-rw-r--r--docker/Dockerfile2
-rw-r--r--docker/README.rst3
-rw-r--r--docker/monasca-api.conf.j2275
3 files changed, 246 insertions, 34 deletions
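--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -29,12 +29,14 @@ ENV \
  MYSQL_PASSWORD=password \
  MYSQL_DB=mon \
  MEMCACHED_URI=memcached:11211 \
+ DEFAULT_REGION=RegionOne \
  KEYSTONE_IDENTITY_URI=http://keystone:35357 \
  KEYSTONE_AUTH_URI=http://keystone:5000 \
  KEYSTONE_ADMIN_USER=admin \
  KEYSTONE_ADMIN_PASSWORD=secretadmin \
  KEYSTONE_ADMIN_TENANT=admin \
  KEYSTONE_ADMIN_DOMAIN=default \
+ KEYSTONE_INSECURE=false \
  GUNICORN_WORKERS=9 \
  GUNICORN_WORKER_CLASS=gevent \
  GUNICORN_WORKER_CONNECTIONS=2000 \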
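--- a/docker/README.rst
+++ b/docker/README.rst
@@ -59,6 +59,7 @@ MYSQL_WAIT_RETRIES 24
 MYSQL_WAIT_DELAY 5 Seconds to wait between attempts
 API_MYSQL_DISABLED unset If 'true' do not use a mysql database. Only metric API will work
 MEMCACHED_URI memcached:11211 URI to Keystone authentication cache
+DEFAULT_REGION RegionOne Region that API is running in
 AUTHORIZED_ROLES admin,domainuser,domainadmin,monasca-user Roles for Monasca users (full API access)
 AGENT_AUTHORIZED_ROLES monasca-agent Roles for Monasca agents (sending data only)
 READ_ONLY_AUTHORIZED_ROLES monasca-read-only-user Roles for read only users
@@ -69,6 +70,8 @@ KEYSTONE_ADMIN_USER admin
 KEYSTONE_ADMIN_PASSWORD secretadmin OpenStack administrator user password
 KEYSTONE_ADMIN_TENANT admin OpenStack administrator tenant name
 KEYSTONE_ADMIN_DOMAIN default OpenStack administrator domain
+KEYSTONE_INSECURE false Allow insecure Keystone connection
+KEYSTONE_REGION_NAME undefined Keystone admin account region
 GUNICORN_WORKERS 9 Number of gunicorn (WSGI-HTTP server) workers
 GUNICORN_WORKER_CLASS gevent Used gunicorn worker class
 GUNICORN_WORKER_CONNECTIONS 2000 Number of gunicorn worker connections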
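--- a/docker/monasca-api.conf.j2
+++ b/docker/monasca-api.conf.j2
@@ -7,7 +7,11 @@
 #
 # Region that API is running in
 # (string value)
-region = useast
+#
+# This option has a sample default set, which means that
+# its actual default value may vary from the one documented
+# below.
+region = {{ DEFAULT_REGION }}
 
 #
 # Valid periods for notification methods
@@ -79,6 +83,39 @@ log_config_append=/etc/monasca/api-logging.conf
 # set (boolean value)
 #use_stderr = false
 
+# Log output to Windows Event Log (boolean value)
+#use_eventlog = false
+
+# The amount of time before the log files are rotated. This option is ignored
+# unless log_rotation_type is setto "interval" (integer value)
+#log_rotate_interval = 1
+
+# Rotation interval type. The time of the last file change (or the time when
+# the service was started) is used when scheduling the next rotation (string
+# value)
+# Possible values:
+# Seconds - <No description provided>
+# Minutes - <No description provided>
+# Hours - <No description provided>
+# Days - <No description provided>
+# Weekday - <No description provided>
+# Midnight - <No description provided>
+#log_rotate_interval_type = days
+
+# Maximum number of rotated log files (integer value)
+#max_logfile_count = 30
+
+# Log file maximum size in MB. This option is ignored if "log_rotation_type" is
+# not set to "size" (integer value)
+#max_logfile_size_mb = 200
+
+# Log rotation type (string value)
+# Possible values:
+# interval - Rotate logs at predefined time intervals.
+# size - Rotate logs once they reach a predefined size.
+# none - Do not rotate log files.
+#log_rotation_type = none
+
 # Format string to use for log messages with context (string value)
 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
 
@@ -99,7 +136,7 @@ log_config_append=/etc/monasca/api-logging.conf
 
 # List of package logging levels in logger=LEVEL pairs. This option is ignored
 # if log_config_append is set (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO
 
 # Enables or disables publication of error events (boolean value)
 #publish_errors = false
@@ -157,19 +194,6 @@ log_config_append=/etc/monasca/api-logging.conf
 [database]
 
 #
-# From monasca_api
-#
-
-# DEPRECATED:
-# The SQLAlchemy connection string to use to connect to the database
-# (string value)
-# This option is deprecated for removal since 1.6.0.
-# Its value may be silently ignored in the future.
-# Reason: Please use database.connection option,database.url is scheduled for
-# removal in Pike release
-#url = $database.connection
-
-#
 # From oslo.db
 #
 
@@ -454,6 +478,208 @@ wait_time = 1
 #auto_commit = false
 
 
+[keystone_authtoken]
+
+auth_url = {{ KEYSTONE_IDENTITY_URI }}
+username = {{ KEYSTONE_ADMIN_USER }}
+password = {{ KEYSTONE_ADMIN_PASSWORD }}
+user_domain_name = Default
+project_name = {{ KEYSTONE_ADMIN_TENANT }}
+project_domain_name = Default
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint (string
+# value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+www_authenticate_uri = {{ KEYSTONE_AUTH_URI }}
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri
+# and will be removed in the S release.
+#auth_uri = <None>
+
+# API version of the admin Identity API endpoint (string value)
+#auth_version = <None>
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server (integer
+# value)
+#http_connect_timeout = <None>
+
+# How many times are we trying to reconnect when communicating with Identity
+# API Server (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead (string value)
+#cache = <None>
+
+# Required if identity server requires client certificate (string value)
+#certfile = <None>
+
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs (string value)
+#cafile = <None>
+
+# Verify HTTPS connections (boolean value)
+insecure = {{ KEYSTONE_INSECURE }}
+
+# The region in which the identity server can be found (string value)
+{% if KEYSTONE_REGION_NAME is defined %}
+region_name = {{ KEYSTONE_REGION_NAME }}
+{% endif %}
+
+# DEPRECATED: Directory used to cache files related to PKI tokens. This option
+# has been deprecated in the Ocata release and will be removed in the P release
+# (string value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#signing_dir = <None>
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+memcached_servers = {{ MEMCACHED_URI }}
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set
+# to -1 to disable caching completely (integer value)
+#token_cache_time = 300
+
+# DEPRECATED: Determines the frequency at which the list of revoked tokens is
+# retrieved from the Identity service (in seconds). A high number of revocation
+# events combined with a low cache duration may significantly reduce
+# performance. Only valid for PKI tokens. This option has been deprecated in
+# the Ocata release and will be removed in the P release (integer value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#revocation_cache_time = 10
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization (string value)
+# Possible values:
+# None - <No description provided>
+# MAC - <No description provided>
+# ENCRYPT - <No description provided>
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation (string value)
+#memcache_secret_key = <None>
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached server
+# (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x (boolean value)
+#memcache_use_advanced_pool = false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it
+# if not. "strict" like "permissive" but if the bind type is unknown the token
+# will be rejected. "required" any form of token binding is needed to be
+# allowed. Finally the name of a binding method that must be present in tokens
+# (string value)
+#enforce_token_bind = permissive
+
+# DEPRECATED: If true, the revocation list will be checked for cached tokens.
+# This requires that PKI tokens are configured on the identity server (boolean
+# value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#check_revocations_for_cached = false
+
+# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may be a
+# single algorithm or multiple. The algorithms are those supported by Python
+# standard hashlib.new(). The hashes will be tried in the order given, so put
+# the preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance (list value)
+# This option is deprecated for removal since Ocata.
+# Its value may be silently ignored in the future.
+# Reason: PKI token format is no longer supported.
+#hash_algorithms = md5
+
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present.
+# For backwards compatibility reasons this currently only affects the
+# allow_expired check (list value)
+#service_token_roles = service
+
+# For backwards compatibility reasons we must let valid service tokens pass
+# that don't pass the service_token_roles check as valid. Setting this true
+# will become the default in a future release and should be enabled if possible
+# (boolean value)
+service_token_roles_required = true
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+auth_type = password
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section = <None>
+
+
 [messaging]
 
 #
@@ -610,22 +836,3 @@ read_only_authorized_roles = {{ READ_ONLY_AUTHORIZED_ROLES | default('monasca-re
 # behalf of another tenant
 # (list value)
 delegate_authorized_roles = {{ DELEGATE_AUTHORIZED_ROLES | default('admin') }}
-
-[dispatcher]
-driver = v2_reference
-
-[keystone_authtoken]
-auth_type = password
-auth_url = {{ KEYSTONE_IDENTITY_URI }}
-auth_uri = {{ KEYSTONE_AUTH_URI }}
-username = {{ KEYSTONE_ADMIN_USER }}
-password = {{ KEYSTONE_ADMIN_PASSWORD }}
-user_domain_name = Default
-project_name = {{ KEYSTONE_ADMIN_TENANT }}
-project_domain_name = Default
-service_token_roles_required = true
-memcached_servers = {{ MEMCACHED_URI }}
-insecure = false
-cafile =
-certfile =
-keyfile =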
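Review bot: In the new [keystone_authtoken] block, `insecure = {{ KEYSTONE_INSECURE }}` sits under the generated comment `# Verify HTTPS connections`, which reads as the opposite of what the option does: a true value turns certificate verification off. I would reword that comment to something like `# If true, TLS certificate verification for Keystone is skipped; keep false outside test setups`. The same commit drops the old `cafile =` line and leaves only `#cafile = <None>` with no template variable. A deployment whose Keystone certificate is issued by a private CA therefore cannot supply a CA bundle through the container environment, and is likely to fall back on KEYSTONE_INSECURE=true; a conditional `cafile` entry written like the `region_name` block would give it a verified path. The value is also rendered without a `| default('false')` filter, unlike `delegate_authorized_roles` in the last hunk, so the safe setting depends on the Dockerfile ENV default being present wherever the template is rendered.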