authorJenkins <jenkins@review.openstack.org>2017-07-05 11:49:53 +0000
committerGerrit Code Review <review@openstack.org>2017-07-05 11:49:53 +0000
commit50d18d50f198be0963f4fa524507a117a6f37ddb (patch)
treeab16407b4870795016a5b434f19a878e79cf6c09
parent1af919009ab11a4e9ff3fed4ffc673b037039d21 (diff)
parent0390301e40528db26176476c892b5e7e6450dbb5 (diff)
Merge "doc: Add configuration reference"
-rw-r--r--doc/source/configuration/index.rst376
-rw-r--r--doc/source/index.rst1
2 files changed, 377 insertions, 0 deletions
diff --git a/doc/source/configuration/index.rst b/doc/source/configuration/index.rst
new file mode 100644
index 0000000..b442a3f
--- /dev/null
+++ b/doc/source/configuration/index.rst
@@ -0,0 +1,376 @@
1=============
2Configuration
3=============
4
5Django OpenStack Auth is configured through Django ``settings.py`` file.
6In most cases it is used combined with the OpenStack Dashboard,
7so the settings file will be ``local/local_settings.py`` file
8in your OpenStack Dashboard deployment.
9
10This page covers the configuration options referred by Django OpenStack Auth.
11
12:ref:`Some settings <settings-shared-with-horizon>` are also referred to
13by Horizon. Configure them carefully.
14
15General settings
16================
17
18``AUTHENTICATION_PLUGINS``
19--------------------------
20
21Default: ``['openstack_auth.plugin.password.PasswordPlugin', 'openstack_auth.plugin.token.TokenPlugin']``
22
23A list of authentication plugins to be used.
24In most cases, there is no need to configure this.
25
26``AVAILABLE_REGIONS``
27---------------------
28
29Default: ``None``
30
31A list of tuples which define multiple regions. The tuple format is
32``('http://{{ keystone_host }}:5000/v2.0', '{{ region_name }}')``. If any regions
33are specified the login form will have a dropdown selector for authenticating
34to the appropriate region, and there will be a region switcher dropdown in
35the site header when logged in.
36
37You should also define ``OPENSTACK_KEYSTONE_URL`` to indicate which of
38the regions is the default one.
39
40``OPENSTACK_API_VERSIONS``
41--------------------------
42
43Default::
44
45 {
46 "identity": 2.0,
47 ...,
48 }
49
50Overrides for OpenStack API versions. Use this setting to force the
51OpenStack dashboard to use a specific API version for a given service API.
52Django OpenStack Auth refers to only the ``"identity"`` entry.
53The current valid values are "2.0" or "3".
54
55.. note::
56
57 See `Horizon settings
58 <https://docs.openstack.org/developer/horizon/install/settings.html#openstack-api-versions>`__
59 for the full description of this setting.
60
61``OPENSTACK_ENDPOINT_TYPE``
62---------------------------
63
64Default: ``"publicURL"``
65
66A string which specifies the endpoint type to use for the endpoints in the
67Keystone service catalog. The default value for all services except for
68identity is ``"publicURL"``. The default value for the identity service is
69``"internalURL"``.
70
71``OPENSTACK_KEYSTONE_ADMIN_ROLES``
72----------------------------------
73
74Default: ``["admin"]``
75
76The list of roles that have administrator privileges in this OpenStack
77installation. This check is very basic and essentially only works with
78keystone v2.0 and v3 with the default policy file. The setting assumes there
79is a common ``admin`` like role(s) across services. Example uses of this
80setting are:
81
82* to rename the ``admin`` role to ``cloud-admin``
83* allowing multiple roles to have administrative privileges, like
84 ``["admin", "cloud-admin", "net-op"]``
85
86``OPENSTACK_KEYSTONE_DEFAULT_DOMAIN``
87-------------------------------------
88
89Default: ``"Default"``
90
91Overrides the default domain used when running on single-domain model
92with Keystone V3. All entities will be created in the default domain.
93
94.. note::
95
96 This value must be the name of the default domain, NOT the ID.
97 Also, you will most likely have a value in the keystone policy file like
98 ``"cloud_admin": "rule:admin_required and domain_id:<your domain id>"``.
99 This value must be the name of the domain whose ID is specified there.
100
101``OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT``
102------------------------------------------
103
104Default: ``False``
105
106Set this to True if running on multi-domain model. When this is enabled, it
107will require user to enter the Domain name in addition to username for login.
108
109``OPENSTACK_KEYSTONE_URL``
110--------------------------
111
112Default: ``"http://%s:5000/v2.0" % OPENSTACK_HOST``
113
114The full URL for the Keystone endpoint used for authentication. Unless you
115are using HTTPS, running your Keystone server on a nonstandard port, or using
116a nonstandard URL scheme you shouldn't need to touch this setting.
117
118``OPENSTACK_SSL_CACERT``
119------------------------
120
121Default: ``None``
122
123When unset or set to ``None`` the default CA certificate on the system is used
124for SSL verification.
125
126When set with the path to a custom CA certificate file, this overrides use of
127the default system CA certificate. This custom certificate is used to verify all
128connections to openstack services when making API calls.
129
130``OPENSTACK_SSL_NO_VERIFY``
131---------------------------
132
133Default: ``False``
134
135Disable SSL certificate checks in the OpenStack clients (useful for self-signed
136certificates).
137
138``OPENSTACK_TOKEN_HASH_ALGORITHM``
139----------------------------------
140
141Default: ``"md5"``
142
143The hash algorithm to use for authentication tokens. This must match the hash
144algorithm that the identity (Keystone) server and the auth_token middleware
145are using. Allowed values are the algorithms supported by Python's hashlib
146library.
147
148``OPENSTACK_TOKEN_HASH_ENABLED``
149--------------------------------
150
151(Deprecated)
152
153Default: ``True``
154
155Hashing tokens from Keystone keeps the Horizon session data smaller, but it
156doesn't work in some cases when using PKI tokens. Uncomment this value and
157set it to False if using PKI tokens and there are 401 errors due to token
158hashing.
159
160This option is now marked as "deprecated" and will be removed in Ocata or a
161later release. PKI tokens currently work with hashing, and Keystone will soon
162deprecate usage of PKI tokens.
163
164``PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS``
165-------------------------------------------
166
167Default: ``-1``
168
169Password will have an expiration date when using keystone v3 and enabling the
170feature. This setting allows you to set the number of days that the user will
171be alerted prior to the password expiration. Once the password expires keystone
172will deny the access and users must contact an admin to change their password.
173Setting this value to ``N`` days means the user will be alerted when the
174password expires in less than ``N+1`` days. ``-1`` disables the feature.
175
176``POLICY_FILES``
177----------------
178
179Default: ``{'identity': 'keystone_policy.json', 'compute': 'nova_policy.json'}``
180
181This should essentially be the mapping of the contents of ``POLICY_FILES_PATH``
182to service types. When policy.json files are added to ``POLICY_FILES_PATH``,
183they should be included here too.
184
185``POLICY_FILES_PATH``
186---------------------
187
188Default: ``os.path.join(ROOT_PATH, "conf")``
189
190Specifies where service based policy files are located. These are used to
191define the policy rules actions are verified against.
192
193``SECURE_PROXY_ADDR_HEADER``
194----------------------------
195
196Default: ``False``
197
198If horizon is behind a proxy server and the proxy is configured, the IP address
199from request is passed using header variables inside the request. The header
200name depends on a proxy or a load-balancer. This setting specifies the name of
201the header with remote IP address. The main use is for authentication log
202(success or fail) displaing the IP address of the user.
203The commom value for this setting is ``HTTP_X_REAL_IP`` or
204``HTTP_X_FORWARDED_FOR``.
205If not present, then ``REMOTE_ADDR`` header is used. (``REMOTE_ADDR`` is the
206field of Django HttpRequest object which contains IP address of the client.)
207
208``SESSION_TIMEOUT``
209-------------------
210
211Default: ``"3600"``
212
213This ``SESSION_TIMEOUT`` is a method to supercede the token timeout with a
214shorter horizon session timeout (in seconds). So if your token expires in
21560 minutes, a value of 1800 will log users out after 30 minutes.
216
217``TOKEN_DELETION_DISABLED``
218---------------------------
219
220Default: ``False``
221
222This setting allows deployers to control whether a token is deleted on log out.
223This can be helpful when there are often long running processes being run
224in the Horizon environment.
225
226``TOKEN_TIMEOUT_MARGIN``
227------------------------
228
229Default: ``0``
230
231A time margin in seconds to subtract from the real token's validity.
232An example usage is that the token can be valid once the middleware
233passed, and invalid (timed-out) during a view rendering and this
234generates authorization errors during the view rendering.
235By setting this value to some smaller seconds, you can avoid token
236expiration during a view rendering.
237
238``WEBROOT``
239-----------
240
241Default: ``"/"``
242
243Specifies the location where the access to the dashboard is configured in
244the web server.
245
246For example, if you're accessing the Dashboard via
247https://<your server>/dashboard, you would set this to ``"/dashboard/"``.
248
249.. note::
250
251 Additional settings may be required in the config files of your webserver
252 of choice. For example to make ``"/dashboard/"`` the web root in Apache,
253 the ``"sites-available/horizon.conf"`` requires a couple of additional
254 aliases set::
255
256 Alias /dashboard/static %HORIZON_DIR%/static
257
258 Alias /dashboard/media %HORIZON_DIR%/openstack_dashboard/static
259
260 Apache also requires changing your WSGIScriptAlias to reflect the desired
261 path. For example, you'd replace ``/`` with ``/dashboard`` for the
262 alias.
263
264Web SSO (Single Sign On) settings
265=================================
266
267``WEBSSO_ENABLED``
268------------------
269
270Default: ``False``
271
272Enables keystone web single-sign-on if set to True. For this feature to work,
273make sure that you are using Keystone V3 and Django OpenStack Auth V1.2.0 or
274later.
275
276``WEBSSO_INITIAL_CHOICE``
277-------------------------
278
279Default: ``"credentials"``
280
281Determines the default authentication mechanism. When user lands on the login
282page, this is the first choice they will see.
283
284``WEBSSO_CHOICES``
285------------------
286
287Default::
288
289 (
290 ("credentials", _("Keystone Credentials")),
291 ("oidc", _("OpenID Connect")),
292 ("saml2", _("Security Assertion Markup Language"))
293 )
294
295This is the list of authentication mechanisms available to the user. It
296includes Keystone federation protocols such as OpenID Connect and SAML, and
297also keys that map to specific identity provider and federation protocol
298combinations (as defined in ``WEBSSO_IDP_MAPPING``). The list of choices is
299completely configurable, so as long as the id remains intact. Do not remove
300the credentials mechanism unless you are sure. Once removed, even admins will
301have no way to log into the system via the dashboard.
302
303``WEBSSO_IDP_MAPPING``
304----------------------
305
306Default: ``{}``
307
308A dictionary of specific identity provider and federation protocol combinations.
309From the selected authentication mechanism, the value will be looked up as keys
310in the dictionary. If a match is found, it will redirect the user to a identity
311provider and federation protocol specific WebSSO endpoint in keystone, otherwise
312it will use the value as the protocol_id when redirecting to the WebSSO by
313protocol endpoint.
314
315Example::
316
317 WEBSSO_CHOICES = (
318 ("credentials", _("Keystone Credentials")),
319 ("oidc", _("OpenID Connect")),
320 ("saml2", _("Security Assertion Markup Language")),
321 ("acme_oidc", "ACME - OpenID Connect"),
322 ("acme_saml2", "ACME - SAML2")
323 )
324
325 WEBSSO_IDP_MAPPING = {
326 "acme_oidc": ("acme", "oidc"),
327 "acme_saml2": ("acme", "saml2")
328 }
329
330.. note::
331 The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
332
333K2K (Keystone to Keystone) Federation settings
334==============================================
335
336``KEYSTONE_PROVIDER_IDP_NAME``
337------------------------------
338
339Default: ``Local Keystone``
340
341The Keystone Provider drop down uses Keystone to Keystone federation
342to switch between Keystone service providers.
343This sets display name for Identity Provider (dropdown display name).
344
345``KEYSTONE_PROVIDER_IDP_ID``
346----------------------------
347
348Default:: ``localkeystone``
349
350This ID is used for only for comparison with the service provider IDs.
351This ID should not match any service provider IDs.
352
353.. _settings-shared-with-horizon:
354
355Settings shared with Horizon
356============================
357
358The following settings in Django OpenStack Auth are also used by Horizon.
359
360* ``AVAILABLE_REGIONS``
361* ``OPENSTACK_API_VERSIONS``
362* ``OPENSTACK_KEYSTONE_URL``
363* ``OPENSTACK_ENDPOINT_TYPE``
364* ``OPENSTACK_SSL_CACERT``
365* ``OPENSTACK_SSL_NO_VERIFY``
366* ``WEBROOT``
367
368Django OpenStack Auth also refers to the following Django settings.
369For more detail, see `Django settings documentation
370<https://docs.djangoproject.com/en/1.11/ref/settings/#auth>`__.
371They are usually configured as part of Horizon settings.
372
373* ``LOGIN_REDIRECT_URL``
374* ``LOGIN_URL``
375* ``SESSION_ENGINE``
376* ``USE_TZ``
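Review bot: under ``KEYSTONE_PROVIDER_IDP_ID`` the line ``Default:: ``localkeystone``` uses the reST literal-block marker (``::``) instead of ``Default:``, so Sphinx will emit a stray literal block there; change it to ``Default: ``localkeystone``` to match every other entry, and for consistency quote the neighbouring ``Default: ``Local Keystone``` as a string like the other string defaults. The ``OPENSTACK_ENDPOINT_TYPE`` entry states ``Default: ``"publicURL"``` and two sentences later says the default for the identity service is ``"internalURL"``; since Django OpenStack Auth only talks to identity, say explicitly which value applies when the setting is unset. ``SESSION_TIMEOUT`` shows ``Default: ``"3600"``` as a quoted string while the text describes a number of seconds; drop the quotes if the value is an integer. For ``SECURE_PROXY_ADDR_HEADER`` it is worth stating that the chosen header is only trustworthy when the proxy in front of Horizon overwrites it: ``HTTP_X_FORWARDED_FOR`` is client-supplied unless a proxy replaces it, so enabling this without such a proxy lets a client pick the address recorded in the authentication log, which is exactly the record the setting exists to make reliable. Spelling in the same hunk: "displaing" -> "displaying", "commom" -> "common", "supercede" -> "supersede", "used for only for comparison" -> "used only for comparison", "options referred by" -> "options referred to by".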
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 9f93215..d9ba571 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -12,6 +12,7 @@ The current version is designed to work with the Keystone V2 or V3 API.
12 :maxdepth: 2 12 :maxdepth: 2
13 13
14 install/index 14 install/index
15 configuration/index
15 reference/index 16 reference/index
16 17
17* :ref:`genindex` 18* :ref:`genindex`