From 1baf3e65232183e8162eb46c28a4fa7708ff3509 Mon Sep 17 00:00:00 2001
From: Samriddhi Jain <j.samriddhi13@gmail.com>
Date: Thu, 15 Jun 2017 10:53:10 +0530
Subject: [PATCH] Added configuration references to documentation

Currently some of the config references docs are a part of
general OpenStack-manuals. Migrating those docs to keystone
documentation so that they can be reviewed effectively by
keystone developers too.

Following the specs, the files are added to admin/ and
configuration/ directories.

The files containing congiguration options are added
in a subsequent patch using oslo.config plugin.

Partial-Bug #1694460

Change-Id: I9a85f610e66a10dac54c50b2a54305e979888ee5
---
 doc/source/admin/caching.rst                  |  35 ++
 doc/source/admin/federated-identity.rst       | 501 ++++++++++++++++++
 .../admin/figures/keystone-federation.png     | Bin 0 -> 21328 bytes
 .../admin/figures/keystone-federation.svg     |  79 +++
 doc/source/admin/identity-management.rst      |   3 +
 doc/source/admin/token-provider.rst           |  49 ++
 doc/source/configuration/samples/index.rst    |  13 +
 .../configuration/samples/keystone-conf.rst   |   8 +
 .../samples/keystone-paste-ini.rst            |   8 +
 .../configuration/samples/logging-conf.rst    |  11 +
 .../configuration/samples/policy-json.rst     |   8 +
 doc/source/index.rst                          |   8 +
 12 files changed, 723 insertions(+)
 create mode 100644 doc/source/admin/caching.rst
 create mode 100644 doc/source/admin/federated-identity.rst
 create mode 100644 doc/source/admin/figures/keystone-federation.png
 create mode 100644 doc/source/admin/figures/keystone-federation.svg
 create mode 100644 doc/source/admin/token-provider.rst
 create mode 100644 doc/source/configuration/samples/index.rst
 create mode 100644 doc/source/configuration/samples/keystone-conf.rst
 create mode 100644 doc/source/configuration/samples/keystone-paste-ini.rst
 create mode 100644 doc/source/configuration/samples/logging-conf.rst
 create mode 100644 doc/source/configuration/samples/policy-json.rst

diff --git a/doc/source/admin/caching.rst b/doc/source/admin/caching.rst
new file mode 100644
index 0000000000..3fd6cca3b1
--- /dev/null
+++ b/doc/source/admin/caching.rst
@@ -0,0 +1,35 @@
+=============
+Caching layer
+=============
+
+Identity supports a caching layer that is above the configurable subsystems,
+such as token or assignment. The majority of the caching configuration options
+are set in the ``[cache]`` section. However, each section that has the
+capability to be cached usually has a ``caching`` option that will toggle
+caching for that specific section. By default, caching is globally disabled.
+
+Current functional back ends are:
+
+``dogpile.cache.memcached``
+   Memcached back end using the standard ``python-memcached`` library.
+
+``dogpile.cache.pylibmc``
+   Memcached back end using the ``pylibmc`` library.
+
+``dogpile.cache.bmemcached``
+   Memcached using the ``python-binary-memcached`` library.
+
+``dogpile.cache.redis``
+   Redis back end.
+
+``dogpile.cache.dbm``
+   Local DBM file back end.
+
+``dogpile.cache.memory``
+   In-memory cache, not suitable for use outside of testing as it does not
+   cleanup its internal cache on cache expiration and does not share cache
+   between processes. This means that caching and cache invalidation will not
+   be consistent or reliable.
+
+``dogpile.cache.mongo``
+    MongoDB as caching back end.
diff --git a/doc/source/admin/federated-identity.rst b/doc/source/admin/federated-identity.rst
new file mode 100644
index 0000000000..173a92ace4
--- /dev/null
+++ b/doc/source/admin/federated-identity.rst
@@ -0,0 +1,501 @@
+==================
+Federated Identity
+==================
+
+You can use federation for the Identity service (keystone) in two ways:
+
+* Supporting keystone as a :abbr:`SP (Service Provider)`: consuming identity
+  assertions issued by an external Identity Provider, such as SAML
+  assertions or OpenID Connect claims.
+* Supporting keystone as an :abbr:`IdP (Identity Provider)`: fulfilling
+  authentication requests on behalf of Service Providers.
+
+  .. note::
+
+      It is also possible to have one keystone act as an SP that
+      consumes Identity from another keystone acting as an IdP.
+
+There is currently support for two major federation protocols:
+
+* `SAML <https://en.wikipedia.org/wiki/SAML_2.0>`_
+* `OpenID Connect <https://en.wikipedia.org/wiki/OpenID_Connect>`_
+
+.. figure:: figures/keystone-federation.png
+   :width: 100%
+
+   Keystone federation
+
+To enable federation:
+
+#. Run keystone under Apache. See `Configure the Apache HTTP server
+   <https://docs.openstack.org/ocata/install-guide-obs/keystone-install.html>`_
+   for more information.
+
+   .. note::
+
+      Other application servers, such as `nginx <https://www.nginx.com/resources/wiki>`_,
+      have support for federation extensions that may work but are not tested
+      by the community.
+
+#. Configure Apache to use a federation capable module.
+   We recommend Shibboleth, see `the Shibboleth documentation <https://docs.openstack.org/developer/keystone/federation/shibboleth.html>`_
+   for more information.
+
+   .. note::
+
+      Another option is ``mod_auth_melon``, see `the mod's github repo <https://github.com/UNINETT/mod_auth_mellon>`_
+      for more information.
+
+#. Configure federation in keystone.
+
+.. note::
+
+   The external IdP is responsible for authenticating users and communicates
+   the result of authentication to keystone using authentication assertions.
+   Keystone maps these values to keystone user groups and assignments
+   created in keystone.
+
+Supporting keystone as a SP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To have keystone as an SP, you will need to configure
+keystone to accept assertions from external IdPs. Examples of external
+IdPs are:
+
+* :abbr:`ADFS (Active Directory Federation Services)`
+* FreeIPA
+* Tivoli Access Manager
+* Keystone
+
+Configuring federation in keystone
+----------------------------------
+
+#. Configure authentication drivers in ``keystone.conf`` by adding the
+   authentication methods to the ``[auth]`` section in ``keystone.conf``.
+   Ensure the names are the same as to the protocol names added via Identity
+   API v3.
+
+   For example:
+
+   .. code-block:: ini
+
+      [auth]
+      methods = external,password,token,mapped,openid
+
+   .. note::
+
+      ``mapped`` and ``openid`` are the federation specific drivers.
+      The other names in the example are not related to federation.
+
+#. Create local keystone groups and assign roles.
+
+   .. important::
+
+      The keystone requires group-based role assignments to authorize
+      federated users. The federation mapping engine maps federated users into
+      local user groups, which are the actors in keystone's role assignments.
+
+#. Create an IdP object in keystone. The object must represent the
+   IdP you will use to authenticate end users:
+
+   .. code:: ini
+
+      PUT /OS-FEDERATION/identity_providers/{idp_id}
+
+   More configuration information for IdPs can be found `Register an Identity Provider <https://developer.openstack.org/api-ref/identity/v3-ext/index.html#register-an-identity-provider>`_.
+
+#. Add mapping rules:
+
+   .. code:: ini
+
+      PUT /OS-FEDERATION/mappings/{mapping_id}
+
+   More configuration information for mapping rules can be found `Create a mapping <https://developer.openstack.org/api-ref/identity/v3-ext/index.html#create-a-mapping>`_.
+
+   .. note::
+
+       The only keystone API objects that support mapping are groups and users.
+
+#. Add a protocol object and specify the mapping ID you want to use with the
+   combination of the IdP and protocol:
+
+   .. code:: ini
+
+      PUT /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+
+   More configuration information for protocols can be found `Add a protocol and attribute mapping to an identity provider <https://developer.openstack.org/api-ref/identity/v3-ext/index.html#add-a-protocol-and-attribute-mapping-to-an-identity-provider>`_.
+
+Performing federated authentication
+-----------------------------------
+
+#. Authenticate externally and generate an unscoped token in keystone:
+
+   .. note::
+
+      Unlike other authentication methods in keystone, the user does
+      not issue an HTTP POST request with authentication data in the request body.
+      To start federated authentication a user must access the dedicated URL with
+      IdP's and orotocol’s identifiers stored within a protected URL.
+      The URL has a format of:
+      ``/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth``.
+
+   .. code:: ini
+
+      GET/POST /OS-FEDERATION/identity_providers/{identity_provider}/protocols/{protocol}/auth
+
+#. Determine accessible resources. By using the previously returned token, the
+   user can issue requests to the list projects and domains that are
+   accessible.
+
+   * List projects a federated user can access: GET /OS-FEDERATION/projects
+   * List domains a federated user can access: GET /OS-FEDERATION/domains
+
+   .. code:: ini
+
+      GET /OS-FEDERATION/projects
+
+#. Get a scoped token. A federated user can request a scoped token using
+   the unscoped token. A project or domain can be specified by either ID or
+   name. An ID is sufficient to uniquely identify a project or domain.
+
+   .. code:: ini
+
+      POST /auth/tokens
+
+Supporting keystone as an IdP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When acting as an IdP, the primary role of keystone is
+to issue assertions about users owned by keystone. This is done using PySAML2.
+
+Configuring federation in keystone
+----------------------------------
+
+There are certain settings in ``keystone.conf`` that must be set up, prior
+to attempting to federate multiple keystone deployments.
+
+#. Within ``keystone.conf``, assign values to the ``[saml]``
+   related fields, for example:
+
+   .. code:: ini
+
+      [saml]
+      certfile=/etc/keystone/ssl/certs/ca.pem
+      keyfile=/etc/keystone/ssl/private/cakey.pem
+      idp_entity_id=https://keystone.example.com/v3/OS-FEDERATION/saml2/idp
+      idp_sso_endpoint=https://keystone.example.com/v3/OS-FEDERATION/saml2/sso
+      idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
+
+#. We recommend the following `Organization` configuration options.
+   Ensure these values contain not special characters that may cause
+   problems as part of a URL:
+
+   .. code:: ini
+
+      idp_organization_name=example_company
+      idp_organization_display_name=Example Corp.
+      idp_organization_url=example.com
+
+#. As with the `Organization` options, the `Contact` options are not
+   necessary, but it is advisable to set these values:
+
+   .. code:: ini
+
+      idp_contact_company=example_company
+      idp_contact_name=John
+      idp_contact_surname=Smith
+      idp_contact_email=jsmith@example.com
+      idp_contact_telephone=555-55-5555
+      idp_contact_type=technical
+
+Generate metadata
+-----------------
+
+Metadata must be exchanged to create a trust between the IdP and the SP.
+
+#. Create metadata for your keystone IdP, run the ``keystone-manage`` command
+   and pipe the output to a file. For example:
+
+   .. code:: console
+
+      $ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
+
+   .. note::
+
+      The file location must match the value of the ``idp_metadata_path``
+      configuration option assigned previously.
+
+Create a SP
+-----------
+
+To setup keystone-as-a-Service-Provider properly, you will need to
+understand what protocols are supported by external IdPs.
+For example, keystone as an SP can allow identities to federate in from a
+ADFS IdP but it must be configured to understand the SAML v2.0 protocol.
+ADFS issues assertions using SAML v2.0. Some examples
+of federated protocols include:
+
+* SAML v2.0
+* OpenID Connect
+
+The following instructions are an example of how you can configure
+keystone as an SP.
+
+#. Create a new SP with an ID of BETA.
+
+#. Create a ``sp_url`` of `<http://beta.example.com/Shibboleth.sso/SAML2/ECP>`_.
+
+#. Create a ``auth_url`` of `<http://beta.example.com:5000/v3/OS-FEDERATION/identity_providers/beta/protocols/saml2/auth>`_.
+
+   .. note::
+
+      Use the ``sp_url`` when creating a SAML assertion for BETA and signed by
+      the current keystone IdP. Use the ``auth_url`` when retrieving the token
+      for BETA once the SAML assertion is sent.
+
+#. Set the ``enabled`` field to ``true``. It is set to
+   ``false`` by default.
+
+#. Your output should reflect the following example:
+
+   .. code:: console
+
+      $ curl -s -X PUT \
+     -H "X-Auth-Token: $OS_TOKEN" \
+     -H "Content-Type: application/json" \
+     -d '{"service_provider": {"auth_url": "http://beta.example.com:5000/v3/OS-FEDERATION/identity_providers/beta/protocols/saml2/auth", "sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP", "enabled": true}}' \
+     http://localhost:5000/v3/OS-FEDERATION/service_providers/BETA | python -mjson.tool
+
+keystone-to-keystone
+~~~~~~~~~~~~~~~~~~~~
+
+Keystone acting as an IdP is known as :abbr:`k2k (keystone-2-keystone)`
+or k2k federation, where a keystone somewhere is acting as the SP
+and another keystone is acting as the IdP. All IdPs issue
+assertions about the identities it owns using a `Protocol`.
+
+Mapping rules
+~~~~~~~~~~~~~
+
+Mapping adds a set of rules to map federation attributes to keystone users
+or groups. An IdP has exactly one mapping specified per protocol.
+
+A mapping is a translation between assertions provided from an IdP and
+the permission and roles applied by an SP. Given an assertion from an IdP, an
+SP applies a mapping to translate attributes from the
+IdP to known roles. A mapping is typically
+owned by an SP.
+
+Mapping objects can be used multiple times by different combinations
+of IdP and protocol.
+
+A rule hierarchy is as follows:
+
+.. code:: ini
+
+   {
+        "rules": [
+           {
+               "local": [
+                  {
+                       "<user> or <group>"
+                   }
+               ],
+               "remote": [
+                   {
+                       "<condition>"
+                   }
+               ]
+           }
+       ]
+   }
+
+* ``rules``: top-level list of rules.
+* ``local``: a rule containing information on what local attributes
+  will be mapped.
+* ``remote``: a rule containing information on what remote attributes will
+  be mapped.
+* ``condition``: contains information on conditions that allow a rule, can
+  only be set in a remote rule.
+
+For more information on mapping rules, see `Mapping Rules
+<https://docs.openstack.org/developer/keystone/federation/federated_identity.html#mapping-rules>`_.
+
+Mapping creation
+----------------
+
+Mapping creation starts with the communication between the IdP and SP.
+The IdP usually provides a set of assertions that their users
+have in their assertion document. The SP will have to map
+those assertions to known groups and roles.
+For example:
+
+.. code:: ini
+
+   Identity Provider 1:
+     name: jsmith
+     groups: hacker
+     other: <assertion information>
+   The Service Provider may have 3 groups:
+     Admin Group
+     Developer Group
+     User Group
+
+   The mapping created by the Service Provider might look like:
+     Local:
+     Group: Developer Group
+   Remote:
+     Groups: hackers
+
+The ``Developer Group`` may have a role assignment on the
+``Developer Project``. When `jsmith` authenticates against IdP 1, it
+presents that assertion to the SP.The SP maps the `jsmith` user to the
+``Developer Group`` because the assertion says `jsmith` is a member of
+the ``hacker`` group.
+
+Mapping examples
+----------------
+
+A bare bones mapping is sufficient if you would like all federated users to
+have the same authorization in the SP cloud. However, mapping is
+quite powerful and flexible. You can map different remote
+users into different user groups in keystone, limited only by the number of
+assertions your IdP makes about each user.
+
+A mapping is composed of a list of rules, and each rule is further composed of
+a list of remote attributes and a list of local attributes. If a rule is
+matched, all of the local attributes are applied in the SP. For a
+rule to match, all of the remote attributes it defines must match.
+
+In the base case, a federated user simply needs an assertion containing
+an email address to be identified in the SP cloud. To achieve that, only
+one rule is needed that requires the presence of one remote attribute:
+
+.. code:: javascript
+
+    {
+        "rules": [
+            {
+                "remote": [
+                    {
+                        "type": "Email"
+                    }
+                ],
+                "local": [
+                    {
+                        "user": {
+                            "name": "{0}"
+                        }
+                    }
+                ]
+            }
+        ]
+    }
+
+However, that is not particularly useful as the federated user would receive no
+authorization. To rectify it, you can map all federated users with email
+addresses into a ``federated-users`` group in the ``default`` domain. All
+federated users will then be able to consume whatever role assignments that
+user group has already received in keystone:
+
+.. note::
+
+   In this example, there is only one rule requiring one remote attribute.
+
+.. code:: javascript
+
+    {
+        "rules": [
+            {
+                "remote": [
+                    {
+                        "type": "Email"
+                    }
+                ],
+                "local": [
+                    {
+                        "user": {
+                            "name": "{0}"
+                        }
+                    },
+                    {
+                        "group": {
+                            "domain": {
+                                "id": "0cd5e9"
+                            },
+                            "name": "federated-users"
+                        }
+                    }
+                ]
+            }
+        ]
+    }
+
+This example can be expanded by adding a second rule that conveys
+additional authorization to only a subset of federated users. Federated users
+with a `title` attribute that matches either ``Manager`` or
+``Supervisor`` are granted the hypothetical ``observer`` role, which would
+allow them to perform any read-only API call in the cloud:
+
+.. code:: javascript
+
+    {
+        "rules": [
+            {
+                "remote": [
+                    {
+                        "type": "Email"
+                    },
+                ],
+                "local": [
+                    {
+                        "user": {
+                            "name": "{0}"
+                        }
+                    },
+                    {
+                        "group": {
+                            "domain": {
+                                "id": "default"
+                            },
+                            "name": "federated-users"
+                        }
+                    }
+                ]
+            },
+            {
+                "remote": [
+                    {
+                        "type": "Title",
+                        "any_one_of": [".*Manager$", "Supervisor"],
+                        "regex": "true"
+                    },
+                ],
+                "local": [
+                    {
+                        "group": {
+                            "domain": {
+                                "id": "default"
+                            },
+                            "name": "observers"
+                        }
+                    }
+                ]
+            }
+        ]
+    }
+
+.. note::
+
+   ``any_one_of`` and ``regex`` in the rule above map federated users into
+   the ``observers`` group when a user's ``Title`` assertion matches any of
+   the regular expressions specified in the ``any_one_of`` attribute.
+
+Keystone also supports the following:
+
+* ``not_any_of``, matches any assertion that does not include one of
+  the specified values
+* ``blacklist``, matches all assertions of the specified type except
+  those included in the specified value
+* ``whitelist`` does not match any assertion except those listed in the
+  specified value.
diff --git a/doc/source/admin/figures/keystone-federation.png b/doc/source/admin/figures/keystone-federation.png
new file mode 100644
index 0000000000000000000000000000000000000000..b076e006d8d0bdb85329622772c776162807c5d8
GIT binary patch
literal 21328
zcma%jbyQSe*e)$7NQ;zoBOM|QN+aDZC5?nM1A;WtAT1@`-3>FebcYTg4Fd=R19K1l
zzPr}9?qBy0*E*cpXUDtW{l@b?+er0y@_3Ia9;2Y3;3+D+(L_N(1p)skv9W+Rd~~54
zC@2^#zS{a8PTulv7Oo#uU97AfQBYL1^{UHxi0%dDmjfdIY$p)OyhN3OjFP@I&j?mO
zKd3HnFER;^-KFIJO+M)_SvX6>J(VJf(bP3+P%>fxr`x9aT(kMe!{kPm^#W6NAE|Hm
zGz_!rfJXC8oe-yWco()@{qF)cIrQQC&1;&S?hkA+mU?p5HbL7CU#z$p&jqbYg01ff
zhzz~H-?eq6_&n+ER=C9V3uP7f*vo~XoIv(fswKB;njDdv!rhW`PT8|{)pD_Yi<n8q
z)ZavuFJ9egj_n1ap6az`S;EW9Xe+w%h$W$<*7+!Qg2m!Qi#6anbeJAle?W0ku|(6Q
z`BlJ5kg8PU{%6O?i77^9D>-fsSvG=&t6hC+iS8?`8kUq9=%2{VbBOq@+GnxoI;x^{
za4Y(G13l~4a4wdnHBgn$->9o#E&lWlVe#R{_kwMI?@ZF!Sq|4LQ@>TUg;5*#2|T{3
zEX)2yt`MGhNDei#pm;qxTN=XAkn;wcinNzZDRqNGI*9*yl0}*FlG<8J_Orb7XOkZb
zQXSz>EzPf<tF?(Ixc><aQ$)XUc9wWqhbF$fHT(T}G8MyLSyy^iTV5mD9<3b<u0grE
z#UrlE;NtmQi%+~x?+mDS>J5q)Ub}sHx}e85U+z3rM2n*8@brmIMOFnBUXF_krdk-{
z8A~c?A;h}ZPiZ}5Zn0?b+&Fr#<1kh0kLFwYRL3d%6Q&wc-xooG1sOz7c%~|tm@|Gp
z3-$BdjAGZR@Q`Z=$cSCf_XxPyW3j3a<0iQ_cDS04D^^gNsLY-`HL8s&fW&!oLvXX!
zQ`7Jbr<*7GDB>x0&ctXo^Om2K>3uXa<Jq3fiE63GZH>z9OkCa#Q~Yg9c|PxHRO4J3
zBR82dtsf~LwQFInkyFUpY*bxsO_j5Gq{=g5Q@?cEm%bkTO4tN%e0m}EgPV%T0uH&J
zp8YXS;@6e@BNXJ8>VjAU+^_V^o0>+h!l`lQ_m%=Zc4HoR3f-~{uCZfFGL|}0^F6`c
zo7zCOSMdW5>GDOo&5Ck(mO~i*k6kOOL=2=2rv^QmLLiLOxmDncmY<)$$CgT++nss5
z)@spFwG;IL%4ICk1fBzKDUE<qIyQ6h+LdOG{;Kmy1oxXMUzsaI^Fp^Rzopgi4>rTL
z?$%Mu>)#<JXQ>3b9c6U;>0<9(Q@FC~^&tC9@mCJNV+=)83e?!}SAYL<b%>uFbQ5)Z
zSt(eq^JN)71(`)35E^WziV(PwsjvHxX>~=FPjBtv&YzN&bCol&W;*AlE*y;a_-f1M
zw?k>cFOSlj9%27TxvUuq7*$riHO!H?BtOS63nVyT{2`{%@kN)@aPjSr)+gYLOWKp)
z(06Aef6ved(W#t$KkB}rIPZ(P;%@afd*eESe6_82KimYp<i^^!Oh7@QMNxbst?g}k
zl>I1K`|V8FXejhMHmec=DSAG=Mn2ISR2+5%5@`%b$(y%QOgM?sby1%U>KJhz(@U!-
z(9#<a5b)4`#<-iDL3D0de_P8=&ra{;Z@$SAZx?lU@wzlxbJ5W&j=sM==|;Xuq6d0L
ziwY_xXi<P{Xx+?@umgY5n-i$R7Q+7f=@Fqi?CSe;;|TB`cmsE!RL3AeecKZPJo~Bd
z8Ct)UB2>pnMl|9*bVR=?4LpmNcvRN?>ssl484GAFMR-b!rgZ;8yG_>sXib931ad<E
z*P%B7@QlxHQeN?IB8lBi53SWP#3F(cyC0=g>F7R;CIvBD`8Pb;i#Jk`jS!^;c8-V9
zzC){>9$J&2;seho(nSs_r2oE$EeQSpO@Din@On2FG^U(p7U*-zeLxu%^aNP3SDxl7
z<8+ltJ0s{G0f}m`n_+IfoHt4e;3|ETW!(upP8TXBk!+KVjCSAs%|u*nfWn~sR$%kG
zZ-Ne~vlRw_^gkULvKcmfU^O@pjS4CUMCz6DdX;6Y$!P`pBhy()x2C%5MoB4^GyTwA
zQGAorVYWnL`iE*J(COjma2!oq-<Kz&U#Uf{PB(jDhxL;goWPIFc$7lgF#Kog0qb+X
z2DBTBmvU!u!<(H}bh$b&rq3}%-JlT{dowKG31u_|Z}y6Fp+l4|0&#^{@LX{}-6#?^
zdP*V3cpPG8aFUvYoz+sy$AYn3Nwas^ubD3Q=aSGc9~XAL*G79w`vvH}n4rfSw5E6;
zC;s=_*=O#yKlyLURUHv)UK=SNe-Dw@jb)2AYnSV)?k`kxr}Nvs^FA3%=Z8&*o`4_G
z_?t_VtLJ@Q_1VpKL*8APN!<rS;dfUXl%KnxiOSHeaGF#R_Z@H$D!SG2YU@xYOBR11
z!aJSUGR$f;Rh7?rgwc8=Il-{e9^$!R!ty-l%M&sRhEIQ{=<JpoO0_HWHC}jcqMjd5
z7b$N8>;1vybH1ZmGW;3yNukR|SDioH?VNnlk{0gtak<Vq+8>ZaqL7ne(k_{qzXg;w
zg<VG}L)e9D!Ps53Lzt;Dcl2R<(q&eeza}Aojj&KS_!Z6lmxGxRC(n7k1OEA>y7R9g
zd?(X|(eLjeTDt6Kvp~3Y{#;`Y=)2ErS^f!?$e*_38G;sXwyJwhx^CaiSDSIGiJc8#
znlUiA6Lwk9>|oNuc`b*oD`o3##$!;el9RtV{vD(ear^djP)E;XTj;V}>|;z&B8ZAZ
zm`djy?{+iY7Lv$BcMx#<mmF=N{dm4I6PN1Ml>e~%OTz{pjFt~S>CX+?KOI>OL=eJ&
ziRH*QboyQ<x^&;^+Dv4n$5%5UrOpw53gVzY<!L&<j~vWb@^2^MmwFz|e<n1lvx>x}
z5CHoNS%C@8$r-`{?O*b~2YyQdc5cf1)O%mZMRe;R3xhdMF^M@n@;xQ{FMg}{B)>R}
zb|<p8|E{=5y2#xAj+0D%?YSQ+Yn>5JPe1^iaMWJtS~yzz=@)`0r0k4d8v)H{H`U$u
zzP*_f-*^jnA`LsdKc0)MOXliT8qQT@&;{IGF6@X$)H^Ix;e_JCiJ#&ys==5M?{PBR
zu=}B-X_LvQyeDhz3!zTF7k?~t&j@~<;qfv(JNHTycH`&n0b4KCSu-Pb%5@bZiI~PV
zVw|sYLZ#Cs0@~oUb)I|EOubUC@f7UGK6*FnIE+g_m=Wnj?CV6(?cXEfR4Ldmzz8~v
z-FN^kMYoi_Lr#?d&4}S;HEC<0Qx^?BY+nw)_H`Roft-ia1jY|Wld%wRf;NC<?aoC{
zo>swo>%EwjJ6P0m1Q;hmtCL~^AjniBXGNY5)}yI{1=vQ9aB-ETA^o|I6Gize%`Rz_
z&MmzW`Os==-eur;$y1&^=ir{gF~feYslvXMARFkt8qbhN${c<~^_iRem&v0<79SBv
zu6o>MS3<GZ$+`{w0<(;EhozPhc%%7gJhJm@-C>76kpVetx=dlIsxgSi5A1;jmcV-5
zdG;w&Xm1q71{C*X(KS548F_!l4E^ji1}(=!H*mAM#ET^5^}d}awi%2K5GoZj(10Ff
zuf*!VYsHo)?B0dvg6@|pU>|+g-c4?_&dvzC$QW;rr0|Euye1eKN#RI?9P|XEyA4x&
zef#-^dWlEzSk$(sUg`d9-spX~gwlO&QFVzj<sW+*Fm+vhEh3VbB?D)SltULRi!W{k
z4f8jclW_z=!3jJ33JFZ<6(trTC3uj{Sjo#-E!15|;yVz=0V4?a$(sqH*&K1d42W$a
zlP?SW_fLFEp|SYadGs3{;rKLM)S{mRPU>4@6&;D_ctm^0iPU$V6Y;Ak-D|i^7=A~8
z@G?&o=?O}9)tDXTD-^$7U!<|oz4-h1m9RULZVTQZMuzQsj01;cM9LL#+%sz8-NUN`
zo?3=kz?hJdNW@IV&#UH&6fbf@S16{kQ3|3lsg)4uRM>v-EuYBbip3=!Wf76lZrq~E
zA0g+}YcWkLSyBw}n`%|ZkuvR4&CkX726aL?8Yqzo=-ZeX#qQg<qjET%iv!FYLJ3P6
zn6S-O_fT}`5w4^Lm$G&?bka|V%36=*>~5<+Jhm9Q?st-1%!`XT6z#7#;hL%?R7|K+
zSs!COJFA_{%J3aZW8KrKxys#*crRx6sdWdEB+u1;Sofst-SwB}BBNsNJ7adAdYDtt
zApEsgOB!RVvb5H8WDHn|;;S#&TES@vD3RNhDvl1C7^`0aU%Mh$2xEKjsRXEi2WLPj
zvnl=OkyjqPVSAXi#6P!89|V{v45>NJe{R-Q6i_$kh4_);ho({(fDw&DDak1M=lY%H
z0Z)BIp$Y%z|07U<ri3Uu_1gcUhocAQWg^R-`>!dXloUh~?Yn*IzmTAX8jx|b1FH;-
z`sT>Rpndzh<N9SL72>D`;lA$}sx<AW71gtC$CZ$^#0Rc~*D2N-xhZ{h+|$Y^>Z->6
zqiSmEh)(nJPEptC{;e~IYa_IC=P@KlFvK`#N0VEIkl6Enca~fPar<$p6ItT8d>@_M
zacS=ZU3V7_veU$nc`GH3R8NTRy}ExDs5CUW%9_q!l$PiPO&aCa>WdQ;ym!Beskm`Y
zL--uJ_>|euK@#ayD|Do{J#l~)a%sE~7<ew=)CnC)P(ALtT*cGPcuyAWnRzu5EZeQP
zi?z!Yy-<ja5e<m3CSvf<d8qGG8c_!86E1=RLG{`ILj5l1cB@H`(y*WgyU<Xel|s$n
zyt2x1*K5!0Sx`+$;ZJonM>cL8JGE>HhLgaXMh`ph=67hrvAP9%giOdk7TNYp;|8r-
zPZ5EJQDh@&_Iw|D6Qs?@hfESV4y-lrau5k@Qtq)vz#jkBZA6wYme0&9Z+-S*)cZU3
zqNK99%zN`Rx6b0=#a@0b$c0S;w^0X%j~?MX`Kwi9bo=LR^at?pQPg8;2^mQmE`9Eh
zl~lYfr+~pxU_bq&ZjZval72KQ`F#JeUhylFzbi2zo87w}W_S<}Xc0bn+oBI44Afx*
zStQhF!h0OtY*VEP!+*>h@cbcYoO()&9KvUV50{s1<P<?^s@r0%IssLTtWt)BAt>iq
zw}|YtV_X?dCl2TK;o+3p_|RhL2`ZE9Jzg2d!&k-Q8n8IMHMu%drTc_83rs$;_m}0Q
zUXcRqaxH}3UdI%dh<?1XM=&keRZt=w(iflg-&ncD|L<5dm1WQqBF|8h82nuhcsR8-
zzE#P8BgL(njiC!(+K@^b*68+2tZN5E*;hhy>961awgz{<BV|G^PU)U%2G*%VB)w-Z
z@POF10TtZ+X*=JddT&bNXnS5%8GI*5nUi)^3VNqh?rXgb4^AqQ>Rpj#_u6ezO%%6v
zh9rxWbAA)ic}la&jhDO6IWZ|a@+yW~Wc#sYleDd1z|Vz!_@mg2E+F6y7D9n9RFDM1
zXr|j^jX^U<n&r~v=jy=OZ)otnc(Df?dDXhtG{r^flXt{0-J;{grvJxTqy-d*aEFCL
zTf4r$l2mh=6WLZ$HLwZ%0nN?09=2Zstan)}Ei?>4Q|9eO;DYh@PyD*mc39?<QQ0_g
zCV70CcwY4Ok!5Z&i0q{y_%<ngq{J?FRJD1H>CxY#)Q=&4;520$<;t6vMH=PDi6RH2
zb%Ar5ON~zTS+DQnR9>tbjp&rVq&B0Xdt%$cVEM=^twPV334M4n(GrAU2HnBiA;W?9
z)8MP^q~>9T86j@4pih-B+GHT;bK&GS19si=H1%NQ{jJ(g04x>Pue1|h;n0oawh`jF
zogdAmq+R8r%bk?#g=FlexziB>HOp}kCH&>aO)_ph&k);D%cV~<O_g(lw#|b*Cj;h)
z_mP8rdzu$HQ816RU^kQd%$T1Uubsbl2>V39JGR~L7+r#m(9mD?6x+NsEzSW2>F-%0
zWdX~EUWp2;4m7)lfIj59L(OV^1MIY_8%WqS4PW?H6m{JBni<sl2ghXn{bC&8B;ivx
zzouE<JEPg;_R{C}GSKaMDv<n@#n%dBKKYwZ&h&UjpOW5Nmw`{yR+Q(K<0uoU7Jn<2
zBGl1auY%j^YzAdSZVtFL%VZiuCpokOW;=}9-s6>OoUqZ&&Nc;#*sVFmuNrjtf7TTa
zXji)N3Xm}+zpF(AAijy6ds~wW>}f$jmU&j&>{_KiW-B&E!2Ty8aU<xS8990rKl>lW
z8qc=M{=S7ai7G?-RhJ<ZUc)18)v4eEnyTd8+^Uy$TxuLIbM`pOyT7q$4dW+6_`4Gv
zm)yfDx5o|gp)^7~;>ig>vX+bo*J~GUI91j>#XXpL_juJ<|Cm$5)VHCGEy<=TO(3l}
zDT(DiwfG=4@df&Z09~fAd?({?3DcKp#%`rl@Jli~?QI($%Ly#F-Dq=|J{=^QyX#FV
zcLrVbZWl{um<m55^25wmW@J%rAgz2HRdP6Ga}w%W29y8&TwN=l-C{JeiyT3x=zP){
zO?8R~IUjSxIKL&97)y1`{TrAusQz%HT^7jNIE;h?vnz}(C9bEzF~%n`M=sD+_-|&d
zr=E9iXO0YdXM8$^qe*jCunHH|r5G&l`+LLKBG1lgKI?UxR(3sS5x>7NK2^>$Up4a)
z=oSt>?rBwelah`fd|4QP)BcA72Kp`oXvMYiE?Dw_RKyCB<yEvBZ|C-NkZiP6i={|5
z1O^*Zw#0*9olHZ~lEXXeRRY%=RRcxc)b|CPZM)2BKZK3JT|ZyYh#Fyia$)w&Xb^VC
ziti3^mRk6MlZ%Ak5|)BCF8QqQpBV_9$ijbLF-%wVEAOVfU9>(dH?i7^VcR*Uh-*w9
z&N<|yT&Pyjt_r#R!~&KMz_t^t(p3M!wags7+rhzdf3Hj-e&_$$c&TcPZImo9Q60q5
zb1%M9^tSTJN0$xv&{ebBvzo>ZpV4GQKh}?MK25-G*3lu$wvQkCsmgb(zN_NaUmWOT
z>6n)t@^2aO9#Oe&a#7cPeHm!-_h_B@T*628=4(2e?L<}r2r14X+T<Lc>B7y-A(2Vf
zO)bLMNZBYZf1f)Z-%9f?Ik0*%Q7_lUIi@eR`B{SXIW5wC67TT-P2cXo`6F>;A+&Sr
znL*cwHjh6d(_$wo&+)9<#GHJW>Mf(mF_X(R<?Bq+88ljT1MclUQ^iYecPtmAL;N7c
zCyHrZNn@;iBPqxqGO(MVU7~$8@4fmZt)eNDqV2&?o>tIy4#t46v4`z}e68FVom<#R
z<6No>SEV`czLpb5*5vJF#{k~xy92meY3Vcx3D#RqU-a3F65Kv}<eYjOvYwE*T@Kkj
zmyD<5Zc3)pO3iS6cUAl%IhdGCp^MTbsVKLLB`N$WS+Tw=Ek)TDauSZOSczmoa!Y2?
z<pv69n3D4=V_iAYF^x*HTC*=COp^J3J6-+0o5|uoQFt_TX{HpHI>)GY?9aD<r^DQJ
ztn%bXH{0k=CpUL&h6S@-am+D;L7h!n-{1%n`@-_}x%I@O--R2Ctu~CZH_qdHdrLo3
zjnj}e<Y&i^E!9)Ukv(8fv&)<55;s&I3$UMNg$HT6h*OOEaggG9kyEE8Y}OsU$Z`8M
z^Vp?I(qq1x5FO@R*P<_@DTw|rMQJb%KnI%WkR#T|xPT6HPMbQn))#75tV`(zNa)>o
zIa`ge8aHH7-B`zY_+2_#Qau~bqA$4l#IsSPoU3v3HJbs`xl6W7|Fo7$91%Th?>%vD
z*6RI(ZuS^`BX#K{Hbt>NCryuqo2ZZHZ>zz~5Tn0ojk*SZ<VvZANa^1XPkc(G51#CU
zBl2ty!mUmwDtFpB+>IGRn7R47iIYaz!kIuu?+S|jl$O{%RZQQ(yG=T^eH%rud{Q0t
z6i*0g(lvgjp6Dt!Khq(G?$6q0X?uTn*7vOaFxU(P6r>t1RzCnYFD`pesvMq+2*_i2
z7Pxc421(wIdZOOAQA<KxEfVi>Gb`z4kTJ^bJqw4M4F{$TrNBlP)w&Y0TF>F*sp>Pe
zl3z1U_-x0WQ+<|6qKqRU6NtV&Efyx(9~HYPsLaF2oBq&1#2k=GCi>c(r77LB4NgU$
zZ~)=cK|C_xYL(DSaINOA``%hrleTY3g4kNXwNEIeSBh%BjIwTEaZYy{$%`Lt?C@|L
z1z}rsxE?Dh2-<CXYqJDc0?m%qkVGz7X5n(${JNL7N)X9>lwrFarTdR%`nHX<NH?b6
zaeykf1(jV7vNIurf~LbK{y8%|G#Iy0evN~DhCb(pAQ~1e_D6qR{8qY`W}VXg63*&x
zVjw`mVfpyUTVrsy$49StWJPH|6JXx9f2>50w%i|W4<^(TrD}y~HW#jod_;VsT5Z;X
zt&!Zffja$j4%cem+DqQ6v<yCd-Oatg3V(!`(M1d3fgdp9k>Z0gqJ|<_rwCv3xC=WI
zldz6<xv%$aW?`MDp%=Lw0`H+9*9|W6)ylk%*Vb<rSwbdrL|(4tl+aFIWYX)I>CtBK
zU}i6jG;Wmd(g@h!d<HzxG78iTc09`j`UH7LF{|j@a_L;E-dRg^?Gqm3eTK6q`mq#o
zyU`6hg9h8+OI>0eZJ!2<^LbuG!!BX1n%i5?G>h$QTRBw?)35Cx`4sx#L()aNe=ghd
zGb^`Uq(hJS@WJv)kH850VWl0%rJ@-QE$B$r!bs2Vi<E%&CZ#!fBgOuCZpd-2&`5--
z8aVH+y$BJ4S9Cwq$!NL5VfDLh()#4@xJ~;0?QgSGB2s&$^9fnTfFVw|eJD=4gmukW
z&THexWZh~M4S|YPcSt<L1KqJCmu^GWaZ!BLIo$^P>_ku*JFVOkJy@K^ASQzl)GS{i
z&)gK}wjP;<F!B}PV41}8SF7qe##-vO&Fl~<toNXV)yB|FnKn5YzvPZHbNs6LXSy(X
z73r$XX4)0zj~J4IADwbfJAqmFN|eRfbel4?%hrs)3IBm>zqOn0>OQ>Qq6A{NkXe^G
zqb4Uqjsi1ZB{~0=-uRmswvZyH>c}u?ZYii)Y{}=_s%}G;zd&ubBhsQ1*W3Mz)Gr1<
z!KCFlNfxi<3dSTXNe0p~!PJq)%+VlQ8lgwMb1rN0T?VaEHYz@<Sl#u8b;b$(p~*L%
z6-?;G70C^Ie4*6!QvAl9fd#(z!JmsJnP?v(-ysw@Sv!X(1UaxVTqr-oH+?crI%Fhy
zeg4#^$V8A$b4MD!wZdIAc|8~=wGb#_B$2VWAU14Mvk^xX|1@ruE2OwGsZ&%4a%*|}
z?Idu$_HCH>hQduZyvSdmv^ooM%k2Y&kTD*lh*(elRduuex(d581C5-LQH+ifr$M6N
zCy*bWxyt2aLlm(LYH4AEMJrQ#b)YMu^!p(xA8Xj|&Z{WFQ5(p}TN<!srLXb=bCK1b
z+l>)Yk%{b)rEW{rQr+&(RnN&gX8iq&k;2LGp{iLWhi(m++RH=BR%0fl{=8{Wo$USF
zla7}?#SG_*+<r~uzYdY}O0voEpao_oRSP|nY`vS9+p$msTIA1w3^Up{)eB@we~o<#
zO^!0H|2*1&lnv&BbGvC$eP8-Ps=E&p2*oqO>(rU!et63r^jC9^?D9_$oCUtZ{9)F{
z-Sch-Cf0@ijYB)+a!)%AbrYYh$$^7ASGMB{!VB%!+=pc=?)+0ZbKqeD0XFd-4sMf}
zbz*0S1Z-xN2@G*S0B8>NQfK**UfsP`m;<uPa5CO4gVHSQi|dJiyTR0@%J<>;hbel?
ztK4@RrU4V@8_lv|9+fQOa$_mH0U3(HD^ZGT#lFCtX&`k=TF};B8psk-64PU{>7=N~
z>Fsu+GFQ@BfRW-cLU?r9n!jkzU6u*d+df7mz2hh{_Vcl5Q$<qV+JW*U?~@o_A4_%l
zz1JRLV}Z62XZz*ChgLjvxO0sb8heOkkEQlIKiT^$$s0+S+3RyWyV;N5JC;jRFVbtq
z9O>Kt<VRais!=ix3&I(-<~b%4K+%t3h!UUDeRwtU9T51hy*ktZFnH0z<52=wcll{$
zDf_p`pTgW6**D!BBGoU=!N~F6?84D_@;a|uxxJaPL^?-o-%b9;!rPi9x1-DE5xr=M
zWc;Da)L^ZJbYjtFXMMJ639XfwXQmm~Uqm=;^{;N+{34??OFumkxtzq=TRE1tyE#->
z%#;YhJ^88b8-vgeTskj^@y@I5;IZ#A&fb+Xxc;ecz~^3f5%632_g*dovKUX!3?!kP
zI_4|8e38S+Ev6y2-+aU}$T6F|CK<@W-B?A>t!Buz0PO_O%77JJL7zgk!J0{7N}=-I
z+_Fkhp$FTd+KI^|2n7uv0h^}+{d%&ZsiarR@+C?ySvDT&kR7udD=&Ut89bDE!oTHC
z?2^j|UA=)f?C~q@_RcU(#_rDV6WfAXb>6l%+qjn^T$Rt4CTQlByFVe@$;&^$Go~v>
z72vnkl7(uce&f>a++U5@&o^k8_}BlqtV5Co+r@78<r77bFY9dfJouZ{w-el<-N(^O
zHW<@wSCn-D=L>u_ma!NenO>AHnK&fg-y=WvE2Y2AFTbE@*5-P8TGRHOglw~aBcK{e
zL#uuB?Ew$O7kC8jcFj9ArFik!vArpfBMGaC7bBO-AV=&hElWILIn*d?Qsxi!0ZDR~
zOQq0yw<_lhRFpZA-)bWDRD{L%-tVttpR;j}h$qYil66#OWvu|d9kUZTTcAl43iuJK
zCBkbX+b+RAM=8!BOv*+2n99P>wtwg)5MJP^o>&zE;f0Cp{TFBD09ZH=%U=gJ>lcoU
z&8s?GAE3?t=U;G7boG?<oM>ZTcRl+XYt)O~a4_t$T`7H3#A1pZOv5<0U(8)=QG`ey
ze)pvX)E}Rf9M*j_f4WAMLIghT0Nr}#LMLeapWAO#y@Z_uc1ynWHkK?WV{hS3blm#V
zplU27<NdcfVW)d(aisQw%pnfo)%{*SF?<h3re>~5-%CHK=4OoUNu^0fBw;Gjw4nTx
z*<*0Gxik~fTjz4V62N%NRutxyA(DxI+8ABH$RC-H+ul%+GOS`Fu7B&|-G=@zU`BYg
z1i)6x?(H%YK^^--iI<wNIL0<E2qlc$wO^GhL2eLR7;Ob~qaluT4cQMyJjB^nU`Y__
zzriMs{@=kQH!g+$XRyQNTGjvc71UOaD-8(2AcJIPhr!Ff<xv1cQ0;2D6#vP(Q|Du)
zQxt$esquy$Pk!H6F&kY{t_N@1&9s{7r|__1+>7|gaEY9UUwkkYD7m_@0P2k!=uYMn
zBiVKK2f2y7qbdKOvFimI`9iDSF#tt#*E6!$#6SZYN~#yWziyT7zI%DMVZgHFzVmZR
z4fo)uo`;M?IR0_MaqMv_)zb8^#&`q!&j*;3g0=m7%oUkS(uo(6X^+p^D_DSC<`u!K
zkB2p@Il=|A<t0h*t)3YN9{^BO_&snRm#vgk*8I)~`#3`P^160|Nh?E(;vkN7<Se^2
z5#)bx)v<i{5s@5oZxuo%=^0t5n5)V)JtxUqd<P)@dhhP;GOZNcb(d$^I1Ts;BU@jW
z^c(}z*r4`}C?g3C(sh!cO)DN{O#7k8l4hDAhbOHqNMLM1aG%a!3>_;ahD}CVYQpA?
zDfV%m$^<Oq0}$s6r)Mf?)k|*bUAKD?RPf)SSrYC-6$(_V=OO;D4(;qjt?cyAJ>6{z
za$5CX99_3T$B5U7wYl3bh+6rSU$_1a<0!g*DdOq2Fdj=AW~Bv-qq822Dq(q-6;H&Z
zq!9j;x)3Pk)zW{8+RhTNOT?v-FxIU$eYrQimlH*TUPk@~C>|pt`VPj&fI=p#h#NFM
zPd425X%JAsgaA)g`?IAv<?Xt!njXODmjSJ&%lCJ;qrV2Dx9cY*+&e20h-x&8lr(GK
zzujB!^ec>-@+S=@0nqf^_t=8y(LGrr?ke9NN_mOGE~b-c^?p~*Y^EJ81XyLJoo%)s
zr=r>^fg|B{z+zLV)hBAEV~=h5W6xJtoe4BqCecB<pg#P?+a8;<!%4;c2{$0Et-+b3
zR$hqD>85nLkW&WBL9TWYrN9STp!RtIg*FRec>!aeIN!CHwn36uMr$nkJ$x+bGwMb+
zMO2gjFBia6^wS|LFemp;2_31Ehwz8mB)sznP&5-H&a80QZDvMd^Po<2Jqje_&{eU}
z#4rv95PgnW0za7&dCIH_k5CdS(;E*ca0KGShCUj69;yq`E1!tPh)eGx6nTLA!<|-l
zD$4a`^eU^O9#e}3@OJ=!ZaCRw%cSZ;b+O7|8x6hn_1?-BkSs|0>kkFIQ!?JtsHK=X
z-7IM>#07RFd26?{S<s45!qedor@y}ayF5C;v`{$b_$jNE<93g9`rp`H|D2@?c{noq
z17g=5Tv{<P)1Ix4R<3i#=nwt!WQpA-uYE71Y^9&UAlU$KmbEg+0SGwkxzAsmOO=8G
zUuuK5k8EFV`vWs>e9IUW<P426{XK<e{<Ggu`E@w3<R*-6>_7I&e}r*OR7nHII*s!a
zyVDwT71j*G@1aR*8R#n={tS8znOL{1uTY$S4Mh5)>o@dXnfp9&6MQvw=3|XZS7<%Z
z_4j|B6iuffIt!0b_RI3ZQKX_y87SPMd3rKBhXATWRva+4n_4t5_VLfR9ZLB*pbmQ>
zu&-){fMOUvO_i`4W~5Q!i{?>BQI9{g<C(&7+PoRn;eh<FYG6)to&^b_l)?Lh*}jov
zr2r8BHi>Q?9Y2ZVIS%{}bv@nZ=e-MyC_)~8)ZH<y+C28?^%HH51c60&{`i=CvoFVW
zC5*C$vJ*%>m>&v&wIz)_kcx7pJ`5|8x}Q4w8YoMaZvo?>veneqmcY?OQcc<OUfHac
zwlWdK`GIYWZ(pv82c4qm5Ljk%&|d{!VC@<W^%)d05hg_rC0w68cZDD+h_xRH*rNr&
zUf{Zt)Ggqd1KpxObSnjEiUPWoNUo&p`6U}yYVw2$IXf?vJhFf%tAX}fX|P110K<cd
ztN=<gJkqE$6Ki}{YPE*)EY~+yw=x+~@Wq2Y73fxz5P?kwbOCfvWeYgy;gKTyw%3dk
zq@46^z8v?SRFM?yaCtPHG-xSht8sn=c68pq##uH%<Kn2bMu)UkqIgn?xpKX@8AJO<
zPP9+x&-Gk(M$^=SH82t%w9Fvl{W&Tg=D?42P5Q>LYt7F&SL-^kIN5Bk!$pn2yGy<F
z*PixN^Y6-&Nzfco+V{)Ktrlx69w*bsGXe+q<GhpygI*S!0C@ioRt+uc`RQ-qWugDt
zHL?7NinLAxbs>rvekTy(vWx&~^D!UHqa!OE^aTg}YC;Yo`7XJfvh~-S1dEC=XOt%l
z-#&gz0c!iKI(j|>!9)z&m?oE`bmqTljhK+n_3{Bd{)j23?+=K{BFOTUAMjE)2Y6|*
z{Z_*Rc=@)*vV;|QshL_`g1ZObo3Av&U66SjhlPfYg&RL9aXW_ipo#I|UF24Rf$ua1
zi}DxSP&r9^y)1qLMJa71H~KxfDk#D9$sOHy%AN+3R}ZG3_OH3{>1n%u?R#G4&Zx{~
z><W{1-6%3{E-I8^7uEF#8HRaOQ?|ZWFyMNoBOKJKFQP%B3XzO5FK%F61E*+WTn0o3
zIit)p0Y{y|NlMslFe3lGf(kHWS%5B7@=)*-Ts4@;5jO&OFc!ZW0K<;w^*19|p0I|p
zhgsztt)TtvDeL3)%BIBbQBPnb<Ern^$<%~{23ydyXuA?Yk9(qr$^mVoVD)Rq1yo-3
zjsxDVf6|sPIye%^{}a$)V1t780YCvo(_SneP%CuLlhjhmo{nNaCJ@=av9MdKI@=2Z
zMd2VHDacoLc6htW2Jp4@<FjwC+EB+tAL{|Mk19`wv{8~@(jPt0zX>N-K~Lz#>k}LR
z_C*~)vLI6|%J(J=25R1;0at4*YwccF?=QtQY?(l5B?dtEZwT4Lq@{o<gJgk1Y4BH|
zuP4dh>5YQ`!9<_P<v~x-?tmjp#wz{x^g&qB8)13S+>y39z|>Tryp%A&09H{)FbG9g
zx-Tse0>m1%>F^Vk0oW$AF!moWv|(yYp0x?(R*=M<!grks94X1)2eD#MD0`HWS?S7k
zE2n{ma^q|G?C|2xf%o^fE;9-GYHJk+_1f`L(b^cF<$Ih_`YjZ5B?3;#|4>%R0J};$
zn+J#r)#D`}CpMtmH9dc#RDh#dfwcxEweD$bsd*T^@2OoGQ1+sEyXeWFN76f=PapO$
z{pSrD<N6RuCD#MFDpu6W!8e$wz<!f{V=#<J1ijh1Gur{m{3KzcYi*v<nvsSv^aKVN
zizq`P+R<d(Umc}0{N6k`X6%Yx+cL`5e3ZIp3G5GZ&<+;o`~rYlm_q~nKVyvvvGnWJ
zbRI-g)|Z>#mx9p3*no3a>(|P_b|<-8-FJn|{s3m|bGbq5GgJ^|&)=gJ7E!O`WPmr+
zqU&7!<Oh^y=vh3#_$f7Nu2M<odkdW9=fQIo#&JO>SUi90{9zClHyBiLVf0uB6@WGi
z9|#Wy&K+lRfMbrKdhMaG++fE5JSPJ&MOZ1uxE!IYFkoU9|NJaqlK)EOwq%_KiIco%
zT`={lY{$GR@c?)inqm&u=?H)&6%G9=dK^E>-EHgweN5bxp?XN$6V=pxf1@nqxM&W}
z)i?!c5G10cr}2dkpM6@WGO-@}#`|L{>GV_7vzP4KqiMps*U9WU>?%xlLQz5O1lRlJ
z)nlk%fJwHd?=E+Px(NwjC#$XX7e^}#CTQgXSbz)W5ySvzKRw+5A(^1xxJ+J)1l%;N
z2Hqak1>W88q!cc(q8-b8S4g0TJ+QFqY%k;Zw-B60O=Az=1A&Sox}NdJF9?9z!>r64
z_(0hz)ve6vxc(LGwwvu0R?j-FOz29Dwh?$+2@tO2CGIY?S}&%R$3H*PY;s(J0)nYZ
z(!<o8l;m^@vTzPY!z7{*=b-led&nld=AoqzTTmeh)|U>#SqHdA1`kxW82`x}agGOC
zj6+o`vu@cYxrpE)F_w<|1WuCSOQR;B_5?E36Aney8mDg}G{2;*y$4ul5J0mFeJ}TG
zP4ZqPn?fX2l*9qbo3YP!ip7X(y#~fFbkrlV<GF&wZa>e0#Qzu#ybmD`R;A5<978|A
z_IXu1YxDibXb1yBjDhcSG5;|d9%8oRxmcwi{}>Ge54!riA*1#mP2m`@h#Q@48j$}O
z4bOq5gdw{8{}_rroezu#Jz@6r{}>Gq0nPg<`=S3B4P-#fc(pIbr1e04pnVTCmB%$4
z*Z;>{yn0|Rny!^ty^t~=j3R{r#LQ8E@@89wyhzinG-RTR*R9a!br*JSA-;MCy7(!-
z^LTo>(Lp&wz)sT`<MIX|VU1yOGja*in{f#NW=b#WT#X%_EA@e`20d;+NnLSne_8hJ
z{(MrB@6(~ad)6gGoESZaUX?(LZkaa3_-H>f@Mez%4lwedHwV>eMlPK?hsbx-LDa+j
zE24d7pgYgjoBeXtdp1P?tCm*V(817*=pj}UqjTwk|G<4Ark@k=*Py!<@Wg5o*PG~D
zZ3Br+%0Ft}B$%{+QUq2sZY|p%hR5IRA}xW~5#?gu-{|g!2M;_U<D&9NZ!*0%^*`yn
z3Vr>SJ(y*?8#cnR6X6MBTm81o_o}ZAV0P_1cL3i2tSVkC%Fny+DK`W>_qFW+uH@(Y
zBjml+j?x$^I+jAS^P1Jvcj-RN*O4N)!RDEaaQBzMf&y7V_weFcE1(;I*i{B*N;4)>
zSf>*wj+lGOW=YuF4+n^qF-$w*9{aOwfWeP$b>h(ap^|4qJ>>_?FIhJHDLL+)kLxN%
zSaFb8k#gF*c;4@0Nj}&n6WOAAFF=To?q|5`J1n{W^xi3q6zn-~?h){DB)BiTVsEBc
z4NQ)Y5r<yE)ph;e-Hd~5LGtcm#@9eTLdkxkt22g5L{l!7g2`#QK@t2#S-piQ*{JrA
z{~@Tql358&Q#6C74-h%!G#ww-6Nvd%X%vKwWr@rfw>%ImzuE53S2~Dk8`+d#SZ+LM
zMeKs|iqF-W*EV2w1g=aR*E>X(?&UTx&;whjxu-%G)Fj(>bNrxH?Z=Nre?&q)UY}a<
zPk-nB=(!CnC3g5Y4)K%vl_jJ7d`0?qkes>skmzbm*t?#?%I0;x!F>Gd-u*a<tmONo
zK28nTa2r5HJpJrNSM)ae8M!4vBncqT#?{}$ag^LP!(XY%tWeL;`TD077%5II<HT*m
zUXA2g+%R{bi+!oH9vuNVoBcLcbZ!bEaxj2PibLi!C3RN>1P9~{F4kvPxTe3_JP$&L
z-bu_piNg%}&h`oek$@bCBz_o;nV|}G@OSZ~0W4g*<yFL_g4pPh0br*E+6K#qZy68K
zg5$$*$=_pVe;VBQlP=`ai3F@41W2vMF*(J3FL>lo<+lOuvv3ZZuzQ}1RRO+*wqdig
z6Br!0Q_)(v5Q;+#g|Orbm>IY+Zd4jIQ^0|Ik^yk~!W*$K#Frb|0qc{|y#hp^@l5`+
z?OraH*skV1L8p)MsH;>4U4O->Z^V%EXPkUU3$0aP>m^yegX|qZey3=WIe-C@?k80E
z%oXGbZibMP{V|HqQR4y^Ey(JTJFf7hZ1HoF81xe@ZjaCq-74eOO^P+7<WU*|pX!yl
znAj7FH;n)X*)l=l-4~c-4ti{_nF@z~DN+40)UvXuTdXoIJ{ecw7|5W(VR)3GbR+|B
z(XFt*@MQ(DFbT_H6us*FCAA;9+v&0)QL0lu?~~JAnKr|a2{2N9tVa0by;uvX07o~%
zKPhJUT5Q0Xl8w4uuiA8|Jii`DY1n!>3h*`?r3kn?PCt{^5ykmm&go4$pwBDz%={wq
zQ|+bORKEA#jHML*n~B31y5M;G<D3o`HWW*V2WR;dz-r2T1paHezH1-{0yw?A7%}cr
z?cd`T2mHKqXh4WsUaIWZo_yOpYQf=3t$HS&b3S~x44`HFfUiPd&ZPn<gdD$}zQ{dU
z?=%8Zs~q!&h!B1y+MklWk1RhYeZV6Pcx)Vx3CGdVkXP<w8}zuj*bChDNR&kA<;h_F
zUZg|EnodI`@bm6YkJyWYSjc*f2*kYe(7_-W6f)i6bN)mwrnf<&8|u<2L4j515>BdO
z#WMf`+~4>q0Y}W+fc?^9mGmGrCX^Qrn7!|};5k?!OvBMQ^Y*eCKt|4wp^8rTb)nW$
z-qI1^YTI-$yia3f9*k%g3HN(OzycQyuQ&5Q`;yFUwmu+kcLCi^ru;QfzX(v0?Sh&t
z)y?`|0HjjkfyavZjK7-W1xEVNM*&WC?_sR)dOQ#XWZnkY&3e$je*KKP6{p?fXn78I
z_$B;zsRpwri}Y&Kas1^sUQ3nM7*-x70qx@8>+Li%6@?*@i$bmr+gMaM-|HY0KHCY-
z&|*&bOleOa#cMDP`AU-$2ZLM;kLSR5K0|{#D@CyElsScym^i?=RKTO^B~hcwIy(d$
zhlG~3MEHkD+Zp6@r;i%1Po|i8dzR{L)lP-z^8Mj3MSu^gN?DI#c`JMr^H)Xzi#p%^
zz^A}$IU?J3^Zh3|oKM<Hxs1lWB_a1V{Uy4>O{N!m%am@@rV8`w3E_foUeP?KUarCu
zpXPR2b9AJX$X6v+qJJ#i`C-_&;4%5HZ!+<zi2h)<!Xpmb95Ejv=K50N)jn1Xbo<}8
zT~IZ~FEp-iyi|S_P|_0uf99Mrd7Jw?HGJ;E=APl=5n?0vyk!D$2%wR$X%2XJu*>C5
zEM_vHZA@Tavl3}G=w{lU)@YdW=&lI8-r%DZ>(E`P3FzLXx7(PKdk>vF#c|1!Q*@+~
z-AtzB16^;06H^qq7yzEIk@t<h=RrVCey|05zxqL*{&W#>2ou(b8TLq`WEdLeEprTe
zY{b`a)EbCc3s{IKhJ`w03YWUCOWqWh?MyrCMN$3M`-+!vBeji@9)AKSD8P+Y^3deS
z0l!}L{Fo?dfpUY3(YH$Gg!Aah+E3dL!mkM8`EX>=ygEK)p?A0)j}$qHh|5zdUE;}`
zOGWha+kZ-wd{KEK7J|3L!-m@`4Q=RsASpj*VG;Tp0P_C0D~R!-)3~_)w}%+7N5wNV
z^!>-x>M!V2ZYCZ`**To^>9ugp4OjCK>~L7N+s*vw*X8VYsod~>gFh4GWoL7-DQh&&
zDm`9%(}NdVM=Q;vc*3jkg({Fnoo*=pA_2$8HyapRn*n?jHBjqL^bR$fpLBEzl%p~7
z?>j$=sgqEY%-IY`y_hGa&l$oHh<%oi#TxPGgai%i8gNAu9%!Oso+BrWp!I&KtpMN}
z#mWxv{!n}pDQTA*v1};VP6eTQcQ(fQC@y63xbw=C|F9rfW_eRqVm3XJ);2u9ei}7C
z-GY5Fh<ZK#5`1_%|H%*=HL*$7>7w6?Zk<%0gi~J~wlnURGva9J7Pg-?v<Bya^JTr^
z+U0*Pf&Hb8mIh}!$o%=SAv!KjaQTlOLf1seBXC+MF$2is%Wmwj>gqSwr&}lz@_O&`
z-4f}ZM$9?A&*_$g70b>0<c<H#`T9cKemS&ThqK8vCO@6OhIrBYaz41h&42-;)L<!#
zL6HS3b#n{NJHlIpj?JpK)(W~`;qr>dx)2pEx_vQMBWS3YAer^}(?q1-uba>=e{tla
z7v4Q@2zo*#<Su$5>j&A`(i0uNC|3Oqex9z~$G<bojACs-k@tisG}M(b*|O7&Qq)8D
znHsNtc`Vu2qL5QX){HHJH&&KmxUpwlIA#R>7rU6EkPWiuRzvjsDoy8T?^^G^D1FNf
zI&_p}Y68b+VY%qdE#{S;l;MeCQjpA3xnzVUm|sX0Tj@s-)|Jy^L-hUOvAsoG*G6o=
zDk$sB8U6K=roQuNhgR|g3RMiW<G!Rz8F)Voj!iIsADg^rpA4nQ4Ma*FPT}805emI-
zt~I%#&CR1(W+;&Ei}w!tB#rgj>NrY5>JPU%thoRkS00cjznHyzg09Oua(~Y~?wym{
z7|F>E->Fvu7nYPS8lUU?IBwMY{ED!^Rp^4|YO3HAGws4d+Nm3vp8c)Ok!+#kVBp%>
z%%T%1mbOv^q&q&p5Si^#B0Lqiorcipxw$+TXM8#!mmf^f95#E}z(x?46DmA*ip$qi
zR!@YzO^h7kKQ+mJ7By!>H0b<P`WX@RK%(RsFPNGeOho1;l9Yr%O_l5AdFEqq5B8g|
zMI>~)e{+CPBr*$4PJN@JM-q42lKi@8$!4^JY$%RQ=vO2m&MJ77!0B|dSOrh8gC=sR
z;6?@3qrK7eKh$ua)tN6nk31#jz@8%GBfhB{ot+YFnbtp(nCj+dgFjkc<MN--lYE6<
z(L^WxD#pVpUpyal;K57ZA7M0%`v?bLR0P(1g!_3Ag{NEU&*Tu|XDuGy^l(CWO^N5K
zV+mhrz@x59Sa`f7n!7K&BjizxtfJe5^v!FxiLQOoX+^dlu6azzfrxn#v?i<(F9E5I
zIt$~Q7gXl87ng{n$GjqVR17pNw8_vk#L===hebtoc8~>04~3_gYXxboFqruL4mo@O
z`Eyi?B)nYU4h5_3N*H-fpZ5&7$BLhJn$^*tz~vK=(lM`}7!%{YiX21`^Ao&lt(_k;
zIL#ayaE*z_XP_0``+QbYs|YJ}H*mb(pn)@p#$vuNCgw|z{bkVY(9iZKWRlkLSCI!n
z7y_I~1;2gDk-myfMnS*LyD#Mov%!XZh=MtH!FMoVwh<85WizEQ{jllho!4JYe5|uE
za7Dl3B9lIBG&qTYl-a$JugE?%>==7*a#L+m-h@E+a$|V13Osi3SwlXJX2qN2?|G<W
z2k@m?vp5kO!JKl>P00Vu)~1Ydy{Iwea!PoM_YB<uBO*@pYM8*@y0x?(UnDZYRXvGW
zHKsn9NQF3Qrnz$&&s0d@ZA*kW@8Nvo7B5THEN0H<`b|E$z(d*m4HnXgJmd-vT>Z*|
zw%rVN)p$y<3{)M6g)pRjS%=@fn$|z9qoXI1;wL}k_Wz~ahsaHy8)|Q~Ana3k@{E(m
znkRA@2+Kkht^2s+m#@!$k6*FkPJ+`9r()zz9O4h%BNNguVLo4Z$cVpx3Q2Ys=wYXB
zZ(1DEKH8^bffF+`OsM4(ZdxpPw>93xygLMAS@XwzE;bi^A-e_zZ)}vIh(fGJhbS$&
zhVIo&mM~Hmu}DEfL^2=0PIM?hw<`FP(mh}UU)_89Z3`oZAvgExLN|+q9`8pB$oIB5
zPdmqRag;lJ`yxN#OTRie8he5pA6!>zsialN+o=35Ku_^zWc=}4T&jXS^$QzW%ZYe5
z)<s5&bC!9qYoEwrAxf&%7NPlg2?`xmdua5@nVgyL9@C5~9Y{Bdhx~w2^68Mh7M8=D
z)8~uDHau4p>8$L82-Sg_bSs#ufR!j)v`T1ze-aZ2<VL()J9>QR_i3s8F88ToC!O6v
z?aB!!e8saz-=A`Hmt1tr>nr0a$zd2xPA>|P%dqPr0zv-Th}oUi`|LSx>cmpLE)VDB
z!GdJ<4RoAQD^KPN(fmi^Uy6>JacM_WLQKjNGIlLD?>q=k@#=Y6?fcb!rVOkVEfHwF
zFaO?0*J<+hTOyt*IN@+fBK{GhTAwC-#b(@!SXM49DC-GPWa!+GR&WQx2X$VVHq42I
zo`LRB4z~4{kH$iB>f1nb6;9#WjvgAdEW$UeFXEjzCp_=WWvQRO5c^gW@Zt_D^Kg1n
zLFli!_4ICkTu>4sfDAvhyJ2xWp-TxGLP+^D()Glb1=RjI5-k6oxG$LY8z=lxVx+`x
zXN*I+YFC$mx^}Vt?CSQP+Iu9y*AD=(#Kkwqm*2R}AuJY!u6PShIV$WcZ&4wS^YI_9
zZ*l;5hu0ShZR~&0NdChu1&_1&>3?{KD<*(<RH=tN&ie<AcswA;T<eAz|L~5ghnga(
zy*k~0&<GdM^yi?F@;|(zhx7p&k-=jR{nzy81FqcW?O^vGG=c^|BYGv$U;f=HrEPnF
zM#x-Vs{VsU^d3rGj|EEz{xy9ApeV>czbcFVfjXOy0Z_*z4~tahp=t0R07aoO>1Y%H
zW`4?wwz|^Gq-PvSF@k5h6$U`os}c5rQBpAsJ*oi!vLv7vo!Fuf(ca$L09hBN{>tuV
z!kIR)0iZ5hV6G*x7P3qZl~#|al`{Y{@aPp?CG7$s1Kov%aq4zPMu5vXnQiV2rZthH
zxc~xi78?D>CwJw#<tBAhzYBTqw>8w^xKxLk=^2$1=L2h=7tj=rD8e=gFd&SO#@L@L
zXPFeg%Ay0^ka>x@Yi$6TE+cR^$)cQa068U#pZ;WD%Z)*Y7EO9x-0v?5n3`c|ZSlTJ
z63CFsTxkTMF5F7HhWb^;oj|mN&bI&Aw#7Nc=)6TEj`FtaW}m~-yQQM@{a}=4r?2N8
z0LXl<#Vd^`FpV;RAs^771o;=dUfYQ+Lb1x=(KPN{ln|YD1pHhTz5iFzAto5eXOe)M
zp;=yYhTVa8Q21`Ha9V=<$tkthss)!l{v7*Ee9MA6kU#7=n^k#h$&$(_&*|ldp+GkZ
z<ne(NJFe9-qp91x7fsffv5E-#{yTuod=o7)^E(oR0Hd|8WKO!YY+;>KrF9bjDlw@4
zah4N~M`?4j2jGdS>mBVr=QewbwFQvhQ+cvGruN5p!>60n?zsYtkzQkhRja$>CJO+>
zARHDUAz?j20#wa}Pk`H}M`9KC09eUpP*(_CX=Dwi@y;EMc#ij~+AtKs>uszFh}hv=
ze8A-(S>K1>c0zyweLs?}VB=iEE5-ff3Y@?&*^bPd?A;uu0SR~&F^FD<y2lgCrm$%-
zTUM0BRr&#GPLb0}Q{UQ_@d&g$`~gkd{6v%loean~?t1zGxHCzbd<#G_&()vTnFL(U
zVWE(iBTZY~iU9m}#Q!NFI^QN*Adt|H?f%cDUdoU@%oCJ!BA9K9{O`ANuV(@1)Ebce
zE_r^CU=cn$nuZJtQTPR&OBG5{oc=Hltlwc9*&Fg`^l+&j57lX{O@~6zp3!rEmUqDJ
zmbI`MxMyt89oR`Hcw=#QbNPisimpA))E7cPeuuFe;Rak0wa1kL(0`RB4&4f#Q2bf|
zqzi$~YN?UShA?18{?eFC=N|?~<(+xeiaezXcrhIPdh^=EYt8eAzwKwok0fWakDgMo
zc9G4o=mJ-6dy%L8_(S@9Wj&G5J2F%6Ug#IExMI-nSYc+@r<dr$eKL3y0z8u%R{%yo
z0w7DO0j)H*Iey2yS>d&Buw1d^&BR~9Ia_xC0U~GAB*{^--^8JQ|H*4yubXlG0xwv3
zlI{~lei8zH3tVpGA5h7+NaZqFMyQ4qNi)me15|R}SW@n=mXd(9ay%N~2JnoO#`Cml
z;@@wMfeXSJ{(@|12{M~N_RMpXh>-_ez$Hc{`*P)U`<VNsLERf5i&#Iu0qRkHxIWYO
zI8QX51=J{~afO|p&f@G%{iW-*9R7+^V4uY+H|O0s#xz@|GwMA?!1cx!4-Z2X8NB)Y
zqf{2aI^em(c4H)w-LMYjc|U+HTgC{^BA6?$?%HqedXAkXxBm8NmbmTb23`RnUi%Z^
z-Y$HBLIAX_!8PRYXDSbi!wPg*J3JPFQB7UI=e+ug_$@6j(ZjvxE#`e}=jSXtB*2O@
zT<6$*L%E;-Bzb8#OHj^u_W}jw>Da^n3jk_$+a{vY2l<w06v#=neN}`>0ysY^+UR1l
zi<#_V&`yl}G;3|DHzkm&3(NkW0Im*E@h)qX@%;Ipp%o(rz@|~r=xNY=#$C68kiYF*
z#PRG9lF2giY2LiK?A^OpiWe_#ltBY0ZfF%2kcRXjMIZzO2qQ4^BwcmYRVJhoXu_+8
zd?72mRtSi;OFnkg?3)+iQ;3{r@al1XC?680pYk2#O(OjB^wUqv?%lgh=#~&J<j4pB
zLbPER`VoB)Z{5b>c^~p;RDyTRXx`>)Wn!dFe$H?X-{A~m1R?iPqehufi*JJbF=VS(
zuQm=K28q56SwsF1d}8InH8`Y<P~aTf&yOBGnh@&63FUn-w&5T<$3i56ur(MHE+Zii
z#%A8UdB#wI5!{!Q9>_b8l&a*P67PhD1wmtJZNtXP9x`NzSw@BD!SEE2(xgdahD^jL
zv5J=bA$<%7o(EvxeDlpFwuvPUhWs%q5IhrDmtTIl@$Q!|Uv4b9O$?9mga}PB`Q+O$
z15uVfqX-0wKuX9TG9tEq=bd+&(JBNB@emKkGl!t?n&~sNWBN~l0tF1=5xRh|nSYx&
zaia0eA%8-vkSCrmgi81mXAK8w*|KG3bkU(hhXn5)<Adjn2YuOPm-!|CS+iyt8FAL=
z-@HQ~B<6n0Ew`Kp6`nJ7B0OYQG5N#N#{B80HatXl3c`j*z#*~n-~nRtojZ3nqz%7N
zclhAo!Gq@+8yrQ#T7<*Ej0tvD{1hx$(9{7VO0u3me1zj@$)B<k(}R6Cxwew3<R5AS
zWx@&XKTDP@rhZJ&(0K47><m6ckFuS~dIW$=Y!M@XqEJ}gym^f^#>&$;-g@h;fIWYP
zy9~t``lU^q)_4~TeKA6KK}^`tc$nzI1Ja}jL>hsVI9ATpKFA4C<MHB66W+v0!W-o|
zRsi9N+SoW@R>DAx#2GEnA0TiDpOH0v7h{59z|*B~(C6qwgoGe;95f69;S)v&I8y#R
ze@K~7D+Yk@46Ar3n?6mr#U>lBA<hp+oH%j9#PkU#F;VSI&ecAAe)#ZVGxrB~;IzRN
ziIrzVU`!C(de{gA<uKa7;IZI@(FgMra0bpMfAblH&WM087o!NU1uM!$4om)UUQ&7p
zq<zIC`7@-%YFdJ|6=j%+x815$D`TM<h5;BB+)kb_6r(Xf{!HvLyd$QEa%hN5zL1BV
zgd#T2@Xrpz5(CxFFW{vxnqUG41);o$AAZ<OiZLqCqzJej0mz8BxYI+%nIdLSpQ8`a
ze{3TDPQM{BQefRao^z*8oy=$SF~TM`L8LfW#Qf=Bj2Li^2yHmy)p*CXYu7eL$GP?%
z2M_O?@A0S^;WM{Da*qCOd3N+-pRu1)mNU%6=e}j}8Ab;3B`SdTom6>tgki&Eyw4mZ
z<nAmVe83a~MDzl@F@hKe41kSh5JKVyXP40p+-K(tF*1qiA&@qfs^lN4cd~EaJ~KpO
zc^I)nhIx1=fQF(Vdkledc_-jO$}GR)xApva7P1Fy8Z|>EYhf9_@;3@4?uZp9@eJiV
zla<N2f`~@SBs4NHWTY(eV2Es2PXwYQeMS**8v>_JoigN&Q-pVK6All3h0(QhLll#q
zJkMzO$}6u-cpeX&K4BdrMg}(Dj2SZqTy6R<dDv(`z%PdQU}EJlI-u^1jC>RC*ocL1
z-N46U049t$a3qsk7M_?M0;yK2l7AoqCiV<7;0!^XiKUcy{TKwoIILB6CT7a<F0iyr
z2HOc>X4?6iu#D5f5`XhI!Nc$kQg<eZ9d93!XALp2P>cpKP2a>wf)RlxMIfFKupTmP
zo(bScZ`^Vdc91umKy036ug>{CH_7RgC1%N=N?`S{kgU{UxTIkfw>C4C%L@pw$b!jV
zLLAA3N#hL<MlY;FVsbZD9J`n%|9ERaS|3F~5l{r8g@BTOw2;<v6akMQ;I`8%Jpy~s
z)l~8i8Zv!B5r}UDm;+;_oHMZ^j$;&(3auu0dZo>e6)VimafFJEjk5xe<<duv95J6e
z&(gAU39Jxm(xi!5lI=WoG%;-uhiBrI_4X{#U_}kfBQ>2vAm+)RZR4yEU~-97II%Fv
z#Ew5EmYMOlhh=GlR0Q0D0OZQ58J0~F%Vw1dM<BCg+4n3Qr_9NnUdgl0weW1nw97%+
z`N|>;mV9!S4Qt&=cC#0o#+XD#Hs5^+{%~X80LwGs26h><ERuacY*HgGuPKJfpGL$w
zS&nG1$)1cC>d~voH3+*inDx4BI`N&+XY~;)j#$d+FEKfd=fa93o9F;^GB;fAfJ~`%
zws>;b>-W(^0D@(e8-#Du#~*)e)|<cb$}5JTgFU^{p0r8(V#61knAn(Qmt#ARPGAi@
z9y^Yl-DHIU3WoeS!{?f7u1VNgYtIV8fH~_GJyhLSQcQaOC=vy7WCF`G+0ccBXN@fz
zQT!d)6b|SifA$BkER;qG`LkV}O)7ZuEG4DU`tvUA<`=sY7(+!q>`-KwZ7+`qhny+N
zBel*JPl?R>Zg>%Z{0WcHCRtI(&RM+evSrJfO<19vUTGy{<X{g&WFG)KVKFpz7cS@O
zutV1_!{(@DHe#{noy|=wrwqjNhYwg%&2D0rU)zmd&O_P4i(2gE7L(-9K~P1C6uDqM
ztv!o_rJr~SkTDxjIKgkxqDAN3p2Ln`8aKuR&l^vK%_m8n9qvp1cB7bG)@FyO5WDqU
zY?ENyINs8hEn7@uw2AHTG;TJmVL<$y<;@Whj1bs4$;g5H+5XP?C83^mj%UPKDlAW9
z#KK`)j7Xeki$`h%6?@$z_9PB<10^-}J=K%XXmgx;n>%;zkWa59v;*PWQ*ALaY+@oT
z1Nqy{mCP+b@>Q!=HAh3xPYDHaSYn{$@6;G06?O`f!hIo4?6r*lNgR{p50P@>pgoP#
zsQ`Nl9^Wx3#HI_*24V7tZP|DlkT#wT<i}Yb5I;L~IUfijPVDS(f8=jH6f1+Xe2kDy
zY?){MZ&DsUlWP9X@}|)<%3$bB$6yl~<zfKX;vVc-=Nv+3&rU}kj_;*IB0C$^?AhX>
zUSJc;9U@+25B1zE>JKS%)G&?!q|A;}&fUTLCUHb`D5qE2bAOx|GZ70pv*R7|$J1wr
zEHQpY@_a^HXTv5t?t>wJ`aFFK$A*Xi_0hdRE+PL=y%T$+E8c+b>6rEs1wuc>4msx=
z;w6n8JJ#IZ)3|YCb5yN88;FLCN5fe^cn1E?4#z0i1L17g$A*BMB$=3ObSOM`-<`o$
z71k^Aca}Hj7-2Z<X@8s*!Vwk70S3XIb<V+a9DqeW97n;@Jd6q*1UU&qMeAPGcp+Q2
z)gz_kpHy27<@8GW6;~(X#4virpm4w%&KL7!v`2`Zxdr+nM9)rP4tC=lAA4SxC4Wdg
zsWxh(0LV(7#Q!y&k3gz={-HKdJbxS8_nj!UqXN8QNT2wj-En8Va*Tq#z{Lp%F+#Rx
z`#V7pk`09X6C0H<l*XIlVhd-YEJ9L*u~^~Y?<{XTedHzFg|TyvKrm*(o^?*#7SGD}
zP%GpLB%Z3B$o&X}>R4INKPmDL<@8F9T!Dank3L`p4yRl?k1XZ@Ge)zJHlawuKR6}C
z{0Y(WH}enlYvv?Kj2xWHIPHZ`^bZUUAys}D!7xXsDV10Igi8K4=Fe7g=Z#n_@50k(
zi5J5}$e+f-5;78AIfO?X5ke(iPJ_S;Ax|cUcqSO~capX36s%_OJy(cu6O+`==j{-h
zJ4iV(kUKg3o#l;J&Pj;DkbhEVofG21gR&zZCc`+DlupH{z+T?19mJam5H5v)xh^rW
z6zu7hkT@e$M&wS14Tp;fWIku^2_pch(@*W;j4a`{>-uS<{^lew1~_~+5@0#PSAKuz
za(PqBsZ9Q%dM6C&@C=Ak)2L{u5E!HdiPDg`Jc33-<KhB$_5*P0C-F*_V)8e4gR)YH
zBWZaT4}=(cpyZE7K^}M#c0Dok1{fuKcd%_(cC`<O#W4}hJ6tTmg%ylQn2=&6kiWCM
z@o4OgM}d0&Nu700XQM-5AecwspgW8q#(<C*XR|N@h=n~9UhTN4UGGp&uS{*Zwfz4f
zkg8#ylqiD996Vyy`rE|$<AgKp1r2x$keW>x3=9q%tGFP+uJ<MGjn_cvC8@K+@ya3R
z#Mb$fKTFvX+eL_Rfmof_z&S5?vA6U1p5@J4guU^|N&bu?xXLb+v(5=M**k|BfngvS
z>O0RCcb>tX5?$%L@q<7to?aP0=!dr^F-!gy1|}=<x*19mQ+FnN9Ua~_lS{s5V>22c
zX2@>FXl}ByJA5hEc@{dd2XmHppiLpMv&X@W)f`M%JH348+2Vngq0e~(fml4f(i@ry
zzLqgh{z+Ati6Yk4+n9gw@aP+gfFhs>#3urAP5zwckw1TaUFH>^ZC7g*VFdJa&IkjX
z%Gt*?`KL0rTD&3<lL)x&bk3LrF$RQI@{a)}sfda|G!byq>73E5x7W&2^7op?wZ4i#
z5(wA>);RLR9;?jbEKkmpCy!YgOp4a&oT{wIA)w?RIczm&MIa^-;OGSQ!>}ofO_Q8|
z&%POFiq`3zF$rLd2(9EFBZ^Wn6@g$72z3J`Ww6wj{Vp7y$dTnF_I$AGmgUr`bvkD-
z_19;UM?lFxd5rW4MIh!72=(X`D#|_-yC(*sXHz1_Di8)D92D)-Ib#m|7!g>>KSmU#
zVk!c`AP_3~+XK-K9z1By@VAL$PdHsR+NW~{Q)hiPI0TgZgTqUoRs>=Kfl$Lf?BHcn
zBuAuh2wK*xS<RVO99_cEB+)*dGbX@}Q6ZK5V^nb}wjvNI1n~YLdd{%2iDS??M=RQ=
zb4IF;nr|wf>ZuA)1QY@HBEXqY9C^+eR2eg7bg!T)Sx5+|=N}Sm`jR4`2q*%vjewGW
zZ0k>@R|FIRMIa;ul>9@2O<z(36ahsbwh>VBk8S;_^ooEYpa_J7fRcYmu<1*RfFhs>
q#5Mv-{;{n;m0l501Qdag5coe_zwLlUIiykm0000<MNUMnLSTY6IH(E$

literal 0
HcmV?d00001

diff --git a/doc/source/admin/figures/keystone-federation.svg b/doc/source/admin/figures/keystone-federation.svg
new file mode 100644
index 0000000000..0400405013
--- /dev/null
+++ b/doc/source/admin/figures/keystone-federation.svg
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="383px" height="283px" version="1.1" content="&amp;lt;mxfile userAgent=&amp;quot;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36&amp;quot; version=&amp;quot;5.5.5.6&amp;quot; editor=&amp;quot;www.draw.io&amp;quot; type=&amp;quot;google&amp;quot;&amp;gt;&amp;lt;diagram&amp;gt;7Vdbbxo9EP01SOlDqmXNJTwSSNKojT4kHto+OnjYtWLWfMbc+uszxuO9cQmKiNqH8IDWZ+yZ8ZmzY2+DDWabB8Pn6ZMWoBpxJDYNNmzEcbfXwn8HbD3QuiEgMVJ4qFkAY/kHCIwIXUoBi8pEq7Wycl4FJzrLYGIrGDdGr6vTplpVo855EiIWwHjC1T76UwqbevSmTek5/BvIJA2RmxFZnvnkJTF6mVG8Rsymu583z3jwRfMXKRd6XYLYHdJqtEbP7mm2GYBy1Aba/Lr7I9Y8bwMZ5XZ6AUybIsKd9Z6hFbXZNTlYcbUkKh4FupJ265IFs5ITaMQdhc5vhVzhY+Ier15gu7A6gy/BiCFLdtqs3QaCdxSBS6KJ5nUqLYznHH2z4RoVhVhqZ4rMc8Vldv3sUvLZgbFAUjuw4x1E230APQNrXPa0gIUikjSbvbYfr4tCN0N50lKRO4Rx0laSuy74xQei+Dy6cWWN7j2mIBN9p2gcTRRfLOSkSg5spP2Fz9HXuE3D32TyvkDsab3GFcbTS7Mj/5gk9uks0RUYLbMVMAOKW7mqZnCIQoow0hJzy6uVVyJUCzdZceEzp1VlodccsdBayBFr1RxZbhKwe452Fc23/a4is0sWuftZ5ONFbv+9IlOgSpF9J0yrte78v3TN/RY7mL3mSiZZg/XdUYblAlPYQ+u8BwEG2dVZqbU6n0c6q/NbFc/CGv0CA620QSTDLo3gVCpVgyiZIWXCbl2flXgo9skwk0K4MAf7tcbZU7WTcIrzABfgCWHwdHapsyHW0EmJEr5sCw/jt1p46wNaeOd44fHF90Uah4MzGhm9wqsN1jm6Go/Kp2Ux+8D5GqAlZlJFlDxLXQqmqPi6tsb9px8u9zxlzMM5vGCI/+aQPeKqaEBXtVORENzf4Rs3iX9J7xfQdszqLeyAtg/14t4HaLt7hrZL98OyuB/FOep+t6xOvxAe+U53UnTidoHDsdUmv74e1bpHRlt6O95+Ocov06e6T6m7FdR8St3dy6gbh8V3lD/hi29VdvcK&amp;lt;/diagram&amp;gt;&amp;lt;/mxfile&amp;gt;" style="background-color: rgb(255, 255, 255);">
+   <defs>
+      <linearGradient x1="0%" y1="0%" x2="0%" y2="100%" id="mx-gradient-dae8fc-1-7ea6e0-1-s-0">
+         <stop offset="0%" style="stop-color:#DAE8FC" />
+         <stop offset="100%" style="stop-color:#7EA6E0" />
+      </linearGradient>
+   </defs>
+   <g transform="translate(0.5,0.5)">
+      <rect x="121" y="46" width="120" height="60" rx="9" ry="9" fill="url(#mx-gradient-dae8fc-1-7ea6e0-1-s-0)" stroke="#6c8ebf" pointer-events="none" />
+      <g transform="translate(140.5,62.5)">
+         <switch>
+            <foreignObject style="overflow:visible;" pointer-events="all" width="80" height="26" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility">
+               <div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; width: 82px; white-space: nowrap; word-wrap: normal; text-align: center;">
+                  <div style="display:inline-block;text-align:inherit;text-decoration:inherit;">
+                     Identity service
+                     <div>(keystone)</div>
+                  </div>
+               </div>
+            </foreignObject>
+            <text x="40" y="19" fill="#000000" text-anchor="middle" font-size="12px" font-family="Helvetica">[Not supported by viewer]</text>
+         </switch>
+      </g>
+      <path d="M 151 106 L 84.91 190.97" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="none" />
+      <path d="M 81.69 195.12 L 83.22 187.44 L 84.91 190.97 L 88.75 191.74 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="none" />
+      <path d="M 211 106 L 277.09 190.97" fill="none" stroke="#000000" stroke-miterlimit="10" pointer-events="none" />
+      <path d="M 280.31 195.12 L 273.25 191.74 L 277.09 190.97 L 278.78 187.44 Z" fill="#000000" stroke="#000000" stroke-miterlimit="10" pointer-events="none" />
+      <g transform="translate(134.5,2.5)">
+         <switch>
+            <foreignObject style="overflow:visible;" pointer-events="all" width="93" height="36" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility">
+               <div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; overflow: hidden; max-height: 36px; max-width: 116px; width: 93px; white-space: normal; word-wrap: normal; text-align: center;">
+                  <div style="display:inline-block;text-align:inherit;text-decoration:inherit;">
+                     <h2 style="text-align: center">Federation</h2>
+                  </div>
+               </div>
+            </foreignObject>
+            <text x="47" y="24" fill="#000000" text-anchor="middle" font-size="12px" font-family="Helvetica">[Not supported by viewer]</text>
+         </switch>
+      </g>
+      <g transform="translate(4.5,194.5)">
+         <switch>
+            <foreignObject style="overflow:visible;" pointer-events="all" width="143" height="82" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility">
+               <div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; overflow: hidden; max-height: 86px; max-width: 146px; width: 143px; white-space: normal; word-wrap: normal; text-align: center;">
+                  <div style="display:inline-block;text-align:inherit;text-decoration:inherit;">
+                     <h3>Service Provider (SP)</h3>
+                     <div>
+                        <ul>
+                           <li style="text-align: left">SAML v2</li>
+                           <li style="text-align: left">OpenID Connect</li>
+                        </ul>
+                     </div>
+                  </div>
+               </div>
+            </foreignObject>
+            <text x="72" y="47" fill="#000000" text-anchor="middle" font-size="12px" font-family="Helvetica">[Not supported by viewer]</text>
+         </switch>
+      </g>
+      <g transform="translate(219.5,192.5)">
+         <switch>
+            <foreignObject style="overflow:visible;" pointer-events="all" width="153" height="86" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility">
+               <div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; font-size: 12px; font-family: Helvetica; color: rgb(0, 0, 0); line-height: 1.2; vertical-align: top; overflow: hidden; max-height: 86px; max-width: 166px; width: 153px; white-space: normal; word-wrap: normal; text-align: center;">
+                  <div style="display:inline-block;text-align:inherit;text-decoration:inherit;">
+                     <h3>Identity Provider (IdP)</h3>
+                     <div style="text-align: left">
+                        <ul>
+                           <li>Keystone 2 KeyStore</li>
+                           <li>PySAML 2</li>
+                           <li>SAML</li>
+                        </ul>
+                     </div>
+                  </div>
+               </div>
+            </foreignObject>
+            <text x="77" y="49" fill="#000000" text-anchor="middle" font-size="12px" font-family="Helvetica">[Not supported by viewer]</text>
+         </switch>
+      </g>
+   </g>
+</svg>
\ No newline at end of file
diff --git a/doc/source/admin/identity-management.rst b/doc/source/admin/identity-management.rst
index 3c740b7ca1..0537627318 100644
--- a/doc/source/admin/identity-management.rst
+++ b/doc/source/admin/identity-management.rst
@@ -29,3 +29,6 @@ command-line client.
    identity-auth-token-middleware.rst
    identity-service-api-protection.rst
    identity-troubleshoot.rst
+   token-provider.rst
+   federated-identity.rst
+   caching.rst
diff --git a/doc/source/admin/token-provider.rst b/doc/source/admin/token-provider.rst
new file mode 100644
index 0000000000..8de2f09245
--- /dev/null
+++ b/doc/source/admin/token-provider.rst
@@ -0,0 +1,49 @@
+==============
+Token provider
+==============
+
+OpenStack Identity supports customizable token providers. This is specified
+in the ``[token]`` section of the configuration file. The token provider
+controls the token construction, validation, and revocation operations.
+
+You can register your own token provider by configuring the following property:
+
+.. note::
+
+   More commonly, you can use this option to change the token provider to one
+   of the ones built in. Alternatively, you can use it to configure your own
+   token provider.
+
+* ``provider`` - token provider driver.
+  Defaults to ``uuid``.
+  Implemented by :class:`keystone.token.providers.uuid.Provider`. This is the
+  entry point for the token provider in the ``keystone.token.provider``
+  namespace.
+
+Each token format uses different technologies to achieve various performance,
+scaling, and architectural requirements. The Identity service includes
+``fernet``, ``pkiz``, ``pki``, and ``uuid`` token providers.
+
+Below is the detailed list of the token formats:
+
+UUID
+ ``uuid`` tokens must be persisted (using the back end specified in the
+ ``[token] driver`` option), but do not require any extra configuration
+ or setup.
+
+PKI and PKIZ
+ ``pki`` and ``pkiz`` tokens can be validated offline, without making HTTP
+ calls to keystone. However, this format requires that certificates be
+ installed and distributed to facilitate signing tokens and later validating
+ those signatures.
+
+Fernet
+ ``fernet`` tokens do not need to be persisted at all, but require that you run
+ ``keystone-manage fernet_setup`` (also see the
+ ``keystone-manage fernet_rotate`` command).
+
+.. warning::
+
+    UUID, PKI, PKIZ, and Fernet tokens are all bearer tokens. They
+    must be protected from unnecessary disclosure to prevent unauthorized
+    access.
diff --git a/doc/source/configuration/samples/index.rst b/doc/source/configuration/samples/index.rst
new file mode 100644
index 0000000000..1d9e65d9ef
--- /dev/null
+++ b/doc/source/configuration/samples/index.rst
@@ -0,0 +1,13 @@
+==========================
+Sample configuration files
+==========================
+
+You can find the files described in this section in the
+``/etc/keystone`` directory.
+
+.. toctree::
+
+   keystone-conf.rst
+   keystone-paste-ini.rst
+   logging-conf.rst
+   policy-json.rst
diff --git a/doc/source/configuration/samples/keystone-conf.rst b/doc/source/configuration/samples/keystone-conf.rst
new file mode 100644
index 0000000000..683216eb17
--- /dev/null
+++ b/doc/source/configuration/samples/keystone-conf.rst
@@ -0,0 +1,8 @@
+=============
+keystone.conf
+=============
+
+Use the ``keystone.conf`` file to configure most Identity service
+options:
+
+.. literalinclude:: ../../_static/keystone.conf.sample
diff --git a/doc/source/configuration/samples/keystone-paste-ini.rst b/doc/source/configuration/samples/keystone-paste-ini.rst
new file mode 100644
index 0000000000..e3c844b15b
--- /dev/null
+++ b/doc/source/configuration/samples/keystone-paste-ini.rst
@@ -0,0 +1,8 @@
+==================
+keystone-paste.ini
+==================
+
+Use the ``keystone-paste.ini`` file to configure the Web Service Gateway
+Interface (WSGI) middleware pipeline for the Identity service:
+
+.. literalinclude:: ../../../../etc/keystone-paste.ini
diff --git a/doc/source/configuration/samples/logging-conf.rst b/doc/source/configuration/samples/logging-conf.rst
new file mode 100644
index 0000000000..4d4232b617
--- /dev/null
+++ b/doc/source/configuration/samples/logging-conf.rst
@@ -0,0 +1,11 @@
+============
+logging.conf
+============
+
+You can specify a special logging configuration file in the ``keystone.conf``
+configuration file. For example, ``/etc/keystone/logging.conf``.
+
+For details, see the `Python logging module documentation
+<https://docs.python.org/2/howto/logging.html#configuring-logging>`__.
+
+.. literalinclude:: ../../../../etc/logging.conf.sample
diff --git a/doc/source/configuration/samples/policy-json.rst b/doc/source/configuration/samples/policy-json.rst
new file mode 100644
index 0000000000..02b7bb371b
--- /dev/null
+++ b/doc/source/configuration/samples/policy-json.rst
@@ -0,0 +1,8 @@
+===========
+policy.json
+===========
+
+Use the ``policy.json`` file to define additional access controls that apply to
+the Identity service:
+
+.. literalinclude:: ../../_static/keystone.policy.yaml.sample
diff --git a/doc/source/index.rst b/doc/source/index.rst
index a2547adc65..a67bf8eab0 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -96,6 +96,14 @@ Administrator Guides
 
     admin/identity-management.rst
 
+Configuration Options
+~~~~~~~~~~~~~~~~~~~~~
+
+.. toctree::
+    :maxdepth: 2
+
+    configuration/samples/index.rst
+
 API Documentation
 ~~~~~~~~~~~~~~~~~