update OpenAPI output to use DisplayAttributes struct (#6928)

builtin/credential/github/path_config.go

@@ -25,17 +25,24 @@ func pathConfig(b *backend) *framework.Path {
 				Description: `The API endpoint to use. Useful if you
 are running GitHub Enterprise or an
 API-compatible authentication server.`,
-				DisplayName: "Base URL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "Base URL",
+					Group: "GitHub Options",
+				},
 			},
 			"ttl": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: `Duration after which authentication will be expired`,
-				DisplayName: "TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "TTL",
+				},
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: `Maximum duration after which authentication will be expired`,
-				DisplayName: "Max TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Max TTL",
+				},
 			},
 		},
 

builtin/credential/ldap/path_groups.go

@@ -19,6 +19,9 @@ func pathGroupsList(b *backend) *framework.Path {
 
 		HelpSynopsis:    pathGroupHelpSyn,
 		HelpDescription: pathGroupHelpDesc,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Navigation: true,
+		},
 	}
 }
 

builtin/credential/ldap/path_users.go

@@ -20,6 +20,9 @@ func pathUsersList(b *backend) *framework.Path {
 
 		HelpSynopsis:    pathUserHelpSyn,
 		HelpDescription: pathUserHelpDesc,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Navigation: true,
+		},
 	}
 }
 

builtin/credential/okta/path_config.go

@@ -30,7 +30,9 @@ func pathConfig(b *backend) *framework.Path {
 			"org_name": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "Name of the organization to be used in the Okta API.",
-				DisplayName: "Organization Name",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Organization Name",
+				},
 			},
 			"token": &framework.FieldSchema{
 				Type:        framework.TypeString,
@@ -40,12 +42,16 @@ func pathConfig(b *backend) *framework.Path {
 			"api_token": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "Okta API key.",
-				DisplayName: "API Token",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "API Token",
+				},
 			},
 			"base_url": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`,
-				DisplayName: "Base URL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Base URL",
+				},
 			},
 			"production": &framework.FieldSchema{
 				Type:        framework.TypeBool,
@@ -55,15 +61,23 @@ func pathConfig(b *backend) *framework.Path {
 			"ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: `Duration after which authentication will be expired`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "TTL",
+				},
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: `Maximum duration after which authentication will be expired`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Max TTL",
+				},
 			},
 			"bypass_okta_mfa": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
-				DisplayName: "Bypass Okta MFA",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Bypass Okta MFA",
+				},
 			},
 		},
 

builtin/credential/radius/path_config.go

@@ -15,13 +15,18 @@ func pathConfig(b *backend) *framework.Path {
 			"host": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "RADIUS server host",
-				DisplayName: "Host",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Host",
+				},
 			},
 
 			"port": &framework.FieldSchema{
 				Type:        framework.TypeInt,
 				Default:     1812,
 				Description: "RADIUS server port (default: 1812)",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: 1812,
+				},
 			},
 			"secret": &framework.FieldSchema{
 				Type:        framework.TypeString,
@@ -31,29 +36,42 @@ func pathConfig(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Default:     "",
 				Description: "Comma-separated list of policies to grant upon successful RADIUS authentication of an unregisted user (default: empty)",
-				DisplayName: "Policies for unregistered users",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Policies for unregistered users",
+				},
 			},
 			"dial_timeout": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Default:     10,
 				Description: "Number of seconds before connect times out (default: 10)",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: 10,
+				},
 			},
 			"read_timeout": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Default:     10,
 				Description: "Number of seconds before response times out (default: 10)",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: 10,
+				},
 			},
 			"nas_port": &framework.FieldSchema{
 				Type:        framework.TypeInt,
 				Default:     10,
 				Description: "RADIUS NAS port field (default: 10)",
-				DisplayName: "NAS Port",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "NAS Port",
+					Value: 10,
+				},
 			},
 			"nas_identifier": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Default:     "",
 				Description: "RADIUS NAS Identifier field (optional)",
-				DisplayName: "NAS Identifier",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "NAS Identifier",
+				},
 			},
 		},
 

builtin/logical/aws/path_roles.go

@@ -41,7 +41,9 @@ func pathRoles(b *backend) *framework.Path {
 			"name": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "Name of the policy",
-				DisplayName: "Policy Name",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Policy Name",
+				},
 			},
 
 			"credential_type": &framework.FieldSchema{
@@ -52,13 +54,17 @@ func pathRoles(b *backend) *framework.Path {
 			"role_arns": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is " + assumedRoleCred,
-				DisplayName: "Role ARNs",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Role ARNs",
+				},
 			},
 
 			"policy_arns": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: "ARNs of AWS policies to attach to IAM users. Only valid when credential_type is " + iamUserCred,
-				DisplayName: "Policy ARNs",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Policy ARNs",
+				},
 			},
 
 			"policy_document": &framework.FieldSchema{
@@ -73,13 +79,17 @@ GetFederationToken API call, acting as a filter on permissions available.`,
 			"default_sts_ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: fmt.Sprintf("Default TTL for %s and %s credential types when no TTL is explicitly requested with the credentials", assumedRoleCred, federationTokenCred),
-				DisplayName: "Default TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Default TTL",
+				},
 			},
 
 			"max_sts_ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: fmt.Sprintf("Max allowed TTL for %s and %s credential types", assumedRoleCred, federationTokenCred),
-				DisplayName: "Max TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Max TTL",
+				},
 			},
 
 			"arn": &framework.FieldSchema{
@@ -98,7 +108,10 @@ or IAM role to assume`,
 			"user_path": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: "Path for IAM User. Only valid when credential_type is " + iamUserCred,
-				DisplayName: "User Path",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "User Path",
+					Value: "/",
+				},
 				Default: "/",
 			},
 		},

builtin/logical/pki/fields.go

@@ -11,7 +11,9 @@ func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[s
 		Description: `If true, the Common Name will not be
 included in DNS or Email Subject Alternate Names.
 Defaults to false (CN is included).`,
-		DisplayName: "Exclude Common Name from Subject Alternative Names (SANs)",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Exclude Common Name from Subject Alternative Names (SANs)",
+		},
 	}
 
 	fields["format"] = &framework.FieldSchema{
@@ -22,6 +24,9 @@ or "pem_bundle". If "pem_bundle" any private
 key and issuing cert will be appended to the
 certificate pem. Defaults to "pem".`,
 		AllowedValues: []interface{}{"pem", "der", "pem_bundle"},
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: "pem",
+		},
 	}
 
 	fields["private_key_format"] = &framework.FieldSchema{
@@ -34,27 +39,36 @@ However, this can be set to "pkcs8" to have the returned
 private key contain base64-encoded pkcs8 or PEM-encoded
 pkcs8 instead. Defaults to "der".`,
 		AllowedValues: []interface{}{"", "der", "pem", "pkcs8"},
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: "der",
+		},
 	}
 
 	fields["ip_sans"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `The requested IP SANs, if any, in a
 comma-delimited list`,
-		DisplayName: "IP Subject Alternative Names (SANs)",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "IP Subject Alternative Names (SANs)",
+		},
 	}
 
 	fields["uri_sans"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `The requested URI SANs, if any, in a
 comma-delimited list.`,
-		DisplayName: "URI Subject Alternative Names (SANs)",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "URI Subject Alternative Names (SANs)",
+		},
 	}
 
 	fields["other_sans"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `Requested other SANs, in an array with the format
 <oid>;UTF8:<utf8 string value> for each entry.`,
-		DisplayName: "Other SANs",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Other SANs",
+		},
 	}
 
 	return fields
@@ -85,7 +99,9 @@ in the role, this may be an email address.`,
 in a comma-delimited list. If email protection
 is enabled for the role, this may contain
 email addresses.`,
-		DisplayName: "DNS/Email Subject Alternative Names (SANs)",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "DNS/Email Subject Alternative Names (SANs)",
+		},
 	}
 
 	fields["serial_number"] = &framework.FieldSchema{
@@ -102,7 +118,9 @@ sets the expiration date. If not specified
 the role default, backend default, or system
 default TTL is used, in that order. Cannot
 be larger than the role max TTL.`,
-		DisplayName: "TTL",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "TTL",
+		},
 	}
 
 	return fields
@@ -118,7 +136,9 @@ func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*fra
 		Description: `The requested Subject Alternative Names, if any,
 in a comma-delimited list. May contain both
 DNS names and email addresses.`,
-		DisplayName: "DNS/Email Subject Alternative Names (SANs)",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "DNS/Email Subject Alternative Names (SANs)",
+		},
 	}
 
 	fields["common_name"] = &framework.FieldSchema{
@@ -140,14 +160,18 @@ be larger than the mount max TTL. Note:
 this only has an effect when generating
 a CA cert or signing a CA cert, not when
 generating a CSR for an intermediate CA.`,
-		DisplayName: "TTL",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "TTL",
+		},
 	}
 
 	fields["ou"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `If set, OU (OrganizationalUnit) will be set to
 this value.`,
-		DisplayName: "OU (Organizational Unit)",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "OU (Organizational Unit)",
+		},
 	}
 
 	fields["organization"] = &framework.FieldSchema{
@@ -166,28 +190,36 @@ this value.`,
 		Type: framework.TypeCommaStringSlice,
 		Description: `If set, Locality will be set to
 this value.`,
-		DisplayName: "Locality/City",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Locality/City",
+		},
 	}
 
 	fields["province"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `If set, Province will be set to
 this value.`,
-		DisplayName: "Province/State",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Province/State",
+		},
 	}
 
 	fields["street_address"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `If set, Street Address will be set to
 this value.`,
-		DisplayName: "Street Address",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Street Address",
+		},
 	}
 
 	fields["postal_code"] = &framework.FieldSchema{
 		Type: framework.TypeCommaStringSlice,
 		Description: `If set, Postal Code will be set to
 this value.`,
-		DisplayName: "Postal Code",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Postal Code",
+		},
 	}
 
 	fields["serial_number"] = &framework.FieldSchema{
@@ -217,6 +249,9 @@ the private key!`,
 		Description: `The number of bits to use. You will almost
 certainly want to change this if you adjust
 the key_type.`,
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: 2048,
+		},
 	}
 
 	fields["key_type"] = &framework.FieldSchema{
@@ -225,6 +260,9 @@ the key_type.`,
 		Description: `The type of key to use; defaults to RSA. "rsa"
 and "ec" are the only valid values.`,
 		AllowedValues: []interface{}{"rsa", "ec"},
+		DisplayAttrs: &framework.DisplayAttributes{
+			Value: "rsa",
+		},
 	}
 	return fields
 }
@@ -241,7 +279,9 @@ func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*fram
 	fields["permitted_dns_domains"] = &framework.FieldSchema{
 		Type:        framework.TypeCommaStringSlice,
 		Description: `Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).`,
-		DisplayName: "Permitted DNS Domains",
+		DisplayAttrs: &framework.DisplayAttributes{
+			Name: "Permitted DNS Domains",
+		},
 	}
 
 	return fields

builtin/logical/pki/path_roles.go

@@ -48,13 +48,17 @@ func pathRoles(b *backend) *framework.Path {
 requested. The lease duration controls the expiration
 of certificates issued by this backend. Defaults to
 the value of max_ttl.`,
-				DisplayName: "TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "TTL",
+				},
 			},
 
 			"max_ttl": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Description: "The maximum allowed lease duration",
-				DisplayName: "Max TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Max TTL",
+				},
 			},
 
 			"allow_localhost": &framework.FieldSchema{
@@ -62,6 +66,9 @@ the value of max_ttl.`,
 				Default: true,
 				Description: `Whether to allow "localhost" as a valid common
 name in a request`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: true,
+				},
 			},
 
 			"allowed_domains": &framework.FieldSchema{
@@ -108,6 +115,9 @@ information.`,
 				Default: true,
 				Description: `If set, only valid host names are allowed for
 CN and SANs. Defaults to true.`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: true,
+				},
 			},
 
 			"allow_ip_sans": &framework.FieldSchema{
@@ -115,20 +125,27 @@ CN and SANs. Defaults to true.`,
 				Default: true,
 				Description: `If set, IP Subject Alternative Names are allowed.
 Any valid IP is accepted.`,
-				DisplayName: "Allow IP Subject Alternative Names",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "Allow IP Subject Alternative Names",
+					Value: true,
+				},
 			},
 
 			"allowed_uri_sans": &framework.FieldSchema{
 				Type: framework.TypeCommaStringSlice,
 				Description: `If set, an array of allowed URIs to put in the URI Subject Alternative Names.
 Any valid URI is accepted, these values support globbing.`,
-				DisplayName: "Allowed URI Subject Alternative Names",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Allowed URI Subject Alternative Names",
+				},
 			},
 
 			"allowed_other_sans": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: `If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format <oid>;<type>:<value>. Currently only "utf8" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single "*" which allows any OID and any value (but type must still be utf8).`,
-				DisplayName: "Allowed Other Subject Alternative Names",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Allowed Other Subject Alternative Names",
+				},
 			},
 
 			"allowed_serial_numbers": &framework.FieldSchema{
@@ -141,6 +158,9 @@ Any valid URI is accepted, these values support globbing.`,
 				Default: true,
 				Description: `If set, certificates are flagged for server auth use.
 Defaults to true.`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: true,
+				},
 			},
 
 			"client_flag": &framework.FieldSchema{
@@ -148,6 +168,9 @@ Defaults to true.`,
 				Default: true,
 				Description: `If set, certificates are flagged for client auth use.
 Defaults to true.`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: true,
+				},
 			},
 
 			"code_signing_flag": &framework.FieldSchema{
@@ -187,7 +210,9 @@ https://golang.org/pkg/crypto/x509/#KeyUsage
 -- simply drop the "KeyUsage" part of the name.
 To remove all key usages from being set, set
 this value to an empty list.`,
-				DisplayValue: "DigitalSignature,KeyAgreement,KeyEncipherment",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: "DigitalSignature,KeyAgreement,KeyEncipherment",
+				},
 			},
 
 			"ext_key_usage": &framework.FieldSchema{
@@ -198,13 +223,17 @@ https://golang.org/pkg/crypto/x509/#ExtKeyUsage
 -- simply drop the "ExtKeyUsage" part of the name.
 To remove all key usages from being set, set
 this value to an empty list.`,
-				DisplayName: "Extended Key Usage",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Extended Key Usage",
+				},
 			},
 
 			"ext_key_usage_oids": &framework.FieldSchema{
 				Type:        framework.TypeCommaStringSlice,
 				Description: `A comma-separated string or list of extended key usage oids.`,
-				DisplayName: "Extended Key Usage OIDs",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Extended Key Usage OIDs",
+				},
 			},
 
 			"use_csr_common_name": &framework.FieldSchema{
@@ -214,7 +243,10 @@ this value to an empty list.`,
 the common name in the CSR will be used. This
 does *not* include any requested Subject Alternative
 Names. Defaults to true.`,
-				DisplayName: "Use CSR Common Name",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "Use CSR Common Name",
+					Value: true,
+				},
 			},
 
 			"use_csr_sans": &framework.FieldSchema{
@@ -223,14 +255,19 @@ Names. Defaults to true.`,
 				Description: `If set, when used with a signing profile,
 the SANs in the CSR will be used. This does *not*
 include the Common Name (cn). Defaults to true.`,
-				DisplayName: "Use CSR Subject Alternative Names",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name:  "Use CSR Subject Alternative Names",
+					Value: true,
+				},
 			},
 
 			"ou": &framework.FieldSchema{
 				Type: framework.TypeCommaStringSlice,
 				Description: `If set, OU (OrganizationalUnit) will be set to
 this value in certificates issued by this role.`,
-				DisplayName: "Organizational Unit",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Organizational Unit",
+				},
 			},
 
 			"organization": &framework.FieldSchema{
@@ -249,14 +286,18 @@ this value in certificates issued by this role.`,
 				Type: framework.TypeCommaStringSlice,
 				Description: `If set, Locality will be set to
 this value in certificates issued by this role.`,
-				DisplayName: "Locality/City",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Locality/City",
+				},
 			},
 
 			"province": &framework.FieldSchema{
 				Type: framework.TypeCommaStringSlice,
 				Description: `If set, Province will be set to
 this value in certificates issued by this role.`,
-				DisplayName: "Province/State",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Province/State",
+				},
 			},
 
 			"street_address": &framework.FieldSchema{
@@ -299,7 +340,9 @@ for "generate_lease".`,
 				Type:        framework.TypeBool,
 				Default:     true,
 				Description: `If set to false, makes the 'common_name' field optional while generating a certificate.`,
-				DisplayName: "Use CSR Common Name",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Require Common Name",
+				},
 			},
 
 			"policy_identifiers": &framework.FieldSchema{
@@ -310,12 +353,17 @@ for "generate_lease".`,
 			"basic_constraints_valid_for_non_ca": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Description: `Mark Basic Constraints valid when issuing non-CA certificates.`,
-				DisplayName: "Basic Constraints Valid for Non-CA",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Basic Constraints Valid for Non-CA",
+				},
 			},
 			"not_before_duration": &framework.FieldSchema{
 				Type:        framework.TypeDurationSecond,
 				Default:     30,
 				Description: `The duration before now the cert needs to be created / signed.`,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: 30,
+				},
 			},
 		},
 

builtin/logical/ssh/path_roles.go

@@ -93,7 +93,9 @@ func pathRoles(b *backend) *framework.Path {
 				credential is being generated for other users, Vault uses this admin
 				username to login to remote host and install the generated credential
 				for the other user.`,
-				DisplayName: "Admin Username",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Admin Username",
+				},
 			},
 			"default_user": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -102,7 +104,9 @@ func pathRoles(b *backend) *framework.Path {
 				Default username for which a credential will be generated.
 				When the endpoint 'creds/' is used without a username, this
 				value will be used as default username.`,
-				DisplayName: "Default Username",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Default Username",
+				},
 			},
 			"cidr_list": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -110,7 +114,9 @@ func pathRoles(b *backend) *framework.Path {
 				[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type]
 				Comma separated list of CIDR blocks for which the role is applicable for.
 				CIDR blocks can belong to more than one role.`,
-				DisplayName: "CIDR List",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "CIDR List",
+				},
 			},
 			"exclude_cidr_list": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -119,7 +125,9 @@ func pathRoles(b *backend) *framework.Path {
 				Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not
 				accepted by the role. This is particularly useful when big CIDR blocks are being used
 				by the role and certain parts of it needs to be kept out.`,
-				DisplayName: "Exclude CIDR List",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Exclude CIDR List",
+				},
 			},
 			"port": &framework.FieldSchema{
 				Type: framework.TypeInt,
@@ -129,7 +137,9 @@ func pathRoles(b *backend) *framework.Path {
 				play any role in creation of OTP. For 'otp' type, this is just a way
 				to inform client about the port number to use. Port number will be
 				returned to client by Vault server along with OTP.`,
-				DisplayValue: 22,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: 22,
+				},
 			},
 			"key_type": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -138,7 +148,9 @@ func pathRoles(b *backend) *framework.Path {
 				Type of key used to login to hosts. It can be either 'otp', 'dynamic' or 'ca'.
 				'otp' type requires agent to be installed in remote hosts.`,
 				AllowedValues: []interface{}{"otp", "dynamic", "ca"},
-				DisplayValue:  "ca",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: "ca",
+				},
 			},
 			"key_bits": &framework.FieldSchema{
 				Type: framework.TypeInt,
@@ -195,7 +207,9 @@ func pathRoles(b *backend) *framework.Path {
 				requested. The lease duration controls the expiration
 				of certificates issued by this backend. Defaults to
 				the value of max_ttl.`,
-				DisplayName: "TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "TTL",
+				},
 			},
 			"max_ttl": &framework.FieldSchema{
 				Type: framework.TypeDurationSecond,
@@ -203,7 +217,9 @@ func pathRoles(b *backend) *framework.Path {
 				[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
 				The maximum allowed lease duration
 				`,
-				DisplayName: "Max TTL",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Value: "Max TTL",
+				},
 			},
 			"allowed_critical_options": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -281,7 +297,9 @@ func pathRoles(b *backend) *framework.Path {
 				When false, the key ID will always be the token display name.
 				The key ID is logged by the SSH server and can be useful for auditing.
 				`,
-				DisplayName: "Allow User Key IDs",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Allow User Key IDs",
+				},
 			},
 			"key_id_format": &framework.FieldSchema{
 				Type: framework.TypeString,
@@ -292,7 +310,9 @@ func pathRoles(b *backend) *framework.Path {
 				the token used to make the request. '{{role_name}}' - The name of the role signing the request.
 				'{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
 				`,
-				DisplayName: "Key ID Format",
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Key ID Format",
+				},
 			},
 			"allowed_user_key_lengths": &framework.FieldSchema{
 				Type: framework.TypeMap,

sdk/framework/backend.go

@@ -529,20 +529,6 @@ type FieldSchema struct {
 	// dynamic UI generation.
 	AllowedValues []interface{}
 
-	// Display* members are available to provide hints for UI and documentation
-	// generators. They will be included in OpenAPI output if set.
-
-	// DisplayName is the name of the field suitable as a label or documentation heading.
-	DisplayName string
-
-	// DisplayValue is a sample value to display for this field. This may be used
-	// to indicate a default value, but it is for display only and completely separate
-	// from any Default member handling.
-	DisplayValue interface{}
-
-	// DisplaySensitive indicates that the value should be masked by default in the UI.
-	DisplaySensitive bool
-
 	// DisplayAttrs provides hints for UI and documentation generators. They
 	// will be included in OpenAPI output if set.
 	DisplayAttrs *DisplayAttributes

sdk/framework/openapi.go

@@ -103,6 +103,8 @@ type OASPathItem struct {
 	Sudo              bool               `json:"x-vault-sudo,omitempty" mapstructure:"x-vault-sudo"`
 	Unauthenticated   bool               `json:"x-vault-unauthenticated,omitempty" mapstructure:"x-vault-unauthenticated"`
 	CreateSupported   bool               `json:"x-vault-createSupported,omitempty" mapstructure:"x-vault-createSupported"`
+	DisplayNavigation bool               `json:"x-vault-displayNavigation,omitempty" mapstructure:"x-vault-displayNavigation"`
+	DisplayAttrs      *DisplayAttributes `json:"x-vault-displayAttrs,omitempty" mapstructure:"x-vault-displayAttrs"`
 
 	Get    *OASOperation `json:"get,omitempty"`
 	Post   *OASOperation `json:"post,omitempty"`
@@ -163,9 +165,11 @@ type OASSchema struct {
 	Default    interface{}   `json:"default,omitempty"`
 	Example    interface{}   `json:"example,omitempty"`
 	Deprecated bool          `json:"deprecated,omitempty"`
-	DisplayName      string        `json:"x-vault-displayName,omitempty" mapstructure:"x-vault-displayName,omitempty"`
+	//DisplayName      string             `json:"x-vault-displayName,omitempty" mapstructure:"x-vault-displayName,omitempty"`
 	DisplayValue     interface{}        `json:"x-vault-displayValue,omitempty" mapstructure:"x-vault-displayValue,omitempty"`
 	DisplaySensitive bool               `json:"x-vault-displaySensitive,omitempty" mapstructure:"x-vault-displaySensitive,omitempty"`
+	DisplayGroup     string             `json:"x-vault-displayGroup,omitempty" mapstructure:"x-vault-displayGroup,omitempty"`
+	DisplayAttrs     *DisplayAttributes `json:"x-vault-displayAttrs,omitempty" mapstructure:"x-vault-displayAttrs,omitempty"`
 }
 
 type OASResponse struct {
@@ -230,6 +234,7 @@ func documentPath(p *Path, specialPaths *logical.Paths, backendType logical.Back
 
 		pi.Sudo = specialPathMatch(path, sudoPaths)
 		pi.Unauthenticated = specialPathMatch(path, unauthPaths)
+		pi.DisplayAttrs = p.DisplayAttrs
 
 		// If the newer style Operations map isn't defined, create one from the legacy fields.
 		operations := p.Operations
@@ -267,9 +272,7 @@ func documentPath(p *Path, specialPaths *logical.Paths, backendType logical.Back
 					Pattern:      t.pattern,
 					Enum:         field.AllowedValues,
 					Default:      field.Default,
-					DisplayName:      field.DisplayName,
+					DisplayAttrs: field.DisplayAttrs,
-					DisplayValue:     field.DisplayValue,
-					DisplaySensitive: field.DisplaySensitive,
 				},
 				Required:   required,
 				Deprecated: field.Deprecated,
@@ -332,9 +335,7 @@ func documentPath(p *Path, specialPaths *logical.Paths, backendType logical.Back
 						Enum:         field.AllowedValues,
 						Default:      field.Default,
 						Deprecated:   field.Deprecated,
-						DisplayName:      field.DisplayName,
+						DisplayAttrs: field.DisplayAttrs,
-						DisplayValue:     field.DisplayValue,
-						DisplaySensitive: field.DisplaySensitive,
 					}
 					if openapiField.baseType == "array" {
 						p.Items = &OASSchema{

sdk/framework/openapi_test.go

@@ -339,9 +339,12 @@ func TestOpenAPI_Paths(t *testing.T) {
 					Description:   "the age",
 					AllowedValues: []interface{}{1, 2, 3},
 					Required:      true,
-					DisplayName:      "Age",
+					DisplayAttrs: &DisplayAttributes{
-					DisplayValue:     7,
+						Name:      "Age",
-					DisplaySensitive: true,
+						Sensitive: true,
+						Group:     "Some Group",
+						Value:     7,
+					},
 				},
 				"x-abc-token": {
 					Type:          TypeHeader,
@@ -378,6 +381,9 @@ func TestOpenAPI_Paths(t *testing.T) {
 					Unpublished: true,
 				},
 			},
+			DisplayAttrs: &DisplayAttributes{
+				Navigation: true,
+			},
 		}
 
 		sp := &logical.Paths{

sdk/framework/testdata/operations.json

@@ -14,6 +14,9 @@
       "description": "Synopsis",
       "x-vault-createSupported": true,
       "x-vault-sudo": true,
+      "x-vault-displayAttrs": {
+        "navigation": true
+      },
       "parameters": [
         {
           "name": "format",
@@ -77,9 +80,12 @@
                     "type": "integer",
                     "description": "the age",
                     "enum": [1, 2, 3],
-                    "x-vault-displayName": "Age",
+                    "x-vault-displayAttrs": {
-                    "x-vault-displayValue": 7,
+                      "name": "Age",
-                    "x-vault-displaySensitive": true
+                      "sensitive": true,
+                      "group": "Some Group",
+                      "value": 7
+                    }
                   },
                   "name": {
                     "type": "string",

sdk/helper/ldaputil/config.go

@@ -22,31 +22,41 @@ func ConfigFields() map[string]*framework.FieldSchema {
 			Type:        framework.TypeString,
 			Default:     "ldap://127.0.0.1",
 			Description: "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
-			DisplayName: "URL",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "URL",
+			},
 		},
 
 		"userdn": {
 			Type:        framework.TypeString,
 			Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
-			DisplayName: "User DN",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "User DN",
+			},
 		},
 
 		"binddn": {
 			Type:        framework.TypeString,
 			Description: "LDAP DN for searching for the user DN (optional)",
-			DisplayName: "Name of Object to bind (binddn)",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Name of Object to bind (binddn)",
+			},
 		},
 
 		"bindpass": {
 			Type:        framework.TypeString,
 			Description: "LDAP password for searching for the user DN (optional)",
-			DisplaySensitive: true,
+			DisplayAttrs: &framework.DisplayAttributes{
+				Sensitive: true,
+			},
 		},
 
 		"groupdn": {
 			Type:        framework.TypeString,
 			Description: "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
-			DisplayName: "Group DN",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Group DN",
+			},
 		},
 
 		"groupfilter": {
@@ -56,6 +66,9 @@ func ConfigFields() map[string]*framework.FieldSchema {
 The template can access the following context variables: UserDN, Username
 Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))
 Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`,
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Group Filter",
+			},
 		},
 
 		"groupattr": {
@@ -65,20 +78,28 @@ Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}
 in order to enumerate user group membership.
 Examples: "cn" or "memberOf", etc.
 Default: cn`,
-			DisplayName: "Group Attribute",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name:  "Group Attribute",
+				Value: "cn",
+			},
 		},
 
 		"upndomain": {
 			Type:        framework.TypeString,
 			Description: "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
-			DisplayName: "User Principal (UPN) Domain",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "User Principal (UPN) Domain",
+			},
 		},
 
 		"userattr": {
 			Type:        framework.TypeString,
 			Default:     "cn",
 			Description: "Attribute used for users (default: cn)",
-			DisplayName: "User Attribute",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name:  "User Attribute",
+				Value: "cn",
+			},
 		},
 
 		"certificate": {
@@ -89,26 +110,34 @@ Default: cn`,
 		"discoverdn": {
 			Type:        framework.TypeBool,
 			Description: "Use anonymous bind to discover the bind DN of a user (optional)",
-			DisplayName: "Discover DN",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Discover DN",
+			},
 		},
 
 		"insecure_tls": {
 			Type:        framework.TypeBool,
 			Description: "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
-			DisplayName: "Insecure TLS",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Insecure TLS",
+			},
 		},
 
 		"starttls": {
 			Type:        framework.TypeBool,
 			Description: "Issue a StartTLS command after establishing unencrypted connection (optional)",
-			DisplayName: "Issue StartTLS command after establishing an unencrypted connection",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Issue StartTLS",
+			},
 		},
 
 		"tls_min_version": {
 			Type:        framework.TypeString,
 			Default:     "tls12",
 			Description: "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
-			DisplayName:   "Minimum TLS Version",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Minimum TLS Version",
+			},
 			AllowedValues: []interface{}{"tls10", "tls11", "tls12"},
 		},
 
@@ -116,7 +145,9 @@ Default: cn`,
 			Type:        framework.TypeString,
 			Default:     "tls12",
 			Description: "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
-			DisplayName:   "Maximum TLS Version",
+			DisplayAttrs: &framework.DisplayAttributes{
+				Name: "Maximum TLS Version",
+			},
 			AllowedValues: []interface{}{"tls10", "tls11", "tls12"},
 		},