Update OpenAPI responses to include information the UI can use (#6204)

madalynrose
2019-02-14 12:42:44 -05:00
committed by GitHub
parent 50c7797984
commit d8e9adc9d3
23 changed files with 218 additions and 61 deletions


@@ -1,4 +1,4 @@
## Next
## 1.0.3 (February 12th, 2019)
CHANGES:
@@ -9,6 +9,11 @@ CHANGES:
entity either by name or by id [GH-6105]
* The Vault UI's navigation and onboarding wizard now only displays items that
are permitted in a users' policy [GH-5980, GH-6094]
* An issue was fixed that caused recovery keys to not work on secondary
clusters when using a different unseal mechanism/key than the primary. This
would be hit if the cluster was rekeyed or initialized after 1.0. We recommend
rekeying the recovery keys on the primary cluster if you meet the above
requirements.
FEATURES:
@@ -47,6 +52,8 @@ BUG FIXES:
a performance standby very quickly, before an associated entity has been
replicated. If the entity is not found in this scenario, the request will
forward to the active node.
* replication: Fix issue where recovery keys would not work on secondary
clusters if using a different unseal mechanism than the primary.
* replication: Fix a "failed to register lease" error when using performance
standbys
* storage/postgresql: The `Get` method will now return an Entry object with


@@ -25,14 +25,17 @@ func pathConfig(b *backend) *framework.Path {
Description: `The API endpoint to use. Useful if you
are running GitHub Enterprise or an
API-compatible authentication server.`,
DisplayName: "Base URL",
},
"ttl": &framework.FieldSchema{
Type: framework.TypeString,
Description: `Duration after which authentication will be expired`,
DisplayName: "TTL",
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeString,
Description: `Maximum duration after which authentication will be expired`,
DisplayName: "Max TTL",
},
},


@@ -25,26 +25,32 @@ func pathConfig(b *backend) *framework.Path {
"organization": &framework.FieldSchema{
Type: framework.TypeString,
Description: "(DEPRECATED) Okta organization to authenticate against. Use org_name instead.",
Deprecated: true,
},
"org_name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the organization to be used in the Okta API.",
DisplayName: "Organization Name",
},
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "(DEPRECATED) Okta admin API token. Use api_token instead.",
Deprecated: true,
},
"api_token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Okta API key.",
DisplayName: "API Token",
},
"base_url": &framework.FieldSchema{
Type: framework.TypeString,
Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`,
DisplayName: "Base URL",
},
"production": &framework.FieldSchema{
Type: framework.TypeBool,
Description: `(DEPRECATED) Use base_url.`,
Deprecated: true,
},
"ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
@@ -57,6 +63,7 @@ func pathConfig(b *backend) *framework.Path {
"bypass_okta_mfa": &framework.FieldSchema{
Type: framework.TypeBool,
Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`,
DisplayName: "Bypass Okta MFA",
},
},
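Review bot: The `api_token` field holds the Okta admin API token but the hunk only gives it `DisplayName: "API Token"`, while the LDAP `bindpass` field in this same commit is marked `DisplaySensitive: true`; a UI generated from this metadata would therefore render the Okta token as a plain text input. Suggest adding `DisplaySensitive: true,` next to the new DisplayName. The deprecated `token` field carries the same secret and should get the flag too if the UI ever surfaces deprecated fields. pathConfig continues outside the hunk.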


@@ -15,6 +15,7 @@ func pathConfig(b *backend) *framework.Path {
"host": &framework.FieldSchema{
Type: framework.TypeString,
Description: "RADIUS server host",
DisplayName: "Host",
},
"port": &framework.FieldSchema{
@@ -30,6 +31,7 @@ func pathConfig(b *backend) *framework.Path {
Type: framework.TypeString,
Default: "",
Description: "Comma-separated list of policies to grant upon successful RADIUS authentication of an unregisted user (default: emtpy)",
DisplayName: "Policies for unregistered users",
},
"dial_timeout": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
@@ -45,11 +47,13 @@ func pathConfig(b *backend) *framework.Path {
Type: framework.TypeInt,
Default: 10,
Description: "RADIUS NAS port field (default: 10)",
DisplayName: "NAS Port",
},
"nas_identifier": &framework.FieldSchema{
Type: framework.TypeString,
Default: "",
Description: "RADIUS NAS Identifier field (optional)",
DisplayName: "NAS Identifier",
},
},
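Review bot: The description sitting directly above the new `DisplayName: "Policies for unregistered users"` still reads "unregisted" and "emtpy"; since this commit's purpose is to expose these descriptions to the UI, the typos become user-visible. Suggest `Description: "Comma-separated list of policies to grant upon successful RADIUS authentication of an unregistered user (default: empty)",`. pathConfig continues outside the hunk.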


@@ -36,6 +36,7 @@ func pathRoles(b *backend) *framework.Path {
"name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the policy",
DisplayName: "Policy Name",
},
"credential_type": &framework.FieldSchema{
@@ -46,11 +47,13 @@ func pathRoles(b *backend) *framework.Path {
"role_arns": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is " + assumedRoleCred,
DisplayName: "Role ARNs",
},
"policy_arns": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: "ARNs of AWS policies to attach to IAM users. Only valid when credential_type is " + iamUserCred,
DisplayName: "Policy ARNs",
},
"policy_document": &framework.FieldSchema{
@@ -65,22 +68,26 @@ GetFederationToken API call, acting as a filter on permissions available.`,
"default_sts_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: fmt.Sprintf("Default TTL for %s and %s credential types when no TTL is explicitly requested with the credentials", assumedRoleCred, federationTokenCred),
DisplayName: "Default TTL",
},
"max_sts_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: fmt.Sprintf("Max allowed TTL for %s and %s credential types", assumedRoleCred, federationTokenCred),
DisplayName: "Max TTL",
},
"arn": &framework.FieldSchema{
Type: framework.TypeString,
Description: `Deprecated; use role_arns or policy_arns instead. ARN Reference to a managed policy
or IAM role to assume`,
Deprecated: true,
},
"policy": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Deprecated; use policy_document instead. IAM policy document",
Deprecated: true,
},
},
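Review bot: The new `DisplayName: "Policy Name"` on the `name` field of the roles path would label an AWS role as a "policy" in the UI, which collides both with Vault ACL policies and with the sibling `policy_arns`/`policy_document` fields in the same schema; the existing "Name of the policy" description looks like legacy wording from when these objects were called policies. Suggest `DisplayName: "Role Name",` and, if the rename is acceptable, `Description: "Name of the role",`. The "Deprecated;" prefix in the `arn` and `policy` descriptions is now redundant with `Deprecated: true` but harmless. pathRoles continues outside the hunk.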


@@ -11,6 +11,7 @@ func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[s
Description: `If true, the Common Name will not be
included in DNS or Email Subject Alternate Names.
Defaults to false (CN is included).`,
DisplayName: "Exclude Common Name from Subject Alternative Names (SANs)",
}
fields["format"] = &framework.FieldSchema{
@@ -20,6 +21,7 @@ Defaults to false (CN is included).`,
or "pem_bundle". If "pem_bundle" any private
key and issuing cert will be appended to the
certificate pem. Defaults to "pem".`,
AllowedValues: []interface{}{"pem", "der", "pem_bundle"},
}
fields["private_key_format"] = &framework.FieldSchema{
@@ -31,24 +33,28 @@ parameter as either base64-encoded DER or PEM-encoded DER.
However, this can be set to "pkcs8" to have the returned
private key contain base64-encoded pkcs8 or PEM-encoded
pkcs8 instead. Defaults to "der".`,
AllowedValues: []interface{}{"", "der", "pem", "pkcs8"},
}
fields["ip_sans"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `The requested IP SANs, if any, in a
comma-delimited list`,
DisplayName: "IP Subject Alternative Names (SANs)",
}
fields["uri_sans"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `The requested URI SANs, if any, in a
comma-delimited list.`,
DisplayName: "URI Subject Alternative Names (SANs)",
}
fields["other_sans"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `Requested other SANs, in an array with the format
<oid>;UTF8:<utf8 string value> for each entry.`,
DisplayName: "Other SANs",
}
return fields
@@ -79,6 +85,7 @@ in the role, this may be an email address.`,
in a comma-delimited list. If email protection
is enabled for the role, this may contain
email addresses.`,
DisplayName: "DNS/Email Subject Alternative Names (SANs)",
}
fields["serial_number"] = &framework.FieldSchema{
@@ -95,6 +102,7 @@ sets the expiration date. If not specified
the role default, backend default, or system
default TTL is used, in that order. Cannot
be larger than the role max TTL.`,
DisplayName: "TTL",
}
return fields
@@ -110,6 +118,7 @@ func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*fra
Description: `The requested Subject Alternative Names, if any,
in a comma-delimited list. May contain both
DNS names and email addresses.`,
DisplayName: "DNS/Email Subject Alternative Names (SANs)",
}
fields["common_name"] = &framework.FieldSchema{
@@ -131,12 +140,14 @@ be larger than the mount max TTL. Note:
this only has an effect when generating
a CA cert or signing a CA cert, not when
generating a CSR for an intermediate CA.`,
DisplayName: "TTL",
}
fields["ou"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, OU (OrganizationalUnit) will be set to
this value.`,
DisplayName: "OU (Organizational Unit)",
}
fields["organization"] = &framework.FieldSchema{
@@ -155,24 +166,28 @@ this value.`,
Type: framework.TypeCommaStringSlice,
Description: `If set, Locality will be set to
this value.`,
DisplayName: "Locality/City",
}
fields["province"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, Province will be set to
this value.`,
DisplayName: "Province/State",
}
fields["street_address"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, Street Address will be set to
this value.`,
DisplayName: "Street Address",
}
fields["postal_code"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, Postal Code will be set to
this value.`,
DisplayName: "Postal Code",
}
fields["serial_number"] = &framework.FieldSchema{
@@ -209,8 +224,8 @@ the key_type.`,
Default: "rsa",
Description: `The type of key to use; defaults to RSA. "rsa"
and "ec" are the only valid values.`,
AllowedValues: []interface{}{"rsa", "ec"},
}
return fields
}
@@ -226,6 +241,7 @@ func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*fram
fields["permitted_dns_domains"] = &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).`,
DisplayName: "Permitted DNS Domains",
}
return fields
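Review bot: `AllowedValues` on `private_key_format` lists `"", "der", "pem", "pkcs8"`, but the description above it documents only "der" and "pkcs8", so a UI dropdown will offer "pem" as a choice the documentation never explains; either the description should mention it or the list should match exactly what the issue/sign handlers accept (not visible here). Nothing in this hunk shows `AllowedValues` being enforced by the framework, so the handler-side validation of `format`, `private_key_format` and `key_type` must remain the real guard and these lists need to be kept in sync with it by hand. Suggest a comment next to the first list: `// AllowedValues is UI metadata only; keep in sync with the validation in the issue/sign handlers.`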


@@ -31,6 +31,11 @@ func pathRoles(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roles/" + framework.GenericNameRegex("name"),
Fields: map[string]*framework.FieldSchema{
"backend": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Backend Type",
},
"name": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Name of the role",
@@ -42,11 +47,13 @@ func pathRoles(b *backend) *framework.Path {
requested. The lease duration controls the expiration
of certificates issued by this backend. Defaults to
the value of max_ttl.`,
DisplayName: "TTL",
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "The maximum allowed lease duration",
DisplayName: "Max TTL",
},
"allow_localhost": &framework.FieldSchema{
@@ -107,17 +114,20 @@ CN and SANs. Defaults to true.`,
Default: true,
Description: `If set, IP Subject Alternative Names are allowed.
Any valid IP is accepted.`,
DisplayName: "Allow IP Subject Alternative Names",
},
"allowed_uri_sans": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, an array of allowed URIs to put in the URI Subject Alternative Names.
Any valid URI is accepted, these values support globbing.`,
DisplayName: "Allowed URI Subject Alternative Names",
},
"allowed_other_sans": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format <oid>;<type>:<value>. Currently only "utf8" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single "*" which allows any OID and any value (but type must still be utf8).`,
DisplayName: "Allowed Other Subject Alternative Names",
},
"allowed_serial_numbers": &framework.FieldSchema{
@@ -156,6 +166,7 @@ protection use. Defaults to false.`,
Default: "rsa",
Description: `The type of key to use; defaults to RSA. "rsa"
and "ec" are the only valid values.`,
AllowedValues: []interface{}{"rsa", "ec"},
},
"key_bits": &framework.FieldSchema{
@@ -175,6 +186,7 @@ https://golang.org/pkg/crypto/x509/#KeyUsage
-- simply drop the "KeyUsage" part of the name.
To remove all key usages from being set, set
this value to an empty list.`,
DisplayValue: "DigitalSignature,KeyAgreement,KeyEncipherment",
},
"ext_key_usage": &framework.FieldSchema{
@@ -185,11 +197,13 @@ https://golang.org/pkg/crypto/x509/#ExtKeyUsage
-- simply drop the "ExtKeyUsage" part of the name.
To remove all key usages from being set, set
this value to an empty list.`,
DisplayName: "Extended Key Usage",
},
"ext_key_usage_oids": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated string or list of extended key usage oids.`,
DisplayName: "Extended Key Usage OIDs",
},
"use_csr_common_name": &framework.FieldSchema{
@@ -199,6 +213,7 @@ this value to an empty list.`,
the common name in the CSR will be used. This
does *not* include any requested Subject Alternative
Names. Defaults to true.`,
DisplayName: "Use CSR Common Name",
},
"use_csr_sans": &framework.FieldSchema{
@@ -207,12 +222,14 @@ Names. Defaults to true.`,
Description: `If set, when used with a signing profile,
the SANs in the CSR will be used. This does *not*
include the Common Name (cn). Defaults to true.`,
DisplayName: "Use CSR Subject Alternative Names",
},
"ou": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, OU (OrganizationalUnit) will be set to
this value in certificates issued by this role.`,
DisplayName: "Organizational Unit",
},
"organization": &framework.FieldSchema{
@@ -231,12 +248,14 @@ this value in certificates issued by this role.`,
Type: framework.TypeCommaStringSlice,
Description: `If set, Locality will be set to
this value in certificates issued by this role.`,
DisplayName: "Locality/City",
},
"province": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `If set, Province will be set to
this value in certificates issued by this role.`,
DisplayName: "Province/State",
},
"street_address": &framework.FieldSchema{
@@ -263,6 +282,7 @@ to the CRL. When large number of certificates are generated with long
lifetimes, it is recommended that lease generation be disabled, as large amount of
leases adversely affect the startup time of Vault.`,
},
"no_store": &framework.FieldSchema{
Type: framework.TypeBool,
Description: `
@@ -273,18 +293,23 @@ or revoked, so this option is recommended only for certificates that are
non-sensitive, or extremely short-lived. This option implies a value of "false"
for "generate_lease".`,
},
"require_cn": &framework.FieldSchema{
Type: framework.TypeBool,
Default: true,
Description: `If set to false, makes the 'common_name' field optional while generating a certificate.`,
DisplayName: "Use CSR Common Name",
},
"policy_identifiers": &framework.FieldSchema{
Type: framework.TypeCommaStringSlice,
Description: `A comma-separated string or list of policy oids.`,
},
"basic_constraints_valid_for_non_ca": &framework.FieldSchema{
Type: framework.TypeBool,
Description: `Mark Basic Constraints valid when issuing non-CA certificates.`,
DisplayName: "Basic Constraints Valid for Non-CA",
},
"not_before_duration": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
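Review bot: `require_cn` is given `DisplayName: "Use CSR Common Name"`, the same label the `use_csr_common_name` field received earlier in this hunk, so the UI would show two booleans with identical names and the wrong meaning for one of them; suggest `DisplayName: "Require Common Name",`. Separately, the hunk adds a `backend` field ("Backend Type") to the roles path, but nothing in the visible code reads it — if it exists only so the UI can echo the mount type, a one-line comment such as `// Informational for the UI only; not read by the role handlers.` would stop a reader from assuming it is consulted on write. pathRoles continues outside the hunk.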


@@ -93,6 +93,7 @@ func pathRoles(b *backend) *framework.Path {
credential is being generated for other users, Vault uses this admin
username to login to remote host and install the generated credential
for the other user.`,
DisplayName: "Admin Username",
},
"default_user": &framework.FieldSchema{
Type: framework.TypeString,
@@ -101,6 +102,7 @@ func pathRoles(b *backend) *framework.Path {
Default username for which a credential will be generated.
When the endpoint 'creds/' is used without a username, this
value will be used as default username.`,
DisplayName: "Default Username",
},
"cidr_list": &framework.FieldSchema{
Type: framework.TypeString,
@@ -108,6 +110,7 @@ func pathRoles(b *backend) *framework.Path {
[Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type]
Comma separated list of CIDR blocks for which the role is applicable for.
CIDR blocks can belong to more than one role.`,
DisplayName: "CIDR List",
},
"exclude_cidr_list": &framework.FieldSchema{
Type: framework.TypeString,
@@ -116,6 +119,7 @@ func pathRoles(b *backend) *framework.Path {
Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not
accepted by the role. This is particularly useful when big CIDR blocks are being used
by the role and certain parts of it needs to be kept out.`,
DisplayName: "Exclude CIDR List",
},
"port": &framework.FieldSchema{
Type: framework.TypeInt,
@@ -125,6 +129,7 @@ func pathRoles(b *backend) *framework.Path {
play any role in creation of OTP. For 'otp' type, this is just a way
to inform client about the port number to use. Port number will be
returned to client by Vault server along with OTP.`,
DisplayValue: 22,
},
"key_type": &framework.FieldSchema{
Type: framework.TypeString,
@@ -132,6 +137,8 @@ func pathRoles(b *backend) *framework.Path {
[Required for all types]
Type of key used to login to hosts. It can be either 'otp', 'dynamic' or 'ca'.
'otp' type requires agent to be installed in remote hosts.`,
AllowedValues: []interface{}{"otp", "dynamic","ca"},
DisplayValue: "ca",
},
"key_bits": &framework.FieldSchema{
Type: framework.TypeInt,
@@ -188,6 +195,7 @@ func pathRoles(b *backend) *framework.Path {
requested. The lease duration controls the expiration
of certificates issued by this backend. Defaults to
the value of max_ttl.`,
DisplayName: "TTL",
},
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
@@ -195,6 +203,7 @@ func pathRoles(b *backend) *framework.Path {
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
The maximum allowed lease duration
`,
DisplayName: "Max TTL",
},
"allowed_critical_options": &framework.FieldSchema{
Type: framework.TypeString,
@@ -202,7 +211,7 @@ func pathRoles(b *backend) *framework.Path {
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
A comma-separated list of critical options that certificates can have when signed.
To allow any critical options, set this to an empty string.
`,
`,
},
"allowed_extensions": &framework.FieldSchema{
Type: framework.TypeString,
@@ -238,7 +247,7 @@ func pathRoles(b *backend) *framework.Path {
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, certificates are allowed to be signed for use as a 'user'.
`,
Default: false,
Default: false,
},
"allow_host_certificates": &framework.FieldSchema{
Type: framework.TypeBool,
@@ -246,7 +255,7 @@ func pathRoles(b *backend) *framework.Path {
[Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type]
If set, certificates are allowed to be signed for use as a 'host'.
`,
Default: false,
Default: false,
},
"allow_bare_domains": &framework.FieldSchema{
Type: framework.TypeBool,
@@ -272,6 +281,7 @@ func pathRoles(b *backend) *framework.Path {
When false, the key ID will always be the token display name.
The key ID is logged by the SSH server and can be useful for auditing.
`,
DisplayName: "Allow User Key IDs",
},
"key_id_format": &framework.FieldSchema{
Type: framework.TypeString,
@@ -282,6 +292,7 @@ func pathRoles(b *backend) *framework.Path {
the token used to make the request. '{{role_name}}' - The name of the role signing the request.
'{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed.
`,
DisplayName: "Key ID Format",
},
"allowed_user_key_lengths": &framework.FieldSchema{
Type: framework.TypeMap,
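Review bot: The new `AllowedValues: []interface{}{"otp", "dynamic","ca"},` on `key_type` is not gofmt-clean (no space after the second comma) and will churn on the next format pass; suggest `AllowedValues: []interface{}{"otp", "dynamic", "ca"},`. The `DisplayValue: "ca"` on the same field is a UI hint only — the description still says key_type is required for all types, so nothing here changes the server-side behaviour, which is worth a short comment so nobody mistakes it for a default. pathRoles continues outside the hunk.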


@@ -22,26 +22,31 @@ func ConfigFields() map[string]*framework.FieldSchema {
Type: framework.TypeString,
Default: "ldap://127.0.0.1",
Description: "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.",
DisplayName: "URL",
},
"userdn": {
Type: framework.TypeString,
Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
DisplayName: "User DN",
},
"binddn": {
Type: framework.TypeString,
Description: "LDAP DN for searching for the user DN (optional)",
DisplayName: "Name of Object to bind (binddn)",
},
"bindpass": {
Type: framework.TypeString,
Description: "LDAP password for searching for the user DN (optional)",
Type: framework.TypeString,
Description: "LDAP password for searching for the user DN (optional)",
DisplaySensitive: true,
},
"groupdn": {
Type: framework.TypeString,
Description: "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)",
DisplayName: "Group DN",
},
"groupfilter": {
@@ -60,17 +65,20 @@ Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}
in order to enumerate user group membership.
Examples: "cn" or "memberOf", etc.
Default: cn`,
DisplayName: "Group Attribute",
},
"upndomain": {
Type: framework.TypeString,
Description: "Enables userPrincipalDomain login with [username]@UPNDomain (optional)",
DisplayName: "User Principal (UPN) Domain",
},
"userattr": {
Type: framework.TypeString,
Default: "cn",
Description: "Attribute used for users (default: cn)",
DisplayName: "User Attribute",
},
"certificate": {
@@ -81,28 +89,35 @@ Default: cn`,
"discoverdn": {
Type: framework.TypeBool,
Description: "Use anonymous bind to discover the bind DN of a user (optional)",
DisplayName: "Discover DN",
},
"insecure_tls": {
Type: framework.TypeBool,
Description: "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
DisplayName: "Insecure TLS",
},
"starttls": {
Type: framework.TypeBool,
Description: "Issue a StartTLS command after establishing unencrypted connection (optional)",
DisplayName: "Issue StartTLS command after establishing an unencrypted connection",
},
"tls_min_version": {
Type: framework.TypeString,
Default: "tls12",
Description: "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
Type: framework.TypeString,
Default: "tls12",
Description: "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
DisplayName: "Minimum TLS Version",
AllowedValues: []interface{}{"tls10", "tls11", "tls12"},
},
"tls_max_version": {
Type: framework.TypeString,
Default: "tls12",
Description: "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
Type: framework.TypeString,
Default: "tls12",
Description: "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'",
DisplayName: "Maxumum TLS Version",
AllowedValues: []interface{}{"tls10", "tls11", "tls12"},
},
"deny_null_bind": {
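Review bot: The new `DisplayName: "Maxumum TLS Version"` on `tls_max_version` is misspelled; suggest `DisplayName: "Maximum TLS Version",`. Both TLS-version fields now advertise `tls10` and `tls11` in `AllowedValues`, so a UI dropdown built from this metadata will present them as peers of the `tls12` default; consider stating in the descriptions that anything below tls12 is a downgrade so the UI can relay that warning. ConfigFields continues outside the hunk.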


@@ -3,7 +3,7 @@
//-------------------------------------------------------------------
variable "download-url" {
default = "https://releases.hashicorp.com/vault/1.0.2/vault_1.0.2_linux_amd64.zip"
default = "https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip"
description = "URL to download Vault"
}


@@ -216,7 +216,7 @@
[[projects]]
branch = "master"
digest = "1:450803219e484669ba680c777ecac629dac92abde2bc83009beaa630f5368e71"
digest = "1:606c7307ae83d1adc0901aa8909b700489d7f1294533344453436a8dbff0091b"
name = "github.com/hashicorp/vault"
packages = [
"api",
@@ -226,6 +226,7 @@
"helper/errutil",
"helper/hclutil",
"helper/jsonutil",
"helper/license",
"helper/locksutil",
"helper/logging",
"helper/mlock",
@@ -245,7 +246,7 @@
"version",
]
pruneopts = "UT"
revision = "8655d167084028d627f687ddc25d0c71307eb5be"
revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470"
[[projects]]
branch = "master"
@@ -287,6 +288,17 @@
revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39"
version = "v1.0.0"
[[projects]]
digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad"
name = "github.com/pierrec/lz4"
packages = [
".",
"internal/xxh32",
]
pruneopts = "UT"
revision = "473cd7ce01a1113208073166464b98819526150e"
version = "v2.0.8"
[[projects]]
branch = "master"
digest = "1:bd9efe4e0b0f768302a1e2f0c22458149278de533e521206e5ddc71848c269a0"


@@ -16,26 +16,31 @@ func pathConfig(b *azureAuthBackend) *framework.Path {
Description: `The tenant id for the Azure Active Directory. This is sometimes
referred to as Directory ID in AD. This value can also be provided with the
AZURE_TENANT_ID environment variable.`,
DisplayName: "Tenant ID",
},
"resource": &framework.FieldSchema{
Type: framework.TypeString,
Description: `The resource URL for the vault application in Azure Active Directory.
This value can also be provided with the AZURE_AD_RESOURCE environment variable.`,
DisplayName: "Resource",
},
"environment": &framework.FieldSchema{
Type: framework.TypeString,
Description: `The Azure environment name. If not provided, AzurePublicCloud is used.
This value can also be provided with the AZURE_ENVIRONMENT environment variable.`,
DisplayName: "Environment",
},
"client_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: `The OAuth2 client id to connection to Azure.
This value can also be provided with the AZURE_CLIENT_ID environment variable.`,
DisplayName: "Client ID",
},
"client_secret": &framework.FieldSchema{
Type: framework.TypeString,
Description: `The OAuth2 client secret to connection to Azure.
This value can also be provided with the AZURE_CLIENT_SECRET environment variable.`,
DisplayName: "Client Secret",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
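Review bot: `client_secret` gets `DisplayName: "Client Secret"` but not `DisplaySensitive: true`, whereas the LDAP `bindpass` field in this same commit is marked sensitive; a UI driven by this metadata would render the OAuth2 client secret as a plain text input. Suggest adding `DisplaySensitive: true,` to the field. The same check applies to any other config field in this plugin that carries a credential.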


@@ -6,6 +6,7 @@ import (
"fmt"
"encoding/json"
"github.com/hashicorp/go-gcp-common/gcputil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
@@ -20,11 +21,13 @@ func pathConfig(b *GcpAuthBackend) *framework.Path {
Description: `
Google credentials JSON that Vault will use to verify users against GCP APIs.
If not specified, will use application default credentials`,
DisplayName: "Credentials",
},
"google_certs_endpoint": {
Type: framework.TypeString,
Description: `
Deprecated. This field does nothing and be removed in a future release`,
Deprecated: true,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
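Review bot: The `credentials` field holds the Google service-account credentials JSON, which embeds a long-lived private key, yet it receives only `DisplayName: "Credentials"`; like the LDAP `bindpass` field elsewhere in this commit it should carry `DisplaySensitive: true,` so UI code does not echo it back. The newly imported `"fmt"` is not used in the visible part of this hunk — presumably it is used further down in the file, otherwise the package will not build. The deprecated description "This field does nothing and be removed" is missing "will".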


@@ -174,6 +174,15 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque
}
}
case len(config.JWTSupportedAlgs) != 0:
for _, a := range config.JWTSupportedAlgs {
switch a {
case oidc.RS256, oidc.RS384, oidc.RS512, oidc.ES256, oidc.ES384, oidc.ES512, oidc.PS256, oidc.PS384, oidc.PS512:
default:
return logical.ErrorResponse(fmt.Sprintf("Invalid supported algorithm: %s", a)), nil
}
}
default:
return nil, errors.New("unknown condition")
}
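Review bot: The new algorithm allowlist carries no comment explaining why only RS*, ES* and PS* are accepted, and the rejection of HS* and "none" is the security-relevant property of this check (a symmetric algorithm would let the published verification key be used as the HMAC secret). Suggest `// Only asymmetric signature algorithms are permitted; HS* and "none" are rejected deliberately.` above the inner `switch a`. pathConfigWrite starts and ends outside this hunk, so whether the default algorithm list used when JWTSupportedAlgs is empty is restricted the same way is not visible here.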


@@ -203,7 +203,7 @@
[[projects]]
branch = "master"
digest = "1:d00de8725219a569ffbb5dd1042e4ced1f3b5ccee2b07218371f71026cc7609a"
digest = "1:7be65468c591c5e836ec7ff70b6e7665452a6e700d5f0d5bb9edec8aa57b58e2"
name = "github.com/hashicorp/vault"
packages = [
"api",
@@ -214,6 +214,7 @@
"helper/errutil",
"helper/hclutil",
"helper/jsonutil",
"helper/license",
"helper/locksutil",
"helper/logging",
"helper/mlock",
@@ -233,7 +234,7 @@
"version",
]
pruneopts = "UT"
revision = "add60e6dc7ff7b94487f3b5b680d00d7c05fe621"
revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470"
[[projects]]
branch = "master"
@@ -275,6 +276,17 @@
revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39"
version = "v1.0.0"
[[projects]]
digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad"
name = "github.com/pierrec/lz4"
packages = [
".",
"internal/xxh32",
]
pruneopts = "UT"
revision = "473cd7ce01a1113208073166464b98819526150e"
version = "v2.0.8"
[[projects]]
digest = "1:0e792eea6c96ec55ff302ef33886acbaa5006e900fefe82689e88d96439dcd84"
name = "github.com/ryanuber/go-glob"


@@ -22,16 +22,20 @@ func pathConfig(b *kubeAuthBackend) *framework.Path {
"kubernetes_host": {
Type: framework.TypeString,
Description: "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.",
DisplayName: "Kubernetes Host",
},
"kubernetes_ca_cert": {
Type: framework.TypeString,
Description: "PEM encoded CA cert for use by the TLS client used to talk with the API.",
DisplayName: "Kubernetes CA Certificate",
},
"token_reviewer_jwt": {
Type: framework.TypeString,
Description: `A service account JWT used to access the
TokenReview API to validate other JWTs during login. If not set
the JWT used for login will be used to access the API.`,
DisplayName: "Token Reviewer JWT",
},
"pem_keys": {
Type: framework.TypeCommaStringSlice,
@@ -39,6 +43,7 @@ the JWT used for login will be used to access the API.`,
used to verify the signatures of kubernetes service account
JWTs. If a certificate is given, its public key will be
extracted. Not every installation of Kuberentes exposes these keys.`,
DisplayName: "Service account verification keys",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
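Review bot: `token_reviewer_jwt` is a service-account bearer token with TokenReview rights, yet it receives only `DisplayName: "Token Reviewer JWT"`; the LDAP `bindpass` field in this commit is marked `DisplaySensitive: true`, and this field should be too so the UI does not display it in clear. Suggest adding `DisplaySensitive: true,`. The `pem_keys` description (context line) still reads "Kuberentes". pathConfig continues outside the hunk.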


@@ -23,9 +23,9 @@ type STSClient struct {
client *sts.Client
}
func (c *STSClient) AssumeRole(userName, roleARN string) (*sts.AssumeRoleResponse, error) {
func (c *STSClient) AssumeRole(roleSessionName, roleARN string) (*sts.AssumeRoleResponse, error) {
assumeRoleReq := sts.CreateAssumeRoleRequest()
assumeRoleReq.RoleArn = roleARN
assumeRoleReq.RoleSessionName = userName
assumeRoleReq.RoleSessionName = roleSessionName
return c.client.AssumeRole(assumeRoleReq)
}


@@ -60,7 +60,7 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request,
if err != nil {
return nil, err
}
assumeRoleResp, err := client.AssumeRole(generateUsername(req.DisplayName, roleName), role.RoleARN)
assumeRoleResp, err := client.AssumeRole(generateRoleSessionName(req.DisplayName, roleName), role.RoleARN)
if err != nil {
return nil, err
}
@@ -243,15 +243,24 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request,
// The max length of a username per AliCloud is 64.
func generateUsername(displayName, roleName string) string {
username := fmt.Sprintf("%s-%s-", displayName, roleName)
return generateName(displayName, roleName, 64)
}
// The time and random number take up to 15 more in length, so if the username
// The max length of a role session name per AliCloud is 32.
func generateRoleSessionName(displayName, roleName string) string {
return generateName(displayName, roleName, 32)
}
func generateName(displayName, roleName string, maxLength int) string {
name := fmt.Sprintf("%s-%s-", displayName, roleName)
// The time and random number take up to 15 more in length, so if the name
// is too long we need to trim it.
if len(username) > 49 {
username = username[:49]
if len(name) > maxLength-15 {
name = name[:maxLength-15]
}
r := rand.New(rand.NewSource(time.Now().UnixNano()))
return fmt.Sprintf("%s%d-%d", username, time.Now().Unix(), r.Intn(10000))
return fmt.Sprintf("%s%d-%d", name, time.Now().Unix(), r.Intn(10000))
}
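Review bot: `generateName` truncates with `name[:maxLength-15]`, which slices bytes, so a non-ASCII display name can be cut in the middle of a rune and yield an invalid UTF-8 prefix; the old code had the same property, but it is now shared by both the username and the role-session-name paths. Nothing in the hunk validates that `displayName` only contains characters AliCloud accepts in a username or RoleSessionName, so a token display name containing "/" or "@" would be passed straight through — worth a sanitising step or at least a hedged comment if the API rejects such names (not visible here). The 15-byte reserve also deserves a comment: `// suffix is "<10-digit unix time>-<up to 4 digits>" = 15 bytes`. operationCredsRead starts outside the hunk.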
const pathCredsHelpSyn = `


@@ -84,6 +84,12 @@ instructions are only useful if you want to develop against the plugin.**
$ vault secrets enable -path=gcpkms -plugin=vault-plugin-secrets-gcpkms plugin
```
### Documentation
The documentation for the plugin lives in the [main Vault
repository](/hashicorp/vault) in the `website/` folder. Please make any
documentation updates as separate Pull Requests against that repo.
### Tests
This plugin has both unit tests and acceptance tests. To run the acceptance

vendor/vendor.json vendored

@@ -1391,10 +1391,10 @@
"revisionTime": "2018-11-09T18:06:36Z"
},
{
"checksumSHA1": "Jj3mz58lSv0dsuXd6bVxGV4759w=",
"checksumSHA1": "UgLfwpXoRLpMOF0rzaj+cRcTtdo=",
"path": "github.com/hashicorp/vault-plugin-auth-azure",
"revision": "4c0b46069a2293d5a6ca7506c8d3e0c4a92f3dbc",
"revisionTime": "2018-12-07T23:25:28Z"
"revision": "0af1d040b5b329f41904cadcd96be55179468880",
"revisionTime": "2019-02-01T22:26:32Z"
},
{
"checksumSHA1": "4Z/niOo76EcP8KpLdSL5GdDcy78=",
@@ -1403,10 +1403,10 @@
"revisionTime": "2018-08-16T20:11:31Z"
},
{
"checksumSHA1": "llLHR3FVdqtuFgjIoL9GNN8zKKI=",
"checksumSHA1": "Nd9aBfL80t7N8B9VVsNBgihA5f4=",
"path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin",
"revision": "4d63bbfe6fcf0363a2ea2c273846e88b95d85089",
"revisionTime": "2018-12-10T20:01:33Z"
"revision": "7d4c2101e7d0b61ec9fb0dc3c75d79920c6369c5",
"revisionTime": "2019-02-01T21:54:14Z"
},
{
"checksumSHA1": "jCtLHj3YAONxCcV6v6kifTrRJwM=",
@@ -1417,40 +1417,40 @@
"versionExact": "oidc-dev"
},
{
"checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=",
"checksumSHA1": "NfVgV3CmKXGRsXk1sYVgMMRZ5Zc=",
"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
"revision": "091d9e5d5fabce920533eff31ad778778992a671",
"revisionTime": "2018-11-30T16:25:33Z"
"revision": "db96aa4ab438cbc1cf544cec758d0d16ca4e9681",
"revisionTime": "2019-02-01T22:22:09Z"
},
{
"checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin",
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
"revisionTime": "2018-11-09T18:28:34Z"
"revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8",
"revisionTime": "2019-01-31T22:24:16Z"
},
{
"checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=",
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client",
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
"revisionTime": "2018-11-09T18:28:34Z"
"revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8",
"revisionTime": "2019-01-31T22:24:16Z"
},
{
"checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=",
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util",
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
"revisionTime": "2018-11-09T18:28:34Z"
"revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8",
"revisionTime": "2019-01-31T22:24:16Z"
},
{
"checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=",
"checksumSHA1": "l0xVOHA0/SIjNfrmBRbrFvMVOaw=",
"path": "github.com/hashicorp/vault-plugin-secrets-alicloud",
"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
"revisionTime": "2018-11-09T18:14:53Z"
"revision": "b0abe36195cb171e673a9f6425df977eff1ef825",
"revisionTime": "2019-01-31T21:18:12Z"
},
{
"checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=",
"checksumSHA1": "e96mN6plz/ApctpjvU2kiCumOl0=",
"path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients",
"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
"revisionTime": "2018-11-09T18:14:53Z"
"revision": "b0abe36195cb171e673a9f6425df977eff1ef825",
"revisionTime": "2019-01-31T21:18:12Z"
},
{
"checksumSHA1": "rgeBhrdLyF2orH3QA/H66ZSSbuo=",
@@ -1477,16 +1477,16 @@
"revisionTime": "2018-09-21T17:32:00Z"
},
{
"checksumSHA1": "TbPoZQkYZ7Bukdw6U+/GejbaZAs=",
"checksumSHA1": "StwRTX92gyH7iHkyZk4df+dLISM=",
"path": "github.com/hashicorp/vault-plugin-secrets-gcpkms",
"revision": "6cd991800a6d7af69b1950ec4cbf402d021a099d",
"revisionTime": "2018-12-12T18:25:53Z"
"revision": "d6b25b0b4a39132ec3c02f19631b6a9bdadef042",
"revisionTime": "2019-01-16T16:49:38Z"
},
{
"checksumSHA1": "yhUUqN5rbEXnfI8WfGUofXToD+o=",
"path": "github.com/hashicorp/vault-plugin-secrets-kv",
"revision": "9dbe04db0e34c9c3c75bedcdb16d8ff78f0c54bd",
"revisionTime": "2018-12-19T17:59:33Z"
"revision": "edbfe287c5d9277cecf2c91c79ffcc34f19d2049",
"revisionTime": "2019-01-15T20:37:47Z"
},
{
"checksumSHA1": "ldkAQ1CpiAaQ9sti0qIch+UyRsI=",


@@ -2,7 +2,7 @@ package version
func init() {
// The main version number that is being run at the moment.
Version = "1.0.2"
Version = "1.0.3"
// A pre-release marker for the version. If this is "" (empty string)
// then it means that it is a final release. Otherwise, this is a pre-release


@@ -6,7 +6,7 @@ use ReshapeMiddleware, component_file: "assets/reshape.js"
activate :hashicorp do |h|
h.name = "vault"
h.version = "1.0.2"
h.version = "1.0.3"
h.github_slug = "hashicorp/vault"
h.website_root = "website"
h.releases_enabled = true


@@ -32,13 +32,14 @@ disabled to accommodate auditing requirements.
## Working Set Management
This secrets engine does not currently delete keys. Keys that are out of the
working set (earlier than a key's specified `min_decryption_version` are
instead archived. This is a performance consideration to keep key loading fast,
as well as a security consideration: by disallowing decryption of old versions
of keys, found ciphertext corresponding to obsolete (but sensitive) data can
not be decrypted by most users, but in an emergency the
`min_decryption_version` can be moved back to allow for legitimate decryption.
The Transit engine supports versioning of keys. Key versions that are earlier
than a key's specified `min_decryption_version` gets archived, and the rest of
the key versions belong to the working set. This is a performance consideration
to keep key loading fast, as well as a security consideration: by disallowing
decryption of old versions of keys, found ciphertext corresponding to obsolete
(but sensitive) data can not be decrypted by most users, but in an emergency
the `min_decryption_version` can be moved back to allow for legitimate
decryption.
Currently this archive is stored in a single storage entry. With some storage
backends, notably those using Raft or Paxos for HA capabilities, frequent