Update config options

The config options in the architecture page needed to be updated. This includes new values and correct text for old values. We also note in the code that the revocation event list is only valid for PKI tokens. Change-Id: Ib98d3de771d88feea72ea9598d094b77cde6093e
2016-05-04 20:11:46 -06:00 · 2016-05-04 20:11:46 -06:00 · 5ef2e510d1
parent 89ec136e5a
commit 5ef2e510d1
2 changed files with 32 additions and 6 deletions
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
@ -222,8 +222,12 @@ a WSGI component. Example for the auth_token middleware:
    # (integer value)
    #token_cache_time=300

-    # Value only used for unit testing (integer value)
-    #revocation_cache_time=1
+    # Determines the frequency at which the list of revoked tokens
+    # is retrieved from the Identity service (in seconds). A high
+    # number of revocation events combined with a low cache duration
+    # may significantly reduce performance. Only valid for PKI tokens.
+    # (integer value)
+    #revocation_cache_time = 10

    # (optional) if defined, indicate whether token data should be
    # authenticated or authenticated and encrypted. Acceptable
@ -256,9 +260,30 @@ a WSGI component. Example for the auth_token middleware:
    # value)
    #enforce_token_bind=permissive

-    # The plugin used for authentication, such as password, token (string
-    # value)
-    #auth_plugin=password
+    # If true, the revocation list will be checked for cached
+    # tokens. This requires that PKI tokens are configured on the
+    # identity server. 
+    # (boolean value)
+    #check_revocations_for_cached = false
+
+    # Hash algorithms to use for hashing PKI tokens. This may be a
+    # single algorithm or multiple. The algorithms are those supported
+    # by Python standard hashlib.new(). The hashes will be tried in the
+    # order given, so put the preferred one first for performance. The
+    # result of the first hash will be  stored in the cache. This will
+    # typically be set to multiple values only while migrating from a
+    # less secure algorithm to a more secure  one. Once all the old
+    # tokens are expired this option should be set to a single value
+    # for better performance. (list value)
+    #hash_algorithms = md5
+
+    # Authentication type to load (unknown value)
+    # Deprecated group/name - [DEFAULT]/auth_plugin
+    #auth_type = <None>
+
+    # Config Section from which to load plugin specific options
+    # (unknown value)
+    #auth_section = <None>

 If the ``auth_plugin`` configuration option is set, you may need to refer to
 the `Authentication Plugins <http://docs.openstack.org/developer/
--- a/keystonemiddleware/auth_token/init.py
+++ b/keystonemiddleware/auth_token/init.py
@ -299,7 +299,8 @@ _OPTS = [
               help='Determines the frequency at which the list of revoked'
               ' tokens is retrieved from the Identity service (in seconds). A'
               ' high number of revocation events combined with a low cache'
-               ' duration may significantly reduce performance.'),
+               ' duration may significantly reduce performance. Only valid'
+               ' for PKI tokens.'),
    cfg.StrOpt('memcache_security_strategy',
               default='None',
               choices=('None', 'MAC', 'ENCRYPT'),