Identity dupe resolution guide first draft

[banks]

Description

First draft of the Idenity duplicate resolution docs. The features described are not all merged yet but this document is so important we want to start getting feedback on it ASAP.

TODO only if you're a HashiCorp employee

• Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
  • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
• ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
  of a public function, even if that change is in a CE file, double check that
  applying the patch for this PR to the ENT repo and running tests doesn't
  break any tests. Sometimes ENT only tests rely on public functions in CE
  files.
• Jira: If this change has an associated Jira, it's referenced either
  in the PR description, commit message, or branch name.
• RFC: If this change has an associated RFC, please link it in the description.
• ENT PR: If this change has an associated ENT PR, please link it in the
  description. Also, make sure the changelog is in this PR, not in your ENT PR.

[digital-content-events]

📄 Content Checks

Updated: Tue, 07 Jan 2025 17:04:30 GMT

Found 3 error(s)

content/docs/upgrading/identity-deduplication.mdx

Position	Description	Rule
137:5-138:117	Unexpected fully-qualified link to developer.hashicorp.com: https://developer.hashicorp.com/vault/api-docs/secret/identity/entity-alias#delete-entity-alias-by-id. Replace with a relative path internal to Developer. Possibly: /vault/api-docs/secret/identity/entity-alias#delete-entity-alias-by-id.	ensure-valid-link-format
233:12-234:22	Unexpected folder-relative link found: . Ensure this link is an absolute Developer path.	ensure-valid-link-format

content/docs/upgrading/upgrade-to-1.19.x.mdx

Position	Description	Rule
58:55-58:75	Unexpected folder-relative link found: . Ensure this link is an absolute Developer path.	ensure-valid-link-format

[github-actions]

CI Results:
All Go tests succeeded! ✅

[digivava]

How about linking the word "identity" to the introductory identity docs page, so that people who come to this page from the 1.19 upgrade guide and aren't very familiar with entities/aliases/groups can do some initial reading to remind themselves what these things are first before they continue.

[digivava]

I assume this is meant to link to the other page and you mean to fill it in later, but here's a comment so you don't forget!

[digivava]

You explained the 1.19 changes/recommendations in this section in a simple and concise way, great job! 😀

Only recommendation I have is that I don't think we need this bold part because we already essentially say the same thing down below in the "also includes improved reporting" paragraph, or if you want to keep it, at least just moving it to inside or after that paragraph, so all mention of the server logs is in the same place.

Otherwise the bolded line coming first kind of looks like we're saying we've added identity duplicates to 1.19 as some kind of regression.

[digivava]

Y'know, I wrote this comment at the beginning of my review, and now I'm seeing it again after having read the rest of the doc, and I'm not sure I agree with my own recommendation. Choose what makes the most sense to you!

[digivava]

nit: clarity around "these" and "they" here--maybe:

"Having duplicates can cause unexpected behavior, as Vault expects there to be just one of an entity, alias, or group with a given name."

[digivava]

it's -> its

[digivava]

great callout! PR clusters would be easy to miss

[digivava]

nit: just because using "type" without a qualifier in the land of computers can be kinda unclear, I might slightly revise this to "... address each reported duplicate using the guidance specific to each duplicate type below"

(in this and the other spots that phrasing is used -- I won't be offended if you think "type-specific" is clear enough though)

[digivava]

Maybe you were already going to do this and just hadn't yet, but I recommend linking this to the Activating the flag heading you've got below so there's an immediate direction after people read it and go "wha, how do I do that though!"

[digivava]

Just a question: Feel free to take this offline as it's not related to this PR and probably more to my overall noobery, but I'm just curious what a canonical ID is vs the regular ID. In this example log line I was first trying to find the corresponding entity 7da7 and didn't realize it was the canonical_id I was supposed to be looking at, not the id.

Is there a way for users to query identity resources by canonical ID to inspect them, and see "aha, they're right, it's merged"? Or can you only query by id? I'm just curious from a UX perspective.

[digivava]

My guess is no, but is there not a way to make these h3-level headings show up on the right navigation sidebar?

[digivava]

I'll defer to what @schavis thinks but I think given the length of this page and that there's so many headings, most of which are worth being aware of and able to jump to quickly, I'd recommend doing the unorthodox thing of bumping the h2s to h1s, and h3s to h2s.

[digivava]

As in, because of potential increases in permissions that were given to one entity's policy but not the other? Is it worth spelling out somewhere (maybe we do, still reading) that activating the flag should be paired with a review of the policies that apply to the detected duplicates shown in the server logs?

[banks]

Yeah, this whole guide is basically trying to say what you said? The overview of the process at the start was my attempt at introducing the idea that you need to review the report first before using the feature but if that wasn't clear enough then I'll take another look.

[digivava]

Are this and the Terraform section only relevant to the previous section, and that's why it's a subsection? If it's relevant to all duplicate types, it may be best they're the same level of heading as the other "Resolving" ones.

[banks]

It was meant to be a subsection since this is the "detail" part of the more general overview directly above for those who are impacted... but open to feedback - the point you made about h3 headings not showing in the overview was something I noticed too and didn't love.

[digivava]

What happens to same-case entity alias duplicates? I don't see a section for that. Is it so simple that it can be covered right away before jumping into all these different-case scenarios? Or is there no such thing?

[banks]

Yeah I left it out because it's nuanced: basically those are already auto-merged. I've alluded to the alias merging in a few places but was kinda trying to avoid spelling out the complicated history of that here for brevity. I guess it's a natural question though so I'll see if I can work in a simple statement to indicate that they won't been found without going into the details.

[digivava]

Why is "will" italicized here?

[banks]

Originally because this is a list of "unexpected behavior" and this item on it's own is not unexpected it's more meant to clarify since the other forms of lookup don't work as expected. I think it might be better just to leave it out though.

[digivava]

What is IS in this context? Is this a typo for ID?

[banks]

A typo for ID 😄

[digivava]

know -> known

[digivava]

link missing to the section below

[digivava]

loose -> lose

[digivava]

"that has been reintroduced in more recent versions of Vault", right? (for clarity and a typo there)

[banks]

Good call! In this case it means "reintroduced when you activated the flag because that's what this flag does". But agree that's not obvious and I'll call it out.

[digivava]

I know it was said somewhere way up above, but once you write this part I think it might be good to make sure there's another warning here that this is a one-time thing, so they should review the resolution information for their relevant duplicate types above before activating the flag.