endpoint is used to revoke secrets or tokens based on prefix while ignoring backend errors.
 ---
 
 # /sys/revoke-force
@@ -11,12 +11,12 @@ description: |-
 <dl>
   <dt>Description</dt>
   <dd>
-    Revoke all secrets generated under a given prefix immediately. Unlike
-    `/sys/revoke-prefix`, this path ignores backend errors encountered during
-    revocation. This is <i>potentially very dangerous</i> and should only be
-    used in specific emergency situations where errors in the backend or the
-    connected backend service prevent normal revocation. <i>By ignoring these
-    errors, Vault abdicates responsibility for ensuring that the issued
+    Revoke all secrets or tokens generated under a given prefix immediately.
+    Unlike `/sys/revoke-prefix`, this path ignores backend errors encountered
+    during revocation. This is <i>potentially very dangerous</i> and should
+    only be used in specific emergency situations where errors in the backend
+    or the connected backend service prevent normal revocation. <i>By ignoring
+    these errors, Vault abdicates responsibility for ensuring that the issued
     credentials or secrets are properly revoked and/or cleaned up. Access to
     this endpoint should be tightly controlled.</i>
   </dd>

website/source/docs/http/sys-revoke-prefix.html.md

@@ -3,7 +3,7 @@ layout: "http"
 page_title: "HTTP API: /sys/revoke-prefix"
 sidebar_current: "docs-http-lease-revoke-prefix"
 description: |-
-  The `/sys/revoke-prefix` endpoint is used to revoke secrets based on prefix.
+  The `/sys/revoke-prefix` endpoint is used to revoke secrets or tokens based on prefix.
 ---
 
 # /sys/revoke-prefix
@@ -11,7 +11,10 @@ description: |-
 <dl>
   <dt>Description</dt>
   <dd>
-    Revoke all secrets generated under a given prefix immediately.
+    Revoke all secrets (via a lease ID prefix) or tokens (via the tokens' path
+    property) generated under a given prefix immediately. This requires `sudo`
+    capability and access to it should be tightly controlled as it can be used
+    to revoke very large numbers of secrets/tokens at once.
   </dd>
 
   <dt>Method</dt>