Merge "generate sample config automatically"

.gitignore

@@ -56,3 +56,6 @@ ChangeLog
 
 # Files created by releasenotes build
 releasenotes/build
+
+# sample config included in docs
+doc/source/_static/keystonemiddleware.conf.sample

config-generator/keystonemiddleware.conf

@@ -0,0 +1,4 @@
+[DEFAULT]
+output_file = etc/keystone.conf.sample
+wrap_width = 79
+namespace = keystonemiddleware.auth_token

doc/source/conf.py

@@ -49,9 +49,13 @@ extensions = ['sphinx.ext.autodoc',
               # remove this Sphinx extension when
               # https://launchpad.net/bugs/1260495 is fixed.
               'ext.apidoc',
-              'oslosphinx'
+              'oslosphinx',
+              'oslo_config.sphinxconfiggen'
              ]
 
+config_generator_config_file = '../../config-generator/keystonemiddleware.conf'
+sample_config_basename = '_static/keystonemiddleware'
+
 todo_include_todos = True
 
 # Add any paths that contain templates here, relative to this directory.
@@ -156,7 +160,7 @@ man_pages = []
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-#html_static_path = ['static']
+html_static_path = ['_static']
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.

doc/source/middlewarearchitecture.rst

@@ -124,166 +124,7 @@ a WSGI component. Example for the auth_token middleware:
     [filter:authtoken]
     paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 
-    # Prefix to prepend at the beginning of the path (string
-    # value)
-    # Deprecated group/name - [keystone_authtoken]/auth_url
-    #auth_admin_prefix=
-
-    # Authentication URL (string value)
-    auth_url=http://127.0.0.1:35357
-
-    # Host providing the admin Identity API endpoint (string
-    # value)
-    # Deprecated group/name - [keystone_authtoken]/auth_url
-    #auth_host=127.0.0.1
-
-    # Port of the admin Identity API endpoint (integer value)
-    # Deprecated group/name - [keystone_authtoken]/auth_url
-    #auth_port=35357
-
-    # Protocol of the admin Identity API endpoint(http or https)
-    # (string value)
-    # Deprecated group/name - [keystone_authtoken]/auth_url
-    #auth_protocol=https
-
-    # Complete admin Identity API endpoint.
-    # This should specify the unversioned root endpoint
-    # e.g. https://localhost:35357/. (string value)
-    # Deprecated group/name - [keystone_authtoken]/auth_url
-    #identity_uri=<None>
-
-    # Complete public Identity API endpoint (string value)
-    #auth_uri=<None>
-
-    # API version of the admin Identity API endpoint (string
-    # value)
-    #auth_version=<None>
-
-    # Do not handle authorization requests within the middleware,
-    # but delegate the authorization decision to downstream WSGI
-    # components (boolean value)
-    #delay_auth_decision=false
-
-    # Request timeout value for communicating with Identity API
-    # server. (boolean value)
-    #http_connect_timeout=<None>
-
-    # How many times are we trying to reconnect when communicating
-    # with Identity API Server. (integer value)
-    #http_request_max_retries=3
-
-    # Single shared secret with the Keystone configuration used
-    # for bootstrapping a Keystone installation, or otherwise
-    # bypassing the normal authentication process. (string value)
-    # Deprecated, use username and password instead.
-    #admin_token=<None>
-
-    # Keystone account username (string value)
-    #admin_user=<None>
-
-    # Keystone account password (string value)
-    admin_password=SuperSekretPassword
-
-    # Keystone service account tenant name to validate user tokens
-    # (string value)
-    #admin_tenant_name=admin
-
-    # Env key for the swift cache (string value)
-    #cache=<None>
-
-    # Required if Keystone server requires client certificate
-    # (string value)
-    #certfile=<None>
-
-    # Required if Keystone server requires client certificate
-    # (string value)
-    #keyfile=<None>
-
-    # A PEM encoded Certificate Authority to use when verifying
-    # HTTPs connections. Defaults to system CAs. (string value)
-    #cafile=<None>
-
-    # Verify HTTPS connections. (boolean value)
-    #insecure=false
-
-    # Directory used to cache files related to PKI tokens (string
-    # value)
-    #signing_dir=<None>
-
-    # If defined, the memcached server(s) to use for caching (list
-    # value)
-    # Deprecated group/name - [DEFAULT]/memcache_servers
-    #memcached_servers=<None>
-
-    # In order to prevent excessive requests and validations, the
-    # middleware uses an in-memory cache for the tokens the
-    # Keystone API returns. This is only valid if memcache_servers
-    # is defined. Set to -1 to disable caching completely.
-    # (integer value)
-    #token_cache_time=300
-
-    # Determines the frequency at which the list of revoked tokens
-    # is retrieved from the Identity service (in seconds). A high
-    # number of revocation events combined with a low cache duration
-    # may significantly reduce performance. Only valid for PKI tokens.
-    # (integer value)
-    #revocation_cache_time = 10
-
-    # (optional) if defined, indicate whether token data should be
-    # authenticated or authenticated and encrypted. Acceptable
-    # values are MAC or ENCRYPT.  If MAC, token data is
-    # authenticated (with HMAC) in the cache. If ENCRYPT, token
-    # data is encrypted and authenticated in the cache. If the
-    # value is not one of these options or empty, auth_token will
-    # raise an exception on initialization. (string value)
-    #memcache_security_strategy=<None>
-
-    # (optional, mandatory if memcache_security_strategy is
-    # defined) this string is used for key derivation. (string
-    # value)
-    #memcache_secret_key=<None>
-
-    # (optional) indicate whether to set the X-Service-Catalog
-    # header. If False, middleware will not ask for service
-    # catalog on token validation and will not set the X-Service-
-    # Catalog header. (boolean value)
-    #include_service_catalog=true
-
-    # Used to control the use and type of token binding. Can be
-    # set to: "disabled" to not check token binding. "permissive"
-    # (default) to validate binding information if the bind type
-    # is of a form known to the server and ignore it if not.
-    # "strict" like "permissive" but if the bind type is unknown
-    # the token will be rejected. "required" any form of token
-    # binding is needed to be allowed. Finally the name of a
-    # binding method that must be present in tokens. (string
-    # value)
-    #enforce_token_bind=permissive
-
-    # If true, the revocation list will be checked for cached
-    # tokens. This requires that PKI tokens are configured on the
-    # identity server. 
-    # (boolean value)
-    #check_revocations_for_cached = false
-
-    # Hash algorithms to use for hashing PKI tokens. This may be a
-    # single algorithm or multiple. The algorithms are those supported
-    # by Python standard hashlib.new(). The hashes will be tried in the
-    # order given, so put the preferred one first for performance. The
-    # result of the first hash will be  stored in the cache. This will
-    # typically be set to multiple values only while migrating from a
-    # less secure algorithm to a more secure  one. Once all the old
-    # tokens are expired this option should be set to a single value
-    # for better performance. (list value)
-    #hash_algorithms = md5
-
-    # Authentication type to load (unknown value)
-    # Deprecated group/name - [DEFAULT]/auth_plugin
-    #auth_type = <None>
-
-    # Config Section from which to load plugin specific options
-    # (unknown value)
-    #auth_section = <None>
+.. literalinclude:: _static/keystonemiddleware.conf.sample
 
 If the ``auth_plugin`` configuration option is set, you may need to refer to
 the `Authentication Plugins <http://docs.openstack.org/developer/