diff --git a/.gitignore b/.gitignore
index c6112cd553..f143a3f657 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,6 +36,7 @@ keystone/locale/*/LC_MESSAGES/*.mo
 releasenotes/build
 # sample config included in docs
 doc/source/_static/keystone.conf.sample
+etc/keystone.conf.sample
 # sample policy file included in docs
 doc/source/_static/keystone.policy.yaml.sample
 etc/keystone.policy.yaml.sample
diff --git a/etc/README.txt b/etc/README.txt
new file mode 100644
index 0000000000..481535f7f8
--- /dev/null
+++ b/etc/README.txt
@@ -0,0 +1,9 @@
+To generate the sample keystone.conf and keystone.policy.yaml files, run the
+following commands from the top level of the keystone directory:
+
+ tox -egenconfig
+ tox -egenpolicy
+
+For a pre-generated example of the latest files, see:
+
+ https://docs.openstack.org/keystone/latest/configuration/samples/index.html
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
deleted file mode 100644
index 35b0ff338b..0000000000
--- a/etc/keystone.conf.sample
+++ /dev/null
@@ -1,2932 +0,0 @@ -[DEFAULT] - -# -# From keystone -# - -# Using this feature is *NOT* recommended. Instead, use the `keystone-manage -# bootstrap` command. The value of this option is treated as a "shared secret" -# that can be used to bootstrap Keystone through the API. This "token" does not -# represent a user (it has no identity), and carries no explicit authorization -# (it effectively bypasses most authorization checks). If set to `None`, the -# value is ignored and the `admin_token` middleware is effectively disabled. -# (string value) -#admin_token = - -# The base public endpoint URL for Keystone that is advertised to clients -# (NOTE: this does NOT affect how Keystone listens for connections). Defaults -# to the base host URL of the request. For example, if keystone receives a -# request to `http://server:5000/v3/users`, then this will option will be -# automatically treated as `http://server:5000`. You should only need to set -# option if either the value of the base URL contains a path that keystone does -# not automatically infer (`/prefix/v3`), or if the endpoint should be found on -# a different host. (uri value) -#public_endpoint = - -# The base admin endpoint URL for Keystone that is advertised to clients (NOTE: -# this does NOT affect how Keystone listens for connections). Defaults to the -# base host URL of the request. For example, if keystone receives a request to -# `http://server:35357/v3/users`, then this will option will be automatically -# treated as `http://server:35357`. You should only need to set option if -# either the value of the base URL contains a path that keystone does not -# automatically infer (`/prefix/v3`), or if the endpoint should be found on a -# different host. (uri value) -#admin_endpoint = - -# Maximum depth of the project hierarchy, excluding the project acting as a -# domain at the top of the hierarchy. WARNING: Setting it to a large value may -# adversely impact performance. 
(integer value) -#max_project_tree_depth = 5 - -# Limit the sizes of user & project ID/names. (integer value) -#max_param_size = 64 - -# Similar to `[DEFAULT] max_param_size`, but provides an exception for token -# values. With Fernet tokens, this can be set as low as 255. With UUID tokens, -# this should be set to 32). (integer value) -#max_token_size = 255 - -# DEPRECATED: Similar to the `[DEFAULT] member_role_name` option, this -# represents the default role ID used to associate users with their default -# projects in the v2 API. This will be used as the explicit role where one is -# not specified by the v2 API. You do not need to set this value unless you -# want keystone to use an existing role with a different ID, other than the -# arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] -# member_role_name` as well). (string value) -# This option is deprecated for removal since Q. -# Its value may be silently ignored in the future. -# Reason: This option was used to create a default member role for keystone v2 -# role assignments, but with the removal of the v2 API it is no longer -# necessary to create this default role. This option is deprecated and will be -# removed in the S release. If you are depending on having a predictable role -# name and ID for this member role you will need to update your tooling. -#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab - -# DEPRECATED: This is the role name used in combination with the `[DEFAULT] -# member_role_id` option; see that option for more detail. You do not need to -# set this option unless you want keystone to use an existing role (in which -# case, you should set `[DEFAULT] member_role_id` as well). (string value) -# This option is deprecated for removal since Q. -# Its value may be silently ignored in the future. 
-# Reason: This option was used to create a default member role for keystone v2 -# role assignments, but with the removal of the v2 API it is no longer -# necessary to create this default role. This option is deprecated and will be -# removed in the S release. If you are depending on having a predictable role -# name and ID for this member role you will need to update your tooling. -#member_role_name = _member_ - -# The value passed as the keyword "rounds" to passlib's encrypt method. This -# option represents a trade off between security and performance. Higher values -# lead to slower performance, but higher security. Changing this option will -# only affect newly created passwords as existing password hashes already have -# a fixed number of rounds applied, so it is safe to tune this option in a -# running cluster. For more information, see -# https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right- -# rounds-value (integer value) -# Minimum value: 1000 -# Maximum value: 100000 -#crypt_strength = 10000 - -# The maximum number of entities that will be returned in a collection. This -# global limit may be then overridden for a specific driver, by specifying a -# list_limit in the appropriate section (for example, `[assignment]`). No limit -# is set by default. In larger deployments, it is recommended that you set this -# to a reasonable number to prevent operations like listing all users and -# projects from placing an unnecessary load on the system. (integer value) -#list_limit = - -# If set to true, strict password length checking is performed for password -# manipulation. If a password exceeds the maximum length, the operation will -# fail with an HTTP 403 Forbidden error. If set to false, passwords are -# automatically truncated to the maximum length. (boolean value) -#strict_password_check = false - -# DEPRECATED: The HTTP header used to determine the scheme for the original -# request, even if it was removed by an SSL terminating proxy. 
(string value) -# This option is deprecated for removal since N. -# Its value may be silently ignored in the future. -# Reason: This option has been deprecated in the N release and will be removed -# in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration -# instead. -#secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO - -# If set to true, then the server will return information in HTTP responses -# that may allow an unauthenticated or authenticated user to get more -# information than normal, such as additional details about why authentication -# failed. This may be useful for debugging but is insecure. (boolean value) -#insecure_debug = false - -# Default `publisher_id` for outgoing notifications. If left undefined, -# Keystone will default to using the server's host name. (string value) -#default_publisher_id = - -# Define the notification format for identity service events. A `basic` -# notification only has information about the resource being operated on. A -# `cadf` notification has the same information, as well as information about -# the initiator of the event. The `cadf` option is entirely backwards -# compatible with the `basic` option, but is fully CADF-compliant, and is -# recommended for auditing use cases. (string value) -# Allowed values: basic, cadf -#notification_format = cadf - -# You can reduce the number of notifications keystone emits by explicitly -# opting out. Keystone will not emit notifications that match the patterns -# expressed in this list. Values are expected to be in the form of -# `identity..`. By default, all notifications related -# to authentication are automatically suppressed. This field can be set -# multiple times in order to opt-out of multiple notification topics. 
For -# example, the following suppresses notifications describing user creation or -# successful authentication events: notification_opt_out=identity.user.create -# notification_opt_out=identity.authenticate.success (multi valued) -#notification_opt_out = identity.authenticate.success -#notification_opt_out = identity.authenticate.pending -#notification_opt_out = identity.authenticate.failed - -# -# From oslo.log -# - -# If set to true, the logging level will be set to DEBUG instead of the default -# INFO level. (boolean value) -# Note: This option can be changed without restarting. -#debug = false - -# The name of a logging configuration file. This file is appended to any -# existing logging configuration files. For details about logging configuration -# files, see the Python logging module documentation. Note that when logging -# configuration files are used then all logging configuration is set in the -# configuration file and other logging configuration options are ignored (for -# example, logging_context_format_string). (string value) -# Note: This option can be changed without restarting. -# Deprecated group/name - [DEFAULT]/log_config -#log_config_append = - -# Defines the format string for %%(asctime)s in log records. Default: -# %(default)s . This option is ignored if log_config_append is set. (string -# value) -#log_date_format = %Y-%m-%d %H:%M:%S - -# (Optional) Name of log file to send logging output to. If no default is set, -# logging will go to stderr as defined by use_stderr. This option is ignored if -# log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logfile -#log_file = - -# (Optional) The base directory used for relative log_file paths. This option -# is ignored if log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logdir -#log_dir = - -# Uses logging handler designed to watch file system. 
When log file is moved or -# removed this handler will open a new log file with specified path -# instantaneously. It makes sense only if log_file option is specified and -# Linux platform is used. This option is ignored if log_config_append is set. -# (boolean value) -#watch_log_file = false - -# Use syslog for logging. Existing syslog format is DEPRECATED and will be -# changed later to honor RFC5424. This option is ignored if log_config_append -# is set. (boolean value) -#use_syslog = false - -# Enable journald for logging. If running in a systemd environment you may wish -# to enable journal support. Doing so will use the journal native protocol -# which includes structured metadata in addition to log messages.This option is -# ignored if log_config_append is set. (boolean value) -#use_journal = false - -# Syslog facility to receive log lines. This option is ignored if -# log_config_append is set. (string value) -#syslog_log_facility = LOG_USER - -# Log output to standard error. This option is ignored if log_config_append is -# set. (boolean value) -#use_stderr = false - -# Format string to use for log messages with context. (string value) -#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s - -# Format string to use for log messages when context is undefined. (string -# value) -#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s - -# Additional data to append to log message when logging level for the message -# is DEBUG. (string value) -#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d - -# Prefix each line of exception output with this format. (string value) -#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s - -# Defines the format string for %(user_identity)s that is used in -# logging_context_format_string. 
(string value) -#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s - -# List of package logging levels in logger=LEVEL pairs. This option is ignored -# if log_config_append is set. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO - -# Enables or disables publication of error events. (boolean value) -#publish_errors = false - -# The format for an instance that is passed with the log message. (string -# value) -#instance_format = "[instance: %(uuid)s] " - -# The format for an instance UUID that is passed with the log message. (string -# value) -#instance_uuid_format = "[instance: %(uuid)s] " - -# Interval, number of seconds, of log rate limiting. (integer value) -#rate_limit_interval = 0 - -# Maximum number of logged messages per rate_limit_interval. (integer value) -#rate_limit_burst = 0 - -# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG -# or empty string. Logs with level greater or equal to rate_limit_except_level -# are not filtered. An empty string means that all levels are filtered. (string -# value) -#rate_limit_except_level = CRITICAL - -# Enables or disables fatal status of deprecations. (boolean value) -#fatal_deprecations = false - -# -# From oslo.messaging -# - -# Size of RPC connection pool. (integer value) -#rpc_conn_pool_size = 30 - -# The pool size limit for connections expiration policy (integer value) -#conn_pool_min_size = 2 - -# The time-to-live in sec of idle connections in the pool (integer value) -#conn_pool_ttl = 1200 - -# ZeroMQ bind address. 
Should be a wildcard (*), an ethernet interface, or IP. -# The "host" option should point or resolve to this address. (string value) -#rpc_zmq_bind_address = * - -# MatchMaker driver. (string value) -# Allowed values: redis, sentinel, dummy -#rpc_zmq_matchmaker = redis - -# Number of ZeroMQ contexts, defaults to 1. (integer value) -#rpc_zmq_contexts = 1 - -# Maximum number of ingress messages to locally buffer per topic. Default is -# unlimited. (integer value) -#rpc_zmq_topic_backlog = - -# Directory for holding IPC sockets. (string value) -#rpc_zmq_ipc_dir = /var/run/openstack - -# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match -# "host" option, if running Nova. (string value) -#rpc_zmq_host = localhost - -# Number of seconds to wait before all pending messages will be sent after -# closing a socket. The default value of -1 specifies an infinite linger -# period. The value of 0 specifies no linger period. Pending messages shall be -# discarded immediately when the socket is closed. Positive values specify an -# upper bound for the linger period. (integer value) -# Deprecated group/name - [DEFAULT]/rpc_cast_timeout -#zmq_linger = -1 - -# The default number of seconds that poll should wait. Poll raises timeout -# exception when timeout expired. (integer value) -#rpc_poll_timeout = 1 - -# Expiration timeout in seconds of a name service record about existing target -# ( < 0 means no timeout). (integer value) -#zmq_target_expire = 300 - -# Update period in seconds of a name service record about existing target. -# (integer value) -#zmq_target_update = 180 - -# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean -# value) -#use_pub_sub = false - -# Use ROUTER remote proxy. (boolean value) -#use_router_proxy = false - -# This option makes direct connections dynamic or static. It makes sense only -# with use_router_proxy=False which means to use direct connections for direct -# message types (ignored otherwise). 
(boolean value) -#use_dynamic_connections = false - -# How many additional connections to a host will be made for failover reasons. -# This option is actual only in dynamic connections mode. (integer value) -#zmq_failover_connections = 2 - -# Minimal port number for random ports range. (port value) -# Minimum value: 0 -# Maximum value: 65535 -#rpc_zmq_min_port = 49153 - -# Maximal port number for random ports range. (integer value) -# Minimum value: 1 -# Maximum value: 65536 -#rpc_zmq_max_port = 65536 - -# Number of retries to find free port number before fail with ZMQBindError. -# (integer value) -#rpc_zmq_bind_port_retries = 100 - -# Default serialization mechanism for serializing/deserializing -# outgoing/incoming messages (string value) -# Allowed values: json, msgpack -#rpc_zmq_serialization = json - -# This option configures round-robin mode in zmq socket. True means not keeping -# a queue when server side disconnects. False means to keep queue and messages -# even if server is disconnected, when the server appears we send all -# accumulated messages to it. (boolean value) -#zmq_immediate = true - -# Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any -# other negative value) means to skip any overrides and leave it to OS default; -# 0 and 1 (or any other positive value) mean to disable and enable the option -# respectively. (integer value) -#zmq_tcp_keepalive = -1 - -# The duration between two keepalive transmissions in idle condition. The unit -# is platform dependent, for example, seconds in Linux, milliseconds in Windows -# etc. The default value of -1 (or any other negative value and 0) means to -# skip any overrides and leave it to OS default. (integer value) -#zmq_tcp_keepalive_idle = -1 - -# The number of retransmissions to be carried out before declaring that remote -# end is not available. The default value of -1 (or any other negative value -# and 0) means to skip any overrides and leave it to OS default. 
(integer -# value) -#zmq_tcp_keepalive_cnt = -1 - -# The duration between two successive keepalive retransmissions, if -# acknowledgement to the previous keepalive transmission is not received. The -# unit is platform dependent, for example, seconds in Linux, milliseconds in -# Windows etc. The default value of -1 (or any other negative value and 0) -# means to skip any overrides and leave it to OS default. (integer value) -#zmq_tcp_keepalive_intvl = -1 - -# Maximum number of (green) threads to work concurrently. (integer value) -#rpc_thread_pool_size = 100 - -# Expiration timeout in seconds of a sent/received message after which it is -# not tracked anymore by a client/server. (integer value) -#rpc_message_ttl = 300 - -# Wait for message acknowledgements from receivers. This mechanism works only -# via proxy without PUB/SUB. (boolean value) -#rpc_use_acks = false - -# Number of seconds to wait for an ack from a cast/call. After each retry -# attempt this timeout is multiplied by some specified multiplier. (integer -# value) -#rpc_ack_timeout_base = 15 - -# Number to multiply base ack timeout by after each retry attempt. (integer -# value) -#rpc_ack_timeout_multiplier = 2 - -# Default number of message sending attempts in case of any problems occurred: -# positive value N means at most N retries, 0 means no retries, None or -1 (or -# any other negative values) mean to retry forever. This option is used only if -# acknowledgments are enabled. (integer value) -#rpc_retry_attempts = 3 - -# List of publisher hosts SubConsumer can subscribe on. This option has higher -# priority then the default publishers list taken from the matchmaker. (list -# value) -#subscribe_on = - -# Size of executor thread pool when executor is threading or eventlet. (integer -# value) -# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size -#executor_thread_pool_size = 64 - -# Seconds to wait for a response from a call. 
(integer value) -#rpc_response_timeout = 60 - -# A URL representing the messaging driver to use and its full configuration. -# (string value) -#transport_url = - -# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers -# include amqp and zmq. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rpc_backend = rabbit - -# The default exchange under which topics are scoped. May be overridden by an -# exchange name specified in the transport_url option. (string value) -#control_exchange = keystone - - -[application_credential] - -# -# From keystone -# - -# Entry point for the application credential backend driver in the -# `keystone.application_credential` namespace. Keystone only provides a `sql` -# driver, so there is no reason to change this unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Toggle for application credential caching. This has no effect unless global -# caching is enabled. (boolean value) -#caching = true - -# Time to cache application credential data in seconds. This has no effect -# unless global caching is enabled. (integer value) -#cache_time = - -# Maximum number of application credentials a user is permitted to create. A -# value of -1 means unlimited. If a limit is not set, users are permitted to -# create application credentials at will, which could lead to bloat in the -# keystone database or open keystone to a DoS attack. (integer value) -#user_limit = -1 - - -[assignment] - -# -# From keystone -# - -# Entry point for the assignment backend driver (where role assignments are -# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied -# by keystone itself. Unless you are writing proprietary drivers for keystone, -# you do not need to set this option. (string value) -#driver = sql - -# A list of role names which are prohibited from being an implied role. 
(list -# value) -#prohibited_implied_role = admin - - -[auth] - -# -# From keystone -# - -# Allowed authentication methods. Note: You should disable the `external` auth -# method if you are currently using federation. External auth and federation -# both use the REMOTE_USER variable. Since both the mapped and external plugin -# are being invoked to validate attributes in the request environment, it can -# cause conflicts. (list value) -#methods = external,password,token,oauth1,mapped,application_credential - -# Entry point for the password auth plugin module in the -# `keystone.auth.password` namespace. You do not need to set this unless you -# are overriding keystone's own password authentication plugin. (string value) -#password = - -# Entry point for the token auth plugin module in the `keystone.auth.token` -# namespace. You do not need to set this unless you are overriding keystone's -# own token authentication plugin. (string value) -#token = - -# Entry point for the external (`REMOTE_USER`) auth plugin module in the -# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and -# `Domain`. The default driver is `DefaultDomain`, which assumes that all users -# identified by the username specified to keystone in the `REMOTE_USER` -# variable exist within the context of the default domain. The `Domain` option -# expects an additional environment variable be presented to keystone, -# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if -# `REMOTE_DOMAIN` is not set, then the default domain will be used instead). -# You do not need to set this unless you are taking advantage of "external -# authentication", where the application server (such as Apache) is handling -# authentication instead of keystone. (string value) -#external = - -# Entry point for the OAuth 1.0a auth plugin module in the -# `keystone.auth.oauth1` namespace. You do not need to set this unless you are -# overriding keystone's own `oauth1` authentication plugin. 
(string value) -#oauth1 = - -# Entry point for the mapped auth plugin module in the `keystone.auth.mapped` -# namespace. You do not need to set this unless you are overriding keystone's -# own `mapped` authentication plugin. (string value) -#mapped = - -# Entry point for the application_credential auth plugin module in the -# `keystone.auth.application_credential` namespace. You do not need to set this -# unless you are overriding keystone's own `application_credential` -# authentication plugin. (string value) -#application_credential = - - -[cache] - -# -# From oslo.cache -# - -# Prefix for building the configuration dictionary for the cache region. This -# should not need to be changed unless there is another dogpile.cache region -# with the same configuration name. (string value) -#config_prefix = cache.oslo - -# Default TTL, in seconds, for any cached item in the dogpile.cache region. -# This applies to any cached method that doesn't have an explicit cache -# expiration time defined for it. (integer value) -#expiration_time = 600 - -# Dogpile.cache backend module. It is recommended that Memcache or Redis -# (dogpile.cache.redis) be used in production deployments. For eventlet-based -# or highly threaded servers, Memcache with pooling (oslo_cache.memcache_pool) -# is recommended. For low thread servers, dogpile.cache.memcached is -# recommended. Test environments with a single instance of the server can use -# the dogpile.cache.memory backend. (string value) -#backend = dogpile.cache.null - -# Arguments supplied to the backend module. Specify this option once per -# argument to be passed to the dogpile.cache backend. Example format: -# ":". (multi valued) -#backend_argument = - -# Proxy classes to import that will affect the way the dogpile.cache backend -# functions. See the dogpile.cache documentation on changing-backend-behavior. -# (list value) -#proxies = - -# Global toggle for caching. 
(boolean value) -#enabled = true - -# Extra debugging from the cache backend (cache keys, get/set/delete/etc -# calls). This is only really useful if you need to see the specific cache- -# backend get/set/delete calls with the keys/values. Typically this should be -# left set to false. (boolean value) -#debug_cache_backend = false - -# Memcache servers in the format of "host:port". (dogpile.cache.memcache and -# oslo_cache.memcache_pool backends only). (list value) -#memcache_servers = localhost:11211 - -# Number of seconds memcached server is considered dead before it is tried -# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only). -# (integer value) -#memcache_dead_retry = 300 - -# Timeout in seconds for every call to a server. (dogpile.cache.memcache and -# oslo_cache.memcache_pool backends only). (integer value) -#memcache_socket_timeout = 3 - -# Max total number of open connections to every memcached server. -# (oslo_cache.memcache_pool backend only). (integer value) -#memcache_pool_maxsize = 10 - -# Number of seconds a connection to memcached is held unused in the pool before -# it is closed. (oslo_cache.memcache_pool backend only). (integer value) -#memcache_pool_unused_timeout = 60 - -# Number of seconds that an operation will wait to get a memcache client -# connection. (integer value) -#memcache_pool_connection_get_timeout = 10 - - -[catalog] - -# -# From keystone -# - -# Absolute path to the file used for the templated catalog backend. This option -# is only used if the `[catalog] driver` is set to `templated`. (string value) -#template_file = default_catalog.templates - -# Entry point for the catalog driver in the `keystone.catalog` namespace. -# Keystone provides a `sql` option (which supports basic CRUD operations -# through SQL), a `templated` option (which loads the catalog from a templated -# catalog file on disk), and a `endpoint_filter.sql` option (which supports -# arbitrary service catalogs per project). 
(string value) -#driver = sql - -# Toggle for catalog caching. This has no effect unless global caching is -# enabled. In a typical deployment, there is no reason to disable this. -# (boolean value) -#caching = true - -# Time to cache catalog data (in seconds). This has no effect unless global and -# catalog caching are both enabled. Catalog data (services, endpoints, etc.) -# typically does not change frequently, and so a longer duration than the -# global default may be desirable. (integer value) -#cache_time = - -# Maximum number of entities that will be returned in a catalog collection. -# There is typically no reason to set this, as it would be unusual for a -# deployment to have enough services or endpoints to exceed a reasonable limit. -# (integer value) -#list_limit = - - -[cors] - -# -# From oslo.middleware -# - -# Indicate whether this resource may be shared with the domain received in the -# requests "origin" header. Format: "://[:]", no trailing -# slash. Example: https://horizon.example.com (list value) -#allowed_origin = - -# Indicate that the actual request can include user credentials (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple -# Headers. (list value) -#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token - -# Maximum cache age of CORS preflight requests. (integer value) -#max_age = 3600 - -# Indicate which methods can be used during the actual request. (list value) -#allow_methods = GET,PUT,POST,DELETE,PATCH - -# Indicate which header field names may be used during the actual request. -# (list value) -#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name - - -[credential] - -# -# From keystone -# - -# Entry point for the credential backend driver in the `keystone.credential` -# namespace. 
Keystone only provides a `sql` driver, so there's no reason to -# change this unless you are providing a custom entry point. (string value) -#driver = sql - -# Entry point for credential encryption and decryption operations in the -# `keystone.credential.provider` namespace. Keystone only provides a `fernet` -# driver, so there's no reason to change this unless you are providing a custom -# entry point to encrypt and decrypt credentials. (string value) -#provider = fernet - -# Directory containing Fernet keys used to encrypt and decrypt credentials -# stored in the credential backend. Fernet keys used to encrypt credentials -# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets -# of keys should be managed separately and require different rotation policies. -# Do not share this repository with the repository used to manage keys for -# Fernet tokens. (string value) -#key_repository = /etc/keystone/credential-keys/ - - -[database] - -# -# From oslo.db -# - -# If True, SQLite uses synchronous mode. (boolean value) -#sqlite_synchronous = true - -# The back end to use for the database. (string value) -# Deprecated group/name - [DEFAULT]/db_backend -#backend = sqlalchemy - -# The SQLAlchemy connection string to use to connect to the database. (string -# value) -# Deprecated group/name - [DEFAULT]/sql_connection -# Deprecated group/name - [DATABASE]/sql_connection -# Deprecated group/name - [sql]/connection -#connection = - -# The SQLAlchemy connection string to use to connect to the slave database. -# (string value) -#slave_connection = - -# The SQL mode to be used for MySQL sessions. This option, including the -# default, overrides any server-set SQL mode. To use whatever SQL mode is set -# by the server configuration, set this to no value. Example: mysql_sql_mode= -# (string value) -#mysql_sql_mode = TRADITIONAL - -# If True, transparently enables support for handling MySQL Cluster (NDB). 
-# (boolean value) -#mysql_enable_ndb = false - -# Timeout before idle SQL connections are reaped. (integer value) -# Deprecated group/name - [DEFAULT]/sql_idle_timeout -# Deprecated group/name - [DATABASE]/sql_idle_timeout -# Deprecated group/name - [sql]/idle_timeout -#idle_timeout = 3600 - -# Minimum number of SQL connections to keep open in a pool. (integer value) -# Deprecated group/name - [DEFAULT]/sql_min_pool_size -# Deprecated group/name - [DATABASE]/sql_min_pool_size -#min_pool_size = 1 - -# Maximum number of SQL connections to keep open in a pool. Setting a value of -# 0 indicates no limit. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_pool_size -# Deprecated group/name - [DATABASE]/sql_max_pool_size -#max_pool_size = 5 - -# Maximum number of database connection retries during startup. Set to -1 to -# specify an infinite retry count. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_retries -# Deprecated group/name - [DATABASE]/sql_max_retries -#max_retries = 10 - -# Interval between retries of opening a SQL connection. (integer value) -# Deprecated group/name - [DEFAULT]/sql_retry_interval -# Deprecated group/name - [DATABASE]/reconnect_interval -#retry_interval = 10 - -# If set, use this value for max_overflow with SQLAlchemy. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_overflow -# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow -#max_overflow = 50 - -# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer -# value) -# Minimum value: 0 -# Maximum value: 100 -# Deprecated group/name - [DEFAULT]/sql_connection_debug -#connection_debug = 0 - -# Add Python stack traces to SQL as comment strings. (boolean value) -# Deprecated group/name - [DEFAULT]/sql_connection_trace -#connection_trace = false - -# If set, use this value for pool_timeout with SQLAlchemy. 
(integer value) -# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout -#pool_timeout = - -# Enable the experimental use of database reconnect on connection lost. -# (boolean value) -#use_db_reconnect = false - -# Seconds between retries of a database transaction. (integer value) -#db_retry_interval = 1 - -# If True, increases the interval between retries of a database operation up to -# db_max_retry_interval. (boolean value) -#db_inc_retry_interval = true - -# If db_inc_retry_interval is set, the maximum seconds between retries of a -# database operation. (integer value) -#db_max_retry_interval = 10 - -# Maximum retries in case of connection error or deadlock error before error is -# raised. Set to -1 to specify an infinite retry count. (integer value) -#db_max_retries = 20 - - -[domain_config] - -# -# From keystone -# - -# Entry point for the domain-specific configuration driver in the -# `keystone.resource.domain_config` namespace. Only a `sql` option is provided -# by keystone, so there is no reason to set this unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Toggle for caching of the domain-specific configuration backend. This has no -# effect unless global caching is enabled. There is normally no reason to -# disable this. (boolean value) -#caching = true - -# Time-to-live (TTL, in seconds) to cache domain-specific configuration data. -# This has no effect unless `[domain_config] caching` is enabled. (integer -# value) -#cache_time = 300 - - -[endpoint_filter] - -# -# From keystone -# - -# Entry point for the endpoint filter driver in the `keystone.endpoint_filter` -# namespace. Only a `sql` option is provided by keystone, so there is no reason -# to set this unless you are providing a custom entry point. 
(string value) -#driver = sql - -# This controls keystone's behavior if the configured endpoint filters do not -# result in any endpoints for a user + project pair (and therefore a -# potentially empty service catalog). If set to true, keystone will return the -# entire service catalog. If set to false, keystone will return an empty -# service catalog. (boolean value) -#return_all_endpoints_if_no_filter = true - - -[endpoint_policy] - -# -# From keystone -# - -# Entry point for the endpoint policy driver in the `keystone.endpoint_policy` -# namespace. Only a `sql` driver is provided by keystone, so there is no reason -# to set this unless you are providing a custom entry point. (string value) -#driver = sql - - -[eventlet_server] - -# -# From keystone -# - -# DEPRECATED: The IP address of the network interface for the public service to -# listen on. (unknown value) -# Deprecated group/name - [DEFAULT]/bind_host -# Deprecated group/name - [DEFAULT]/public_bind_host -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#public_bind_host = 0.0.0.0 - -# DEPRECATED: The port number for the public service to listen on. (port value) -# Minimum value: 0 -# Maximum value: 65535 -# Deprecated group/name - [DEFAULT]/public_port -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#public_port = 5000 - -# DEPRECATED: The IP address of the network interface for the admin service to -# listen on. 
(unknown value) -# Deprecated group/name - [DEFAULT]/bind_host -# Deprecated group/name - [DEFAULT]/admin_bind_host -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#admin_bind_host = 0.0.0.0 - -# DEPRECATED: The port number for the admin service to listen on. (port value) -# Minimum value: 0 -# Maximum value: 65535 -# Deprecated group/name - [DEFAULT]/admin_port -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#admin_port = 35357 - - -[federation] - -# -# From keystone -# - -# Entry point for the federation backend driver in the `keystone.federation` -# namespace. Keystone only provides a `sql` driver, so there is no reason to -# set this option unless you are providing a custom entry point. (string value) -#driver = sql - -# Prefix to use when filtering environment variable names for federated -# assertions. Matched variables are passed into the federated mapping engine. -# (string value) -#assertion_prefix = - -# Value to be used to obtain the entity ID of the Identity Provider from the -# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For -# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, -# this could be `MELLON_IDP`. (string value) -#remote_id_attribute = - -# An arbitrary domain name that is reserved to allow federated ephemeral users -# to have a domain concept. Note that an admin will not be able to create a -# domain with this name or update an existing domain to this name. 
You are not -# advised to change this value unless you really have to. (string value) -#federated_domain_name = Federated - -# A list of trusted dashboard hosts. Before accepting a Single Sign-On request -# to return a token, the origin host must be a member of this list. This -# configuration option may be repeated for multiple values. You must set this -# in order to use web-based SSO flows. For example: -# trusted_dashboard=https://acme.example.com/auth/websso -# trusted_dashboard=https://beta.example.com/auth/websso (multi valued) -#trusted_dashboard = - -# Absolute path to an HTML file used as a Single Sign-On callback handler. This -# page is expected to redirect the user from keystone back to a trusted -# dashboard host, by form encoding a token in a POST request. Keystone's -# default value should be sufficient for most deployments. (string value) -#sso_callback_template = /etc/keystone/sso_callback_template.html - -# Toggle for federation caching. This has no effect unless global caching is -# enabled. There is typically no reason to disable this. (boolean value) -#caching = true - - -[fernet_tokens] - -# -# From keystone -# - -# Directory containing Fernet token keys. This directory must exist before -# using `keystone-manage fernet_setup` for the first time, must be writable by -# the user running `keystone-manage fernet_setup` or `keystone-manage -# fernet_rotate`, and of course must be readable by keystone's server process. -# The repository may contain keys in one of three states: a single staged key -# (always index 0) used for token validation, a single primary key (always the -# highest index) used for token creation and validation, and any number of -# secondary keys (all other index values) used for token validation. With -# multiple keystone nodes, each node must share the same key repository -# contents, with the exception of the staged key (index 0). 
It is safe to run -# `keystone-manage fernet_rotate` once on any one node to promote a staged key -# (index 0) to be the new primary (incremented from the previous highest -# index), and produce a new staged key (a new key with index 0); the resulting -# repository can then be atomically replicated to other nodes without any risk -# of race conditions (for example, it is safe to run `keystone-manage -# fernet_rotate` on host A, wait any amount of time, create a tarball of the -# directory on host A, unpack it on host B to a temporary location, and -# atomically move (`mv`) the directory into place on host B). Running -# `keystone-manage fernet_rotate` *twice* on a key repository without syncing -# other nodes will result in tokens that can not be validated by all nodes. -# (string value) -#key_repository = /etc/keystone/fernet-keys/ - -# This controls how many keys are held in rotation by `keystone-manage -# fernet_rotate` before they are discarded. The default value of 3 means that -# keystone will maintain one staged key (always index 0), one primary key (the -# highest numerical index), and one secondary key (every other index). -# Increasing this value means that additional secondary keys will be kept in -# the rotation. (integer value) -# Minimum value: 1 -#max_active_keys = 3 - - -[healthcheck] - -# -# From oslo.middleware -# - -# DEPRECATED: The path to respond to healtcheck requests on. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#path = /healthcheck - -# Show more detailed information as part of the response (boolean value) -#detailed = false - -# Additional backends that can perform health checks and report that -# information back as part of a request. (list value) -#backends = - -# Check the presence of a file to determine if an application is running on a -# port. Used by DisableByFileHealthcheck plugin. 
(string value) -#disable_by_file_path = - -# Check the presence of a file based on a port to determine if an application -# is running on a port. Expects a "port:path" list of strings. Used by -# DisableByFilesPortsHealthcheck plugin. (list value) -#disable_by_file_paths = - - -[identity] - -# -# From keystone -# - -# This references the domain to use for all Identity API v2 requests (which are -# not aware of domains). A domain with this ID can optionally be created for -# you by `keystone-manage bootstrap`. The domain referenced by this ID cannot -# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There -# is nothing special about this domain, other than the fact that it must exist -# to order to maintain support for your v2 clients. There is typically no -# reason to change this value. (string value) -#default_domain_id = default - -# A subset (or all) of domains can have their own identity driver, each with -# their own partial configuration options, stored in either the resource -# backend or in a file in a domain configuration directory (depending on the -# setting of `[identity] domain_configurations_from_database`). Only values -# specific to the domain need to be specified in this manner. This feature is -# disabled by default, but may be enabled by default in a future release; set -# to true to enable. (boolean value) -#domain_specific_drivers_enabled = false - -# By default, domain-specific configuration data is read from files in the -# directory identified by `[identity] domain_config_dir`. Enabling this -# configuration option allows you to instead manage domain-specific -# configurations through the API, which are then persisted in the backend -# (typically, a SQL database), rather than using configuration files on disk. -# (boolean value) -#domain_configurations_from_database = false - -# Absolute path where keystone should locate domain-specific `[identity]` -# configuration files. 
This option has no effect unless `[identity] -# domain_specific_drivers_enabled` is set to true. There is typically no reason -# to change this value. (string value) -#domain_config_dir = /etc/keystone/domains - -# Entry point for the identity backend driver in the `keystone.identity` -# namespace. Keystone provides a `sql` and `ldap` driver. This option is also -# used as the default driver selection (along with the other configuration -# variables in this section) in the event that `[identity] -# domain_specific_drivers_enabled` is enabled, but no applicable domain- -# specific configuration is defined for the domain in question. Unless your -# deployment primarily relies on `ldap` AND is not using domain-specific -# configuration, you should typically leave this set to `sql`. (string value) -#driver = sql - -# Toggle for identity caching. This has no effect unless global caching is -# enabled. There is typically no reason to disable this. (boolean value) -#caching = true - -# Time to cache identity data (in seconds). This has no effect unless global -# and identity caching are enabled. (integer value) -#cache_time = 600 - -# Maximum allowed length for user passwords. Decrease this value to improve -# performance. Changing this value does not effect existing passwords. (integer -# value) -# Maximum value: 4096 -#max_password_length = 4096 - -# Maximum number of entities that will be returned in an identity collection. -# (integer value) -#list_limit = - -# The password hashing algorithm to use for passwords stored within keystone. -# (string value) -# Allowed values: bcrypt, scrypt, pbkdf2_sha512 -#password_hash_algorithm = bcrypt - -# This option represents a trade off between security and performance. Higher -# values lead to slower performance, but higher security. 
Changing this option -# will only affect newly created passwords as existing password hashes already -# have a fixed number of rounds applied, so it is safe to tune this option in a -# running cluster. The default for bcrypt is 12, must be between 4 and 31, -# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The -# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING: -# If using scrypt, increasing this value increases BOTH time AND memory -# requirements to hash a password. (integer value) -#password_hash_rounds = - -# Optional block size to pass to scrypt hash function (the `r` parameter). -# Useful for tuning scrypt to optimal performance for your CPU architecture. -# This option is only used when the `password_hash_algorithm` option is set to -# `scrypt`. Defaults to 8. (integer value) -#scrypt_block_size = - -# Optional parallelism to pass to scrypt hash function (the `p` parameter). -# This option is only used when the `password_hash_algorithm` option is set to -# `scrypt`. Defaults to 1. (integer value) -#scrypt_parallelism = - -# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for -# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a -# maximum of 96 bytes due to the size of the column used to store password -# hashes. (integer value) -# Minimum value: 0 -# Maximum value: 96 -#salt_bytesize = - - -[identity_mapping] - -# -# From keystone -# - -# Entry point for the identity mapping backend driver in the -# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` -# driver, so there is no reason to change this unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Entry point for the public ID generator for user and group entities in the -# `keystone.identity.id_generator` namespace. The Keystone identity mapper only -# supports generators that produce 64 bytes or less. 
Keystone only provides a -# `sha256` entry point, so there is no reason to change this value unless -# you're providing a custom entry point. (string value) -#generator = sha256 - -# The format of user and group IDs changed in Juno for backends that do not -# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to -# the underlying attribute in LDAP. By default this mapping is disabled, which -# ensures that existing IDs will not change. Even when the mapping is enabled -# by using domain-specific drivers (`[identity] -# domain_specific_drivers_enabled`), any users and groups from the default -# domain being handled by LDAP will still not be mapped to ensure their IDs -# remain backward compatible. Setting this value to false will enable the new -# mapping for all backends, including the default LDAP driver. It is only -# guaranteed to be safe to enable this option if you do not already have -# assignments for users and groups from the default LDAP domain, and you -# consider it to be acceptable for Keystone to provide the different IDs to -# clients than it did previously (existing IDs in the API will suddenly -# change). Typically this means that the only time you can set this value to -# false is when configuring a fresh installation, although that is the -# recommended value. (boolean value) -#backward_compatible_ids = true - - -[ldap] - -# -# From keystone -# - -# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified -# as a comma separated string. The first URL to successfully bind is used for -# the connection. (string value) -#url = ldap://localhost - -# The user name of the administrator bind DN to use when querying the LDAP -# server, if your LDAP server requires it. (string value) -#user = - -# The password of the administrator bind DN to use when querying the LDAP -# server, if your LDAP server requires it. 
(string value) -#password = - -# The default LDAP server suffix to use, if a DN is not defined via either -# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value) -#suffix = cn=example,cn=com - -# The search scope which defines how deep to search within the search base. A -# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search -# of objects immediately below to the base object, but does not include the -# base object itself. A value of `sub` (representing `subtree` or -# `wholeSubtree`) indicates a search of both the base object itself and the -# entire subtree below it. (string value) -# Allowed values: one, sub -#query_scope = one - -# Defines the maximum number of results per page that keystone should request -# from the LDAP server when listing objects. A value of zero (`0`) disables -# paging. (integer value) -# Minimum value: 0 -#page_size = 0 - -# The LDAP dereferencing option to use for queries involving aliases. A value -# of `default` falls back to using default dereferencing behavior configured by -# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced -# at all. A value of `searching` dereferences aliases only after name -# resolution. A value of `finding` dereferences aliases only during name -# resolution. A value of `always` dereferences aliases in all cases. (string -# value) -# Allowed values: never, searching, always, finding, default -#alias_dereferencing = default - -# Sets the LDAP debugging level for LDAP calls. A value of 0 means that -# debugging is not enabled. This value is a bitmask, consult your LDAP -# documentation for possible values. (integer value) -# Minimum value: -1 -#debug_level = - -# Sets keystone's referral chasing behavior across directory partitions. If -# left unset, the system's default behavior will be used. (boolean value) -#chase_referrals = - -# The search base to use for users. Defaults to the `[ldap] suffix` value. 
-# (string value) -#user_tree_dn = - -# The LDAP search filter to use for users. (string value) -#user_filter = - -# The LDAP object class to use for users. (string value) -#user_objectclass = inetOrgPerson - -# The LDAP attribute mapped to user IDs in keystone. This must NOT be a -# multivalued attribute. User IDs are expected to be globally unique across -# keystone domains and URL-safe. (string value) -#user_id_attribute = cn - -# The LDAP attribute mapped to user names in keystone. User names are expected -# to be unique only within a keystone domain and are not expected to be URL- -# safe. (string value) -#user_name_attribute = sn - -# The LDAP attribute mapped to user descriptions in keystone. (string value) -#user_description_attribute = description - -# The LDAP attribute mapped to user emails in keystone. (string value) -#user_mail_attribute = mail - -# The LDAP attribute mapped to user passwords in keystone. (string value) -#user_pass_attribute = userPassword - -# The LDAP attribute mapped to the user enabled attribute in keystone. If -# setting this option to `userAccountControl`, then you may be interested in -# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well. -# (string value) -#user_enabled_attribute = enabled - -# Logically negate the boolean value of the enabled attribute obtained from the -# LDAP server. Some LDAP servers use a boolean lock attribute where "true" -# means an account is disabled. Setting `[ldap] user_enabled_invert = true` -# will allow these lock attributes to be used. This option will have no effect -# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` -# options are in use. (boolean value) -#user_enabled_invert = false - -# Bitmask integer to select which bit indicates the enabled value if the LDAP -# server represents "enabled" as a bit on an integer rather than as a discrete -# boolean. A value of `0` indicates that the mask is not used. 
If this is not -# set to `0` the typical value is `2`. This is typically used when `[ldap] -# user_enabled_attribute = userAccountControl`. Setting this option causes -# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value) -# Minimum value: 0 -#user_enabled_mask = 0 - -# The default value to enable users. This should match an appropriate integer -# value if the LDAP server uses non-boolean (bitmask) values to indicate if a -# user is enabled or disabled. If this is not set to `True`, then the typical -# value is `512`. This is typically used when `[ldap] user_enabled_attribute = -# userAccountControl`. (string value) -#user_enabled_default = True - -# List of user attributes to ignore on create and update, or whether a specific -# user attribute should be filtered for list or show user. (list value) -#user_attribute_ignore = default_project_id - -# The LDAP attribute mapped to a user's default_project_id in keystone. This is -# most commonly used when keystone has write access to LDAP. (string value) -#user_default_project_id_attribute = - -# If enabled, keystone uses an alternative method to determine if a user is -# enabled or not by checking if they are a member of the group defined by the -# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes -# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value) -#user_enabled_emulation = false - -# DN of the group entry to hold enabled users when using enabled emulation. -# Setting this option has no effect unless `[ldap] user_enabled_emulation` is -# also enabled. (string value) -#user_enabled_emulation_dn = - -# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` -# settings to determine membership in the emulated enabled group. Enabling this -# option has no effect unless `[ldap] user_enabled_emulation` is also enabled. 
-# (boolean value) -#user_enabled_emulation_use_group_config = false - -# A list of LDAP attribute to keystone user attribute pairs used for mapping -# additional attributes to users in keystone. The expected format is -# `:`, where `ldap_attr` is the attribute in the LDAP -# object and `user_attr` is the attribute which should appear in the identity -# API. (list value) -#user_additional_attribute_mapping = - -# The search base to use for groups. Defaults to the `[ldap] suffix` value. -# (string value) -#group_tree_dn = - -# The LDAP search filter to use for groups. (string value) -#group_filter = - -# The LDAP object class to use for groups. If setting this option to -# `posixGroup`, you may also be interested in enabling the `[ldap] -# group_members_are_ids` option. (string value) -#group_objectclass = groupOfNames - -# The LDAP attribute mapped to group IDs in keystone. This must NOT be a -# multivalued attribute. Group IDs are expected to be globally unique across -# keystone domains and URL-safe. (string value) -#group_id_attribute = cn - -# The LDAP attribute mapped to group names in keystone. Group names are -# expected to be unique only within a keystone domain and are not expected to -# be URL-safe. (string value) -#group_name_attribute = ou - -# The LDAP attribute used to indicate that a user is a member of the group. -# (string value) -#group_member_attribute = member - -# Enable this option if the members of the group object class are keystone user -# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the -# group object class in Open Directory. (boolean value) -#group_members_are_ids = false - -# The LDAP attribute mapped to group descriptions in keystone. (string value) -#group_desc_attribute = description - -# List of group attributes to ignore on create and update. or whether a -# specific group attribute should be filtered for list or show group. 
(list -# value) -#group_attribute_ignore = - -# A list of LDAP attribute to keystone group attribute pairs used for mapping -# additional attributes to groups in keystone. The expected format is -# `:`, where `ldap_attr` is the attribute in the LDAP -# object and `group_attr` is the attribute which should appear in the identity -# API. (list value) -#group_additional_attribute_mapping = - -# If enabled, group queries will use Active Directory specific filters for -# nested groups. (boolean value) -#group_ad_nesting = false - -# An absolute path to a CA certificate file to use when communicating with LDAP -# servers. This option will take precedence over `[ldap] tls_cacertdir`, so -# there is no reason to set both. (string value) -#tls_cacertfile = - -# An absolute path to a CA certificate directory to use when communicating with -# LDAP servers. There is no reason to set this option if you've also set -# `[ldap] tls_cacertfile`. (string value) -#tls_cacertdir = - -# Enable TLS when communicating with LDAP servers. You should also set the -# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this -# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead -# of TLS. (boolean value) -#use_tls = false - -# Specifies which checks to perform against client certificates on incoming TLS -# sessions. If set to `demand`, then a certificate will always be requested and -# required from the LDAP server. If set to `allow`, then a certificate will -# always be requested but not required from the LDAP server. If set to `never`, -# then a certificate will never be requested. (string value) -# Allowed values: demand, never, allow -#tls_req_cert = demand - -# The connection timeout to use with the LDAP server. A value of `-1` means -# that connections will never timeout. (integer value) -# Minimum value: -1 -#connection_timeout = -1 - -# Enable LDAP connection pooling for queries to the LDAP server. 
There is -# typically no reason to disable this. (boolean value) -#use_pool = true - -# The size of the LDAP connection pool. This option has no effect unless -# `[ldap] use_pool` is also enabled. (integer value) -# Minimum value: 1 -#pool_size = 10 - -# The maximum number of times to attempt reconnecting to the LDAP server before -# aborting. A value of zero prevents retries. This option has no effect unless -# `[ldap] use_pool` is also enabled. (integer value) -# Minimum value: 0 -#pool_retry_max = 3 - -# The number of seconds to wait before attempting to reconnect to the LDAP -# server. This option has no effect unless `[ldap] use_pool` is also enabled. -# (floating point value) -#pool_retry_delay = 0.1 - -# The connection timeout to use when pooling LDAP connections. A value of `-1` -# means that connections will never timeout. This option has no effect unless -# `[ldap] use_pool` is also enabled. (integer value) -# Minimum value: -1 -#pool_connection_timeout = -1 - -# The maximum connection lifetime to the LDAP server in seconds. When this -# lifetime is exceeded, the connection will be unbound and removed from the -# connection pool. This option has no effect unless `[ldap] use_pool` is also -# enabled. (integer value) -# Minimum value: 1 -#pool_connection_lifetime = 600 - -# Enable LDAP connection pooling for end user authentication. There is -# typically no reason to disable this. (boolean value) -#use_auth_pool = true - -# The size of the connection pool to use for end user authentication. This -# option has no effect unless `[ldap] use_auth_pool` is also enabled. (integer -# value) -# Minimum value: 1 -#auth_pool_size = 100 - -# The maximum end user authentication connection lifetime to the LDAP server in -# seconds. When this lifetime is exceeded, the connection will be unbound and -# removed from the connection pool. This option has no effect unless `[ldap] -# use_auth_pool` is also enabled. 
(integer value) -# Minimum value: 1 -#auth_pool_connection_lifetime = 60 - - -[matchmaker_redis] - -# -# From oslo.messaging -# - -# DEPRECATED: Host to locate redis. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#host = 127.0.0.1 - -# DEPRECATED: Use this port to connect to redis host. (port value) -# Minimum value: 0 -# Maximum value: 65535 -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#port = 6379 - -# DEPRECATED: Password for Redis server (optional). (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#password = - -# DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode), e.g., -# [host:port, host1:port ... ] (list value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#sentinel_hosts = - -# Redis replica set name. (string value) -#sentinel_group_name = oslo-messaging-zeromq - -# Time in ms to wait between connection attempts. (integer value) -#wait_timeout = 2000 - -# Time in ms to wait before the transaction is killed. (integer value) -#check_timeout = 20000 - -# Timeout in ms on blocking socket operations. (integer value) -#socket_timeout = 10000 - - -[memcache] - -# -# From keystone -# - -# Number of seconds memcached server is considered dead before it is tried -# again. This is used by the key value store system. (integer value) -#dead_retry = 300 - -# Timeout in seconds for every call to a server. This is used by the key value -# store system. (integer value) -#socket_timeout = 3 - -# Max total number of open connections to every memcached server. This is used -# by the key value store system. 
(integer value) -#pool_maxsize = 10 - -# Number of seconds a connection to memcached is held unused in the pool before -# it is closed. This is used by the key value store system. (integer value) -#pool_unused_timeout = 60 - -# Number of seconds that an operation will wait to get a memcache client -# connection. This is used by the key value store system. (integer value) -#pool_connection_get_timeout = 10 - - -[oauth1] - -# -# From keystone -# - -# Entry point for the OAuth backend driver in the `keystone.oauth1` namespace. -# Typically, there is no reason to set this option unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Number of seconds for the OAuth Request Token to remain valid after being -# created. This is the amount of time the user has to authorize the token. -# Setting this option to zero means that request tokens will last forever. -# (integer value) -# Minimum value: 0 -#request_token_duration = 28800 - -# Number of seconds for the OAuth Access Token to remain valid after being -# created. This is the amount of time the consumer has to interact with the -# service provider (which is typically keystone). Setting this option to zero -# means that access tokens will last forever. (integer value) -# Minimum value: 0 -#access_token_duration = 86400 - - -[oslo_messaging_amqp] - -# -# From oslo.messaging -# - -# Name for the AMQP container. must be globally unique. Defaults to a generated -# UUID (string value) -#container_name = - -# Timeout for inactive connections (in seconds) (integer value) -#idle_timeout = 0 - -# Debug: dump AMQP frames to stdout (boolean value) -#trace = false - -# Attempt to connect via SSL. If no other ssl-related parameters are given, it -# will use the system's CA-bundle to verify the server's certificate. 
(boolean -# value) -#ssl = false - -# CA certificate PEM file used to verify the server's certificate (string -# value) -#ssl_ca_file = - -# Self-identifying certificate PEM file for client authentication (string -# value) -#ssl_cert_file = - -# Private key PEM file used to sign ssl_cert_file certificate (optional) -# (string value) -#ssl_key_file = - -# Password for decrypting ssl_key_file (if encrypted) (string value) -#ssl_key_password = - -# DEPRECATED: Accept clients using either SSL or plain TCP (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Not applicable - not a SSL server -#allow_insecure_clients = false - -# Space separated list of acceptable SASL mechanisms (string value) -#sasl_mechanisms = - -# Path to directory that contains the SASL configuration (string value) -#sasl_config_dir = - -# Name of configuration file (without .conf suffix) (string value) -#sasl_config_name = - -# SASL realm to use if no realm present in username (string value) -#sasl_default_realm = - -# DEPRECATED: User name for message broker authentication (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Should use configuration option transport_url to provide the -# username. -#username = - -# DEPRECATED: Password for message broker authentication (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Should use configuration option transport_url to provide the -# password. -#password = - -# Seconds to pause before attempting to re-connect. (integer value) -# Minimum value: 1 -#connection_retry_interval = 1 - -# Increase the connection_retry_interval by this many seconds after each -# unsuccessful failover attempt. 
(integer value) -# Minimum value: 0 -#connection_retry_backoff = 2 - -# Maximum limit for connection_retry_interval + connection_retry_backoff -# (integer value) -# Minimum value: 1 -#connection_retry_interval_max = 30 - -# Time to pause between re-connecting an AMQP 1.0 link that failed due to a -# recoverable error. (integer value) -# Minimum value: 1 -#link_retry_delay = 10 - -# The maximum number of attempts to re-send a reply message which failed due to -# a recoverable error. (integer value) -# Minimum value: -1 -#default_reply_retry = 0 - -# The deadline for an rpc reply message delivery. (integer value) -# Minimum value: 5 -#default_reply_timeout = 30 - -# The deadline for an rpc cast or call message delivery. Only used when caller -# does not provide a timeout expiry. (integer value) -# Minimum value: 5 -#default_send_timeout = 30 - -# The deadline for a sent notification message delivery. Only used when caller -# does not provide a timeout expiry. (integer value) -# Minimum value: 5 -#default_notify_timeout = 30 - -# The duration to schedule a purge of idle sender links. Detach link after -# expiry. (integer value) -# Minimum value: 1 -#default_sender_link_timeout = 600 - -# Indicates the addressing mode used by the driver. 
-# Permitted values: -# 'legacy' - use legacy non-routable addressing -# 'routable' - use routable addresses -# 'dynamic' - use legacy addresses if the message bus does not support routing -# otherwise use routable addressing (string value) -#addressing_mode = dynamic - -# address prefix used when sending to a specific server (string value) -#server_request_prefix = exclusive - -# address prefix used when broadcasting to all servers (string value) -#broadcast_prefix = broadcast - -# address prefix when sending to any server in group (string value) -#group_request_prefix = unicast - -# Address prefix for all generated RPC addresses (string value) -#rpc_address_prefix = openstack.org/om/rpc - -# Address prefix for all generated Notification addresses (string value) -#notify_address_prefix = openstack.org/om/notify - -# Appended to the address prefix when sending a fanout message. Used by the -# message bus to identify fanout messages. (string value) -#multicast_address = multicast - -# Appended to the address prefix when sending to a particular RPC/Notification -# server. Used by the message bus to identify messages sent to a single -# destination. (string value) -#unicast_address = unicast - -# Appended to the address prefix when sending to a group of consumers. Used by -# the message bus to identify messages that should be delivered in a round- -# robin fashion across consumers. (string value) -#anycast_address = anycast - -# Exchange name used in notification addresses. -# Exchange name resolution precedence: -# Target.exchange if set -# else default_notification_exchange if set -# else control_exchange if set -# else 'notify' (string value) -#default_notification_exchange = - -# Exchange name used in RPC addresses. -# Exchange name resolution precedence: -# Target.exchange if set -# else default_rpc_exchange if set -# else control_exchange if set -# else 'rpc' (string value) -#default_rpc_exchange = - -# Window size for incoming RPC Reply messages. 
(integer value) -# Minimum value: 1 -#reply_link_credit = 200 - -# Window size for incoming RPC Request messages (integer value) -# Minimum value: 1 -#rpc_server_credit = 100 - -# Window size for incoming Notification messages (integer value) -# Minimum value: 1 -#notify_server_credit = 100 - -# Send messages of this type pre-settled. -# Pre-settled messages will not receive acknowledgement -# from the peer. Note well: pre-settled messages may be -# silently discarded if the delivery fails. -# Permitted values: -# 'rpc-call' - send RPC Calls pre-settled -# 'rpc-reply'- send RPC Replies pre-settled -# 'rpc-cast' - Send RPC Casts pre-settled -# 'notify' - Send Notifications pre-settled -# (multi valued) -#pre_settled = rpc-cast -#pre_settled = rpc-reply - - -[oslo_messaging_kafka] - -# -# From oslo.messaging -# - -# DEPRECATED: Default Kafka broker Host (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#kafka_default_host = localhost - -# DEPRECATED: Default Kafka broker Port (port value) -# Minimum value: 0 -# Maximum value: 65535 -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#kafka_default_port = 9092 - -# Max fetch bytes of Kafka consumer (integer value) -#kafka_max_fetch_bytes = 1048576 - -# Default timeout(s) for Kafka consumers (floating point value) -#kafka_consumer_timeout = 1.0 - -# Pool Size for Kafka Consumers (integer value) -#pool_size = 10 - -# The pool size limit for connections expiration policy (integer value) -#conn_pool_min_size = 2 - -# The time-to-live in sec of idle connections in the pool (integer value) -#conn_pool_ttl = 1200 - -# Group id for Kafka consumer. 
Consumers in one group will coordinate message -# consumption (string value) -#consumer_group = oslo_messaging_consumer - -# Upper bound on the delay for KafkaProducer batching in seconds (floating -# point value) -#producer_batch_timeout = 0.0 - -# Size of batch for the producer async send (integer value) -#producer_batch_size = 16384 - - -[oslo_messaging_notifications] - -# -# From oslo.messaging -# - -# The Drivers(s) to handle sending notifications. Possible values are -# messaging, messagingv2, routing, log, test, noop (multi valued) -# Deprecated group/name - [DEFAULT]/notification_driver -#driver = - -# A URL representing the messaging driver to use for notifications. If not set, -# we fall back to the same configuration used for RPC. (string value) -# Deprecated group/name - [DEFAULT]/notification_transport_url -#transport_url = - -# AMQP topic used for OpenStack notifications. (list value) -# Deprecated group/name - [rpc_notifier2]/topics -# Deprecated group/name - [DEFAULT]/notification_topics -#topics = notifications - -# The maximum number of attempts to re-send a notification message which failed -# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite -# (integer value) -#retry = -1 - - -[oslo_messaging_rabbit] - -# -# From oslo.messaging -# - -# Use durable queues in AMQP. (boolean value) -# Deprecated group/name - [DEFAULT]/amqp_durable_queues -# Deprecated group/name - [DEFAULT]/rabbit_durable_queues -#amqp_durable_queues = false - -# Auto-delete queues in AMQP. (boolean value) -#amqp_auto_delete = false - -# Enable SSL (boolean value) -#ssl = - -# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and -# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some -# distributions. (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version -#ssl_version = - -# SSL key file (valid only if SSL enabled). 
(string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile -#ssl_key_file = - -# SSL cert file (valid only if SSL enabled). (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile -#ssl_cert_file = - -# SSL certification authority file (valid only if SSL enabled). (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs -#ssl_ca_file = - -# How long to wait before reconnecting in response to an AMQP consumer cancel -# notification. (floating point value) -#kombu_reconnect_delay = 1.0 - -# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not -# be used. This option may not be available in future versions. (string value) -#kombu_compression = - -# How long to wait a missing client before abandoning to send it its replies. -# This value should not be longer than rpc_response_timeout. (integer value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout -#kombu_missing_consumer_retry_timeout = 60 - -# Determines how the next RabbitMQ node is chosen in case the one we are -# currently connected to becomes unavailable. Takes effect only if more than -# one RabbitMQ node is provided in config. (string value) -# Allowed values: round-robin, shuffle -#kombu_failover_strategy = round-robin - -# DEPRECATED: The RabbitMQ broker address where a single node is used. (string -# value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rabbit_host = localhost - -# DEPRECATED: The RabbitMQ broker port where a single node is used. (port -# value) -# Minimum value: 0 -# Maximum value: 65535 -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rabbit_port = 5672 - -# DEPRECATED: RabbitMQ HA cluster host:port pairs. (list value) -# This option is deprecated for removal. 
-# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rabbit_hosts = $rabbit_host:$rabbit_port - -# DEPRECATED: The RabbitMQ userid. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rabbit_userid = guest - -# DEPRECATED: The RabbitMQ password. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rabbit_password = guest - -# The RabbitMQ login method. (string value) -# Allowed values: PLAIN, AMQPLAIN, RABBIT-CR-DEMO -#rabbit_login_method = AMQPLAIN - -# DEPRECATED: The RabbitMQ virtual host. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Replaced by [DEFAULT]/transport_url -#rabbit_virtual_host = / - -# How frequently to retry connecting with RabbitMQ. (integer value) -#rabbit_retry_interval = 1 - -# How long to backoff for between retries when connecting to RabbitMQ. (integer -# value) -#rabbit_retry_backoff = 2 - -# Maximum interval of RabbitMQ connection retries. Default is 30 seconds. -# (integer value) -#rabbit_interval_max = 30 - -# DEPRECATED: Maximum number of RabbitMQ connection retries. Default is 0 -# (infinite retry count). (integer value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#rabbit_max_retries = 0 - -# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this -# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring -# is no longer controlled by the x-ha-policy argument when declaring a queue. 
-# If you just want to make sure that all queues (except those with auto- -# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy -# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value) -#rabbit_ha_queues = false - -# Positive integer representing duration in seconds for queue TTL (x-expires). -# Queues which are unused for the duration of the TTL are automatically -# deleted. The parameter affects only reply and fanout queues. (integer value) -# Minimum value: 1 -#rabbit_transient_queues_ttl = 1800 - -# Specifies the number of messages to prefetch. Setting to zero allows -# unlimited messages. (integer value) -#rabbit_qos_prefetch_count = 0 - -# Number of seconds after which the Rabbit broker is considered down if -# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer -# value) -#heartbeat_timeout_threshold = 60 - -# How often times during the heartbeat_timeout_threshold we check the -# heartbeat. (integer value) -#heartbeat_rate = 2 - -# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) -#fake_rabbit = false - -# Maximum number of channels to allow (integer value) -#channel_max = - -# The maximum byte size for an AMQP frame (integer value) -#frame_max = - -# How often to send heartbeats for consumer's connections (integer value) -#heartbeat_interval = 3 - -# Arguments passed to ssl.wrap_socket (dict value) -#ssl_options = - -# Set socket timeout in seconds for connection's socket (floating point value) -#socket_timeout = 0.25 - -# Set TCP_USER_TIMEOUT in seconds for connection's socket (floating point -# value) -#tcp_user_timeout = 0.25 - -# Set delay for reconnection to some host which has connection error (floating -# point value) -#host_connection_reconnect_delay = 0.25 - -# Connection factory implementation (string value) -# Allowed values: new, single, read_write -#connection_factory = single - -# Maximum number of connections to keep queued. 
(integer value) -#pool_max_size = 30 - -# Maximum number of connections to create above `pool_max_size`. (integer -# value) -#pool_max_overflow = 0 - -# Default number of seconds to wait for a connections to available (integer -# value) -#pool_timeout = 30 - -# Lifetime of a connection (since creation) in seconds or None for no -# recycling. Expired connections are closed on acquire. (integer value) -#pool_recycle = 600 - -# Threshold at which inactive (since release) connections are considered stale -# in seconds or None for no staleness. Stale connections are closed on acquire. -# (integer value) -#pool_stale = 60 - -# Default serialization mechanism for serializing/deserializing -# outgoing/incoming messages (string value) -# Allowed values: json, msgpack -#default_serializer_type = json - -# Persist notification messages. (boolean value) -#notification_persistence = false - -# Exchange name for sending notifications (string value) -#default_notification_exchange = ${control_exchange}_notification - -# Max number of not acknowledged message which RabbitMQ can send to -# notification listener. (integer value) -#notification_listener_prefetch_count = 100 - -# Reconnecting retry count in case of connectivity problem during sending -# notification, -1 means infinite retry. (integer value) -#default_notification_retry_attempts = -1 - -# Reconnecting retry delay in case of connectivity problem during sending -# notification message (floating point value) -#notification_retry_delay = 0.25 - -# Time to live for rpc queues without consumers in seconds. (integer value) -#rpc_queue_expiration = 60 - -# Exchange name for sending RPC messages (string value) -#default_rpc_exchange = ${control_exchange}_rpc - -# Exchange name for receiving RPC replies (string value) -#rpc_reply_exchange = ${control_exchange}_rpc_reply - -# Max number of not acknowledged message which RabbitMQ can send to rpc -# listener. 
(integer value) -#rpc_listener_prefetch_count = 100 - -# Max number of not acknowledged message which RabbitMQ can send to rpc reply -# listener. (integer value) -#rpc_reply_listener_prefetch_count = 100 - -# Reconnecting retry count in case of connectivity problem during sending -# reply. -1 means infinite retry during rpc_timeout (integer value) -#rpc_reply_retry_attempts = -1 - -# Reconnecting retry delay in case of connectivity problem during sending -# reply. (floating point value) -#rpc_reply_retry_delay = 0.25 - -# Reconnecting retry count in case of connectivity problem during sending RPC -# message, -1 means infinite retry. If actual retry attempts in not 0 the rpc -# request could be processed more than one time (integer value) -#default_rpc_retry_attempts = -1 - -# Reconnecting retry delay in case of connectivity problem during sending RPC -# message (floating point value) -#rpc_retry_delay = 0.25 - - -[oslo_messaging_zmq] - -# -# From oslo.messaging -# - -# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. -# The "host" option should point or resolve to this address. (string value) -#rpc_zmq_bind_address = * - -# MatchMaker driver. (string value) -# Allowed values: redis, sentinel, dummy -#rpc_zmq_matchmaker = redis - -# Number of ZeroMQ contexts, defaults to 1. (integer value) -#rpc_zmq_contexts = 1 - -# Maximum number of ingress messages to locally buffer per topic. Default is -# unlimited. (integer value) -#rpc_zmq_topic_backlog = - -# Directory for holding IPC sockets. (string value) -#rpc_zmq_ipc_dir = /var/run/openstack - -# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match -# "host" option, if running Nova. (string value) -#rpc_zmq_host = localhost - -# Number of seconds to wait before all pending messages will be sent after -# closing a socket. The default value of -1 specifies an infinite linger -# period. The value of 0 specifies no linger period. 
Pending messages shall be -# discarded immediately when the socket is closed. Positive values specify an -# upper bound for the linger period. (integer value) -# Deprecated group/name - [DEFAULT]/rpc_cast_timeout -#zmq_linger = -1 - -# The default number of seconds that poll should wait. Poll raises timeout -# exception when timeout expired. (integer value) -#rpc_poll_timeout = 1 - -# Expiration timeout in seconds of a name service record about existing target -# ( < 0 means no timeout). (integer value) -#zmq_target_expire = 300 - -# Update period in seconds of a name service record about existing target. -# (integer value) -#zmq_target_update = 180 - -# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean -# value) -#use_pub_sub = false - -# Use ROUTER remote proxy. (boolean value) -#use_router_proxy = false - -# This option makes direct connections dynamic or static. It makes sense only -# with use_router_proxy=False which means to use direct connections for direct -# message types (ignored otherwise). (boolean value) -#use_dynamic_connections = false - -# How many additional connections to a host will be made for failover reasons. -# This option is actual only in dynamic connections mode. (integer value) -#zmq_failover_connections = 2 - -# Minimal port number for random ports range. (port value) -# Minimum value: 0 -# Maximum value: 65535 -#rpc_zmq_min_port = 49153 - -# Maximal port number for random ports range. (integer value) -# Minimum value: 1 -# Maximum value: 65536 -#rpc_zmq_max_port = 65536 - -# Number of retries to find free port number before fail with ZMQBindError. -# (integer value) -#rpc_zmq_bind_port_retries = 100 - -# Default serialization mechanism for serializing/deserializing -# outgoing/incoming messages (string value) -# Allowed values: json, msgpack -#rpc_zmq_serialization = json - -# This option configures round-robin mode in zmq socket. True means not keeping -# a queue when server side disconnects. 
False means to keep queue and messages -# even if server is disconnected, when the server appears we send all -# accumulated messages to it. (boolean value) -#zmq_immediate = true - -# Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any -# other negative value) means to skip any overrides and leave it to OS default; -# 0 and 1 (or any other positive value) mean to disable and enable the option -# respectively. (integer value) -#zmq_tcp_keepalive = -1 - -# The duration between two keepalive transmissions in idle condition. The unit -# is platform dependent, for example, seconds in Linux, milliseconds in Windows -# etc. The default value of -1 (or any other negative value and 0) means to -# skip any overrides and leave it to OS default. (integer value) -#zmq_tcp_keepalive_idle = -1 - -# The number of retransmissions to be carried out before declaring that remote -# end is not available. The default value of -1 (or any other negative value -# and 0) means to skip any overrides and leave it to OS default. (integer -# value) -#zmq_tcp_keepalive_cnt = -1 - -# The duration between two successive keepalive retransmissions, if -# acknowledgement to the previous keepalive transmission is not received. The -# unit is platform dependent, for example, seconds in Linux, milliseconds in -# Windows etc. The default value of -1 (or any other negative value and 0) -# means to skip any overrides and leave it to OS default. (integer value) -#zmq_tcp_keepalive_intvl = -1 - -# Maximum number of (green) threads to work concurrently. (integer value) -#rpc_thread_pool_size = 100 - -# Expiration timeout in seconds of a sent/received message after which it is -# not tracked anymore by a client/server. (integer value) -#rpc_message_ttl = 300 - -# Wait for message acknowledgements from receivers. This mechanism works only -# via proxy without PUB/SUB. (boolean value) -#rpc_use_acks = false - -# Number of seconds to wait for an ack from a cast/call. 
After each retry -# attempt this timeout is multiplied by some specified multiplier. (integer -# value) -#rpc_ack_timeout_base = 15 - -# Number to multiply base ack timeout by after each retry attempt. (integer -# value) -#rpc_ack_timeout_multiplier = 2 - -# Default number of message sending attempts in case of any problems occurred: -# positive value N means at most N retries, 0 means no retries, None or -1 (or -# any other negative values) mean to retry forever. This option is used only if -# acknowledgments are enabled. (integer value) -#rpc_retry_attempts = 3 - -# List of publisher hosts SubConsumer can subscribe on. This option has higher -# priority then the default publishers list taken from the matchmaker. (list -# value) -#subscribe_on = - - -[oslo_middleware] - -# -# From oslo.middleware -# - -# The maximum body size for each request, in bytes. (integer value) -# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size -# Deprecated group/name - [DEFAULT]/max_request_body_size -#max_request_body_size = 114688 - -# DEPRECATED: The HTTP Header that will be used to determine what the original -# request protocol scheme was, even if it was hidden by a SSL termination -# proxy. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#secure_proxy_ssl_header = X-Forwarded-Proto - -# Whether the application is behind a proxy or not. This determines if the -# middleware should parse the headers or not. (boolean value) -#enable_proxy_headers_parsing = false - - -[oslo_policy] - -# -# From oslo.policy -# - -# The file that defines policies. (string value) -#policy_file = policy.json - -# Default rule. Enforced when a requested rule is not found. (string value) -#policy_default_rule = default - -# Directories where policy configuration files are stored. They can be relative -# to any directory in the search path defined by the config_dir option, or -# absolute paths. 
The file defined by policy_file must exist for these -# directories to be searched. Missing or empty directories are ignored. (multi -# valued) -#policy_dirs = policy.d - - -[paste_deploy] - -# -# From keystone -# - -# Name of (or absolute path to) the Paste Deploy configuration file that -# composes middleware and the keystone application itself into actual WSGI -# entry points. See http://pythonpaste.org/deploy/ for additional documentation -# on the file's format. (string value) -#config_file = keystone-paste.ini - - -[policy] - -# -# From keystone -# - -# Entry point for the policy backend driver in the `keystone.policy` namespace. -# Supplied drivers are `rules` (which does not support any CRUD operations for -# the v3 policy API) and `sql`. Typically, there is no reason to set this -# option unless you are providing a custom entry point. (string value) -#driver = sql - -# Maximum number of entities that will be returned in a policy collection. -# (integer value) -#list_limit = - - -[profiler] - -# -# From osprofiler -# - -# -# Enables the profiling for all services on this node. Default value is False -# (fully disable the profiling feature). -# -# Possible values: -# -# * True: Enables the feature -# * False: Disables the feature. The profiling cannot be started via this -# project -# operations. If the profiling is triggered by another project, this project -# part -# will be empty. -# (boolean value) -# Deprecated group/name - [profiler]/profiler_enabled -#enabled = false - -# -# Enables SQL requests profiling in services. Default value is False (SQL -# requests won't be traced). -# -# Possible values: -# -# * True: Enables SQL requests profiling. Each SQL query will be part of the -# trace and can the be analyzed by how much time was spent for that. -# * False: Disables SQL requests profiling. The spent time is only shown on a -# higher level of operations. Single SQL queries cannot be analyzed this -# way. 
-# (boolean value) -#trace_sqlalchemy = false - -# -# Secret key(s) to use for encrypting context data for performance profiling. -# This string value should have the following format: -# [,,...], -# where each key is some random string. A user who triggers the profiling via -# the REST API has to set one of these keys in the headers of the REST API call -# to include profiling results of this node for this particular project. -# -# Both "enabled" flag and "hmac_keys" config options should be set to enable -# profiling. Also, to generate correct profiling information across all -# services -# at least one key needs to be consistent between OpenStack projects. This -# ensures it can be used from client side to generate the trace, containing -# information from all possible resources. (string value) -#hmac_keys = SECRET_KEY - -# -# Connection string for a notifier backend. Default value is messaging:// which -# sets the notifier to oslo_messaging. -# -# Examples of possible values: -# -# * messaging://: use oslo_messaging driver for sending notifications. -# * mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. -# * elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending -# notifications. -# (string value) -#connection_string = messaging:// - -# -# Document type for notification indexing in elasticsearch. -# (string value) -#es_doc_type = notification - -# -# This parameter is a time value parameter (for example: es_scroll_time=2m), -# indicating for how long the nodes that participate in the search will -# maintain -# relevant resources in order to continue and support it. -# (string value) -#es_scroll_time = 2m - -# -# Elasticsearch splits large requests in batches. This parameter defines -# maximum size of each batch (for example: es_scroll_size=10000). -# (integer value) -#es_scroll_size = 10000 - -# -# Redissentinel provides a timeout option on the connections. 
-# This parameter defines that timeout (for example: socket_timeout=0.1). -# (floating point value) -#socket_timeout = 0.1 - -# -# Redissentinel uses a service name to identify a master redis service. -# This parameter defines the name (for example: -# sentinal_service_name=mymaster). -# (string value) -#sentinel_service_name = mymaster - - -[resource] - -# -# From keystone -# - -# DEPRECATED: Entry point for the resource driver in the `keystone.resource` -# namespace. Only a `sql` driver is supplied by keystone. Unless you are -# writing proprietary drivers for keystone, you do not need to set this option. -# (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: Non-SQL resource cannot be used with SQL Identity and has been unable -# to be used since Ocata. SQL Resource backend is a requirement as of Pike. -# Setting this option no longer has an effect on how Keystone operates. -#driver = sql - -# Toggle for resource caching. This has no effect unless global caching is -# enabled. (boolean value) -# Deprecated group/name - [assignment]/caching -#caching = true - -# Time to cache resource data in seconds. This has no effect unless global -# caching is enabled. (integer value) -# Deprecated group/name - [assignment]/cache_time -#cache_time = - -# Maximum number of entities that will be returned in a resource collection. -# (integer value) -# Deprecated group/name - [assignment]/list_limit -#list_limit = - -# Name of the domain that owns the `admin_project_name`. If left unset, then -# there is no admin project. `[resource] admin_project_name` must also be set -# to use this option. (string value) -#admin_project_domain_name = - -# This is a special project which represents cloud-level administrator -# privileges across services. 
Tokens scoped to this project will contain a true -# `is_admin_project` attribute to indicate to policy systems that the role -# assignments on that specific project should apply equally across every -# project. If left unset, then there is no admin project, and thus no explicit -# means of cross-project role assignments. `[resource] -# admin_project_domain_name` must also be set to use this option. (string -# value) -#admin_project_name = - -# This controls whether the names of projects are restricted from containing -# URL-reserved characters. If set to `new`, attempts to create or update a -# project with a URL-unsafe name will fail. If set to `strict`, attempts to -# scope a token with a URL-unsafe project name will fail, thereby forcing all -# project names to be updated to be URL-safe. (string value) -# Allowed values: off, new, strict -#project_name_url_safe = off - -# This controls whether the names of domains are restricted from containing -# URL-reserved characters. If set to `new`, attempts to create or update a -# domain with a URL-unsafe name will fail. If set to `strict`, attempts to -# scope a token with a URL-unsafe domain name will fail, thereby forcing all -# domain names to be updated to be URL-safe. (string value) -# Allowed values: off, new, strict -#domain_name_url_safe = off - - -[revoke] - -# -# From keystone -# - -# Entry point for the token revocation backend driver in the `keystone.revoke` -# namespace. Keystone only provides a `sql` driver, so there is no reason to -# set this option unless you are providing a custom entry point. (string value) -#driver = sql - -# The number of seconds after a token has expired before a corresponding -# revocation event may be purged from the backend. (integer value) -# Minimum value: 0 -#expiration_buffer = 1800 - -# Toggle for revocation event caching. This has no effect unless global caching -# is enabled. 
(boolean value) -#caching = true - -# Time to cache the revocation list and the revocation events (in seconds). -# This has no effect unless global and `[revoke] caching` are both enabled. -# (integer value) -# Deprecated group/name - [token]/revocation_cache_time -#cache_time = 3600 - - -[role] - -# -# From keystone -# - -# Entry point for the role backend driver in the `keystone.role` namespace. -# Keystone only provides a `sql` driver, so there's no reason to change this -# unless you are providing a custom entry point. (string value) -#driver = - -# Toggle for role caching. This has no effect unless global caching is enabled. -# In a typical deployment, there is no reason to disable this. (boolean value) -#caching = true - -# Time to cache role data, in seconds. This has no effect unless both global -# caching and `[role] caching` are enabled. (integer value) -#cache_time = - -# Maximum number of entities that will be returned in a role collection. This -# may be useful to tune if you have a large number of discrete roles in your -# deployment. (integer value) -#list_limit = - - -[saml] - -# -# From keystone -# - -# Determines the lifetime for any SAML assertions generated by keystone, using -# `NotOnOrAfter` attributes. (integer value) -#assertion_expiration_time = 3600 - -# Name of, or absolute path to, the binary to be used for XML signing. Although -# only the XML Security Library (`xmlsec1`) is supported, it may have a non- -# standard name or path on your system. If keystone cannot find the binary -# itself, you may need to install the appropriate package, use this option to -# specify an absolute path, or adjust keystone's PATH environment variable. -# (string value) -#xmlsec1_binary = xmlsec1 - -# Absolute path to the public certificate file to use for SAML signing. The -# value cannot contain a comma (`,`). (string value) -#certfile = /etc/keystone/ssl/certs/signing_cert.pem - -# Absolute path to the private key file to use for SAML signing. 
The value -# cannot contain a comma (`,`). (string value) -#keyfile = /etc/keystone/ssl/private/signing_key.pem - -# This is the unique entity identifier of the identity provider (keystone) to -# use when generating SAML assertions. This value is required to generate -# identity provider metadata and must be a URI (a URL is recommended). For -# example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`. (uri -# value) -#idp_entity_id = - -# This is the single sign-on (SSO) service location of the identity provider -# which accepts HTTP POST requests. A value is required to generate identity -# provider metadata. For example: `https://keystone.example.com/v3/OS- -# FEDERATION/saml2/sso`. (uri value) -#idp_sso_endpoint = - -# This is the language used by the identity provider's organization. (string -# value) -#idp_lang = en - -# This is the name of the identity provider's organization. (string value) -#idp_organization_name = SAML Identity Provider - -# This is the name of the identity provider's organization to be displayed. -# (string value) -#idp_organization_display_name = OpenStack SAML Identity Provider - -# This is the URL of the identity provider's organization. The URL referenced -# here should be useful to humans. (uri value) -#idp_organization_url = https://example.com/ - -# This is the company name of the identity provider's contact person. (string -# value) -#idp_contact_company = Example, Inc. - -# This is the given name of the identity provider's contact person. (string -# value) -#idp_contact_name = SAML Identity Provider Support - -# This is the surname of the identity provider's contact person. (string value) -#idp_contact_surname = Support - -# This is the email address of the identity provider's contact person. (string -# value) -#idp_contact_email = support@example.com - -# This is the telephone number of the identity provider's contact person. 
-# (string value) -#idp_contact_telephone = +1 800 555 0100 - -# This is the type of contact that best describes the identity provider's -# contact person. (string value) -# Allowed values: technical, support, administrative, billing, other -#idp_contact_type = other - -# Absolute path to the identity provider metadata file. This file should be -# generated with the `keystone-manage saml_idp_metadata` command. There is -# typically no reason to change this value. (string value) -#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml - -# The prefix of the RelayState SAML attribute to use when generating enhanced -# client and proxy (ECP) assertions. In a typical deployment, there is no -# reason to change this value. (string value) -#relay_state_prefix = ss:mem: - - -[security_compliance] - -# -# From keystone -# - -# The maximum number of days a user can go without authenticating before being -# considered "inactive" and automatically disabled (locked). This feature is -# disabled by default; set any value to enable it. This feature depends on the -# `sql` backend for the `[identity] driver`. When a user exceeds this threshold -# and is considered "inactive", the user's `enabled` attribute in the HTTP API -# may not match the value of the user's `enabled` column in the user table. -# (integer value) -# Minimum value: 1 -#disable_user_account_days_inactive = - -# The maximum number of times that a user can fail to authenticate before the -# user account is locked for the number of seconds specified by -# `[security_compliance] lockout_duration`. This feature is disabled by -# default. If this feature is enabled and `[security_compliance] -# lockout_duration` is not set, then users may be locked out indefinitely until -# the user is explicitly enabled via the API. This feature depends on the `sql` -# backend for the `[identity] driver`. 
(integer value) -# Minimum value: 1 -#lockout_failure_attempts = - -# The number of seconds a user account will be locked when the maximum number -# of failed authentication attempts (as specified by `[security_compliance] -# lockout_failure_attempts`) is exceeded. Setting this option will have no -# effect unless you also set `[security_compliance] lockout_failure_attempts` -# to a non-zero value. This feature depends on the `sql` backend for the -# `[identity] driver`. (integer value) -# Minimum value: 1 -#lockout_duration = 1800 - -# The number of days for which a password will be considered valid before -# requiring it to be changed. This feature is disabled by default. If enabled, -# new password changes will have an expiration date, however existing passwords -# would not be impacted. This feature depends on the `sql` backend for the -# `[identity] driver`. (integer value) -# Minimum value: 1 -#password_expires_days = - -# This controls the number of previous user password iterations to keep in -# history, in order to enforce that newly created passwords are unique. The -# total number which includes the new password should not be greater or equal -# to this value. Setting the value to one (the default) disables this feature. -# Thus, to enable this feature, values must be greater than 1. This feature -# depends on the `sql` backend for the `[identity] driver`. (integer value) -# Minimum value: 1 -#unique_last_password_count = 1 - -# The number of days that a password must be used before the user can change -# it. This prevents users from changing their passwords immediately in order to -# wipe out their password history and reuse an old password. This feature does -# not prevent administrators from manually resetting passwords. It is disabled -# by default and allows for immediate password changes. This feature depends on -# the `sql` backend for the `[identity] driver`. 
Note: If -# `[security_compliance] password_expires_days` is set, then the value for this -# option should be less than the `password_expires_days`. (integer value) -# Minimum value: 0 -#minimum_password_age = 0 - -# The regular expression used to validate password strength requirements. By -# default, the regular expression will match any password. The following is an -# example of a pattern which requires at least 1 letter, 1 digit, and have a -# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature -# depends on the `sql` backend for the `[identity] driver`. (string value) -#password_regex = - -# Describe your password regular expression here in language for humans. If a -# password fails to match the regular expression, the contents of this -# configuration variable will be returned to users to explain why their -# requested password was insufficient. (string value) -#password_regex_description = - -# Enabling this option requires users to change their password when the user is -# created, or upon administrative reset. Before accessing any services, -# affected users will have to change their password. To ignore this requirement -# for specific users, such as service users, set the `options` attribute -# `ignore_change_password_upon_first_use` to `True` for the desired user via -# the update user API. This feature is disabled by default. This feature is -# only applicable with the `sql` backend for the `[identity] driver`. (boolean -# value) -#change_password_upon_first_use = false - - -[shadow_users] - -# -# From keystone -# - -# Entry point for the shadow users backend driver in the -# `keystone.identity.shadow_users` namespace. This driver is used for -# persisting local user references to externally-managed identities (via -# federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no -# reason to change this option unless you are providing a custom entry point. 
-# (string value) -#driver = sql - - -[signing] - -# -# From keystone -# - -# DEPRECATED: Absolute path to the public certificate file to use for signing -# responses to revocation lists requests. Set this together with `[signing] -# keyfile`. For non-production environments, you may be interested in using -# `keystone-manage pki_setup` to generate self-signed certificates. (string -# value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#certfile = /etc/keystone/ssl/certs/signing_cert.pem - -# DEPRECATED: Absolute path to the private key file to use for signing -# responses to revocation lists requests. Set this together with `[signing] -# certfile`. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#keyfile = /etc/keystone/ssl/private/signing_key.pem - -# DEPRECATED: Absolute path to the public certificate authority (CA) file to -# use when creating self-signed certificates with `keystone-manage pki_setup`. -# Set this together with `[signing] ca_key`. There is no reason to set this -# option unless you are requesting revocation lists in a non-production -# environment. Use a `[signing] certfile` issued from a trusted certificate -# authority instead. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. 
-#ca_certs = /etc/keystone/ssl/certs/ca.pem - -# DEPRECATED: Absolute path to the private certificate authority (CA) key file -# to use when creating self-signed certificates with `keystone-manage -# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason -# to set this option unless you are requesting revocation lists in a non- -# production environment. Use a `[signing] certfile` issued from a trusted -# certificate authority instead. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#ca_key = /etc/keystone/ssl/private/cakey.pem - -# DEPRECATED: Key size (in bits) to use when generating a self-signed token -# signing certificate. There is no reason to set this option unless you are -# requesting revocation lists in a non-production environment. Use a `[signing] -# certfile` issued from a trusted certificate authority instead. (integer -# value) -# Minimum value: 1024 -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#key_size = 2048 - -# DEPRECATED: The validity period (in days) to use when generating a self- -# signed token signing certificate. There is no reason to set this option -# unless you are requesting revocation lists in a non-production environment. -# Use a `[signing] certfile` issued from a trusted certificate authority -# instead. (integer value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. 
-#valid_days = 3650 - -# DEPRECATED: The certificate subject to use when generating a self-signed -# token signing certificate. There is no reason to set this option unless you -# are requesting revocation lists in a non-production environment. Use a -# `[signing] certfile` issued from a trusted certificate authority instead. -# (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com - - -[token] - -# -# From keystone -# - -# This is a list of external authentication mechanisms which should add token -# binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is -# enforced according to the `[token] enforce_token_bind` option. (list value) -#bind = - -# DEPRECATED: This controls the token binding enforcement policy on tokens -# presented to keystone with token binding metadata (as specified by the -# `[token] bind` option). `disabled` completely bypasses token binding -# validation. `permissive` and `strict` do not require tokens to have binding -# metadata (but will validate it if present), whereas `required` will always -# demand tokens to having binding metadata. `permissive` will allow unsupported -# binding metadata to pass through without validation (usually to be validated -# at another time by another component), whereas `strict` and `required` will -# demand that the included binding metadata be supported by keystone. (string -# value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -#enforce_token_bind = permissive - -# The amount of time that a token should remain valid (in seconds). 
Drastically -# reducing this value may break "long-running" operations that involve multiple -# services to coordinate together, and will force users to authenticate with -# keystone more frequently. Drastically increasing this value will increase -# load on the `[token] driver`, as more tokens will be simultaneously valid. -# Keystone tokens are also bearer tokens, so a shorter duration will also -# reduce the potential security impact of a compromised token. (integer value) -# Minimum value: 0 -# Maximum value: 9223372036854775807 -#expiration = 3600 - -# Entry point for the token provider in the `keystone.token.provider` -# namespace. The token provider controls the token construction, validation, -# and revocation operations. Keystone includes `fernet` and `uuid` token -# providers. `uuid` tokens must be persisted (using the backend specified in -# the `[token] driver` option), but do not require any extra configuration or -# setup. `fernet` tokens do not need to be persisted at all, but require that -# you run `keystone-manage fernet_setup` (also see the `keystone-manage -# fernet_rotate` command). (string value) -#provider = fernet - -# DEPRECATED: Entry point for the token persistence backend driver in the -# `keystone.token.persistence` namespace. Keystone provides the `sql` driver. -# The `sql` option (default) depends on the options in your `[database]` -# section. If you're using the `fernet` `[token] provider`, this backend will -# not be utilized to persist tokens at all. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -#driver = sql - -# Toggle for caching token creation and validation data. This has no effect -# unless global caching is enabled. (boolean value) -#caching = true - -# The number of seconds to cache token creation and validation data. This has -# no effect unless both global and `[token] caching` are enabled. 
(integer -# value) -# Minimum value: 0 -# Maximum value: 9223372036854775807 -#cache_time = - -# This toggles support for revoking individual tokens by the token identifier -# and thus various token enumeration operations (such as listing all tokens -# issued to a specific user). These operations are used to determine the list -# of tokens to consider revoked. Do not disable this option if you're using the -# `kvs` `[revoke] driver`. (boolean value) -#revoke_by_id = true - -# This toggles whether scoped tokens may be re-scoped to a new project or -# domain, thereby preventing users from exchanging a scoped token (including -# those with a default project scope) for any other token. This forces users to -# either authenticate for unscoped tokens (and later exchange that unscoped -# token for tokens with a more specific scope) or to provide their credentials -# in every request for a scoped token to avoid re-scoping altogether. (boolean -# value) -#allow_rescope_scoped_token = true - -# This controls whether roles should be included with tokens that are not -# directly assigned to the token's scope, but are instead linked implicitly to -# other role assignments. (boolean value) -#infer_roles = true - -# Enable storing issued token data to token validation cache so that first -# token validation doesn't actually cause full validation cycle. This option -# has no effect unless global caching and token caching are enabled. (boolean -# value) -#cache_on_issue = true - -# This controls the number of seconds that a token can be retrieved for beyond -# the built-in expiry time. This allows long running operations to succeed. -# Defaults to two days. (integer value) -#allow_expired_window = 172800 - - -[tokenless_auth] - -# -# From keystone -# - -# The list of distinguished names which identify trusted issuers of client -# certificates allowed to use X.509 tokenless authorization. If the option is -# absent then no certificates will be allowed. 
The format for the values of a -# distinguished name (DN) must be separated by a comma and contain no spaces. -# Furthermore, because an individual DN may contain commas, this configuration -# option may be repeated multiple times to represent multiple values. For -# example, keystone.conf would include two consecutive lines in order to trust -# two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` -# and `trusted_issuer = CN=mary,OU=eng,O=abc`. (multi valued) -#trusted_issuer = - -# The federated protocol ID used to represent X.509 tokenless authorization. -# This is used in combination with the value of `[tokenless_auth] -# issuer_attribute` to find a corresponding federated mapping. In a typical -# deployment, there is no reason to change this value. (string value) -#protocol = x509 - -# The name of the WSGI environment variable used to pass the issuer of the -# client certificate to keystone. This attribute is used as an identity -# provider ID for the X.509 tokenless authorization along with the protocol to -# look up its corresponding mapping. In a typical deployment, there is no -# reason to change this value. (string value) -#issuer_attribute = SSL_CLIENT_I_DN - - -[trust] - -# -# From keystone -# - -# DEPRECATED: Delegation and impersonation features using trusts can be -# optionally disabled. (boolean value) -# This option is deprecated for removal since Q. -# Its value may be silently ignored in the future. -# Reason: Disabling the trusts API is deprecated. This option will be removed -# in the next release and trusts will always be enabled. -#enabled = true - -# Allows authorization to be redelegated from one user to another, effectively -# chaining trusts together. When disabled, the `remaining_uses` attribute of a -# trust is constrained to be zero. (boolean value) -#allow_redelegation = false - -# Maximum number of times that authorization can be redelegated from one user -# to another in a chain of trusts. 
This number may be reduced further for a -# specific trust. (integer value) -#max_redelegation_count = 3 - -# Entry point for the trust backend driver in the `keystone.trust` namespace. -# Keystone only provides a `sql` driver, so there is no reason to change this -# unless you are providing a custom entry point. (string value) -#driver = sql - - -[unified_limit] - -# -# From keystone -# - -# Entry point for the unified limit backend driver in the -# `keystone.unified_limit` namespace. Keystone only provides a `sql` driver, so -# there's no reason to change this unless you are providing a custom entry -# point. (string value) -#driver = sql - -# Toggle for unified limit caching. This has no effect unless global caching is -# enabled. In a typical deployment, there is no reason to disable this. -# (boolean value) -#caching = true - -# Time to cache unified limit data, in seconds. This has no effect unless both -# global caching and `[unified_limit] caching` are enabled. (integer value) -#cache_time = - -# Maximum number of entities that will be returned in a role collection. This -# may be useful to tune if you have a large number of unified limits in your -# deployment. (integer value) -#list_limit = diff --git a/keystone/tests/unit/test_config.py b/keystone/tests/unit/test_config.py index 36fa73343e..a0c46c342e 100644 --- a/keystone/tests/unit/test_config.py +++ b/keystone/tests/unit/test_config.py @@ -12,8 +12,11 @@ # License for the specific language governing permissions and limitations # under the License. +import os import uuid +from oslo_config import generator + import keystone.conf from keystone import exception from keystone.server import wsgi 
@@ -27,22 +30,30 @@ class ConfigTestCase(unit.TestCase): def config_files(self): config_files = super(ConfigTestCase, self).config_files() - # Insert the keystone sample as the first config file to be loaded - # since it is used in one of the code paths to determine the paste-ini - # location. - config_files.insert(0, unit.dirs.etc('keystone.conf.sample')) + + # NOTE(lbragstad): This needs some investigation, but CONF.find_file() + # apparently needs the sample configuration file in order to find the + # paste file. This should really be replaced by just setting the + # default configuration directory on the config object instead. + sample_file = 'keystone.conf.sample' + args = ['--namespace', 'keystone', '--output-file', + unit.dirs.etc(sample_file)] + generator.main(args=args) + config_files.insert(0, unit.dirs.etc(sample_file)) + self.addCleanup(os.remove, unit.dirs.etc(sample_file)) return config_files - def test_paste_config(self): - self.assertEqual(unit.dirs.etc('keystone-paste.ini'), - wsgi.find_paste_config()) - self.config_fixture.config(group='paste_deploy', - config_file=uuid.uuid4().hex) - self.assertRaises(exception.ConfigFileNotFound, - wsgi.find_paste_config) - self.config_fixture.config(group='paste_deploy', config_file='') - self.assertEqual(unit.dirs.etc('keystone.conf.sample'), - wsgi.find_paste_config()) + def test_default_paste_config_location_succeeds(self): + paste_file_location = unit.dirs.etc(CONF.paste_deploy.config_file) + self.assertEqual(paste_file_location, wsgi.find_paste_config()) + + def test_invalid_paste_file_location_fails(self): + self.config_fixture.config( + group='paste_deploy', config_file=uuid.uuid4().hex + ) + self.assertRaises( + exception.ConfigFileNotFound, wsgi.find_paste_config + ) def test_config_default(self): self.assertIsNone(CONF.auth.password)
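Review bot: The new `config_files()` body generates the sample into a fixed, shared path, `unit.dirs.etc(sample_file)`, and removes it again in `addCleanup`, so two ConfigTestCase tests running on different workers can interfere: one worker's cleanup can delete the file right after another worker inserted it into its config list, and `generator.main()` can overwrite a file another worker is still reading. A per-test name keeps the directory (which, per the NOTE, appears to be what `CONF.find_file()` relies on) while removing the shared path: `sample_file = 'keystone.conf.sample.%s' % uuid.uuid4().hex` — `uuid` is already imported in this module; I am inferring the directory requirement from the NOTE, so confirm that before relying on it. The NOTE itself should also name the intended follow-up concretely, e.g. `# TODO: set config_dir on CONF instead of generating a sample file per test`, so the workaround does not become permanent. Separately, the old `config_file=''` assertion (fallback to the sample file location) is dropped without a replacement; if `wsgi.find_paste_config` still has that fallback branch, it is now untested.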