rubick/rubick/schemas/keystone/2013.1.4.yml

project: keystone
version: '2013.1.4'
parameters:

  - name: admin_token
    type: string
    default: 'ADMIN'
    help: "A 'shared secret' between keystone and other openstack services"

  - name: bind_host
    type: host
    default: '0.0.0.0'
    help: 'The IP address of the network interface to listen on'

  - name: public_port
    type: port
    default: 5000
    help: 'The port number which the public service listens on'

  - name: admin_port
    type: port
    default: 35357
    help: 'The port number which the public admin listens on'

  - name: public_endpoint
    type: string
    default: 'http://localhost:%(public_port)s/'
    help: 'The base endpoint URLs for keystone that are advertised to clients (NOTE: this does NOT affect how keystone listens for connections)'

  - name: admin_endpoint
    type: string
    default: 'http://localhost:%(admin_port)s/'

  - name: compute_port
    type: port
    default: 8774
    help: 'The port number which the OpenStack Compute service listens on'

  - name: policy_file
    type: string
    default: 'policy.json'
    help: 'Path to your policy definition containing identity actions'

  - name: policy_default_rule
    type: string
    default: 'admin_required'
    help: 'Rule to check if no matching policy definition is found FIXME(dolph): This should really be defined as [policy] default_rule'

  - name: member_role_id
    type: string
    default: '9fe2ff9ee4384b1894a90878d3e92bab'
    help: 'Role for migrating membership relationships During a SQL upgrade, the following values will be used to create a new role that will replace records in the user_tenant_membership table with explicit role grants.  After migration, the member_role_id will be used in the API add_user_to_project, and member_role_name will be ignored.'

  - name: member_role_name
    type: string
    default: '_member_'

  - name: max_request_body_size
    type: integer
    default: 114688
    help: 'enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)'

  - name: max_param_size
    type: integer
    default: 64
    help: 'limit the sizes of user & tenant ID/names'

  - name: max_token_size
    type: integer
    default: 8192
    help: 'similar to max_param_size, but provides an exception for token values'

  - name: debug
    type: boolean
    default: False
    help: '=== Logging Options === Print debugging output (includes plaintext request logging, potentially including passwords)'

  - name: verbose
    type: boolean
    default: False
    help: 'Print more verbose output'

  - name: log_file
    type: string
    default: 'keystone.log'
    help: 'Name of log file to output to. If not set, logging will go to stdout.'

  - name: log_dir
    type: string
    default: '/var/log/keystone'
    help: 'The directory to keep log files in (will be prepended to --logfile)'

  - name: use_syslog
    type: boolean
    default: False
    help: 'Use syslog for logging.'

  - name: syslog_log_facility
    type: string
    default: 'LOG_USER'
    help: 'syslog facility to receive log lines'

  - name: log_config
    type: string
    default: 'logging.conf'
    help: 'If this option is specified, the logging configuration file specified is used and overrides any other logging options specified. Please see the Python logging module documentation for details on logging configuration files.'

  - name: log_format
    type: string
    default: '%(asctime)s %(levelname)8s [%(name)s] %(message)s'
    help: 'A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes.'

  - name: log_date_format
    type: string
    default: '%Y-%m-%d %H:%M:%S'
    help: 'Format string for %(asctime)s in log records.'

  - name: onready
    type: string
    default: 'keystone.common.systemd'
    help: 'onready allows you to send a notification when the process is ready to serve For example, to have it notify using systemd, one could set shell command: onready = systemd-notify --ready or a module with notify() method:'

  - name: default_notification_level
    type: string
    default: 'INFO'
    help: 'Default notification level for outgoing notifications'

  - name: default_publisher_id
    type: string
    default: ''
    help: 'Default publisher_id for outgoing notifications; included in the payload.'

  - name: rpc_backend
    type: string
    default: 'keystone.openstack.common.rpc.impl_kombu'
    help: 'The messaging module to use, defaults to kombu.'

  - name: rpc_thread_pool_size
    type: integer
    default: 64
    help: 'Size of RPC thread pool'

  - name: rpc_conn_pool_size
    type: integer
    default: 30
    help: 'Size of RPC connection pool'

  - name: rpc_response_timeout
    type: integer
    default: 60
    help: 'Seconds to wait for a response from call or multicall'

  - name: rpc_cast_timeout
    type: integer
    default: 30
    help: 'Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.'

  - name: fake_rabbit
    type: boolean
    default: False
    help: 'If True, use a fake RabbitMQ provider'

  - name: control_exchange
    type: string
    default: 'openstack'
    help: 'AMQP exchange to connect to if using RabbitMQ or Qpid'

  - name: sql.connection
    type: string
    default: 'sqlite:///keystone.db'
    help: 'The SQLAlchemy connection string used to connect to the database'

  - name: sql.idle_timeout
    type: integer
    default: 200
    help: 'the timeout before idle sql connections are reaped'

  - name: oauth1.driver
    type: string
    default: 'keystone.contrib.oauth1.backends.sql.OAuth1'

  - name: identity.default_domain_id
    type: string
    default: 'default'
    help: 'This references the domain to use for all Identity API v2 requests (which are not aware of domains). A domain with this ID will be created for you by keystone-manage db_sync in migration 008.  The domain referenced by this ID cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. There is nothing special about this domain, other than the fact that it must exist to order to maintain support for your v2 clients.'

  - name: identity.domain_specific_drivers_enabled
    type: boolean
    default: False
    help: 'A subset (or all) of domains can have their own identity driver, each with their own partial configuration file in a domain configuration directory. Only'

  - name: identity.domain_config_dir
    type: string
    default: '/etc/keystone/domains'

  - name: identity.max_password_length
    type: integer
    default: 4096
    help: 'Maximum supported length for user passwords; decrease to improve performance.'

  - name: cache.enabled
    type: boolean
    default: False
    help: 'Global cache functionality toggle.'

  - name: catalog.template_file
    type: string
    default: 'default_catalog.templates'

  - name: endpoint_filter.return_all_endpoints_if_no_filter
    type: boolean
    default: True

  - name: token.provider
    type: string
    default: ''
    help: 'Controls the token construction, validation, and revocation operations. Core providers are keystone.token.providers.[pki|uuid].Provider'

  - name: token.expiration
    type: integer
    default: 86400
    help: 'Amount of time a token should remain valid (in seconds)'

  - name: token.bind
    type: string
    default: ''
    help: 'External auth mechanisms that should add bind information to token. eg kerberos, x509'

  - name: token.enforce_token_bind
    type: string
    default: 'permissive'
    help: 'Enforcement policy on tokens presented to keystone with bind information. One of disabled, permissive, strict, required or a specifically required bind mode e.g. kerberos or x509 to require binding to that authentication.'

  - name: assignment.caching
    type: boolean
    default: True
    help: 'Assignment specific caching toggle. This has no effect unless the global caching option is set to True'

  - name: assignment.cache_time
    type: integer
    default: 0
    help: 'Assignment specific cache time-to-live (TTL) in seconds.'

  - name: token.revocation_cache_time
    type: integer
    default: 3600
    help: 'Revocation-List specific cache time-to-live (TTL) in seconds.'

  - name: cache.config_prefix
    type: string
    default: 'cache.keystone'
    help: 'Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name'

  - name: cache.backend
    type: string
    default: 'keystone.common.cache.noop'
    help: 'Dogpile.cache backend module. It is recommended that Memcache (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production deployments.  Small workloads (single process) like devstack can use the dogpile.cache.memory backend.'

  - name: cache.backend_argument
    type: string
    default: ''
    help: 'Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: <argname>:<value>'

  - name: cache.proxies
    type: string
    default: ''
    help: 'Proxy Classes to import that will affect the way the dogpile.cache backend functions.  See the dogpile.cache documentation on changing-backend-behavior. Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2'

  - name: cache.use_key_mangler
    type: boolean
    default: True
    help: 'Use a key-mangling function (sha1) to ensure fixed length cache-keys. This is toggle-able for debugging purposes, it is highly recommended to always leave this set to True.'

  - name: cache.debug_cache_backend
    type: boolean
    default: False
    help: 'Extra debugging from the cache backend (cache keys, get/set/delete/etc calls) This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values.  Typically this should be left set to False.'

  - name: oauth1.request_token_duration
    type: integer
    default: 28800
    help: 'The Identity service may include expire attributes. If no such attribute is included, then the token lasts indefinitely. Specify how quickly the request token will expire (in seconds)'

  - name: oauth1.access_token_duration
    type: integer
    default: 86400
    help: 'Specify how quickly the access token will expire (in seconds)'

  - name: ssl.enable
    type: boolean
    default: True

  - name: signing.certfile
    type: string
    default: '/etc/keystone/pki/certs/signing_cert.pem'

  - name: signing.keyfile
    type: string
    default: '/etc/keystone/pki/private/signing_key.pem'

  - name: signing.ca_certs
    type: string
    default: '/etc/keystone/pki/certs/cacert.pem'

  - name: signing.ca_key
    type: string
    default: '/etc/keystone/pki/private/cakey.pem'

  - name: signing.key_size
    type: integer
    default: 2048

  - name: signing.valid_days
    type: integer
    default: 3650

  - name: ssl.cert_required
    type: boolean
    default: False

  - name: signing.cert_subject
    type: string
    default: '/CUS/STUnset/LUnset/OUnset/CNwww.example.com'

  - name: signing.token_format
    type: string
    default: ''
    help: 'Deprecated in favor of provider in the [token] section Allowed values are PKI or UUID'

  - name: ldap.url
    type: string
    default: 'ldap://localhost'

  - name: ldap.user
    type: string
    default: 'dcManager,dcexample,dccom'

  - name: auth.password
    type: string
    default: 'keystone.auth.plugins.password.Password'

  - name: ldap.suffix
    type: string
    default: 'cnexample,cncom'

  - name: ldap.use_dumb_member
    type: boolean
    default: False

  - name: ldap.allow_subtree_delete
    type: boolean
    default: False

  - name: ldap.dumb_member
    type: string
    default: 'cndumb,dcexample,dccom'

  - name: ldap.page_size
    type: integer
    default: 0
    help: "Maximum results per page; a value of zero ('0') disables paging (default)"

  - name: ldap.alias_dereferencing
    type: string
    default: 'default'
    help: "The LDAP dereferencing option for queries. This can be either 'never', 'searching', 'always', 'finding' or 'default'. The 'default' option falls back to using default dereferencing configured by your ldap.conf."

  - name: ldap.query_scope
    type: string
    default: 'one'
    help: "The LDAP scope for queries, this can be either 'one' (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)"

  - name: ldap.user_tree_dn
    type: string
    default: 'ouUsers,dcexample,dccom'

  - name: ldap.user_filter
    type: string
    default: ''

  - name: ldap.user_objectclass
    type: string
    default: 'inetOrgPerson'

  - name: ldap.user_domain_id_attribute
    type: string
    default: 'businessCategory'

  - name: ldap.user_id_attribute
    type: string
    default: 'cn'

  - name: ldap.user_name_attribute
    type: string
    default: 'sn'

  - name: ldap.user_mail_attribute
    type: string
    default: 'email'

  - name: ldap.user_pass_attribute
    type: string
    default: 'userPassword'

  - name: ldap.user_enabled_attribute
    type: string
    default: 'enabled'

  - name: ldap.user_enabled_mask
    type: integer
    default: 0

  - name: ldap.user_enabled_default
    type: boolean
    default: True

  - name: ldap.user_attribute_ignore
    type: string
    default: 'tenant_id,tenants'

  - name: ldap.user_allow_create
    type: boolean
    default: True

  - name: ldap.user_allow_update
    type: boolean
    default: True

  - name: ldap.user_allow_delete
    type: boolean
    default: True

  - name: ldap.user_enabled_emulation
    type: boolean
    default: False

  - name: ldap.user_enabled_emulation_dn
    type: string
    default: ''

  - name: ldap.tenant_tree_dn
    type: string
    default: 'ouProjects,dcexample,dccom'

  - name: ldap.tenant_filter
    type: string
    default: ''

  - name: ldap.tenant_objectclass
    type: string
    default: 'groupOfNames'

  - name: ldap.tenant_domain_id_attribute
    type: string
    default: 'businessCategory'

  - name: ldap.tenant_id_attribute
    type: string
    default: 'cn'

  - name: ldap.tenant_member_attribute
    type: string
    default: 'member'

  - name: ldap.tenant_name_attribute
    type: string
    default: 'ou'

  - name: ldap.tenant_desc_attribute
    type: string
    default: 'desc'

  - name: ldap.tenant_enabled_attribute
    type: string
    default: 'enabled'

  - name: ldap.tenant_attribute_ignore
    type: string
    default: ''

  - name: ldap.tenant_allow_create
    type: boolean
    default: True

  - name: ldap.tenant_allow_update
    type: boolean
    default: True

  - name: ldap.tenant_allow_delete
    type: boolean
    default: True

  - name: ldap.tenant_enabled_emulation
    type: boolean
    default: False

  - name: ldap.tenant_enabled_emulation_dn
    type: string
    default: ''

  - name: ldap.role_tree_dn
    type: string
    default: 'ouRoles,dcexample,dccom'

  - name: ldap.role_filter
    type: string
    default: ''

  - name: ldap.role_objectclass
    type: string
    default: 'organizationalRole'

  - name: ldap.role_id_attribute
    type: string
    default: 'cn'

  - name: ldap.role_name_attribute
    type: string
    default: 'ou'

  - name: ldap.role_member_attribute
    type: string
    default: 'roleOccupant'

  - name: ldap.role_attribute_ignore
    type: string
    default: ''

  - name: ldap.role_allow_create
    type: boolean
    default: True

  - name: ldap.role_allow_update
    type: boolean
    default: True

  - name: ldap.role_allow_delete
    type: boolean
    default: True

  - name: ldap.group_tree_dn
    type: string
    default: ''

  - name: ldap.group_filter
    type: string
    default: ''

  - name: ldap.group_objectclass
    type: string
    default: 'groupOfNames'

  - name: ldap.group_id_attribute
    type: string
    default: 'cn'

  - name: ldap.group_name_attribute
    type: string
    default: 'ou'

  - name: ldap.group_member_attribute
    type: string
    default: 'member'

  - name: ldap.group_desc_attribute
    type: string
    default: 'desc'

  - name: ldap.group_attribute_ignore
    type: string
    default: ''

  - name: ldap.group_allow_create
    type: boolean
    default: True

  - name: ldap.group_allow_update
    type: boolean
    default: True

  - name: ldap.group_allow_delete
    type: boolean
    default: True

  - name: ldap.use_tls
    type: boolean
    default: False
    help: 'ldap TLS options if both tls_cacertfile and tls_cacertdir are set then tls_cacertfile will be used and tls_cacertdir is ignored valid options for tls_req_cert are demand, never, and allow'

  - name: ldap.tls_cacertfile
    type: string
    default: ''

  - name: ldap.tls_cacertdir
    type: string
    default: ''

  - name: ldap.tls_req_cert
    type: string
    default: 'demand'

  - name: ldap.user_additional_attribute_mapping
    type: string
    default: ''

  - name: ldap.domain_additional_attribute_mapping
    type: string
    default: ''

  - name: ldap.group_additional_attribute_mapping
    type: string
    default: ''

  - name: ldap.role_additional_attribute_mapping
    type: string
    default: ''

  - name: ldap.project_additional_attribute_mapping
    type: string
    default: ''

  - name: auth.methods
    type: string
    default: 'external,password,token,oauth1'

  - name: auth.external
    type: string
    default: 'keystone.auth.plugins.external.ExternalDefault'

  - name: auth.token
    type: string
    default: 'keystone.auth.plugins.token.Token'

  - name: auth.oauth1
    type: string
    default: 'keystone.auth.plugins.oauth1.OAuth'

  - name: paste_deploy.config_file
    type: string
    default: 'keystone-paste.ini'
    help: 'Name of the paste configuration file that defines the available pipelines'