diff --git a/provision-keystone-apb/tasks/main.yaml b/provision-keystone-apb/tasks/main.yaml
index 8a30b2c..91d5e8e 100644
--- a/provision-keystone-apb/tasks/main.yaml
+++ b/provision-keystone-apb/tasks/main.yaml
@@ -8,14 +8,54 @@
debug: yes
register: create_project
-- name: Create keystone configmaps
+- name: Upload config files
+ template: src="{{item}}"
+ dest="/tmp/{{item}}"
+ backup=yes
+ mode=0644
+ with_items:
+ - httpd.conf
+ - httpd-keystone-main.conf
+ - keystone-schema.yaml
+
+- name: Run oslo.config
+ include_role:
+ name: os-gen-config
+ vars:
+ config_schema: "/tmp/keystone-schema.yaml"
+ config_show_help: false
+ config_show_defaults: false
+ dest: "/tmp/keystone.conf"
+ config_data:
+ DEFAULT:
+ bind_host: "0.0.0.0"
+ sql_connection: "mysql+pymysql://root:weakpassword@mariadb:3306/keystone"
+ token:
+ provider: "fernet"
+
+- name: Read configs into memory
+ slurp:
+ src: "/tmp/httpd-keystone-main.conf"
+ register: "httpd_keystone_main_conf"
+
+- name: Read configs into memory
+ slurp:
+ src: "/tmp/httpd.conf"
+ register: "httpd_conf"
+
+- name: Read configs into memory
+ slurp:
+ src: "/tmp/keystone.conf"
+ register: "keystone_conf"
+
+- name: Create keystone configmaps
ignore_errors: yes
k8s_v1_config_map:
host: "{{coe_host}}"
context: "{{kube_context}}"
kubeconfig: "{{config_file}}"
name: keystone
- namespace: openstack
+ namespace: openstack
state: present
debug: yes
labels:
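Review bot: The `sql_connection` value under `config_data` still hard-codes `root:weakpassword`, and the new flow additionally renders it to the fixed path `/tmp/keystone.conf` and reads it back with `slurp`, so the credential sits in a predictable temp file on the host before it is copied into the `keystone` ConfigMap through the `keystone.conf` key in the next hunk. Take the account and password from vaulted variables, e.g. `sql_connection: "mysql+pymysql://{{ keystone_db_user }}:{{ keystone_db_password }}@mariadb:3306/keystone"` (variable names are placeholders), and add `no_log: true` to the slurp task that registers `keystone_conf`. Staging the files in a per-run temporary directory that is removed afterwards would be safer than `/tmp/{{item}}` with `backup=yes`, which leaves dated copies behind, and a Secret rather than a ConfigMap is the fitting object for a file that carries the connection string. The three slurp tasks also share the name `Read configs into memory`; naming the file in each would make run output and failures attributable.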
@@ -52,179 +92,20 @@
]
}
keystone.conf: |
- [DEFAULT]
- bind_host = 0.0.0.0
- sql_connection=mysql+pymysql://root:weakpassword@mariadb:3306/keystone
- [token]
- provider=fernet
+ {{keystone_conf['content'] | b64decode}}
httpd.conf: |
- Listen *:5000
- Listen *:35357
-
- ServerRoot "/etc/httpd"
- DocumentRoot "/var/www/html"
- User apache
- Group apache
-
- Include conf.modules.d/*.conf
-
-
- AllowOverride none
- Require all denied
-
-
-
- AllowOverride None
- # Allow open access:
- Require all granted
-
-
-
- AllowOverride None
- Options None
- Require all granted
-
-
-
- DirectoryIndex index.html
-
-
-
- Require all denied
-
-
- ErrorLog /dev/stderr
-
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
- LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
-
- # You need to enable mod_logio.c to use %I and %O
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-
-
- CustomLog /dev/stdout combined
-
-
-
- #
- # TypesConfig points to the file containing the list of mappings from
- # filename extension to MIME-type.
- #
- TypesConfig /etc/mime.types
-
- #
- # AddType allows you to add to or override the MIME configuration
- # file specified in TypesConfig for specific file types.
- #
- #AddType application/x-gzip .tgz
- #
- # AddEncoding allows you to have certain browsers uncompress
- # information on the fly. Note: Not all browsers support this.
- #
- #AddEncoding x-compress .Z
- #AddEncoding x-gzip .gz .tgz
- #
- # If the AddEncoding directives above are commented-out, then you
- # probably should define those extensions to indicate media types:
- #
- AddType application/x-compress .Z
- AddType application/x-gzip .gz .tgz
-
- #
- # AddHandler allows you to map certain file extensions to "handlers":
- # actions unrelated to filetype. These can be either built into the server
- # or added with the Action directive (see below)
- #
- # To use CGI scripts outside of ScriptAliased directories:
- # (You will also need to add "ExecCGI" to the "Options" directive.)
- #
- #AddHandler cgi-script .cgi
-
- # For type maps (negotiated resources):
- #AddHandler type-map var
-
- #
- # Filters allow you to process content before it is sent to the client.
- #
- # To parse .shtml files for server-side includes (SSI):
- # (You will also need to add "Includes" to the "Options" directive.)
- #
- AddType text/html .shtml
- AddOutputFilter INCLUDES .shtml
-
-
- AddDefaultCharset UTF-8
-
-
- #
- # The mod_mime_magic module allows the server to use various hints from the
- # contents of the file itself to determine its type. The MIMEMagicFile
- # directive tells the module where the hint definitions are located.
- #
- MIMEMagicFile conf/magic
-
-
- EnableSendfile on
-
- # Supplemental configuration
- #
- # Load config files in the "/etc/httpd/conf.d" directory, if any.
- IncludeOptional conf.d/*.conf
+ {{httpd_conf['content'] | b64decode}}
httpd-keystone-main.conf: |
-
- ## Vhost docroot
- DocumentRoot "/var/www/cgi-bin/keystone"
-
- ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
-
-
- Options Indexes FollowSymLinks MultiViews
- AllowOverride None
- Require all granted
-
-
- ## Logging
- # ErrorLog "/var/log/httpd/keystone_wsgi_main_error.log"
- ServerSignature Off
- # CustomLog "/var/log/httpd/keystone_wsgi_main_access.log" combined
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess keystone_main display-name=keystone-main group=keystone processes=2 threads=1 user=keystone
- WSGIProcessGroup keystone_main
- WSGIScriptAlias / "/var/www/cgi-bin/keystone/main"
- WSGIPassAuthorization On
-
- httpd-keystone-admin.conf: |
-
- ## Vhost docroot
- DocumentRoot "/var/www/cgi-bin/keystone"
-
- ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
-
-
- Options Indexes FollowSymLinks MultiViews
- AllowOverride None
- Require all granted
-
-
- ## Logging
- # ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log"
- ServerSignature Off
- # CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" combined
- WSGIApplicationGroup %{GLOBAL}
- WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=2 threads=1 user=keystone
- WSGIProcessGroup keystone_admin
- WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"
- WSGIPassAuthorization On
-
+ {{httpd_keystone_main_conf['content'] | b64decode}}
-- name: Create keystone job
+
+- name: Create keystone job
k8s_v1_job:
host: "{{coe_host}}"
context: "{{kube_context}}"
kubeconfig: "{{config_file}}"
- name: keystone-db-sync
- namespace: openstack
+ name: keystone-db-sync
+ namespace: openstack
state: present
spec_template_metadata_annotations:
pod.beta.kubernetes.io/init-containers: '[
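Review bot: The `httpd-keystone-admin.conf` key is dropped from the ConfigMap data here and no task uploads or slurps a replacement, while `httpd.conf` still listens on 35357 and the Service keeps its `keystone-api-admin` port. The admin vhost text was instead appended to `templates/httpd-keystone-main.conf` below a stray `tpd-keystone-admin.conf: |` line, which looks like a truncated YAML key and is not an Apache directive, so httpd would probably reject the main vhost file at startup. If the admin vhost is still wanted, move that text into its own `templates/httpd-keystone-admin.conf`, add it to the `with_items` list with a matching slurp task, and restore the key as `httpd-keystone-admin.conf: |` followed by `{{httpd_keystone_admin_conf['content'] | b64decode}}`. Whatever mounts these keys into the pod lies outside this hunk, so confirm whether it still expects the admin file.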
@@ -245,7 +126,7 @@
]
}
]'
- restart_policy: OnFailure
+ restart_policy: OnFailure
containers:
- image: tripleoupstream/centos-binary-keystone
name: keystone-db-sync
@@ -262,19 +143,19 @@
volumes:
- name: kolla-config
config_map:
- name: keystone
+ name: keystone
- name: keystone-fernet
state: present
-- name: Create keystone fernet job
+- name: Create keystone fernet job
k8s_v1_job:
host: "{{coe_host}}"
context: "{{kube_context}}"
kubeconfig: "{{config_file}}"
name: keystone-fernet
- namespace: openstack
+ namespace: openstack
state: present
- restart_policy: OnFailure
+ restart_policy: OnFailure
containers:
- image: tripleoupstream/centos-binary-keystone-fernet
name: keystone-fernet-bootstrap
@@ -290,17 +171,17 @@
volumes:
- name: kolla-config
config_map:
- name: keystone
+ name: keystone
- name: keystone-fernet
state: present
-- name: Create keystone service
+- name: Create keystone service
k8s_v1_service:
host: "{{coe_host}}"
context: "{{kube_context}}"
kubeconfig: "{{config_file}}"
name: keystone
- namespace: openstack
+ namespace: openstack
state: present
ports:
- port: 5000
@@ -309,15 +190,15 @@
name: keystone-api-admin
selector:
app: keystone-api
- register: create_service
+ register: create_service
-- name: Create keystone deployment
+- name: Create keystone deployment
k8s_v1beta1_deployment:
host: "{{coe_host}}"
context: "{{kube_context}}"
kubeconfig: "{{config_file}}"
name: keystone-api
- namespace: openstack
+ namespace: openstack
replicas: 1
spec_revision_history_limit: 3
spec_template_metadata_labels:
@@ -344,9 +225,7 @@
volumes:
- name: kolla-config
config_map:
- name: keystone
+ name: keystone
- name: keystone-fernet
state: present
register: create_service
-
-
diff --git a/provision-keystone-apb/templates/httpd-keystone-main.conf b/provision-keystone-apb/templates/httpd-keystone-main.conf
new file mode 100644
index 0000000..cc56eb6
--- /dev/null
+++ b/provision-keystone-apb/templates/httpd-keystone-main.conf
@@ -0,0 +1,45 @@
+
+ ## Vhost docroot
+ DocumentRoot "/var/www/cgi-bin/keystone"
+
+ ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+
+
+ ## Logging
+ # ErrorLog "/var/log/httpd/keystone_wsgi_main_error.log"
+ ServerSignature Off
+ # CustomLog "/var/log/httpd/keystone_wsgi_main_access.log" combined
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIDaemonProcess keystone_main display-name=keystone-main group=keystone processes=2 threads=1 user=keystone
+ WSGIProcessGroup keystone_main
+ WSGIScriptAlias / "/var/www/cgi-bin/keystone/main"
+ WSGIPassAuthorization On
+
+tpd-keystone-admin.conf: |
+
+ ## Vhost docroot
+ DocumentRoot "/var/www/cgi-bin/keystone"
+
+ ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+
+
+ ## Logging
+ # ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log"
+ ServerSignature Off
+ # CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" combined
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=2 threads=1 user=keystone
+ WSGIProcessGroup keystone_admin
+ WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"
+ WSGIPassAuthorization On
+
\ No newline at end of file
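Review bot: `Options Indexes FollowSymLinks MultiViews` combined with `Require all granted` is broader than a WSGI-only vhost needs; the enclosing container lines are not visible on this page, but the comment above them suggests the block applies to `/var/www/cgi-bin/keystone`. With `WSGIScriptAlias /` routing every request to the application, directory listings and content negotiation serve no purpose, so `Options None` (or at least dropping `Indexes`) would limit what is exposed if the alias is ever changed. The same `Options` line is repeated in the second block further down the file.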
diff --git a/provision-keystone-apb/templates/httpd.conf b/provision-keystone-apb/templates/httpd.conf
new file mode 100644
index 0000000..b12f584
--- /dev/null
+++ b/provision-keystone-apb/templates/httpd.conf
@@ -0,0 +1,113 @@
+Listen *:5000
+Listen *:35357
+
+ServerRoot "/etc/httpd"
+DocumentRoot "/var/www/html"
+User apache
+Group apache
+
+Include conf.modules.d/*.conf
+
+
+ AllowOverride none
+ Require all denied
+
+
+
+ AllowOverride None
+ # Allow open access:
+ Require all granted
+
+
+
+ AllowOverride None
+ Options None
+ Require all granted
+
+
+
+ DirectoryIndex index.html
+
+
+
+ Require all denied
+
+
+ErrorLog /dev/stderr
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+
+ # You need to enable mod_logio.c to use %I and %O
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+
+ CustomLog /dev/stdout combined
+
+
+
+ #
+ # TypesConfig points to the file containing the list of mappings from
+ # filename extension to MIME-type.
+ #
+ TypesConfig /etc/mime.types
+
+ #
+ # AddType allows you to add to or override the MIME configuration
+ # file specified in TypesConfig for specific file types.
+ #
+ #AddType application/x-gzip .tgz
+ #
+ # AddEncoding allows you to have certain browsers uncompress
+ # information on the fly. Note: Not all browsers support this.
+ #
+ #AddEncoding x-compress .Z
+ #AddEncoding x-gzip .gz .tgz
+ #
+ # If the AddEncoding directives above are commented-out, then you
+ # probably should define those extensions to indicate media types:
+ #
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action directive (see below)
+ #
+ # To use CGI scripts outside of ScriptAliased directories:
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
+ #
+ #AddHandler cgi-script .cgi
+
+ # For type maps (negotiated resources):
+ #AddHandler type-map var
+
+ #
+ # Filters allow you to process content before it is sent to the client.
+ #
+ # To parse .shtml files for server-side includes (SSI):
+ # (You will also need to add "Includes" to the "Options" directive.)
+ #
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+
+
+AddDefaultCharset UTF-8
+
+
+ #
+ # The mod_mime_magic module allows the server to use various hints from the
+ # contents of the file itself to determine its type. The MIMEMagicFile
+ # directive tells the module where the hint definitions are located.
+ #
+ MIMEMagicFile conf/magic
+
+
+EnableSendfile on
+
+# Supplemental configuration
+#
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
\ No newline at end of file
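Review bot: Both `Listen` lines open plain-HTTP listeners and nothing visible in this file configures TLS, so Keystone passwords and tokens would travel unencrypted unless TLS is terminated in front of the pod or added through the `conf.modules.d` / `conf.d` includes, which are not shown here. Now that the file is a standalone template, a header comment recording that assumption would keep it from being lost, for example `# Plain HTTP by design: TLS terminates at <placeholder: ingress/route>; do not expose 5000/35357 directly.` The file is also rendered with the `template` module, so any literal `{{` or `{%` added later would be interpreted as Jinja; `copy` avoids that if no substitution is intended.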
diff --git a/provision-keystone-apb/templates/keystone-schema.yaml b/provision-keystone-apb/templates/keystone-schema.yaml
new file mode 100644
index 0000000..dd5dbca
--- /dev/null
+++ b/provision-keystone-apb/templates/keystone-schema.yaml
@@ -0,0 +1,12323 @@
+deprecated_options:
+ DATABASE:
+ - name: sql_connection
+ replacement_group: database
+ replacement_name: connection
+ - name: sql_idle_timeout
+ replacement_group: database
+ replacement_name: idle_timeout
+ - name: sql_min_pool_size
+ replacement_group: database
+ replacement_name: min_pool_size
+ - name: sql_max_pool_size
+ replacement_group: database
+ replacement_name: max_pool_size
+ - name: sql_max_retries
+ replacement_group: database
+ replacement_name: max_retries
+ - name: reconnect_interval
+ replacement_group: database
+ replacement_name: retry_interval
+ - name: sqlalchemy_max_overflow
+ replacement_group: database
+ replacement_name: max_overflow
+ - name: sqlalchemy_pool_timeout
+ replacement_group: database
+ replacement_name: pool_timeout
+ DEFAULT:
+ - name: rpc_conn_pool_size
+ replacement_group: DEFAULT
+ replacement_name: rpc_conn_pool_size
+ - name: rpc_zmq_bind_address
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_bind_address
+ - name: rpc_zmq_matchmaker
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_matchmaker
+ - name: rpc_zmq_contexts
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_contexts
+ - name: rpc_zmq_topic_backlog
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_topic_backlog
+ - name: rpc_zmq_ipc_dir
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_ipc_dir
+ - name: rpc_zmq_host
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_host
+ - name: rpc_cast_timeout
+ replacement_group: DEFAULT
+ replacement_name: zmq_linger
+ - name: rpc_poll_timeout
+ replacement_group: DEFAULT
+ replacement_name: rpc_poll_timeout
+ - name: zmq_target_expire
+ replacement_group: DEFAULT
+ replacement_name: zmq_target_expire
+ - name: zmq_target_update
+ replacement_group: DEFAULT
+ replacement_name: zmq_target_update
+ - name: use_pub_sub
+ replacement_group: DEFAULT
+ replacement_name: use_pub_sub
+ - name: use_router_proxy
+ replacement_group: DEFAULT
+ replacement_name: use_router_proxy
+ - name: rpc_zmq_min_port
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_min_port
+ - name: rpc_zmq_max_port
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_max_port
+ - name: rpc_zmq_bind_port_retries
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_bind_port_retries
+ - name: rpc_zmq_serialization
+ replacement_group: DEFAULT
+ replacement_name: rpc_zmq_serialization
+ - name: rpc_thread_pool_size
+ replacement_group: DEFAULT
+ replacement_name: executor_thread_pool_size
+ - name: log_config
+ replacement_group: DEFAULT
+ replacement_name: log-config-append
+ - name: logfile
+ replacement_group: DEFAULT
+ replacement_name: log-file
+ - name: logdir
+ replacement_group: DEFAULT
+ replacement_name: log-dir
+ - name: rpc_zmq_bind_address
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_bind_address
+ - name: rpc_zmq_matchmaker
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_matchmaker
+ - name: rpc_zmq_contexts
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_contexts
+ - name: rpc_zmq_topic_backlog
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_topic_backlog
+ - name: rpc_zmq_ipc_dir
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_ipc_dir
+ - name: rpc_zmq_host
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_host
+ - name: rpc_cast_timeout
+ replacement_group: oslo_messaging_zmq
+ replacement_name: zmq_linger
+ - name: rpc_poll_timeout
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_poll_timeout
+ - name: zmq_target_expire
+ replacement_group: oslo_messaging_zmq
+ replacement_name: zmq_target_expire
+ - name: zmq_target_update
+ replacement_group: oslo_messaging_zmq
+ replacement_name: zmq_target_update
+ - name: use_pub_sub
+ replacement_group: oslo_messaging_zmq
+ replacement_name: use_pub_sub
+ - name: use_router_proxy
+ replacement_group: oslo_messaging_zmq
+ replacement_name: use_router_proxy
+ - name: rpc_zmq_min_port
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_min_port
+ - name: rpc_zmq_max_port
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_max_port
+ - name: rpc_zmq_bind_port_retries
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_bind_port_retries
+ - name: rpc_zmq_serialization
+ replacement_group: oslo_messaging_zmq
+ replacement_name: rpc_zmq_serialization
+ - name: notification_driver
+ replacement_group: oslo_messaging_notifications
+ replacement_name: driver
+ - name: notification_transport_url
+ replacement_group: oslo_messaging_notifications
+ replacement_name: transport_url
+ - name: notification_topics
+ replacement_group: oslo_messaging_notifications
+ replacement_name: topics
+ - name: amqp_durable_queues
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: amqp_durable_queues
+ - name: rabbit_durable_queues
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: amqp_durable_queues
+ - name: amqp_auto_delete
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: amqp_auto_delete
+ - name: kombu_reconnect_delay
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: kombu_reconnect_delay
+ - name: rabbit_host
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_host
+ - name: rabbit_port
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_port
+ - name: rabbit_hosts
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_hosts
+ - name: rabbit_userid
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_userid
+ - name: rabbit_password
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_password
+ - name: rabbit_login_method
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_login_method
+ - name: rabbit_virtual_host
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_virtual_host
+ - name: rabbit_retry_backoff
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_retry_backoff
+ - name: rabbit_max_retries
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_max_retries
+ - name: rabbit_ha_queues
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: rabbit_ha_queues
+ - name: fake_rabbit
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: fake_rabbit
+ - name: bind_host
+ replacement_group: eventlet_server
+ replacement_name: public_bind_host
+ - name: public_bind_host
+ replacement_group: eventlet_server
+ replacement_name: public_bind_host
+ - name: public_port
+ replacement_group: eventlet_server
+ replacement_name: public_port
+ - name: bind_host
+ replacement_group: eventlet_server
+ replacement_name: admin_bind_host
+ - name: admin_bind_host
+ replacement_group: eventlet_server
+ replacement_name: admin_bind_host
+ - name: admin_port
+ replacement_group: eventlet_server
+ replacement_name: admin_port
+ - name: policy_file
+ replacement_group: oslo_policy
+ replacement_name: policy_file
+ - name: policy_default_rule
+ replacement_group: oslo_policy
+ replacement_name: policy_default_rule
+ - name: policy_dirs
+ replacement_group: oslo_policy
+ replacement_name: policy_dirs
+ - name: osapi_max_request_body_size
+ replacement_group: oslo_middleware
+ replacement_name: max_request_body_size
+ - name: max_request_body_size
+ replacement_group: oslo_middleware
+ replacement_name: max_request_body_size
+ - name: sqlite_synchronous
+ replacement_group: database
+ replacement_name: sqlite_synchronous
+ - name: db_backend
+ replacement_group: database
+ replacement_name: backend
+ - name: sql_connection
+ replacement_group: database
+ replacement_name: connection
+ - name: sql_idle_timeout
+ replacement_group: database
+ replacement_name: idle_timeout
+ - name: sql_min_pool_size
+ replacement_group: database
+ replacement_name: min_pool_size
+ - name: sql_max_pool_size
+ replacement_group: database
+ replacement_name: max_pool_size
+ - name: sql_max_retries
+ replacement_group: database
+ replacement_name: max_retries
+ - name: sql_retry_interval
+ replacement_group: database
+ replacement_name: retry_interval
+ - name: sql_max_overflow
+ replacement_group: database
+ replacement_name: max_overflow
+ - name: sql_connection_debug
+ replacement_group: database
+ replacement_name: connection_debug
+ - name: sql_connection_trace
+ replacement_group: database
+ replacement_name: connection_trace
+ amqp1:
+ - name: container_name
+ replacement_group: oslo_messaging_amqp
+ replacement_name: container_name
+ - name: idle_timeout
+ replacement_group: oslo_messaging_amqp
+ replacement_name: idle_timeout
+ - name: trace
+ replacement_group: oslo_messaging_amqp
+ replacement_name: trace
+ - name: ssl_ca_file
+ replacement_group: oslo_messaging_amqp
+ replacement_name: ssl_ca_file
+ - name: ssl_cert_file
+ replacement_group: oslo_messaging_amqp
+ replacement_name: ssl_cert_file
+ - name: ssl_key_file
+ replacement_group: oslo_messaging_amqp
+ replacement_name: ssl_key_file
+ - name: ssl_key_password
+ replacement_group: oslo_messaging_amqp
+ replacement_name: ssl_key_password
+ - name: allow_insecure_clients
+ replacement_group: oslo_messaging_amqp
+ replacement_name: allow_insecure_clients
+ - name: sasl_mechanisms
+ replacement_group: oslo_messaging_amqp
+ replacement_name: sasl_mechanisms
+ - name: sasl_config_dir
+ replacement_group: oslo_messaging_amqp
+ replacement_name: sasl_config_dir
+ - name: sasl_config_name
+ replacement_group: oslo_messaging_amqp
+ replacement_name: sasl_config_name
+ - name: username
+ replacement_group: oslo_messaging_amqp
+ replacement_name: username
+ - name: password
+ replacement_group: oslo_messaging_amqp
+ replacement_name: password
+ - name: server_request_prefix
+ replacement_group: oslo_messaging_amqp
+ replacement_name: server_request_prefix
+ - name: broadcast_prefix
+ replacement_group: oslo_messaging_amqp
+ replacement_name: broadcast_prefix
+ - name: group_request_prefix
+ replacement_group: oslo_messaging_amqp
+ replacement_name: group_request_prefix
+ assignment:
+ - name: caching
+ replacement_group: resource
+ replacement_name: caching
+ - name: cache_time
+ replacement_group: resource
+ replacement_name: cache_time
+ - name: list_limit
+ replacement_group: resource
+ replacement_name: list_limit
+ oslo_messaging_rabbit:
+ - name: kombu_ssl_version
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: ssl_version
+ - name: kombu_ssl_keyfile
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: ssl_key_file
+ - name: kombu_ssl_certfile
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: ssl_cert_file
+ - name: kombu_ssl_ca_certs
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: ssl_ca_file
+ - name: kombu_reconnect_timeout
+ replacement_group: oslo_messaging_rabbit
+ replacement_name: kombu_missing_consumer_retry_timeout
+ profiler:
+ - name: profiler_enabled
+ replacement_group: profiler
+ replacement_name: enabled
+ rpc_notifier2:
+ - name: topics
+ replacement_group: oslo_messaging_notifications
+ replacement_name: topics
+ sql:
+ - name: connection
+ replacement_group: database
+ replacement_name: connection
+ - name: idle_timeout
+ replacement_group: database
+ replacement_name: idle_timeout
+ token:
+ - name: revocation_cache_time
+ replacement_group: revoke
+ replacement_name: cache_time
+generator_options:
+ config_dir: []
+ config_file:
+ - config-generator/keystone.conf
+ format_: yaml
+ minimal: false
+ namespace:
+ - keystone
+ - oslo.cache
+ - oslo.log
+ - oslo.messaging
+ - oslo.policy
+ - oslo.db
+ - oslo.middleware
+ - osprofiler
+ output_file: keystone-schema.yaml
+ summarize: false
+ wrap_width: 79
+options:
+ DEFAULT:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: admin_token
+ help: Using this feature is *NOT* recommended. Instead, use the `keystone-manage
+ bootstrap` command. The value of this option is treated as a "shared secret"
+ that can be used to bootstrap Keystone through the API. This "token" does
+ not represent a user (it has no identity), and carries no explicit authorization
+ (it effectively bypasses most authorization checks). If set to `None`, the
+ value is ignored and the `admin_token` middleware is effectively disabled.
+ However, to completely disable `admin_token` in production (highly recommended,
+ as it presents a security risk), remove `AdminTokenAuthMiddleware` (the `admin_token_auth`
+ filter) from your paste application pipelines (for example, in `keystone-paste.ini`).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: admin_token
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: public_endpoint
+ help: 'The base public endpoint URL for Keystone that is advertised to clients
+ (NOTE: this does NOT affect how Keystone listens for connections). Defaults
+ to the base host URL of the request. For example, if keystone receives a request
+ to `http://server:5000/v3/users`, then this will option will be automatically
+ treated as `http://server:5000`. You should only need to set option if either
+ the value of the base URL contains a path that keystone does not automatically
+ infer (`/prefix/v3`), or if the endpoint should be found on a different host.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: public_endpoint
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: uri value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: admin_endpoint
+ help: 'The base admin endpoint URL for Keystone that is advertised to clients
+ (NOTE: this does NOT affect how Keystone listens for connections). Defaults
+ to the base host URL of the request. For example, if keystone receives a request
+ to `http://server:35357/v3/users`, then this will option will be automatically
+ treated as `http://server:35357`. You should only need to set option if either
+ the value of the base URL contains a path that keystone does not automatically
+ infer (`/prefix/v3`), or if the endpoint should be found on a different host.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: admin_endpoint
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: uri value
+ - advanced: false
+ choices: []
+ default: 5
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_project_tree_depth
+ help: 'Maximum depth of the project hierarchy, excluding the project acting
+ as a domain at the top of the hierarchy. WARNING: Setting it to a large value
+ may adversely impact performance.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_project_tree_depth
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 64
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_param_size
+ help: Limit the sizes of user & project ID/names.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_param_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 255
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_token_size
+ help: Similar to `[DEFAULT] max_param_size`, but provides an exception for token
+ values. With Fernet tokens, this can be set as low as 255. With UUID tokens,
+ this should be set to 32).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_token_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 9fe2ff9ee4384b1894a90878d3e92bab
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: member_role_id
+ help: Similar to the `[DEFAULT] member_role_name` option, this represents the
+ default role ID used to associate users with their default projects in the
+ v2 API. This will be used as the explicit role where one is not specified
+ by the v2 API. You do not need to set this value unless you want keystone
+ to use an existing role with a different ID, other than the arbitrarily defined
+ `_member_` role (in which case, you should set `[DEFAULT] member_role_name`
+ as well).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: member_role_id
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: _member_
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: member_role_name
+ help: This is the role name used in combination with the `[DEFAULT] member_role_id`
+ option; see that option for more detail. You do not need to set this option
+ unless you want keystone to use an existing role (in which case, you should
+ set `[DEFAULT] member_role_id` as well).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: member_role_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 10000
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: sha512_crypt is insufficient for password hashes, use of
+ bcrypt, pbkfd2_sha512 and scrypt are now supported. Options are located in
+ the [identity] config block. This option is still used for rolling upgrade
+ compatibility password hashing.
+ deprecated_since: P
+ dest: crypt_strength
+ help: The value passed as the keyword "rounds" to passlib's encrypt method.
+ This option represents a trade off between security and performance. Higher
+ values lead to slower performance, but higher security. Changing this option
+ will only affect newly created passwords as existing password hashes already
+ have a fixed number of rounds applied, so it is safe to tune this option in
+ a running cluster. For more information, see https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
+ max: 100000
+ metavar: null
+ min: 1000
+ mutable: false
+ name: crypt_strength
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: list_limit
+ help: The maximum number of entities that will be returned in a collection.
+ This global limit may be then overridden for a specific driver, by specifying
+ a list_limit in the appropriate section (for example, `[assignment]`). No
+ limit is set by default. In larger deployments, it is recommended that you
+ set this to a reasonable number to prevent operations like listing all users
+ and projects from placing an unnecessary load on the system.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: list_limit
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: strict_password_check
+ help: If set to true, strict password length checking is performed for password
+ manipulation. If a password exceeds the maximum length, the operation will
+ fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically
+ truncated to the maximum length.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: strict_password_check
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: HTTP_X_FORWARDED_PROTO
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: This option has been deprecated in the N release and will
+ be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration
+ instead.
+ deprecated_since: N
+ dest: secure_proxy_ssl_header
+ help: The HTTP header used to determine the scheme for the original request,
+ even if it was removed by an SSL terminating proxy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: secure_proxy_ssl_header
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: insecure_debug
+ help: If set to true, then the server will return information in HTTP responses
+ that may allow an unauthenticated or authenticated user to get more information
+ than normal, such as additional details about why authentication failed. This
+ may be useful for debugging but is insecure.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: insecure_debug
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_publisher_id
+ help: Default `publisher_id` for outgoing notifications. If left undefined,
+ Keystone will default to using the server's host name.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_publisher_id
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices:
+ - basic
+ - cadf
+ default: cadf
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notification_format
+ help: Define the notification format for identity service events. A `basic`
+ notification only has information about the resource being operated on. A
+ `cadf` notification has the same information, as well as information about
+ the initiator of the event. The `cadf` option is entirely backwards compatible
+ with the `basic` option, but is fully CADF-compliant, and is recommended for
+ auditing use cases.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: notification_format
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default:
+ - identity.authenticate.success
+ - identity.authenticate.pending
+ - identity.authenticate.failed
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notification_opt_out
+ help: 'You can reduce the number of notifications keystone emits by explicitly
+ opting out. Keystone will not emit notifications that match the patterns expressed
+ in this list. Values are expected to be in the form of `identity..`.
+ By default, all notifications related to authentication are automatically
+ suppressed. This field can be set multiple times in order to opt-out of multiple
+ notification topics. For example, the following suppresses notifications describing
+ user creation or successful authentication events: notification_opt_out=identity.user.create
+ notification_opt_out=identity.authenticate.success'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: notification_opt_out
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: multi valued
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_conn_pool_size
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_conn_pool_size
+ help: Size of RPC connection pool.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_conn_pool_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: conn_pool_min_size
+ help: The pool size limit for connections expiration policy
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: conn_pool_min_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1200
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: conn_pool_ttl
+ help: The time-to-live in sec of idle connections in the pool
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: conn_pool_ttl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: '*'
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_bind_address
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_bind_address
+ help: ZeroMQ bind address. Should be a wildcard (*), an ethernet interface,
+ or IP. The "host" option should point or resolve to this address.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_bind_address
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: &id001
+ - redis
+ - sentinel
+ - dummy
+ default: redis
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_matchmaker
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_matchmaker
+ help: MatchMaker driver.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_matchmaker
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_contexts
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_contexts
+ help: Number of ZeroMQ contexts, defaults to 1.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_contexts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_topic_backlog
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_topic_backlog
+ help: Maximum number of ingress messages to locally buffer per topic. Default
+ is unlimited.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_topic_backlog
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: /var/run/openstack
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_ipc_dir
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_ipc_dir
+ help: Directory for holding IPC sockets.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_ipc_dir
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: x1hobo
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_host
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_host
+ help: Name of this node. Must be a valid hostname, FQDN, or IP address. Must
+ match "host" option, if running Nova.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_host
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: localhost
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_cast_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_linger
+ help: Number of seconds to wait before all pending messages will be sent after
+ closing a socket. The default value of -1 specifies an infinite linger period.
+ The value of 0 specifies no linger period. Pending messages shall be discarded
+ immediately when the socket is closed. Positive values specify an upper bound
+ for the linger period.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_linger
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_poll_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_poll_timeout
+ help: The default number of seconds that poll should wait. Poll raises timeout
+ exception when timeout expired.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_poll_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: zmq_target_expire
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_target_expire
+ help: Expiration timeout in seconds of a name service record about existing
+ target ( < 0 means no timeout).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_target_expire
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 180
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: zmq_target_update
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_target_update
+ help: Update period in seconds of a name service record about existing target.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_target_update
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: use_pub_sub
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_pub_sub
+ help: Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_pub_sub
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: use_router_proxy
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_router_proxy
+ help: Use ROUTER remote proxy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_router_proxy
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_dynamic_connections
+ help: This option makes direct connections dynamic or static. It makes sense
+ only with use_router_proxy=False which means to use direct connections for
+ direct message types (ignored otherwise).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_dynamic_connections
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_failover_connections
+ help: How many additional connections to a host will be made for failover reasons.
+ This option is actual only in dynamic connections mode.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_failover_connections
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 49153
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_min_port
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_min_port
+ help: Minimal port number for random ports range.
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: rpc_zmq_min_port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ - advanced: false
+ choices: []
+ default: 65536
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_max_port
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_max_port
+ help: Maximal port number for random ports range.
+ max: 65536
+ metavar: null
+ min: 1
+ mutable: false
+ name: rpc_zmq_max_port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_bind_port_retries
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_bind_port_retries
+ help: Number of retries to find free port number before fail with ZMQBindError.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_bind_port_retries
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: &id002
+ - json
+ - msgpack
+ default: json
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_serialization
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_serialization
+ help: Default serialization mechanism for serializing/deserializing outgoing/incoming
+ messages
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_serialization
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_immediate
+ help: This option configures round-robin mode in zmq socket. True means not
+ keeping a queue when server side disconnects. False means to keep queue and
+ messages even if server is disconnected, when the server appears we send all
+ accumulated messages to it.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_immediate
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive
+ help: Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or
+ any other negative value) means to skip any overrides and leave it to OS default;
+ 0 and 1 (or any other positive value) mean to disable and enable the option
+ respectively.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive_idle
+ help: The duration between two keepalive transmissions in idle condition. The
+ unit is platform dependent, for example, seconds in Linux, milliseconds in
+ Windows etc. The default value of -1 (or any other negative value and 0) means
+ to skip any overrides and leave it to OS default.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive_idle
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive_cnt
+ help: The number of retransmissions to be carried out before declaring that
+ remote end is not available. The default value of -1 (or any other negative
+ value and 0) means to skip any overrides and leave it to OS default.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive_cnt
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive_intvl
+ help: The duration between two successive keepalive retransmissions, if acknowledgement
+ to the previous keepalive transmission is not received. The unit is platform
+ dependent, for example, seconds in Linux, milliseconds in Windows etc. The
+ default value of -1 (or any other negative value and 0) means to skip any
+ overrides and leave it to OS default.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive_intvl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_thread_pool_size
+ help: Maximum number of (green) threads to work concurrently.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_thread_pool_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_message_ttl
+ help: Expiration timeout in seconds of a sent/received message after which it
+ is not tracked anymore by a client/server.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_message_ttl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_use_acks
+ help: Wait for message acknowledgements from receivers. This mechanism works
+ only via proxy without PUB/SUB.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_use_acks
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 15
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_ack_timeout_base
+ help: Number of seconds to wait for an ack from a cast/call. After each retry
+ attempt this timeout is multiplied by some specified multiplier.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_ack_timeout_base
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_ack_timeout_multiplier
+ help: Number to multiply base ack timeout by after each retry attempt.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_ack_timeout_multiplier
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_retry_attempts
+ help: 'Default number of message sending attempts in case of any problems occurred:
+ positive value N means at most N retries, 0 means no retries, None or -1 (or
+ any other negative values) mean to retry forever. This option is used only
+ if acknowledgments are enabled.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_retry_attempts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: subscribe_on
+ help: List of publisher hosts SubConsumer can subscribe on. This option has
+ higher priority then the default publishers list taken from the matchmaker.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: subscribe_on
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: 64
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_thread_pool_size
+ deprecated_reason: null
+ deprecated_since: null
+ dest: executor_thread_pool_size
+ help: Size of executor thread pool when executor is threading or eventlet.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: executor_thread_pool_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_response_timeout
+ help: Seconds to wait for a response from a call.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_response_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: transport_url
+ help: A URL representing the messaging driver to use and its full configuration.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: transport_url
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: rabbit
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rpc_backend
+ help: The messaging driver to use, defaults to rabbit. Other drivers include
+ amqp and zmq.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_backend
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: keystone
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: control_exchange
+ help: The default exchange under which topics are scoped. May be overridden
+ by an exchange name specified in the transport_url option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: control_exchange
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: debug
+ help: If set to true, the logging level will be set to DEBUG instead of the
+ default INFO level.
+ max: null
+ metavar: null
+ min: null
+ mutable: true
+ name: debug
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: d
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: log_config
+ deprecated_reason: null
+ deprecated_since: null
+ dest: log_config_append
+ help: The name of a logging configuration file. This file is appended to any
+ existing logging configuration files. For details about logging configuration
+ files, see the Python logging module documentation. Note that when logging
+ configuration files are used then all logging configuration is set in the
+ configuration file and other logging configuration options are ignored (for
+ example, logging_context_format_string).
+ max: null
+ metavar: PATH
+ min: null
+ mutable: true
+ name: log-config-append
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: '%Y-%m-%d %H:%M:%S'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: log_date_format
+ help: 'Defines the format string for %%(asctime)s in log records. Default: %(default)s
+ . This option is ignored if log_config_append is set.'
+ max: null
+ metavar: DATE_FORMAT
+ min: null
+ mutable: false
+ name: log-date-format
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: logfile
+ deprecated_reason: null
+ deprecated_since: null
+ dest: log_file
+ help: (Optional) Name of log file to send logging output to. If no default is
+ set, logging will go to stderr as defined by use_stderr. This option is ignored
+ if log_config_append is set.
+ max: null
+ metavar: PATH
+ min: null
+ mutable: false
+ name: log-file
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: logdir
+ deprecated_reason: null
+ deprecated_since: null
+ dest: log_dir
+ help: (Optional) The base directory used for relative log_file paths. This
+ option is ignored if log_config_append is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: log-dir
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: watch_log_file
+ help: Uses logging handler designed to watch file system. When log file is moved
+ or removed this handler will open a new log file with specified path instantaneously.
+ It makes sense only if log_file option is specified and Linux platform is
+ used. This option is ignored if log_config_append is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: watch-log-file
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_syslog
+ help: Use syslog for logging. Existing syslog format is DEPRECATED and will
+ be changed later to honor RFC5424. This option is ignored if log_config_append
+ is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use-syslog
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_journal
+ help: Enable journald for logging. If running in a systemd environment you may
+ wish to enable journal support. Doing so will use the journal native protocol
+ which includes structured metadata in addition to log messages.This option
+ is ignored if log_config_append is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use-journal
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: LOG_USER
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: syslog_log_facility
+ help: Syslog facility to receive log lines. This option is ignored if log_config_append
+ is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: syslog-log-facility
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_stderr
+ help: Log output to standard error. This option is ignored if log_config_append
+ is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_stderr
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s
+ %(user_identity)s] %(instance)s%(message)s'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: logging_context_format_string
+ help: Format string to use for log messages with context.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: logging_context_format_string
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: '%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: logging_default_format_string
+ help: Format string to use for log messages when context is undefined.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: logging_default_format_string
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: '%(funcName)s %(pathname)s:%(lineno)d'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: logging_debug_format_suffix
+ help: Additional data to append to log message when logging level for the message
+ is DEBUG.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: logging_debug_format_suffix
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: '%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: logging_exception_prefix
+ help: Prefix each line of exception output with this format.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: logging_exception_prefix
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: '%(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: logging_user_identity_format
+ help: Defines the format string for %(user_identity)s that is used in logging_context_format_string.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: logging_user_identity_format
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default:
+ - amqp=WARN
+ - amqplib=WARN
+ - boto=WARN
+ - qpid=WARN
+ - sqlalchemy=WARN
+ - suds=INFO
+ - oslo.messaging=INFO
+ - oslo_messaging=INFO
+ - iso8601=WARN
+ - requests.packages.urllib3.connectionpool=WARN
+ - urllib3.connectionpool=WARN
+ - websocket=WARN
+ - requests.packages.urllib3.util.retry=WARN
+ - urllib3.util.retry=WARN
+ - keystonemiddleware=WARN
+ - routes.middleware=WARN
+ - stevedore=WARN
+ - taskflow=WARN
+ - keystoneauth=WARN
+ - oslo.cache=INFO
+ - dogpile.core.dogpile=INFO
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_log_levels
+ help: List of package logging levels in logger=LEVEL pairs. This option is ignored
+ if log_config_append is set.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_log_levels
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: publish_errors
+ help: Enables or disables publication of error events.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: publish_errors
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: '[instance: %(uuid)s] '
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: instance_format
+ help: The format for an instance that is passed with the log message.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: instance_format
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: '[instance: %(uuid)s] '
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: instance_uuid_format
+ help: The format for an instance UUID that is passed with the log message.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: instance_uuid_format
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rate_limit_interval
+ help: Interval, number of seconds, of log rate limiting.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rate_limit_interval
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rate_limit_burst
+ help: Maximum number of logged messages per rate_limit_interval.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rate_limit_burst
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: CRITICAL
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rate_limit_except_level
+ help: 'Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING,
+ DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level
+ are not filtered. An empty string means that all levels are filtered.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rate_limit_except_level
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: fatal_deprecations
+ help: Enables or disables fatal status of deprecations.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: fatal_deprecations
+ namespace: oslo.log
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - admin_token
+ - public_endpoint
+ - admin_endpoint
+ - max_project_tree_depth
+ - max_param_size
+ - max_token_size
+ - member_role_id
+ - member_role_name
+ - crypt_strength
+ - list_limit
+ - strict_password_check
+ - secure_proxy_ssl_header
+ - insecure_debug
+ - default_publisher_id
+ - notification_format
+ - notification_opt_out
+ - rpc_conn_pool_size
+ - conn_pool_min_size
+ - conn_pool_ttl
+ - rpc_zmq_bind_address
+ - rpc_zmq_matchmaker
+ - rpc_zmq_contexts
+ - rpc_zmq_topic_backlog
+ - rpc_zmq_ipc_dir
+ - rpc_zmq_host
+ - zmq_linger
+ - rpc_poll_timeout
+ - zmq_target_expire
+ - zmq_target_update
+ - use_pub_sub
+ - use_router_proxy
+ - use_dynamic_connections
+ - zmq_failover_connections
+ - rpc_zmq_min_port
+ - rpc_zmq_max_port
+ - rpc_zmq_bind_port_retries
+ - rpc_zmq_serialization
+ - zmq_immediate
+ - zmq_tcp_keepalive
+ - zmq_tcp_keepalive_idle
+ - zmq_tcp_keepalive_cnt
+ - zmq_tcp_keepalive_intvl
+ - rpc_thread_pool_size
+ - rpc_message_ttl
+ - rpc_use_acks
+ - rpc_ack_timeout_base
+ - rpc_ack_timeout_multiplier
+ - rpc_retry_attempts
+ - subscribe_on
+ - executor_thread_pool_size
+ - rpc_response_timeout
+ - transport_url
+ - rpc_backend
+ - control_exchange
+ - debug
+ - log-config-append
+ - log-date-format
+ - log-file
+ - log-dir
+ - watch-log-file
+ - use-syslog
+ - use-journal
+ - syslog-log-facility
+ - use_stderr
+ - logging_context_format_string
+ - logging_default_format_string
+ - logging_debug_format_suffix
+ - logging_exception_prefix
+ - logging_user_identity_format
+ - default_log_levels
+ - publish_errors
+ - instance_format
+ - instance_uuid_format
+ - rate_limit_interval
+ - rate_limit_burst
+ - rate_limit_except_level
+ - fatal_deprecations
+ assignment:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the assignment backend driver (where role assignments
+ are stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied
+ by keystone itself. Unless you are writing proprietary drivers for keystone,
+ you do not need to set this option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default:
+ - admin
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: prohibited_implied_role
+ help: A list of role names which are prohibited from being an implied role.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: prohibited_implied_role
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ standard_opts:
+ - driver
+ - prohibited_implied_role
+ auth:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default:
+ - external
+ - password
+ - token
+ - oauth1
+ - mapped
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: methods
+ help: 'Allowed authentication methods. Note: You should disable the `external`
+ auth method if you are currently using federation. External auth and federation
+ both use the REMOTE_USER variable. Since both the mapped and external plugin
+ are being invoked to validate attributes in the request environment, it can
+ cause conflicts.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: methods
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password
+ help: Entry point for the password auth plugin module in the `keystone.auth.password`
+ namespace. You do not need to set this unless you are overriding keystone's
+ own password authentication plugin.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: token
+ help: Entry point for the token auth plugin module in the `keystone.auth.token`
+ namespace. You do not need to set this unless you are overriding keystone's
+ own token authentication plugin.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: token
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: external
+ help: Entry point for the external (`REMOTE_USER`) auth plugin module in the
+ `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and
+ `Domain`. The default driver is `DefaultDomain`, which assumes that all users
+ identified by the username specified to keystone in the `REMOTE_USER` variable
+ exist within the context of the default domain. The `Domain` option expects
+ an additional environment variable be presented to keystone, `REMOTE_DOMAIN`,
+ containing the domain name of the `REMOTE_USER` (if `REMOTE_DOMAIN` is not
+ set, then the default domain will be used instead). You do not need to set
+ this unless you are taking advantage of "external authentication", where the
+ application server (such as Apache) is handling authentication instead of
+ keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: external
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: oauth1
+ help: Entry point for the OAuth 1.0a auth plugin module in the `keystone.auth.oauth1`
+ namespace. You do not need to set this unless you are overriding keystone's
+ own `oauth1` authentication plugin.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: oauth1
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: mapped
+ help: Entry point for the mapped auth plugin module in the `keystone.auth.mapped`
+ namespace. You do not need to set this unless you are overriding keystone's
+ own `mapped` authentication plugin.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: mapped
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - methods
+ - password
+ - token
+ - external
+ - oauth1
+ - mapped
+ cache:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: cache.oslo
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: config_prefix
+ help: Prefix for building the configuration dictionary for the cache region.
+ This should not need to be changed unless there is another dogpile.cache region
+ with the same configuration name.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: config_prefix
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: expiration_time
+ help: Default TTL, in seconds, for any cached item in the dogpile.cache region.
+ This applies to any cached method that doesn't have an explicit cache expiration
+ time defined for it.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: expiration_time
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: dogpile.cache.null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: backend
+ help: Dogpile.cache backend module. It is recommended that Memcache or Redis
+ (dogpile.cache.redis) be used in production deployments. For eventlet-based
+ or highly threaded servers, Memcache with pooling (oslo_cache.memcache_pool)
+ is recommended. For low thread servers, dogpile.cache.memcached is recommended.
+ Test environments with a single instance of the server can use the dogpile.cache.memory
+ backend.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: backend
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: backend_argument
+ help: 'Arguments supplied to the backend module. Specify this option once per
+ argument to be passed to the dogpile.cache backend. Example format: ":".'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: backend_argument
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: multi valued
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: proxies
+ help: Proxy classes to import that will affect the way the dogpile.cache backend
+ functions. See the dogpile.cache documentation on changing-backend-behavior.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: proxies
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: enabled
+ help: Global toggle for caching.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: enabled
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: debug_cache_backend
+ help: Extra debugging from the cache backend (cache keys, get/set/delete/etc
+ calls). This is only really useful if you need to see the specific cache-backend
+ get/set/delete calls with the keys/values. Typically this should be left
+ set to false.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: debug_cache_backend
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default:
+ - localhost:11211
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: memcache_servers
+ help: Memcache servers in the format of "host:port". (dogpile.cache.memcache
+ and oslo_cache.memcache_pool backends only).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: memcache_servers
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: memcache_dead_retry
+ help: Number of seconds memcached server is considered dead before it is tried
+ again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: memcache_dead_retry
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: memcache_socket_timeout
+ help: Timeout in seconds for every call to a server. (dogpile.cache.memcache
+ and oslo_cache.memcache_pool backends only).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: memcache_socket_timeout
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: memcache_pool_maxsize
+ help: Max total number of open connections to every memcached server. (oslo_cache.memcache_pool
+ backend only).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: memcache_pool_maxsize
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: memcache_pool_unused_timeout
+ help: Number of seconds a connection to memcached is held unused in the pool
+ before it is closed. (oslo_cache.memcache_pool backend only).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: memcache_pool_unused_timeout
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: memcache_pool_connection_get_timeout
+ help: Number of seconds that an operation will wait to get a memcache client
+ connection.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: memcache_pool_connection_get_timeout
+ namespace: oslo.cache
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - config_prefix
+ - expiration_time
+ - backend
+ - backend_argument
+ - proxies
+ - enabled
+ - debug_cache_backend
+ - memcache_servers
+ - memcache_dead_retry
+ - memcache_socket_timeout
+ - memcache_pool_maxsize
+ - memcache_pool_unused_timeout
+ - memcache_pool_connection_get_timeout
+ catalog:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: default_catalog.templates
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: template_file
+ help: Absolute path to the file used for the templated catalog backend. This
+ option is only used if the `[catalog] driver` is set to `templated`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: template_file
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the catalog driver in the `keystone.catalog` namespace.
+ Keystone provides a `sql` option (which supports basic CRUD operations through
+ SQL), a `templated` option (which loads the catalog from a templated catalog
+ file on disk), and a `endpoint_filter.sql` option (which supports arbitrary
+ service catalogs per project).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for catalog caching. This has no effect unless global caching is
+ enabled. In a typical deployment, there is no reason to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: Time to cache catalog data (in seconds). This has no effect unless global
+ and catalog caching are both enabled. Catalog data (services, endpoints, etc.)
+ typically does not change frequently, and so a longer duration than the global
+ default may be desirable.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: list_limit
+ help: Maximum number of entities that will be returned in a catalog collection.
+ There is typically no reason to set this, as it would be unusual for a deployment
+ to have enough services or endpoints to exceed a reasonable limit.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: list_limit
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - template_file
+ - driver
+ - caching
+ - cache_time
+ - list_limit
+ cors:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allowed_origin
+ help: 'Indicate whether this resource may be shared with the domain received
+ in the requests "origin" header. Format: "://[:]", no
+ trailing slash. Example: https://horizon.example.com'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allowed_origin
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_credentials
+ help: Indicate that the actual request can include user credentials
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_credentials
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default:
+ - X-Auth-Token
+ - X-Openstack-Request-Id
+ - X-Subject-Token
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: expose_headers
+ help: Indicate which headers are safe to expose to the API. Defaults to HTTP
+ Simple Headers.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: expose_headers
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: 3600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_age
+ help: Maximum cache age of CORS preflight requests.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_age
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default:
+ - GET
+ - PUT
+ - POST
+ - DELETE
+ - PATCH
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_methods
+ help: Indicate which methods can be used during the actual request.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_methods
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default:
+ - X-Auth-Token
+ - X-Openstack-Request-Id
+ - X-Subject-Token
+ - X-Project-Id
+ - X-Project-Name
+ - X-Project-Domain-Id
+ - X-Project-Domain-Name
+ - X-Domain-Id
+ - X-Domain-Name
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_headers
+ help: Indicate which header field names may be used during the actual request.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_headers
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ standard_opts:
+ - allowed_origin
+ - allow_credentials
+ - expose_headers
+ - max_age
+ - allow_methods
+ - allow_headers
+ cors.subdomain:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allowed_origin
+ help: 'Indicate whether this resource may be shared with the domain received
+ in the requests "origin" header. Format: "://[:]", no
+ trailing slash. Example: https://horizon.example.com'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allowed_origin
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_credentials
+ help: Indicate that the actual request can include user credentials
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_credentials
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default:
+ - X-Auth-Token
+ - X-Openstack-Request-Id
+ - X-Subject-Token
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: expose_headers
+ help: Indicate which headers are safe to expose to the API. Defaults to HTTP
+ Simple Headers.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: expose_headers
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: 3600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_age
+ help: Maximum cache age of CORS preflight requests.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_age
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default:
+ - GET
+ - PUT
+ - POST
+ - DELETE
+ - PATCH
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_methods
+ help: Indicate which methods can be used during the actual request.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_methods
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default:
+ - X-Auth-Token
+ - X-Openstack-Request-Id
+ - X-Subject-Token
+ - X-Project-Id
+ - X-Project-Name
+ - X-Project-Domain-Id
+ - X-Project-Domain-Name
+ - X-Domain-Id
+ - X-Domain-Name
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_headers
+ help: Indicate which header field names may be used during the actual request.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_headers
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ standard_opts:
+ - allowed_origin
+ - allow_credentials
+ - expose_headers
+ - max_age
+ - allow_methods
+ - allow_headers
+ credential:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the credential backend driver in the `keystone.credential`
+ namespace. Keystone only provides a `sql` driver, so there's no reason to
+ change this unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: fernet
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: provider
+ help: Entry point for credential encryption and decryption operations in the
+ `keystone.credential.provider` namespace. Keystone only provides a `fernet`
+ driver, so there's no reason to change this unless you are providing a custom
+ entry point to encrypt and decrypt credentials.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: provider
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/credential-keys/
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: key_repository
+ help: Directory containing Fernet keys used to encrypt and decrypt credentials
+ stored in the credential backend. Fernet keys used to encrypt credentials
+ have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets
+ of keys should be managed separately and require different rotation policies.
+ Do not share this repository with the repository used to manage keys for Fernet
+ tokens.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: key_repository
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - driver
+ - provider
+ - key_repository
+ database:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sqlite_synchronous
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sqlite_synchronous
+ help: If True, SQLite uses synchronous mode.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sqlite_synchronous
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: sqlalchemy
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: db_backend
+ deprecated_reason: null
+ deprecated_since: null
+ dest: backend
+ help: The back end to use for the database.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: backend
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_connection
+ - group: DATABASE
+ name: sql_connection
+ - group: sql
+ name: connection
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection
+ help: The SQLAlchemy connection string to use to connect to the database.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: connection
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: slave_connection
+ help: The SQLAlchemy connection string to use to connect to the slave database.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: slave_connection
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: TRADITIONAL
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: mysql_sql_mode
+ help: 'The SQL mode to be used for MySQL sessions. This option, including the
+ default, overrides any server-set SQL mode. To use whatever SQL mode is set
+ by the server configuration, set this to no value. Example: mysql_sql_mode='
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: mysql_sql_mode
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 3600
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_idle_timeout
+ - group: DATABASE
+ name: sql_idle_timeout
+ - group: sql
+ name: idle_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idle_timeout
+ help: Timeout before idle SQL connections are reaped.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idle_timeout
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_min_pool_size
+ - group: DATABASE
+ name: sql_min_pool_size
+ deprecated_reason: null
+ deprecated_since: null
+ dest: min_pool_size
+ help: Minimum number of SQL connections to keep open in a pool.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: min_pool_size
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 5
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_max_pool_size
+ - group: DATABASE
+ name: sql_max_pool_size
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_pool_size
+ help: Maximum number of SQL connections to keep open in a pool. Setting a value
+ of 0 indicates no limit.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_pool_size
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_max_retries
+ - group: DATABASE
+ name: sql_max_retries
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_retries
+ help: Maximum number of database connection retries during startup. Set to -1
+ to specify an infinite retry count.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_retries
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_retry_interval
+ - group: DATABASE
+ name: reconnect_interval
+ deprecated_reason: null
+ deprecated_since: null
+ dest: retry_interval
+ help: Interval between retries of opening a SQL connection.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: retry_interval
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 50
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_max_overflow
+ - group: DATABASE
+ name: sqlalchemy_max_overflow
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_overflow
+ help: If set, use this value for max_overflow with SQLAlchemy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_overflow
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_connection_debug
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_debug
+ help: 'Verbosity of SQL debugging information: 0=None, 100=Everything.'
+ max: 100
+ metavar: null
+ min: 0
+ mutable: false
+ name: connection_debug
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: sql_connection_trace
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_trace
+ help: Add Python stack traces to SQL as comment strings.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: connection_trace
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DATABASE
+ name: sqlalchemy_pool_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_timeout
+ help: If set, use this value for pool_timeout with SQLAlchemy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_timeout
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_db_reconnect
+ help: Enable the experimental use of database reconnect on connection lost.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_db_reconnect
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: db_retry_interval
+ help: Seconds between retries of a database transaction.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: db_retry_interval
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: db_inc_retry_interval
+ help: If True, increases the interval between retries of a database operation
+ up to db_max_retry_interval.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: db_inc_retry_interval
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: db_max_retry_interval
+ help: If db_inc_retry_interval is set, the maximum seconds between retries of
+ a database operation.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: db_max_retry_interval
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 20
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: db_max_retries
+ help: Maximum retries in case of connection error or deadlock error before error
+ is raised. Set to -1 to specify an infinite retry count.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: db_max_retries
+ namespace: oslo.db
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - sqlite_synchronous
+ - backend
+ - connection
+ - slave_connection
+ - mysql_sql_mode
+ - idle_timeout
+ - min_pool_size
+ - max_pool_size
+ - max_retries
+ - retry_interval
+ - max_overflow
+ - connection_debug
+ - connection_trace
+ - pool_timeout
+ - use_db_reconnect
+ - db_retry_interval
+ - db_inc_retry_interval
+ - db_max_retry_interval
+ - db_max_retries
+ domain_config:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the domain-specific configuration driver in the `keystone.resource.domain_config`
+ namespace. Only a `sql` option is provided by keystone, so there is no reason
+ to set this unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for caching of the domain-specific configuration backend. This
+ has no effect unless global caching is enabled. There is normally no reason
+ to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: Time-to-live (TTL, in seconds) to cache domain-specific configuration
+ data. This has no effect unless `[domain_config] caching` is enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - driver
+ - caching
+ - cache_time
+ endpoint_filter:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the endpoint filter driver in the `keystone.endpoint_filter`
+ namespace. Only a `sql` option is provided by keystone, so there is no reason
+ to set this unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: return_all_endpoints_if_no_filter
+ help: This controls keystone's behavior if the configured endpoint filters do
+ not result in any endpoints for a user + project pair (and therefore a potentially
+ empty service catalog). If set to true, keystone will return the entire service
+ catalog. If set to false, keystone will return an empty service catalog.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: return_all_endpoints_if_no_filter
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - driver
+ - return_all_endpoints_if_no_filter
+ endpoint_policy:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the endpoint policy driver in the `keystone.endpoint_policy`
+ namespace. Only a `sql` driver is provided by keystone, so there is no reason
+ to set this unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - driver
+ eventlet_server:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: 0.0.0.0
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: bind_host
+ - group: DEFAULT
+ name: public_bind_host
+ deprecated_reason: Support for running keystone under eventlet has been removed
+ in the Newton release. These options remain for backwards compatibility because
+ they are used for URL substitutions.
+ deprecated_since: K
+ dest: public_bind_host
+ help: The IP address of the network interface for the public service to listen
+ on.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: public_bind_host
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: unknown value
+ - advanced: false
+ choices: []
+ default: 5000
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: public_port
+ deprecated_reason: Support for running keystone under eventlet has been removed
+ in the Newton release. These options remain for backwards compatibility because
+ they are used for URL substitutions.
+ deprecated_since: K
+ dest: public_port
+ help: The port number for the public service to listen on.
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: public_port
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ - advanced: false
+ choices: []
+ default: 0.0.0.0
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: bind_host
+ - group: DEFAULT
+ name: admin_bind_host
+ deprecated_reason: Support for running keystone under eventlet has been removed
+ in the Newton release. These options remain for backwards compatibility because
+ they are used for URL substitutions.
+ deprecated_since: K
+ dest: admin_bind_host
+ help: The IP address of the network interface for the admin service to listen
+ on.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: admin_bind_host
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: unknown value
+ - advanced: false
+ choices: []
+ default: 35357
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: admin_port
+ deprecated_reason: Support for running keystone under eventlet has been removed
+ in the Newton release. These options remain for backwards compatibility because
+ they are used for URL substitutions.
+ deprecated_since: K
+ dest: admin_port
+ help: The port number for the admin service to listen on.
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: admin_port
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ standard_opts:
+ - public_bind_host
+ - public_port
+ - admin_bind_host
+ - admin_port
+ federation:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the federation backend driver in the `keystone.federation`
+ namespace. Keystone only provides a `sql` driver, so there is no reason to
+ set this option unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: assertion_prefix
+ help: Prefix to use when filtering environment variable names for federated
+ assertions. Matched variables are passed into the federated mapping engine.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: assertion_prefix
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: remote_id_attribute
+ help: Value to be used to obtain the entity ID of the Identity Provider from
+ the environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For
+ For `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
+ this could be `MELLON_IDP`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: remote_id_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: Federated
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: federated_domain_name
+ help: An arbitrary domain name that is reserved to allow federated ephemeral
+ users to have a domain concept. Note that an admin will not be able to create
+ a domain with this name or update an existing domain to this name. You are
+ not advised to change this value unless you really have to.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: federated_domain_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: trusted_dashboard
+ help: 'A list of trusted dashboard hosts. Before accepting a Single Sign-On
+ request to return a token, the origin host must be a member of this list.
+ This configuration option may be repeated for multiple values. You must set
+ this in order to use web-based SSO flows. For example: trusted_dashboard=https://acme.example.com/auth/websso
+ trusted_dashboard=https://beta.example.com/auth/websso'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: trusted_dashboard
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: multi valued
+ - advanced: false
+ choices: []
+ default: /etc/keystone/sso_callback_template.html
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sso_callback_template
+ help: Absolute path to an HTML file used as a Single Sign-On callback handler.
+ This page is expected to redirect the user from keystone back to a trusted
+ dashboard host, by form encoding a token in a POST request. Keystone's default
+ value should be sufficient for most deployments.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sso_callback_template
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for federation caching. This has no effect unless global caching
+ is enabled. There is typically no reason to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - driver
+ - assertion_prefix
+ - remote_id_attribute
+ - federated_domain_name
+ - trusted_dashboard
+ - sso_callback_template
+ - caching
+ fernet_tokens:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: /etc/keystone/fernet-keys/
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: key_repository
+ help: 'Directory containing Fernet token keys. This directory must exist before
+ using `keystone-manage fernet_setup` for the first time, must be writable
+ by the user running `keystone-manage fernet_setup` or `keystone-manage fernet_rotate`,
+ and of course must be readable by keystone''s server process. The repository
+ may contain keys in one of three states: a single staged key (always index
+ 0) used for token validation, a single primary key (always the highest index)
+ used for token creation and validation, and any number of secondary keys (all
+ other index values) used for token validation. With multiple keystone nodes,
+ each node must share the same key repository contents, with the exception
+ of the staged key (index 0). It is safe to run `keystone-manage fernet_rotate`
+ once on any one node to promote a staged key (index 0) to be the new primary
+ (incremented from the previous highest index), and produce a new staged key
+ (a new key with index 0); the resulting repository can then be atomically
+ replicated to other nodes without any risk of race conditions (for example,
+ it is safe to run `keystone-manage fernet_rotate` on host A, wait any amount
+ of time, create a tarball of the directory on host A, unpack it on host B
+ to a temporary location, and atomically move (`mv`) the directory into place
+ on host B). Running `keystone-manage fernet_rotate` *twice* on a key repository
+ without syncing other nodes will result in tokens that can not be validated
+ by all nodes.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: key_repository
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_active_keys
+ help: This controls how many keys are held in rotation by `keystone-manage fernet_rotate`
+ before they are discarded. The default value of 3 means that keystone will
+ maintain one staged key (always index 0), one primary key (the highest numerical
+ index), and one secondary key (every other index). Increasing this value means
+ that additional secondary keys will be kept in the rotation.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: max_active_keys
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - key_repository
+ - max_active_keys
+ healthcheck:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: /healthcheck
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: path
+ help: The path to respond to healtcheck requests on.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: path
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: detailed
+ help: Show more detailed information as part of the response
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: detailed
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: backends
+ help: Additional backends that can perform health checks and report that information
+ back as part of a request.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: backends
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: disable_by_file_path
+ help: Check the presence of a file to determine if an application is running
+ on a port. Used by DisableByFileHealthcheck plugin.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: disable_by_file_path
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: disable_by_file_paths
+ help: Check the presence of a file based on a port to determine if an application
+ is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck
+ plugin.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: disable_by_file_paths
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ standard_opts:
+ - path
+ - detailed
+ - backends
+ - disable_by_file_path
+ - disable_by_file_paths
+ identity:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: default
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_domain_id
+ help: This references the domain to use for all Identity API v2 requests (which
+ are not aware of domains). A domain with this ID can optionally be created
+ for you by `keystone-manage bootstrap`. The domain referenced by this ID cannot
+ be deleted on the v3 API, to prevent accidentally breaking the v2 API. There
+ is nothing special about this domain, other than the fact that it must exist
+ to order to maintain support for your v2 clients. There is typically no reason
+ to change this value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_domain_id
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: domain_specific_drivers_enabled
+ help: A subset (or all) of domains can have their own identity driver, each
+ with their own partial configuration options, stored in either the resource
+ backend or in a file in a domain configuration directory (depending on the
+ setting of `[identity] domain_configurations_from_database`). Only values
+ specific to the domain need to be specified in this manner. This feature is
+ disabled by default, but may be enabled by default in a future release; set
+ to true to enable.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: domain_specific_drivers_enabled
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: domain_configurations_from_database
+ help: By default, domain-specific configuration data is read from files in the
+ directory identified by `[identity] domain_config_dir`. Enabling this configuration
+ option allows you to instead manage domain-specific configurations through
+ the API, which are then persisted in the backend (typically, a SQL database),
+ rather than using configuration files on disk.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: domain_configurations_from_database
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/domains
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: domain_config_dir
+ help: Absolute path where keystone should locate domain-specific `[identity]`
+ configuration files. This option has no effect unless `[identity] domain_specific_drivers_enabled`
+ is set to true. There is typically no reason to change this value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: domain_config_dir
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the identity backend driver in the `keystone.identity`
+ namespace. Keystone provides a `sql` and `ldap` driver. This option is also
+ used as the default driver selection (along with the other configuration variables
+ in this section) in the event that `[identity] domain_specific_drivers_enabled`
+ is enabled, but no applicable domain-specific configuration is defined for
+ the domain in question. Unless your deployment primarily relies on `ldap`
+ AND is not using domain-specific configuration, you should typically leave
+ this set to `sql`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for identity caching. This has no effect unless global caching
+ is enabled. There is typically no reason to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: Time to cache identity data (in seconds). This has no effect unless global
+ and identity caching are enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 4096
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_password_length
+ help: Maximum allowed length for user passwords. Decrease this value to improve
+ performance. Changing this value does not effect existing passwords.
+ max: 4096
+ metavar: null
+ min: null
+ mutable: false
+ name: max_password_length
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: list_limit
+ help: Maximum number of entities that will be returned in an identity collection.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: list_limit
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices:
+ - bcrypt
+ - scrypt
+ - pbkdf2_sha512
+ default: bcrypt
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password_hash_algorithm
+ help: The password hashing algorithm to use for passwords stored within keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password_hash_algorithm
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password_hash_rounds
+ help: 'This option represents a trade off between security and performance.
+ Higher values lead to slower performance, but higher security. Changing this
+ option will only affect newly created passwords as existing password hashes
+ already have a fixed number of rounds applied, so it is safe to tune this
+ option in a running cluster. The default for bcrypt is 12, must be between
+ 4 and 31, inclusive. The default for scrypt is 16, must be within `range(1,32)`. The
+ default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING:
+ If using scrypt, increasing this value increases BOTH time AND memory requirements
+ to hash a password.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password_hash_rounds
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: scrypt_block_size
+ help: Optional block size to pass to scrypt hash function (the `r` parameter).
+ Useful for tuning scrypt to optimal performance for your CPU architecture.
+ This option is only used when the `password_hash_algorithm` option is set
+ to `scrypt`. Defaults to 8.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: scrypt_block_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: scrypt_parallelism
+ help: Optional parallelism to pass to scrypt hash function (the `p` parameter).
+ This option is only used when the `password_hash_algorithm` option is set
+ to `scrypt`. Defaults to 1.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: scrypt_parallelism
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: salt_bytesize
+ help: Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default
+ for scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to
+ a maximum of 96 bytes due to the size of the column used to store password
+ hashes.
+ max: 96
+ metavar: null
+ min: 0
+ mutable: false
+ name: salt_bytesize
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: Only used for rolling-upgrade between Ocata and Pike
+ deprecated_since: P
+ dest: rolling_upgrade_password_hash_compat
+ help: This option tells keystone to continue to hash passwords with the sha512_crypt
+ algorithm for supporting rolling upgrades. sha512_crypt is typically more
+ insecure than bcrypt, pbkdf2, and scrypt. This option should be set to `False`
+ except in the case of performing a rolling upgrade where some Keystone servers
+ may not know how to verify non-sha512_crypt based password hashes. This option
+ will be removed in the Queens release and is only to support rolling upgrades
+ from Ocata release to Pike release.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rolling_upgrade_password_hash_compat
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - default_domain_id
+ - domain_specific_drivers_enabled
+ - domain_configurations_from_database
+ - domain_config_dir
+ - driver
+ - caching
+ - cache_time
+ - max_password_length
+ - list_limit
+ - password_hash_algorithm
+ - password_hash_rounds
+ - scrypt_block_size
+ - scrypt_parallelism
+ - salt_bytesize
+ - rolling_upgrade_password_hash_compat
+ identity_mapping:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the identity mapping backend driver in the `keystone.identity.id_mapping`
+ namespace. Keystone only provides a `sql` driver, so there is no reason to
+ change this unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: sha256
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: generator
+ help: Entry point for the public ID generator for user and group entities in
+ the `keystone.identity.id_generator` namespace. The Keystone identity mapper
+ only supports generators that produce 64 bytes or less. Keystone only provides
+ a `sha256` entry point, so there is no reason to change this value unless
+ you're providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: generator
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: backward_compatible_ids
+ help: The format of user and group IDs changed in Juno for backends that do
+ not generate UUIDs (for example, LDAP), with keystone providing a hash mapping
+ to the underlying attribute in LDAP. By default this mapping is disabled,
+ which ensures that existing IDs will not change. Even when the mapping is
+ enabled by using domain-specific drivers (`[identity] domain_specific_drivers_enabled`),
+ any users and groups from the default domain being handled by LDAP will still
+ not be mapped to ensure their IDs remain backward compatible. Setting this
+ value to false will enable the new mapping for all backends, including the
+ default LDAP driver. It is only guaranteed to be safe to enable this option
+ if you do not already have assignments for users and groups from the default
+ LDAP domain, and you consider it to be acceptable for Keystone to provide
+ the different IDs to clients than it did previously (existing IDs in the API
+ will suddenly change). Typically this means that the only time you can set
+ this value to false is when configuring a fresh installation, although that
+ is the recommended value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: backward_compatible_ids
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - driver
+ - generator
+ - backward_compatible_ids
+ ldap:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: ldap://localhost
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: url
+ help: URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
+ as a comma separated string. The first URL to successfully bind is used for
+ the connection.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: url
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user
+ help: The user name of the administrator bind DN to use when querying the LDAP
+ server, if your LDAP server requires it.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password
+ help: The password of the administrator bind DN to use when querying the LDAP
+ server, if your LDAP server requires it.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: cn=example,cn=com
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: suffix
+ help: The default LDAP server suffix to use, if a DN is not defined via either
+ `[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: suffix
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices:
+ - one
+ - sub
+ default: one
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: query_scope
+ help: The search scope which defines how deep to search within the search base.
+ A value of `one` (representing `oneLevel` or `singleLevel`) indicates a search
+ of objects immediately below to the base object, but does not include the
+ base object itself. A value of `sub` (representing `subtree` or `wholeSubtree`)
+ indicates a search of both the base object itself and the entire subtree below
+ it.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: query_scope
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: page_size
+ help: Defines the maximum number of results per page that keystone should request
+ from the LDAP server when listing objects. A value of zero (`0`) disables
+ paging.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: page_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices:
+ - never
+ - searching
+ - always
+ - finding
+ - default
+ default: default
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: alias_dereferencing
+ help: The LDAP dereferencing option to use for queries involving aliases. A
+ value of `default` falls back to using default dereferencing behavior configured
+ by your `ldap.conf`. A value of `never` prevents aliases from being dereferenced
+ at all. A value of `searching` dereferences aliases only after name resolution.
+ A value of `finding` dereferences aliases only during name resolution. A value
+ of `always` dereferences aliases in all cases.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: alias_dereferencing
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: debug_level
+ help: Sets the LDAP debugging level for LDAP calls. A value of 0 means that
+ debugging is not enabled. This value is a bitmask, consult your LDAP documentation
+ for possible values.
+ max: null
+ metavar: null
+ min: -1
+ mutable: false
+ name: debug_level
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: chase_referrals
+ help: Sets keystone's referral chasing behavior across directory partitions.
+ If left unset, the system's default behavior will be used.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: chase_referrals
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_tree_dn
+ help: The search base to use for users. Defaults to the `[ldap] suffix` value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_tree_dn
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_filter
+ help: The LDAP search filter to use for users.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_filter
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: inetOrgPerson
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_objectclass
+ help: The LDAP object class to use for users.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_objectclass
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: cn
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_id_attribute
+ help: The LDAP attribute mapped to user IDs in keystone. This must NOT be a
+ multivalued attribute. User IDs are expected to be globally unique across
+ keystone domains and URL-safe.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_id_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: sn
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_name_attribute
+ help: The LDAP attribute mapped to user names in keystone. User names are expected
+ to be unique only within a keystone domain and are not expected to be URL-safe.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_name_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: description
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_description_attribute
+ help: The LDAP attribute mapped to user descriptions in keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_description_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: mail
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_mail_attribute
+ help: The LDAP attribute mapped to user emails in keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_mail_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: userPassword
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_pass_attribute
+ help: The LDAP attribute mapped to user passwords in keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_pass_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: enabled
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_attribute
+ help: The LDAP attribute mapped to the user enabled attribute in keystone. If
+ setting this option to `userAccountControl`, then you may be interested in
+ setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_enabled_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_invert
+ help: Logically negate the boolean value of the enabled attribute obtained from
+ the LDAP server. Some LDAP servers use a boolean lock attribute where "true"
+ means an account is disabled. Setting `[ldap] user_enabled_invert = true`
+ will allow these lock attributes to be used. This option will have no effect
+ if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation`
+ options are in use.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_enabled_invert
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_mask
+ help: Bitmask integer to select which bit indicates the enabled value if the
+ LDAP server represents "enabled" as a bit on an integer rather than as a discrete
+ boolean. A value of `0` indicates that the mask is not used. If this is not
+ set to `0` the typical value is `2`. This is typically used when `[ldap] user_enabled_attribute
+ = userAccountControl`. Setting this option causes keystone to ignore the value
+ of `[ldap] user_enabled_invert`.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: user_enabled_mask
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 'True'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_default
+ help: The default value to enable users. This should match an appropriate integer
+ value if the LDAP server uses non-boolean (bitmask) values to indicate if
+ a user is enabled or disabled. If this is not set to `True`, then the typical
+ value is `512`. This is typically used when `[ldap] user_enabled_attribute
+ = userAccountControl`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_enabled_default
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default:
+ - default_project_id
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_attribute_ignore
+ help: List of user attributes to ignore on create and update, or whether a specific
+ user attribute should be filtered for list or show user.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_attribute_ignore
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_default_project_id_attribute
+ help: The LDAP attribute mapped to a user's default_project_id in keystone.
+ This is most commonly used when keystone has write access to LDAP.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_default_project_id_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_emulation
+ help: If enabled, keystone uses an alternative method to determine if a user
+ is enabled or not by checking if they are a member of the group defined by
+ the `[ldap] user_enabled_emulation_dn` option. Enabling this option causes
+ keystone to ignore the value of `[ldap] user_enabled_invert`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_enabled_emulation
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_emulation_dn
+ help: DN of the group entry to hold enabled users when using enabled emulation.
+ Setting this option has no effect unless `[ldap] user_enabled_emulation` is
+ also enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_enabled_emulation_dn
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_enabled_emulation_use_group_config
+ help: Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass`
+ settings to determine membership in the emulated enabled group. Enabling this
+ option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_enabled_emulation_use_group_config
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: user_additional_attribute_mapping
+ help: A list of LDAP attribute to keystone user attribute pairs used for mapping
+ additional attributes to users in keystone. The expected format is `:`,
+ where `ldap_attr` is the attribute in the LDAP object and `user_attr` is the
+ attribute which should appear in the identity API.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: user_additional_attribute_mapping
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_tree_dn
+ help: The search base to use for groups. Defaults to the `[ldap] suffix` value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_tree_dn
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_filter
+ help: The LDAP search filter to use for groups.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_filter
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: groupOfNames
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_objectclass
+ help: The LDAP object class to use for groups. If setting this option to `posixGroup`,
+ you may also be interested in enabling the `[ldap] group_members_are_ids`
+ option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_objectclass
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: cn
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_id_attribute
+ help: The LDAP attribute mapped to group IDs in keystone. This must NOT be a
+ multivalued attribute. Group IDs are expected to be globally unique across
+ keystone domains and URL-safe.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_id_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ou
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_name_attribute
+ help: The LDAP attribute mapped to group names in keystone. Group names are
+ expected to be unique only within a keystone domain and are not expected to
+ be URL-safe.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_name_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: member
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_member_attribute
+ help: The LDAP attribute used to indicate that a user is a member of the group.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_member_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_members_are_ids
+ help: Enable this option if the members of the group object class are keystone
+ user IDs rather than LDAP DNs. This is the case when using `posixGroup` as
+ the group object class in Open Directory.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_members_are_ids
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: description
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_desc_attribute
+ help: The LDAP attribute mapped to group descriptions in keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_desc_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_attribute_ignore
+ help: List of group attributes to ignore on create and update. or whether a
+ specific group attribute should be filtered for list or show group.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_attribute_ignore
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_additional_attribute_mapping
+ help: A list of LDAP attribute to keystone group attribute pairs used for mapping
+ additional attributes to groups in keystone. The expected format is `:`,
+ where `ldap_attr` is the attribute in the LDAP object and `group_attr` is
+ the attribute which should appear in the identity API.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_additional_attribute_mapping
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_ad_nesting
+ help: If enabled, group queries will use Active Directory specific filters for
+ nested groups.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_ad_nesting
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: tls_cacertfile
+ help: An absolute path to a CA certificate file to use when communicating with
+ LDAP servers. This option will take precedence over `[ldap] tls_cacertdir`,
+ so there is no reason to set both.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: tls_cacertfile
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: tls_cacertdir
+ help: An absolute path to a CA certificate directory to use when communicating
+ with LDAP servers. There is no reason to set this option if you've also set
+ `[ldap] tls_cacertfile`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: tls_cacertdir
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_tls
+ help: Enable TLS when communicating with LDAP servers. You should also set the
+ `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
+ option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
+ of TLS.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_tls
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices:
+ - demand
+ - never
+ - allow
+ default: demand
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: tls_req_cert
+ help: Specifies which checks to perform against client certificates on incoming
+ TLS sessions. If set to `demand`, then a certificate will always be requested
+ and required from the LDAP server. If set to `allow`, then a certificate will
+ always be requested but not required from the LDAP server. If set to `never`,
+ then a certificate will never be requested.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: tls_req_cert
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_timeout
+ help: The connection timeout to use with the LDAP server. A value of `-1` means
+ that connections will never timeout.
+ max: null
+ metavar: null
+ min: -1
+ mutable: false
+ name: connection_timeout
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_pool
+ help: Enable LDAP connection pooling for queries to the LDAP server. There is
+ typically no reason to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_pool
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_size
+ help: The size of the LDAP connection pool. This option has no effect unless
+ `[ldap] use_pool` is also enabled.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: pool_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_retry_max
+ help: The maximum number of times to attempt reconnecting to the LDAP server
+ before aborting. A value of zero prevents retries. This option has no effect
+ unless `[ldap] use_pool` is also enabled.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: pool_retry_max
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0.1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_retry_delay
+ help: The number of seconds to wait before attempting to reconnect to the LDAP
+ server. This option has no effect unless `[ldap] use_pool` is also enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_retry_delay
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_connection_timeout
+ help: The connection timeout to use when pooling LDAP connections. A value of
+ `-1` means that connections will never timeout. This option has no effect
+ unless `[ldap] use_pool` is also enabled.
+ max: null
+ metavar: null
+ min: -1
+ mutable: false
+ name: pool_connection_timeout
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_connection_lifetime
+ help: The maximum connection lifetime to the LDAP server in seconds. When this
+ lifetime is exceeded, the connection will be unbound and removed from the
+ connection pool. This option has no effect unless `[ldap] use_pool` is also
+ enabled.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: pool_connection_lifetime
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_auth_pool
+ help: Enable LDAP connection pooling for end user authentication. There is typically
+ no reason to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_auth_pool
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: auth_pool_size
+ help: The size of the connection pool to use for end user authentication. This
+ option has no effect unless `[ldap] use_auth_pool` is also enabled.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: auth_pool_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: auth_pool_connection_lifetime
+ help: The maximum end user authentication connection lifetime to the LDAP server
+ in seconds. When this lifetime is exceeded, the connection will be unbound
+ and removed from the connection pool. This option has no effect unless `[ldap]
+ use_auth_pool` is also enabled.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: auth_pool_connection_lifetime
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - url
+ - user
+ - password
+ - suffix
+ - query_scope
+ - page_size
+ - alias_dereferencing
+ - debug_level
+ - chase_referrals
+ - user_tree_dn
+ - user_filter
+ - user_objectclass
+ - user_id_attribute
+ - user_name_attribute
+ - user_description_attribute
+ - user_mail_attribute
+ - user_pass_attribute
+ - user_enabled_attribute
+ - user_enabled_invert
+ - user_enabled_mask
+ - user_enabled_default
+ - user_attribute_ignore
+ - user_default_project_id_attribute
+ - user_enabled_emulation
+ - user_enabled_emulation_dn
+ - user_enabled_emulation_use_group_config
+ - user_additional_attribute_mapping
+ - group_tree_dn
+ - group_filter
+ - group_objectclass
+ - group_id_attribute
+ - group_name_attribute
+ - group_member_attribute
+ - group_members_are_ids
+ - group_desc_attribute
+ - group_attribute_ignore
+ - group_additional_attribute_mapping
+ - group_ad_nesting
+ - tls_cacertfile
+ - tls_cacertdir
+ - use_tls
+ - tls_req_cert
+ - connection_timeout
+ - use_pool
+ - pool_size
+ - pool_retry_max
+ - pool_retry_delay
+ - pool_connection_timeout
+ - pool_connection_lifetime
+ - use_auth_pool
+ - auth_pool_size
+ - auth_pool_connection_lifetime
+ matchmaker_redis:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: 127.0.0.1
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: host
+ help: Host to locate redis.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: host
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 6379
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: port
+ help: Use this port to connect to redis host.
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: password
+ help: Password for Redis server (optional).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: sentinel_hosts
+ help: List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port,
+ host1:port ... ]
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sentinel_hosts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: oslo-messaging-zeromq
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sentinel_group_name
+ help: Redis replica set name.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sentinel_group_name
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 2000
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: wait_timeout
+ help: Time in ms to wait between connection attempts.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: wait_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 20000
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: check_timeout
+ help: Time in ms to wait before the transaction is killed.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: check_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10000
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: socket_timeout
+ help: Timeout in ms on blocking socket operations.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: socket_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - host
+ - port
+ - password
+ - sentinel_hosts
+ - sentinel_group_name
+ - wait_timeout
+ - check_timeout
+ - socket_timeout
+ memcache:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: dead_retry
+ help: Number of seconds memcached server is considered dead before it is tried
+ again. This is used by the key value store system.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: dead_retry
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: socket_timeout
+ help: Timeout in seconds for every call to a server. This is used by the key
+ value store system.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: socket_timeout
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_maxsize
+ help: Max total number of open connections to every memcached server. This is
+ used by the key value store system.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_maxsize
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_unused_timeout
+ help: Number of seconds a connection to memcached is held unused in the pool
+ before it is closed. This is used by the key value store system.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_unused_timeout
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_connection_get_timeout
+ help: Number of seconds that an operation will wait to get a memcache client
+ connection. This is used by the key value store system.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_connection_get_timeout
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - dead_retry
+ - socket_timeout
+ - pool_maxsize
+ - pool_unused_timeout
+ - pool_connection_get_timeout
+ oauth1:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the OAuth backend driver in the `keystone.oauth1` namespace.
+ Typically, there is no reason to set this option unless you are providing
+ a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 28800
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: request_token_duration
+ help: Number of seconds for the OAuth Request Token to remain valid after being
+ created. This is the amount of time the user has to authorize the token. Setting
+ this option to zero means that request tokens will last forever.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: request_token_duration
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 86400
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: access_token_duration
+ help: Number of seconds for the OAuth Access Token to remain valid after being
+ created. This is the amount of time the consumer has to interact with the
+ service provider (which is typically keystone). Setting this option to zero
+ means that access tokens will last forever.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: access_token_duration
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - driver
+ - request_token_duration
+ - access_token_duration
+ oslo_messaging_amqp:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: container_name
+ deprecated_reason: null
+ deprecated_since: null
+ dest: container_name
+ help: Name for the AMQP container. must be globally unique. Defaults to a generated
+ UUID
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: container_name
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: idle_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idle_timeout
+ help: Timeout for inactive connections (in seconds)
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idle_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: trace
+ deprecated_reason: null
+ deprecated_since: null
+ dest: trace
+ help: 'Debug: dump AMQP frames to stdout'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: trace
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl
+ help: Attempt to connect via SSL. If no other ssl-related parameters are given,
+ it will use the system's CA-bundle to verify the server's certificate.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: ssl_ca_file
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_ca_file
+ help: CA certificate PEM file used to verify the server's certificate
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_ca_file
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: ssl_cert_file
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_cert_file
+ help: Self-identifying certificate PEM file for client authentication
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_cert_file
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: ssl_key_file
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_key_file
+ help: Private key PEM file used to sign ssl_cert_file certificate (optional)
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_key_file
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: ssl_key_password
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_key_password
+ help: Password for decrypting ssl_key_file (if encrypted)
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_key_password
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: amqp1
+ name: allow_insecure_clients
+ deprecated_reason: Not applicable - not a SSL server
+ deprecated_since: null
+ dest: allow_insecure_clients
+ help: Accept clients using either SSL or plain TCP
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_insecure_clients
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: sasl_mechanisms
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sasl_mechanisms
+ help: Space separated list of acceptable SASL mechanisms
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sasl_mechanisms
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: sasl_config_dir
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sasl_config_dir
+ help: Path to directory that contains the SASL configuration
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sasl_config_dir
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: sasl_config_name
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sasl_config_name
+ help: Name of configuration file (without .conf suffix)
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sasl_config_name
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sasl_default_realm
+ help: SASL realm to use if no realm present in username
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sasl_default_realm
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: amqp1
+ name: username
+ deprecated_reason: Should use configuration option transport_url to provide
+ the username.
+ deprecated_since: null
+ dest: username
+ help: User name for message broker authentication
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: username
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: amqp1
+ name: password
+ deprecated_reason: Should use configuration option transport_url to provide
+ the password.
+ deprecated_since: null
+ dest: password
+ help: Password for message broker authentication
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_retry_interval
+ help: Seconds to pause before attempting to re-connect.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: connection_retry_interval
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_retry_backoff
+ help: Increase the connection_retry_interval by this many seconds after each
+ unsuccessful failover attempt.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: connection_retry_backoff
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_retry_interval_max
+ help: Maximum limit for connection_retry_interval + connection_retry_backoff
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: connection_retry_interval_max
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: link_retry_delay
+ help: Time to pause between re-connecting an AMQP 1.0 link that failed due to
+ a recoverable error.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: link_retry_delay
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_reply_retry
+ help: The maximum number of attempts to re-send a reply message which failed
+ due to a recoverable error.
+ max: null
+ metavar: null
+ min: -1
+ mutable: false
+ name: default_reply_retry
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_reply_timeout
+ help: The deadline for an rpc reply message delivery.
+ max: null
+ metavar: null
+ min: 5
+ mutable: false
+ name: default_reply_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_send_timeout
+ help: The deadline for an rpc cast or call message delivery. Only used when
+ caller does not provide a timeout expiry.
+ max: null
+ metavar: null
+ min: 5
+ mutable: false
+ name: default_send_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_notify_timeout
+ help: The deadline for a sent notification message delivery. Only used when
+ caller does not provide a timeout expiry.
+ max: null
+ metavar: null
+ min: 5
+ mutable: false
+ name: default_notify_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_sender_link_timeout
+ help: The duration to schedule a purge of idle sender links. Detach link after
+ expiry.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: default_sender_link_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: dynamic
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: addressing_mode
+ help: 'Indicates the addressing mode used by the driver.
+
+ Permitted values:
+
+ ''legacy'' - use legacy non-routable addressing
+
+ ''routable'' - use routable addresses
+
+ ''dynamic'' - use legacy addresses if the message bus does not support routing
+ otherwise use routable addressing'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: addressing_mode
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: exclusive
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: server_request_prefix
+ deprecated_reason: null
+ deprecated_since: null
+ dest: server_request_prefix
+ help: address prefix used when sending to a specific server
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: server_request_prefix
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: broadcast
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: broadcast_prefix
+ deprecated_reason: null
+ deprecated_since: null
+ dest: broadcast_prefix
+ help: address prefix used when broadcasting to all servers
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: broadcast_prefix
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: unicast
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: amqp1
+ name: group_request_prefix
+ deprecated_reason: null
+ deprecated_since: null
+ dest: group_request_prefix
+ help: address prefix when sending to any server in group
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: group_request_prefix
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: openstack.org/om/rpc
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_address_prefix
+ help: Address prefix for all generated RPC addresses
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_address_prefix
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: openstack.org/om/notify
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notify_address_prefix
+ help: Address prefix for all generated Notification addresses
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: notify_address_prefix
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: multicast
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: multicast_address
+ help: Appended to the address prefix when sending a fanout message. Used by
+ the message bus to identify fanout messages.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: multicast_address
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: unicast
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: unicast_address
+ help: Appended to the address prefix when sending to a particular RPC/Notification
+ server. Used by the message bus to identify messages sent to a single destination.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: unicast_address
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: anycast
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: anycast_address
+ help: Appended to the address prefix when sending to a group of consumers. Used
+ by the message bus to identify messages that should be delivered in a round-robin
+ fashion across consumers.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: anycast_address
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_notification_exchange
+ help: 'Exchange name used in notification addresses.
+
+ Exchange name resolution precedence:
+
+ Target.exchange if set
+
+ else default_notification_exchange if set
+
+ else control_exchange if set
+
+ else ''notify'''
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_notification_exchange
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_rpc_exchange
+ help: 'Exchange name used in RPC addresses.
+
+ Exchange name resolution precedence:
+
+ Target.exchange if set
+
+ else default_rpc_exchange if set
+
+ else control_exchange if set
+
+ else ''rpc'''
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_rpc_exchange
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 200
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: reply_link_credit
+ help: Window size for incoming RPC Reply messages.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: reply_link_credit
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_server_credit
+ help: Window size for incoming RPC Request messages
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: rpc_server_credit
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notify_server_credit
+ help: Window size for incoming Notification messages
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: notify_server_credit
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default:
+ - rpc-cast
+ - rpc-reply
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pre_settled
+ help: 'Send messages of this type pre-settled.
+
+ Pre-settled messages will not receive acknowledgement
+
+ from the peer. Note well: pre-settled messages may be
+
+ silently discarded if the delivery fails.
+
+ Permitted values:
+
+ ''rpc-call'' - send RPC Calls pre-settled
+
+ ''rpc-reply''- send RPC Replies pre-settled
+
+ ''rpc-cast'' - Send RPC Casts pre-settled
+
+ ''notify'' - Send Notifications pre-settled
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pre_settled
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: multi valued
+ standard_opts:
+ - container_name
+ - idle_timeout
+ - trace
+ - ssl
+ - ssl_ca_file
+ - ssl_cert_file
+ - ssl_key_file
+ - ssl_key_password
+ - allow_insecure_clients
+ - sasl_mechanisms
+ - sasl_config_dir
+ - sasl_config_name
+ - sasl_default_realm
+ - username
+ - password
+ - connection_retry_interval
+ - connection_retry_backoff
+ - connection_retry_interval_max
+ - link_retry_delay
+ - default_reply_retry
+ - default_reply_timeout
+ - default_send_timeout
+ - default_notify_timeout
+ - default_sender_link_timeout
+ - addressing_mode
+ - server_request_prefix
+ - broadcast_prefix
+ - group_request_prefix
+ - rpc_address_prefix
+ - notify_address_prefix
+ - multicast_address
+ - unicast_address
+ - anycast_address
+ - default_notification_exchange
+ - default_rpc_exchange
+ - reply_link_credit
+ - rpc_server_credit
+ - notify_server_credit
+ - pre_settled
+ oslo_messaging_kafka:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: localhost
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: kafka_default_host
+ help: Default Kafka broker Host
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kafka_default_host
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 9092
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: kafka_default_port
+ help: Default Kafka broker Port
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: kafka_default_port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ - advanced: false
+ choices: []
+ default: 1048576
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: kafka_max_fetch_bytes
+ help: Max fetch bytes of Kafka consumer
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kafka_max_fetch_bytes
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1.0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: kafka_consumer_timeout
+ help: Default timeout(s) for Kafka consumers
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kafka_consumer_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: 10
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_size
+ help: Pool Size for Kafka Consumers
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: conn_pool_min_size
+ help: The pool size limit for connections expiration policy
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: conn_pool_min_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1200
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: conn_pool_ttl
+ help: The time-to-live in sec of idle connections in the pool
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: conn_pool_ttl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: oslo_messaging_consumer
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: consumer_group
+ help: Group id for Kafka consumer. Consumers in one group will coordinate message
+ consumption
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: consumer_group
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 0.0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: producer_batch_timeout
+ help: Upper bound on the delay for KafkaProducer batching in seconds
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: producer_batch_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: 16384
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: producer_batch_size
+ help: Size of batch for the producer async send
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: producer_batch_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - kafka_default_host
+ - kafka_default_port
+ - kafka_max_fetch_bytes
+ - kafka_consumer_timeout
+ - pool_size
+ - conn_pool_min_size
+ - conn_pool_ttl
+ - consumer_group
+ - producer_batch_timeout
+ - producer_batch_size
+ oslo_messaging_notifications:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: notification_driver
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: The Drivers(s) to handle sending notifications. Possible values are messaging,
+ messagingv2, routing, log, test, noop
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: multi valued
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: notification_transport_url
+ deprecated_reason: null
+ deprecated_since: null
+ dest: transport_url
+ help: A URL representing the messaging driver to use for notifications. If not
+ set, we fall back to the same configuration used for RPC.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: transport_url
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default:
+ - notifications
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: rpc_notifier2
+ name: topics
+ - group: DEFAULT
+ name: notification_topics
+ deprecated_reason: null
+ deprecated_since: null
+ dest: topics
+ help: AMQP topic used for OpenStack notifications.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: topics
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: retry
+ help: The maximum number of attempts to re-send a notification message which
+ failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: retry
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - driver
+ - transport_url
+ - topics
+ - retry
+ oslo_messaging_rabbit:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: amqp_durable_queues
+ - group: DEFAULT
+ name: rabbit_durable_queues
+ deprecated_reason: null
+ deprecated_since: null
+ dest: amqp_durable_queues
+ help: Use durable queues in AMQP.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: amqp_durable_queues
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: amqp_auto_delete
+ deprecated_reason: null
+ deprecated_since: null
+ dest: amqp_auto_delete
+ help: Auto-delete queues in AMQP.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: amqp_auto_delete
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl
+ help: Enable SSL
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: oslo_messaging_rabbit
+ name: kombu_ssl_version
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_version
+ help: SSL version to use (valid only if SSL enabled). Valid values are TLSv1
+ and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_version
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: oslo_messaging_rabbit
+ name: kombu_ssl_keyfile
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_key_file
+ help: SSL key file (valid only if SSL enabled).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_key_file
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: oslo_messaging_rabbit
+ name: kombu_ssl_certfile
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_cert_file
+ help: SSL cert file (valid only if SSL enabled).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_cert_file
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ''
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: oslo_messaging_rabbit
+ name: kombu_ssl_ca_certs
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_ca_file
+ help: SSL certification authority file (valid only if SSL enabled).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_ca_file
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 1.0
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: kombu_reconnect_delay
+ deprecated_reason: null
+ deprecated_since: null
+ dest: kombu_reconnect_delay
+ help: How long to wait before reconnecting in response to an AMQP consumer cancel
+ notification.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kombu_reconnect_delay
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: kombu_compression
+ help: 'EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression
+ will not be used. This option may not be available in future versions.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kombu_compression
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: oslo_messaging_rabbit
+ name: kombu_reconnect_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: kombu_missing_consumer_retry_timeout
+ help: How long to wait a missing client before abandoning to send it its replies.
+ This value should not be longer than rpc_response_timeout.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kombu_missing_consumer_retry_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices:
+ - round-robin
+ - shuffle
+ default: round-robin
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: kombu_failover_strategy
+ help: Determines how the next RabbitMQ node is chosen in case the one we are
+ currently connected to becomes unavailable. Takes effect only if more than
+ one RabbitMQ node is provided in config.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: kombu_failover_strategy
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: localhost
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_host
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rabbit_host
+ help: The RabbitMQ broker address where a single node is used.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_host
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 5672
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_port
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rabbit_port
+ help: The RabbitMQ broker port where a single node is used.
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: rabbit_port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ - advanced: false
+ choices: []
+ default:
+ - $rabbit_host:$rabbit_port
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_hosts
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rabbit_hosts
+ help: RabbitMQ HA cluster host:port pairs.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_hosts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: guest
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_userid
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rabbit_userid
+ help: The RabbitMQ userid.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_userid
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: guest
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_password
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rabbit_password
+ help: The RabbitMQ password.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_password
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: true
+ short: null
+ type: string value
+ - advanced: false
+ choices:
+ - PLAIN
+ - AMQPLAIN
+ - RABBIT-CR-DEMO
+ default: AMQPLAIN
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_login_method
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_login_method
+ help: The RabbitMQ login method.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_login_method
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_virtual_host
+ deprecated_reason: Replaced by [DEFAULT]/transport_url
+ deprecated_since: null
+ dest: rabbit_virtual_host
+ help: The RabbitMQ virtual host.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_virtual_host
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_retry_interval
+ help: How frequently to retry connecting with RabbitMQ.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_retry_interval
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_retry_backoff
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_retry_backoff
+ help: How long to backoff for between retries when connecting to RabbitMQ.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_retry_backoff
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_interval_max
+ help: Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_interval_max
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: true
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_max_retries
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_max_retries
+ help: Maximum number of RabbitMQ connection retries. Default is 0 (infinite
+ retry count).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_max_retries
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rabbit_ha_queues
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_ha_queues
+ help: 'Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
+ option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
+ is no longer controlled by the x-ha-policy argument when declaring a queue.
+ If you just want to make sure that all queues (except those with auto-generated
+ names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ''^(?!amq\.).*''
+ ''{"ha-mode": "all"}'' "'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_ha_queues
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 1800
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_transient_queues_ttl
+ help: Positive integer representing duration in seconds for queue TTL (x-expires).
+ Queues which are unused for the duration of the TTL are automatically deleted.
+ The parameter affects only reply and fanout queues.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: rabbit_transient_queues_ttl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rabbit_qos_prefetch_count
+ help: Specifies the number of messages to prefetch. Setting to zero allows unlimited
+ messages.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rabbit_qos_prefetch_count
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: heartbeat_timeout_threshold
+ help: Number of seconds after which the Rabbit broker is considered down if
+ heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: heartbeat_timeout_threshold
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: heartbeat_rate
+ help: How often times during the heartbeat_timeout_threshold we check the heartbeat.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: heartbeat_rate
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: fake_rabbit
+ deprecated_reason: null
+ deprecated_since: null
+ dest: fake_rabbit
+ help: Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: fake_rabbit
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: channel_max
+ help: Maximum number of channels to allow
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: channel_max
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: frame_max
+ help: The maximum byte size for an AMQP frame
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: frame_max
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: heartbeat_interval
+ help: How often to send heartbeats for consumer's connections
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: heartbeat_interval
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: ssl_options
+ help: Arguments passed to ssl.wrap_socket
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ssl_options
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: dict value
+ - advanced: false
+ choices: []
+ default: 0.25
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: socket_timeout
+ help: Set socket timeout in seconds for connection's socket
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: socket_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: 0.25
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: tcp_user_timeout
+ help: Set TCP_USER_TIMEOUT in seconds for connection's socket
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: tcp_user_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: 0.25
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: host_connection_reconnect_delay
+ help: Set delay for reconnection to some host which has connection error
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: host_connection_reconnect_delay
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices:
+ - new
+ - single
+ - read_write
+ default: single
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_factory
+ help: Connection factory implementation
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: connection_factory
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_max_size
+ help: Maximum number of connections to keep queued.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_max_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_max_overflow
+ help: Maximum number of connections to create above `pool_max_size`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_max_overflow
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 30
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_timeout
+ help: Default number of seconds to wait for a connections to available
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_recycle
+ help: Lifetime of a connection (since creation) in seconds or None for no recycling.
+ Expired connections are closed on acquire.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_recycle
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: pool_stale
+ help: Threshold at which inactive (since release) connections are considered
+ stale in seconds or None for no staleness. Stale connections are closed on
+ acquire.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: pool_stale
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices:
+ - json
+ - msgpack
+ default: json
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_serializer_type
+ help: Default serialization mechanism for serializing/deserializing outgoing/incoming
+ messages
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_serializer_type
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notification_persistence
+ help: Persist notification messages.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: notification_persistence
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: ${control_exchange}_notification
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_notification_exchange
+ help: Exchange name for sending notifications
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_notification_exchange
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notification_listener_prefetch_count
+ help: Max number of not acknowledged message which RabbitMQ can send to notification
+ listener.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: notification_listener_prefetch_count
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_notification_retry_attempts
+ help: Reconnecting retry count in case of connectivity problem during sending
+ notification, -1 means infinite retry.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_notification_retry_attempts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0.25
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: notification_retry_delay
+ help: Reconnecting retry delay in case of connectivity problem during sending
+ notification message
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: notification_retry_delay
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: 60
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_queue_expiration
+ help: Time to live for rpc queues without consumers in seconds.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_queue_expiration
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: ${control_exchange}_rpc
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_rpc_exchange
+ help: Exchange name for sending RPC messages
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_rpc_exchange
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: ${control_exchange}_rpc_reply
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_reply_exchange
+ help: Exchange name for receiving RPC replies
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_reply_exchange
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_listener_prefetch_count
+ help: Max number of not acknowledged message which RabbitMQ can send to rpc
+ listener.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_listener_prefetch_count
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_reply_listener_prefetch_count
+ help: Max number of not acknowledged message which RabbitMQ can send to rpc
+ reply listener.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_reply_listener_prefetch_count
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_reply_retry_attempts
+ help: Reconnecting retry count in case of connectivity problem during sending
+ reply. -1 means infinite retry during rpc_timeout
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_reply_retry_attempts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0.25
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_reply_retry_delay
+ help: Reconnecting retry delay in case of connectivity problem during sending
+ reply.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_reply_retry_delay
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: default_rpc_retry_attempts
+ help: Reconnecting retry count in case of connectivity problem during sending
+ RPC message, -1 means infinite retry. If actual retry attempts in not 0 the
+ rpc request could be processed more than one time
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: default_rpc_retry_attempts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0.25
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_retry_delay
+ help: Reconnecting retry delay in case of connectivity problem during sending
+ RPC message
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_retry_delay
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ standard_opts:
+ - amqp_durable_queues
+ - amqp_auto_delete
+ - ssl
+ - ssl_version
+ - ssl_key_file
+ - ssl_cert_file
+ - ssl_ca_file
+ - kombu_reconnect_delay
+ - kombu_compression
+ - kombu_missing_consumer_retry_timeout
+ - kombu_failover_strategy
+ - rabbit_host
+ - rabbit_port
+ - rabbit_hosts
+ - rabbit_userid
+ - rabbit_password
+ - rabbit_login_method
+ - rabbit_virtual_host
+ - rabbit_retry_interval
+ - rabbit_retry_backoff
+ - rabbit_interval_max
+ - rabbit_max_retries
+ - rabbit_ha_queues
+ - rabbit_transient_queues_ttl
+ - rabbit_qos_prefetch_count
+ - heartbeat_timeout_threshold
+ - heartbeat_rate
+ - fake_rabbit
+ - channel_max
+ - frame_max
+ - heartbeat_interval
+ - ssl_options
+ - socket_timeout
+ - tcp_user_timeout
+ - host_connection_reconnect_delay
+ - connection_factory
+ - pool_max_size
+ - pool_max_overflow
+ - pool_timeout
+ - pool_recycle
+ - pool_stale
+ - default_serializer_type
+ - notification_persistence
+ - default_notification_exchange
+ - notification_listener_prefetch_count
+ - default_notification_retry_attempts
+ - notification_retry_delay
+ - rpc_queue_expiration
+ - default_rpc_exchange
+ - rpc_reply_exchange
+ - rpc_listener_prefetch_count
+ - rpc_reply_listener_prefetch_count
+ - rpc_reply_retry_attempts
+ - rpc_reply_retry_delay
+ - default_rpc_retry_attempts
+ - rpc_retry_delay
+ oslo_messaging_zmq:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: '*'
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_bind_address
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_bind_address
+ help: ZeroMQ bind address. Should be a wildcard (*), an ethernet interface,
+ or IP. The "host" option should point or resolve to this address.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_bind_address
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: *id001
+ default: redis
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_matchmaker
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_matchmaker
+ help: MatchMaker driver.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_matchmaker
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_contexts
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_contexts
+ help: Number of ZeroMQ contexts, defaults to 1.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_contexts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_topic_backlog
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_topic_backlog
+ help: Maximum number of ingress messages to locally buffer per topic. Default
+ is unlimited.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_topic_backlog
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: /var/run/openstack
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_ipc_dir
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_ipc_dir
+ help: Directory for holding IPC sockets.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_ipc_dir
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: x1hobo
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_host
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_host
+ help: Name of this node. Must be a valid hostname, FQDN, or IP address. Must
+ match "host" option, if running Nova.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_host
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: localhost
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_cast_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_linger
+ help: Number of seconds to wait before all pending messages will be sent after
+ closing a socket. The default value of -1 specifies an infinite linger period.
+ The value of 0 specifies no linger period. Pending messages shall be discarded
+ immediately when the socket is closed. Positive values specify an upper bound
+ for the linger period.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_linger
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_poll_timeout
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_poll_timeout
+ help: The default number of seconds that poll should wait. Poll raises timeout
+ exception when timeout expired.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_poll_timeout
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: zmq_target_expire
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_target_expire
+ help: Expiration timeout in seconds of a name service record about existing
+ target ( < 0 means no timeout).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_target_expire
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 180
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: zmq_target_update
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_target_update
+ help: Update period in seconds of a name service record about existing target.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_target_update
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: use_pub_sub
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_pub_sub
+ help: Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_pub_sub
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: use_router_proxy
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_router_proxy
+ help: Use ROUTER remote proxy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_router_proxy
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: use_dynamic_connections
+ help: This option makes direct connections dynamic or static. It makes sense
+ only with use_router_proxy=False which means to use direct connections for
+ direct message types (ignored otherwise).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: use_dynamic_connections
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_failover_connections
+ help: How many additional connections to a host will be made for failover reasons.
+ This option is actual only in dynamic connections mode.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_failover_connections
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 49153
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_min_port
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_min_port
+ help: Minimal port number for random ports range.
+ max: 65535
+ metavar: null
+ min: 0
+ mutable: false
+ name: rpc_zmq_min_port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: port value
+ - advanced: false
+ choices: []
+ default: 65536
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_max_port
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_max_port
+ help: Maximal port number for random ports range.
+ max: 65536
+ metavar: null
+ min: 1
+ mutable: false
+ name: rpc_zmq_max_port
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_bind_port_retries
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_bind_port_retries
+ help: Number of retries to find free port number before fail with ZMQBindError.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_bind_port_retries
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: *id002
+ default: json
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: rpc_zmq_serialization
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_zmq_serialization
+ help: Default serialization mechanism for serializing/deserializing outgoing/incoming
+ messages
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_zmq_serialization
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_immediate
+ help: This option configures round-robin mode in zmq socket. True means not
+ keeping a queue when server side disconnects. False means to keep queue and
+ messages even if server is disconnected, when the server appears we send all
+ accumulated messages to it.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_immediate
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive
+ help: Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or
+ any other negative value) means to skip any overrides and leave it to OS default;
+ 0 and 1 (or any other positive value) mean to disable and enable the option
+ respectively.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive_idle
+ help: The duration between two keepalive transmissions in idle condition. The
+ unit is platform dependent, for example, seconds in Linux, milliseconds in
+ Windows etc. The default value of -1 (or any other negative value and 0) means
+ to skip any overrides and leave it to OS default.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive_idle
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive_cnt
+ help: The number of retransmissions to be carried out before declaring that
+ remote end is not available. The default value of -1 (or any other negative
+ value and 0) means to skip any overrides and leave it to OS default.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive_cnt
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: -1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: zmq_tcp_keepalive_intvl
+ help: The duration between two successive keepalive retransmissions, if acknowledgement
+ to the previous keepalive transmission is not received. The unit is platform
+ dependent, for example, seconds in Linux, milliseconds in Windows etc. The
+ default value of -1 (or any other negative value and 0) means to skip any
+ overrides and leave it to OS default.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: zmq_tcp_keepalive_intvl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_thread_pool_size
+ help: Maximum number of (green) threads to work concurrently.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_thread_pool_size
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 300
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_message_ttl
+ help: Expiration timeout in seconds of a sent/received message after which it
+ is not tracked anymore by a client/server.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_message_ttl
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_use_acks
+ help: Wait for message acknowledgements from receivers. This mechanism works
+ only via proxy without PUB/SUB.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_use_acks
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 15
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_ack_timeout_base
+ help: Number of seconds to wait for an ack from a cast/call. After each retry
+ attempt this timeout is multiplied by some specified multiplier.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_ack_timeout_base
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 2
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_ack_timeout_multiplier
+ help: Number to multiply base ack timeout by after each retry attempt.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_ack_timeout_multiplier
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: rpc_retry_attempts
+ help: 'Default number of message sending attempts in case of any problems occurred:
+ positive value N means at most N retries, 0 means no retries, None or -1 (or
+ any other negative values) mean to retry forever. This option is used only
+ if acknowledgments are enabled.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: rpc_retry_attempts
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: subscribe_on
+ help: List of publisher hosts SubConsumer can subscribe on. This option has
+ higher priority then the default publishers list taken from the matchmaker.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: subscribe_on
+ namespace: oslo.messaging
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ standard_opts:
+ - rpc_zmq_bind_address
+ - rpc_zmq_matchmaker
+ - rpc_zmq_contexts
+ - rpc_zmq_topic_backlog
+ - rpc_zmq_ipc_dir
+ - rpc_zmq_host
+ - zmq_linger
+ - rpc_poll_timeout
+ - zmq_target_expire
+ - zmq_target_update
+ - use_pub_sub
+ - use_router_proxy
+ - use_dynamic_connections
+ - zmq_failover_connections
+ - rpc_zmq_min_port
+ - rpc_zmq_max_port
+ - rpc_zmq_bind_port_retries
+ - rpc_zmq_serialization
+ - zmq_immediate
+ - zmq_tcp_keepalive
+ - zmq_tcp_keepalive_idle
+ - zmq_tcp_keepalive_cnt
+ - zmq_tcp_keepalive_intvl
+ - rpc_thread_pool_size
+ - rpc_message_ttl
+ - rpc_use_acks
+ - rpc_ack_timeout_base
+ - rpc_ack_timeout_multiplier
+ - rpc_retry_attempts
+ - subscribe_on
+ oslo_middleware:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: 114688
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: osapi_max_request_body_size
+ - group: DEFAULT
+ name: max_request_body_size
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_request_body_size
+ help: The maximum body size for each request, in bytes.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_request_body_size
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: X-Forwarded-Proto
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: secure_proxy_ssl_header
+ help: The HTTP Header that will be used to determine what the original request
+ protocol scheme was, even if it was hidden by a SSL termination proxy.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: secure_proxy_ssl_header
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: enable_proxy_headers_parsing
+ help: Whether the application is behind a proxy or not. This determines if the
+ middleware should parse the headers or not.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: enable_proxy_headers_parsing
+ namespace: oslo.middleware
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - max_request_body_size
+ - secure_proxy_ssl_header
+ - enable_proxy_headers_parsing
+ oslo_policy:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: policy.json
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: policy_file
+ deprecated_reason: null
+ deprecated_since: null
+ dest: policy_file
+ help: The file that defines policies.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: policy_file
+ namespace: oslo.policy
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: default
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: policy_default_rule
+ deprecated_reason: null
+ deprecated_since: null
+ dest: policy_default_rule
+ help: Default rule. Enforced when a requested rule is not found.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: policy_default_rule
+ namespace: oslo.policy
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default:
+ - policy.d
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: DEFAULT
+ name: policy_dirs
+ deprecated_reason: null
+ deprecated_since: null
+ dest: policy_dirs
+ help: Directories where policy configuration files are stored. They can be relative
+ to any directory in the search path defined by the config_dir option, or absolute
+ paths. The file defined by policy_file must exist for these directories to
+ be searched. Missing or empty directories are ignored.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: policy_dirs
+ namespace: oslo.policy
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: multi valued
+ standard_opts:
+ - policy_file
+ - policy_default_rule
+ - policy_dirs
+ paste_deploy:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: keystone-paste.ini
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: config_file
+ help: Name of (or absolute path to) the Paste Deploy configuration file that
+ composes middleware and the keystone application itself into actual WSGI entry
+ points. See http://pythonpaste.org/deploy/ for additional documentation on
+ the file's format.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: config_file
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - config_file
+ policy:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the policy backend driver in the `keystone.policy` namespace.
+ Supplied drivers are `rules` (which does not support any CRUD operations for
+ the v3 policy API) and `sql`. Typically, there is no reason to set this option
+ unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: list_limit
+ help: Maximum number of entities that will be returned in a policy collection.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: list_limit
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - driver
+ - list_limit
+ profiler:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: profiler
+ name: profiler_enabled
+ deprecated_reason: null
+ deprecated_since: null
+ dest: enabled
+ help: '
+
+ Enables the profiling for all services on this node. Default value is False
+
+ (fully disable the profiling feature).
+
+
+ Possible values:
+
+
+ * True: Enables the feature
+
+ * False: Disables the feature. The profiling cannot be started via this project
+
+ operations. If the profiling is triggered by another project, this project
+ part
+
+ will be empty.
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: enabled
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: trace_sqlalchemy
+ help: '
+
+ Enables SQL requests profiling in services. Default value is False (SQL
+
+ requests won''t be traced).
+
+
+ Possible values:
+
+
+ * True: Enables SQL requests profiling. Each SQL query will be part of the
+
+ trace and can the be analyzed by how much time was spent for that.
+
+ * False: Disables SQL requests profiling. The spent time is only shown on
+ a
+
+ higher level of operations. Single SQL queries cannot be analyzed this
+
+ way.
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: trace_sqlalchemy
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: SECRET_KEY
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: hmac_keys
+ help: '
+
+ Secret key(s) to use for encrypting context data for performance profiling.
+
+ This string value should have the following format: [,,...],
+
+ where each key is some random string. A user who triggers the profiling via
+
+ the REST API has to set one of these keys in the headers of the REST API call
+
+ to include profiling results of this node for this particular project.
+
+
+ Both "enabled" flag and "hmac_keys" config options should be set to enable
+
+ profiling. Also, to generate correct profiling information across all services
+
+ at least one key needs to be consistent between OpenStack projects. This
+
+ ensures it can be used from client side to generate the trace, containing
+
+ information from all possible resources.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: hmac_keys
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: messaging://
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: connection_string
+ help: '
+
+ Connection string for a notifier backend. Default value is messaging:// which
+
+ sets the notifier to oslo_messaging.
+
+
+ Examples of possible values:
+
+
+ * messaging://: use oslo_messaging driver for sending notifications.
+
+ * mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications.
+
+ * elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending
+
+ notifications.
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: connection_string
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: notification
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: es_doc_type
+ help: '
+
+ Document type for notification indexing in elasticsearch.
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: es_doc_type
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 2m
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: es_scroll_time
+ help: '
+
+ This parameter is a time value parameter (for example: es_scroll_time=2m),
+
+ indicating for how long the nodes that participate in the search will maintain
+
+ relevant resources in order to continue and support it.
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: es_scroll_time
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 10000
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: es_scroll_size
+ help: '
+
+ Elasticsearch splits large requests in batches. This parameter defines
+
+ maximum size of each batch (for example: es_scroll_size=10000).
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: es_scroll_size
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0.1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: socket_timeout
+ help: '
+
+ Redissentinel provides a timeout option on the connections.
+
+ This parameter defines that timeout (for example: socket_timeout=0.1).
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: socket_timeout
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: floating point value
+ - advanced: false
+ choices: []
+ default: mymaster
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: sentinel_service_name
+ help: '
+
+ Redissentinel uses a service name to identify a master redis service.
+
+ This parameter defines the name (for example:
+
+ sentinal_service_name=mymaster).
+
+ '
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: sentinel_service_name
+ namespace: osprofiler
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - enabled
+ - trace_sqlalchemy
+ - hmac_keys
+ - connection_string
+ - es_doc_type
+ - es_scroll_time
+ - es_scroll_size
+ - socket_timeout
+ - sentinel_service_name
+ resource:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the resource driver in the `keystone.resource` namespace.
+ Only a `sql` driver is supplied by keystone. Unless you are writing proprietary
+ drivers for keystone, you do not need to set this option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: assignment
+ name: caching
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for resource caching. This has no effect unless global caching
+ is enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: assignment
+ name: cache_time
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: Time to cache resource data in seconds. This has no effect unless global
+ caching is enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: assignment
+ name: list_limit
+ deprecated_reason: null
+ deprecated_since: null
+ dest: list_limit
+ help: Maximum number of entities that will be returned in a resource collection.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: list_limit
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: admin_project_domain_name
+ help: Name of the domain that owns the `admin_project_name`. If left unset,
+ then there is no admin project. `[resource] admin_project_name` must also
+ be set to use this option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: admin_project_domain_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: admin_project_name
+ help: This is a special project which represents cloud-level administrator privileges
+ across services. Tokens scoped to this project will contain a true `is_admin_project`
+ attribute to indicate to policy systems that the role assignments on that
+ specific project should apply equally across every project. If left unset,
+ then there is no admin project, and thus no explicit means of cross-project
+ role assignments. `[resource] admin_project_domain_name` must also be set
+ to use this option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: admin_project_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices:
+ - 'off'
+ - new
+ - strict
+ default: 'off'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: project_name_url_safe
+ help: This controls whether the names of projects are restricted from containing
+ URL-reserved characters. If set to `new`, attempts to create or update a project
+ with a URL-unsafe name will fail. If set to `strict`, attempts to scope a
+ token with a URL-unsafe project name will fail, thereby forcing all project
+ names to be updated to be URL-safe.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: project_name_url_safe
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices:
+ - 'off'
+ - new
+ - strict
+ default: 'off'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: domain_name_url_safe
+ help: This controls whether the names of domains are restricted from containing
+ URL-reserved characters. If set to `new`, attempts to create or update a domain
+ with a URL-unsafe name will fail. If set to `strict`, attempts to scope a
+ token with a URL-unsafe domain name will fail, thereby forcing all domain
+ names to be updated to be URL-safe.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: domain_name_url_safe
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - driver
+ - caching
+ - cache_time
+ - list_limit
+ - admin_project_domain_name
+ - admin_project_name
+ - project_name_url_safe
+ - domain_name_url_safe
+ revoke:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the token revocation backend driver in the `keystone.revoke`
+ namespace. Keystone only provides a `sql` driver, so there is no reason to
+ set this option unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 1800
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: expiration_buffer
+ help: The number of seconds after a token has expired before a corresponding
+ revocation event may be purged from the backend.
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: expiration_buffer
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for revocation event caching. This has no effect unless global
+ caching is enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 3600
+ deprecated_for_removal: false
+ deprecated_opts:
+ - group: token
+ name: revocation_cache_time
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: Time to cache the revocation list and the revocation events (in seconds).
+ This has no effect unless global and `[revoke] caching` are both enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - driver
+ - expiration_buffer
+ - caching
+ - cache_time
+ role:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the role backend driver in the `keystone.role` namespace.
+ Keystone only provides a `sql` driver, so there's no reason to change this
+ unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for role caching. This has no effect unless global caching is enabled.
+ In a typical deployment, there is no reason to disable this.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: Time to cache role data, in seconds. This has no effect unless both global
+ caching and `[role] caching` are enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: list_limit
+ help: Maximum number of entities that will be returned in a role collection.
+ This may be useful to tune if you have a large number of discrete roles in
+ your deployment.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: list_limit
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - driver
+ - caching
+ - cache_time
+ - list_limit
+ saml:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: 3600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: assertion_expiration_time
+ help: Determines the lifetime for any SAML assertions generated by keystone,
+ using `NotOnOrAfter` attributes.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: assertion_expiration_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: xmlsec1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: xmlsec1_binary
+ help: Name of, or absolute path to, the binary to be used for XML signing. Although
+ only the XML Security Library (`xmlsec1`) is supported, it may have a non-standard
+ name or path on your system. If keystone cannot find the binary itself, you
+ may need to install the appropriate package, use this option to specify an
+ absolute path, or adjust keystone's PATH environment variable.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: xmlsec1_binary
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/ssl/certs/signing_cert.pem
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: certfile
+ help: Absolute path to the public certificate file to use for SAML signing.
+ The value cannot contain a comma (`,`).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: certfile
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/ssl/private/signing_key.pem
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: keyfile
+ help: Absolute path to the private key file to use for SAML signing. The value
+ cannot contain a comma (`,`).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: keyfile
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_entity_id
+ help: 'This is the unique entity identifier of the identity provider (keystone)
+ to use when generating SAML assertions. This value is required to generate
+ identity provider metadata and must be a URI (a URL is recommended). For example:
+ `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_entity_id
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: uri value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_sso_endpoint
+ help: 'This is the single sign-on (SSO) service location of the identity provider
+ which accepts HTTP POST requests. A value is required to generate identity
+ provider metadata. For example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/sso`.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_sso_endpoint
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: uri value
+ - advanced: false
+ choices: []
+ default: en
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_lang
+ help: This is the language used by the identity provider's organization.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_lang
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: SAML Identity Provider
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_organization_name
+ help: This is the name of the identity provider's organization.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_organization_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: OpenStack SAML Identity Provider
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_organization_display_name
+ help: This is the name of the identity provider's organization to be displayed.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_organization_display_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: https://example.com/
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_organization_url
+ help: This is the URL of the identity provider's organization. The URL referenced
+ here should be useful to humans.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_organization_url
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: uri value
+ - advanced: false
+ choices: []
+ default: Example, Inc.
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_contact_company
+ help: This is the company name of the identity provider's contact person.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_contact_company
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: SAML Identity Provider Support
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_contact_name
+ help: This is the given name of the identity provider's contact person.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_contact_name
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: Support
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_contact_surname
+ help: This is the surname of the identity provider's contact person.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_contact_surname
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: support@example.com
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_contact_email
+ help: This is the email address of the identity provider's contact person.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_contact_email
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: +1 800 555 0100
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_contact_telephone
+ help: This is the telephone number of the identity provider's contact person.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_contact_telephone
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices:
+ - technical
+ - support
+ - administrative
+ - billing
+ - other
+ default: other
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_contact_type
+ help: This is the type of contact that best describes the identity provider's
+ contact person.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_contact_type
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/saml2_idp_metadata.xml
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: idp_metadata_path
+ help: Absolute path to the identity provider metadata file. This file should
+ be generated with the `keystone-manage saml_idp_metadata` command. There is
+ typically no reason to change this value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: idp_metadata_path
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 'ss:mem:'
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: relay_state_prefix
+ help: The prefix of the RelayState SAML attribute to use when generating enhanced
+ client and proxy (ECP) assertions. In a typical deployment, there is no reason
+ to change this value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: relay_state_prefix
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - assertion_expiration_time
+ - xmlsec1_binary
+ - certfile
+ - keyfile
+ - idp_entity_id
+ - idp_sso_endpoint
+ - idp_lang
+ - idp_organization_name
+ - idp_organization_display_name
+ - idp_organization_url
+ - idp_contact_company
+ - idp_contact_name
+ - idp_contact_surname
+ - idp_contact_email
+ - idp_contact_telephone
+ - idp_contact_type
+ - idp_metadata_path
+ - relay_state_prefix
+ security_compliance:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: disable_user_account_days_inactive
+ help: The maximum number of days a user can go without authenticating before
+ being considered "inactive" and automatically disabled (locked). This feature
+ is disabled by default; set any value to enable it. This feature depends on
+ the `sql` backend for the `[identity] driver`. When a user exceeds this threshold
+ and is considered "inactive", the user's `enabled` attribute in the HTTP API
+ may not match the value of the user's `enabled` column in the user table.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: disable_user_account_days_inactive
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: lockout_failure_attempts
+ help: The maximum number of times that a user can fail to authenticate before
+ the user account is locked for the number of seconds specified by `[security_compliance]
+ lockout_duration`. This feature is disabled by default. If this feature is
+ enabled and `[security_compliance] lockout_duration` is not set, then users
+ may be locked out indefinitely until the user is explicitly enabled via the
+ API. This feature depends on the `sql` backend for the `[identity] driver`.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: lockout_failure_attempts
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1800
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: lockout_duration
+ help: The number of seconds a user account will be locked when the maximum number
+ of failed authentication attempts (as specified by `[security_compliance]
+ lockout_failure_attempts`) is exceeded. Setting this option will have no effect
+ unless you also set `[security_compliance] lockout_failure_attempts` to a
+ non-zero value. This feature depends on the `sql` backend for the `[identity]
+ driver`.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: lockout_duration
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password_expires_days
+ help: The number of days for which a password will be considered valid before
+ requiring it to be changed. This feature is disabled by default. If enabled,
+ new password changes will have an expiration date, however existing passwords
+ would not be impacted. This feature depends on the `sql` backend for the `[identity]
+ driver`.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: password_expires_days
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 1
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: unique_last_password_count
+ help: This controls the number of previous user password iterations to keep
+ in history, in order to enforce that newly created passwords are unique. Setting
+ the value to one (the default) disables this feature. Thus, to enable this
+ feature, values must be greater than 1. This feature depends on the `sql`
+ backend for the `[identity] driver`.
+ max: null
+ metavar: null
+ min: 1
+ mutable: false
+ name: unique_last_password_count
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 0
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: minimum_password_age
+ help: 'The number of days that a password must be used before the user can change
+ it. This prevents users from changing their passwords immediately in order
+ to wipe out their password history and reuse an old password. This feature
+ does not prevent administrators from manually resetting passwords. It is disabled
+ by default and allows for immediate password changes. This feature depends
+ on the `sql` backend for the `[identity] driver`. Note: If `[security_compliance]
+ password_expires_days` is set, then the value for this option should be less
+ than the `password_expires_days`.'
+ max: null
+ metavar: null
+ min: 0
+ mutable: false
+ name: minimum_password_age
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password_regex
+ help: 'The regular expression used to validate password strength requirements.
+ By default, the regular expression will match any password. The following
+ is an example of a pattern which requires at least 1 letter, 1 digit, and
+ have a minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This
+ feature depends on the `sql` backend for the `[identity] driver`.'
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password_regex
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: password_regex_description
+ help: Describe your password regular expression here in language for humans.
+ If a password fails to match the regular expression, the contents of this
+ configuration variable will be returned to users to explain why their requested
+ password was insufficient.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: password_regex_description
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: change_password_upon_first_use
+ help: Enabling this option requires users to change their password when the
+ user is created, or upon administrative reset. Before accessing any services,
+ affected users will have to change their password. To ignore this requirement
+ for specific users, such as service users, set the `options` attribute `ignore_change_password_upon_first_use`
+ to `True` for the desired user via the update user API. This feature is disabled
+ by default. This feature is only applicable with the `sql` backend for the
+ `[identity] driver`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: change_password_upon_first_use
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ standard_opts:
+ - disable_user_account_days_inactive
+ - lockout_failure_attempts
+ - lockout_duration
+ - password_expires_days
+ - unique_last_password_count
+ - minimum_password_age
+ - password_regex
+ - password_regex_description
+ - change_password_upon_first_use
+ shadow_users:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the shadow users backend driver in the `keystone.identity.shadow_users`
+ namespace. This driver is used for persisting local user references to externally-managed
+ identities (via federation, LDAP, etc). Keystone only provides a `sql` driver,
+ so there is no reason to change this option unless you are providing a custom
+ entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - driver
+ signing:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: /etc/keystone/ssl/certs/signing_cert.pem
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: certfile
+ help: Absolute path to the public certificate file to use for signing responses
+ to revocation lists requests. Set this together with `[signing] keyfile`.
+ For non-production environments, you may be interested in using `keystone-manage
+ pki_setup` to generate self-signed certificates.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: certfile
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/ssl/private/signing_key.pem
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: keyfile
+ help: Absolute path to the private key file to use for signing responses to
+ revocation lists requests. Set this together with `[signing] certfile`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: keyfile
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/ssl/certs/ca.pem
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: ca_certs
+ help: Absolute path to the public certificate authority (CA) file to use when
+ creating self-signed certificates with `keystone-manage pki_setup`. Set this
+ together with `[signing] ca_key`. There is no reason to set this option unless
+ you are requesting revocation lists in a non-production environment. Use a
+ `[signing] certfile` issued from a trusted certificate authority instead.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ca_certs
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: /etc/keystone/ssl/private/cakey.pem
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: ca_key
+ help: Absolute path to the private certificate authority (CA) key file to use
+ when creating self-signed certificates with `keystone-manage pki_setup`. Set
+ this together with `[signing] ca_certs`. There is no reason to set this option
+ unless you are requesting revocation lists in a non-production environment.
+ Use a `[signing] certfile` issued from a trusted certificate authority instead.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: ca_key
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 2048
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: key_size
+ help: Key size (in bits) to use when generating a self-signed token signing
+ certificate. There is no reason to set this option unless you are requesting
+ revocation lists in a non-production environment. Use a `[signing] certfile`
+ issued from a trusted certificate authority instead.
+ max: null
+ metavar: null
+ min: 1024
+ mutable: false
+ name: key_size
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: 3650
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: valid_days
+ help: The validity period (in days) to use when generating a self-signed token
+ signing certificate. There is no reason to set this option unless you are
+ requesting revocation lists in a non-production environment. Use a `[signing]
+ certfile` issued from a trusted certificate authority instead.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: valid_days
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: '`keystone-manage pki_setup` was deprecated in Mitaka and
+ removed in Pike. These options remain for backwards compatibility.'
+ deprecated_since: P
+ dest: cert_subject
+ help: The certificate subject to use when generating a self-signed token signing
+ certificate. There is no reason to set this option unless you are requesting
+ revocation lists in a non-production environment. Use a `[signing] certfile`
+ issued from a trusted certificate authority instead.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cert_subject
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - certfile
+ - keyfile
+ - ca_certs
+ - ca_key
+ - key_size
+ - valid_days
+ - cert_subject
+ token:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: bind
+ help: This is a list of external authentication mechanisms which should add
+ token binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata
+ is enforced according to the `[token] enforce_token_bind` option.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: bind
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: list value
+ - advanced: false
+ choices: []
+ default: permissive
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: P
+ dest: enforce_token_bind
+ help: This controls the token binding enforcement policy on tokens presented
+ to keystone with token binding metadata (as specified by the `[token] bind`
+ option). `disabled` completely bypasses token binding validation. `permissive`
+ and `strict` do not require tokens to have binding metadata (but will validate
+ it if present), whereas `required` will always demand tokens to having binding
+ metadata. `permissive` will allow unsupported binding metadata to pass through
+ without validation (usually to be validated at another time by another component),
+ whereas `strict` and `required` will demand that the included binding metadata
+ be supported by keystone.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: enforce_token_bind
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: 3600
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: expiration
+ help: The amount of time that a token should remain valid (in seconds). Drastically
+ reducing this value may break "long-running" operations that involve multiple
+ services to coordinate together, and will force users to authenticate with
+ keystone more frequently. Drastically increasing this value will increase
+ load on the `[token] driver`, as more tokens will be simultaneously valid.
+ Keystone tokens are also bearer tokens, so a shorter duration will also reduce
+ the potential security impact of a compromised token.
+ max: 9223372036854775807
+ metavar: null
+ min: 0
+ mutable: false
+ name: expiration
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: fernet
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: provider
+ help: Entry point for the token provider in the `keystone.token.provider` namespace.
+ The token provider controls the token construction, validation, and revocation
+ operations. Keystone includes `fernet` and `uuid` token providers. `uuid`
+ tokens must be persisted (using the backend specified in the `[token] driver`
+ option), but do not require any extra configuration or setup. `fernet` tokens
+ do not need to be persisted at all, but require that you run `keystone-manage
+ fernet_setup` (also see the `keystone-manage fernet_rotate` command).
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: provider
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: true
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: P
+ dest: driver
+ help: Entry point for the token persistence backend driver in the `keystone.token.persistence`
+ namespace. Keystone provides the `sql` driver. The `sql` option (default)
+ depends on the options in your `[database]` section. If you're using the `fernet`
+ `[token] provider`, this backend will not be utilized to persist tokens at
+ all.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: caching
+ help: Toggle for caching token creation and validation data. This has no effect
+ unless global caching is enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: caching
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: null
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_time
+ help: The number of seconds to cache token creation and validation data. This
+ has no effect unless both global and `[token] caching` are enabled.
+ max: 9223372036854775807
+ metavar: null
+ min: 0
+ mutable: false
+ name: cache_time
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: revoke_by_id
+ help: This toggles support for revoking individual tokens by the token identifier
+ and thus various token enumeration operations (such as listing all tokens
+ issued to a specific user). These operations are used to determine the list
+ of tokens to consider revoked. Do not disable this option if you're using
+ the `kvs` `[revoke] driver`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: revoke_by_id
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_rescope_scoped_token
+ help: This toggles whether scoped tokens may be re-scoped to a new project or
+ domain, thereby preventing users from exchanging a scoped token (including
+ those with a default project scope) for any other token. This forces users
+ to either authenticate for unscoped tokens (and later exchange that unscoped
+ token for tokens with a more specific scope) or to provide their credentials
+ in every request for a scoped token to avoid re-scoping altogether.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_rescope_scoped_token
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: infer_roles
+ help: This controls whether roles should be included with tokens that are not
+ directly assigned to the token's scope, but are instead linked implicitly
+ to other role assignments.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: infer_roles
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: cache_on_issue
+ help: Enable storing issued token data to token validation cache so that first
+ token validation doesn't actually cause full validation cycle. This option
+ has no effect unless global caching and token caching are enabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: cache_on_issue
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 172800
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_expired_window
+ help: This controls the number of seconds that a token can be retrieved for
+ beyond the built-in expiry time. This allows long running operations to succeed.
+ Defaults to two days.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_expired_window
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ standard_opts:
+ - bind
+ - enforce_token_bind
+ - expiration
+ - provider
+ - driver
+ - caching
+ - cache_time
+ - revoke_by_id
+ - allow_rescope_scoped_token
+ - infer_roles
+ - cache_on_issue
+ - allow_expired_window
+ tokenless_auth:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: []
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: trusted_issuer
+ help: The list of distinguished names which identify trusted issuers of client
+ certificates allowed to use X.509 tokenless authorization. If the option is
+ absent then no certificates will be allowed. The format for the values of
+ a distinguished name (DN) must be separated by a comma and contain no spaces.
+ Furthermore, because an individual DN may contain commas, this configuration
+ option may be repeated multiple times to represent multiple values. For example,
+ keystone.conf would include two consecutive lines in order to trust two different
+ DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` and `trusted_issuer
+ = CN=mary,OU=eng,O=abc`.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: trusted_issuer
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: multi valued
+ - advanced: false
+ choices: []
+ default: x509
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: protocol
+ help: The federated protocol ID used to represent X.509 tokenless authorization.
+ This is used in combination with the value of `[tokenless_auth] issuer_attribute`
+ to find a corresponding federated mapping. In a typical deployment, there
+ is no reason to change this value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: protocol
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ - advanced: false
+ choices: []
+ default: SSL_CLIENT_I_DN
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: issuer_attribute
+ help: The name of the WSGI environment variable used to pass the issuer of the
+ client certificate to keystone. This attribute is used as an identity provider
+ ID for the X.509 tokenless authorization along with the protocol to look up
+ its corresponding mapping. In a typical deployment, there is no reason to
+ change this value.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: issuer_attribute
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - trusted_issuer
+ - protocol
+ - issuer_attribute
+ trust:
+ driver_option: ''
+ driver_opts: {}
+ dynamic_group_owner: ''
+ help: ''
+ opts:
+ - advanced: false
+ choices: []
+ default: true
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: enabled
+ help: Delegation and impersonation features using trusts can be optionally disabled.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: enabled
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: false
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: allow_redelegation
+ help: Allows authorization to be redelegated from one user to another, effectively
+ chaining trusts together. When disabled, the `remaining_uses` attribute of
+ a trust is constrained to be zero.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: allow_redelegation
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: boolean value
+ - advanced: false
+ choices: []
+ default: 3
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: max_redelegation_count
+ help: Maximum number of times that authorization can be redelegated from one
+ user to another in a chain of trusts. This number may be reduced further for
+ a specific trust.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: max_redelegation_count
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: integer value
+ - advanced: false
+ choices: []
+ default: sql
+ deprecated_for_removal: false
+ deprecated_opts: []
+ deprecated_reason: null
+ deprecated_since: null
+ dest: driver
+ help: Entry point for the trust backend driver in the `keystone.trust` namespace.
+ Keystone only provides a `sql` driver, so there is no reason to change this
+ unless you are providing a custom entry point.
+ max: null
+ metavar: null
+ min: null
+ mutable: false
+ name: driver
+ namespace: keystone
+ positional: false
+ required: false
+ sample_default: null
+ secret: false
+ short: null
+ type: string value
+ standard_opts:
+ - enabled
+ - allow_redelegation
+ - max_redelegation_count
+ - driver
+