1 [DEFAULT] |
1 [DEFAULT] |
2 |
2 |
3 # |
3 # |
4 # From keystone |
4 # From keystone |
5 # |
5 # |
6 |
6 |
7 # A "shared secret" that can be used to bootstrap Keystone. This "token" does |
7 # A "shared secret" that can be used to bootstrap Keystone. This "token" does |
8 # not represent a user, and carries no explicit authorization. To disable in |
8 # not represent a user, and carries no explicit authorization. To disable in |
9 # production (highly recommended), remove AdminTokenAuthMiddleware from your |
9 # production (highly recommended), remove AdminTokenAuthMiddleware from your |
10 # paste application pipelines (for example, in keystone-paste.ini). (string |
10 # paste application pipelines (for example, in keystone-paste.ini). (string |
11 # value) |
11 # value) |
12 #admin_token = ADMIN |
12 #admin_token = ADMIN |
13 |
13 |
14 # (Deprecated) The port which the OpenStack Compute service listens on. This |
14 # (Deprecated) The port which the OpenStack Compute service listens on. This |
15 # option was only used for string replacement in the templated catalog backend. |
15 # option was only used for string replacement in the templated catalog backend. |
16 # Templated catalogs should replace the "$(compute_port)s" substitution with |
16 # Templated catalogs should replace the "$(compute_port)s" substitution with |
17 # the static port of the compute service. As of Juno, this option is deprecated |
17 # the static port of the compute service. As of Juno, this option is deprecated |
18 # and will be removed in the L release. (integer value) |
18 # and will be removed in the L release. (integer value) |
19 #compute_port = 8774 |
19 #compute_port = 8774 |
20 |
20 |
21 # The base public endpoint URL for Keystone that is advertised to clients |
21 # The base public endpoint URL for Keystone that is advertised to clients |
22 # (NOTE: this does NOT affect how Keystone listens for connections). Defaults |
22 # (NOTE: this does NOT affect how Keystone listens for connections). Defaults |
23 # to the base host URL of the request. E.g. a request to |
23 # to the base host URL of the request. E.g. a request to |
24 # http://server:5000/v3/users will default to http://server:5000. You should |
24 # http://server:5000/v3/users will default to http://server:5000. You should |
25 # only need to set this value if the base URL contains a path (e.g. /prefix/v3) |
25 # only need to set this value if the base URL contains a path (e.g. /prefix/v3) |
26 # or the endpoint should be found on a different server. (string value) |
26 # or the endpoint should be found on a different server. (string value) |
27 #public_endpoint = <None> |
27 #public_endpoint = <None> |
28 |
28 |
29 # The base admin endpoint URL for Keystone that is advertised to clients (NOTE: |
29 # The base admin endpoint URL for Keystone that is advertised to clients (NOTE: |
30 # this does NOT affect how Keystone listens for connections). Defaults to the |
30 # this does NOT affect how Keystone listens for connections). Defaults to the |
31 # base host URL of the request. E.g. a request to http://server:35357/v3/users |
31 # base host URL of the request. E.g. a request to http://server:35357/v3/users |
32 # will default to http://server:35357. You should only need to set this value |
32 # will default to http://server:35357. You should only need to set this value |
33 # if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be |
33 # if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be |
34 # found on a different server. (string value) |
34 # found on a different server. (string value) |
35 #admin_endpoint = <None> |
35 #admin_endpoint = <None> |
36 |
36 |
37 # Maximum depth of the project hierarchy. WARNING: setting it to a large value |
37 # Maximum depth of the project hierarchy. WARNING: setting it to a large value |
38 # may adversely impact performance. (integer value) |
38 # may adversely impact performance. (integer value) |
39 #max_project_tree_depth = 5 |
39 #max_project_tree_depth = 5 |
40 |
40 |
41 # Limit the sizes of user & project ID/names. (integer value) |
41 # Limit the sizes of user & project ID/names. (integer value) |
42 #max_param_size = 64 |
42 #max_param_size = 64 |
43 |
43 |
44 # Similar to max_param_size, but provides an exception for token values. |
44 # Similar to max_param_size, but provides an exception for token values. |
45 # (integer value) |
45 # (integer value) |
46 #max_token_size = 8192 |
46 #max_token_size = 8192 |
47 |
47 |
48 # Similar to the member_role_name option, this represents the default role ID |
48 # Similar to the member_role_name option, this represents the default role ID |
49 # used to associate users with their default projects in the v2 API. This will |
49 # used to associate users with their default projects in the v2 API. This will |
50 # be used as the explicit role where one is not specified by the v2 API. |
50 # be used as the explicit role where one is not specified by the v2 API. |
51 # (string value) |
51 # (string value) |
52 #member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab |
52 #member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab |
53 |
53 |
54 # This is the role name used in combination with the member_role_id option; see |
54 # This is the role name used in combination with the member_role_id option; see |
55 # that option for more detail. (string value) |
55 # that option for more detail. (string value) |
56 #member_role_name = _member_ |
56 #member_role_name = _member_ |
57 |
57 |
58 # The value passed as the keyword "rounds" to passlib's encrypt method. |
58 # The value passed as the keyword "rounds" to passlib's encrypt method. |
59 # (integer value) |
59 # (integer value) |
60 #crypt_strength = 40000 |
60 #crypt_strength = 40000 |
61 |
61 |
62 # The maximum number of entities that will be returned in a collection, with no |
62 # The maximum number of entities that will be returned in a collection, with no |
63 # limit set by default. This global limit may be then overridden for a specific |
63 # limit set by default. This global limit may be then overridden for a specific |
64 # driver, by specifying a list_limit in the appropriate section (e.g. |
64 # driver, by specifying a list_limit in the appropriate section (e.g. |
65 # [assignment]). (integer value) |
65 # [assignment]). (integer value) |
66 #list_limit = <None> |
66 #list_limit = <None> |
67 |
67 |
68 # Set this to false if you want to enable the ability for user, group and |
68 # Set this to false if you want to enable the ability for user, group and |
69 # project entities to be moved between domains by updating their domain_id. |
69 # project entities to be moved between domains by updating their domain_id. |
70 # Allowing such movement is not recommended if the scope of a domain admin is |
70 # Allowing such movement is not recommended if the scope of a domain admin is |
71 # being restricted by use of an appropriate policy file (see |
71 # being restricted by use of an appropriate policy file (see |
72 # policy.v3cloudsample as an example). (boolean value) |
72 # policy.v3cloudsample as an example). (boolean value) |
73 #domain_id_immutable = true |
73 #domain_id_immutable = true |
74 |
74 |
75 # If set to true, strict password length checking is performed for password |
75 # If set to true, strict password length checking is performed for password |
76 # manipulation. If a password exceeds the maximum length, the operation will |
76 # manipulation. If a password exceeds the maximum length, the operation will |
77 # fail with an HTTP 403 Forbidden error. If set to false, passwords are |
77 # fail with an HTTP 403 Forbidden error. If set to false, passwords are |
78 # automatically truncated to the maximum length. (boolean value) |
78 # automatically truncated to the maximum length. (boolean value) |
79 #strict_password_check = false |
79 #strict_password_check = false |
80 |
80 |
81 # The HTTP header used to determine the scheme for the original request, even |
81 # The HTTP header used to determine the scheme for the original request, even |
82 # if it was removed by an SSL terminating proxy. Typical value is |
82 # if it was removed by an SSL terminating proxy. Typical value is |
83 # "HTTP_X_FORWARDED_PROTO". (string value) |
83 # "HTTP_X_FORWARDED_PROTO". (string value) |
84 #secure_proxy_ssl_header = <None> |
84 #secure_proxy_ssl_header = <None> |
85 |
85 |
86 # |
86 # |
87 # From keystone.notifications |
87 # From keystone.notifications |
88 # |
88 # |
89 |
89 |
90 # Default publisher_id for outgoing notifications (string value) |
90 # Default publisher_id for outgoing notifications (string value) |
91 #default_publisher_id = <None> |
91 #default_publisher_id = <None> |
92 |
92 |
93 # Define the notification format for Identity Service events. A "basic" |
93 # Define the notification format for Identity Service events. A "basic" |
94 # notification has information about the resource being operated on. A "cadf" |
94 # notification has information about the resource being operated on. A "cadf" |
95 # notification has the same information, as well as information about the |
95 # notification has the same information, as well as information about the |
96 # initiator of the event. Valid options are: basic and cadf (string value) |
96 # initiator of the event. Valid options are: basic and cadf (string value) |
97 #notification_format = basic |
97 #notification_format = basic |
98 |
98 |
99 # |
99 # |
100 # From keystone.openstack.common.eventlet_backdoor |
100 # From keystone.openstack.common.eventlet_backdoor |
101 # |
101 # |
102 |
102 |
103 # Enable eventlet backdoor. Acceptable values are 0, <port>, and |
103 # Enable eventlet backdoor. Acceptable values are 0, <port>, and |
104 # <start>:<end>, where 0 results in listening on a random tcp port number; |
104 # <start>:<end>, where 0 results in listening on a random tcp port number; |
105 # <port> results in listening on the specified port number (and not enabling |
105 # <port> results in listening on the specified port number (and not enabling |
106 # backdoor if that port is in use); and <start>:<end> results in listening on |
106 # backdoor if that port is in use); and <start>:<end> results in listening on |
107 # the smallest unused port number within the specified range of port numbers. |
107 # the smallest unused port number within the specified range of port numbers. |
108 # The chosen port is displayed in the service's log file. (string value) |
108 # The chosen port is displayed in the service's log file. (string value) |
109 #backdoor_port = <None> |
109 #backdoor_port = <None> |
110 |
110 |
111 # |
111 # |
112 # From oslo.log |
112 # From oslo.log |
113 # |
113 # |
114 |
114 |
115 # Print debugging output (set logging level to DEBUG instead of default WARNING |
115 # Print debugging output (set logging level to DEBUG instead of default WARNING |
116 # level). (boolean value) |
116 # level). (boolean value) |
117 #debug = false |
117 #debug = false |
118 |
118 |
119 # Print more verbose output (set logging level to INFO instead of default |
119 # Print more verbose output (set logging level to INFO instead of default |
120 # WARNING level). (boolean value) |
120 # WARNING level). (boolean value) |
121 #verbose = false |
121 #verbose = false |
122 |
122 |
123 # The name of a logging configuration file. This file is appended to any |
123 # The name of a logging configuration file. This file is appended to any |
124 # existing logging configuration files. For details about logging configuration |
124 # existing logging configuration files. For details about logging configuration |
125 # files, see the Python logging module documentation. (string value) |
125 # files, see the Python logging module documentation. (string value) |
126 # Deprecated group/name - [DEFAULT]/log_config |
126 # Deprecated group/name - [DEFAULT]/log_config |
127 #log_config_append = <None> |
127 #log_config_append = <None> |
128 |
128 |
129 # DEPRECATED. A logging.Formatter log message format string which may use any |
129 # DEPRECATED. A logging.Formatter log message format string which may use any |
130 # of the available logging.LogRecord attributes. This option is deprecated. |
130 # of the available logging.LogRecord attributes. This option is deprecated. |
131 # Please use logging_context_format_string and logging_default_format_string |
131 # Please use logging_context_format_string and logging_default_format_string |
132 # instead. (string value) |
132 # instead. (string value) |
133 #log_format = <None> |
133 #log_format = <None> |
134 |
134 |
135 # Format string for %%(asctime)s in log records. Default: %(default)s . (string |
135 # Format string for %%(asctime)s in log records. Default: %(default)s . (string |
136 # value) |
136 # value) |
137 #log_date_format = %Y-%m-%d %H:%M:%S |
137 #log_date_format = %Y-%m-%d %H:%M:%S |
138 |
138 |
139 # (Optional) Name of log file to output to. If no default is set, logging will |
139 # (Optional) Name of log file to output to. If no default is set, logging will |
140 # go to stdout. (string value) |
140 # go to stdout. (string value) |
141 # Deprecated group/name - [DEFAULT]/logfile |
141 # Deprecated group/name - [DEFAULT]/logfile |
142 #log_file = <None> |
142 #log_file = <None> |
143 |
143 |
144 # (Optional) The base directory used for relative --log-file paths. (string |
144 # (Optional) The base directory used for relative --log-file paths. (string |
145 # value) |
145 # value) |
146 # Deprecated group/name - [DEFAULT]/logdir |
146 # Deprecated group/name - [DEFAULT]/logdir |
147 #log_dir = <None> |
147 #log_dir = <None> |
148 |
148 |
149 # Use syslog for logging. Existing syslog format is DEPRECATED during I, and |
149 # Use syslog for logging. Existing syslog format is DEPRECATED during I, and |
150 # will change in J to honor RFC5424. (boolean value) |
150 # will change in J to honor RFC5424. (boolean value) |
151 #use_syslog = false |
151 #use_syslog = false |
152 |
152 |
153 # (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, |
153 # (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, |
154 # prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The |
154 # prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The |
155 # format without the APP-NAME is deprecated in I, and will be removed in J. |
155 # format without the APP-NAME is deprecated in I, and will be removed in J. |
156 # (boolean value) |
156 # (boolean value) |
157 #use_syslog_rfc_format = false |
157 #use_syslog_rfc_format = false |
158 |
158 |
159 # Syslog facility to receive log lines. (string value) |
159 # Syslog facility to receive log lines. (string value) |
160 #syslog_log_facility = LOG_USER |
160 #syslog_log_facility = LOG_USER |
161 |
161 |
162 # Log output to standard error. (boolean value) |
162 # Log output to standard error. (boolean value) |
163 #use_stderr = true |
163 #use_stderr = true |
164 |
164 |
165 # Format string to use for log messages with context. (string value) |
165 # Format string to use for log messages with context. (string value) |
166 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s |
166 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s |
167 |
167 |
168 # Format string to use for log messages without context. (string value) |
168 # Format string to use for log messages without context. (string value) |
169 #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s |
169 #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s |
170 |
170 |
171 # Data to append to log format when level is DEBUG. (string value) |
171 # Data to append to log format when level is DEBUG. (string value) |
172 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d |
172 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d |
173 |
173 |
174 # Prefix each line of exception output with this format. (string value) |
174 # Prefix each line of exception output with this format. (string value) |
175 #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s |
175 #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s |
176 |
176 |
177 # List of logger=LEVEL pairs. (list value) |
177 # List of logger=LEVEL pairs. (list value) |
178 #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN |
178 #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN |
179 |
179 |
180 # Enables or disables publication of error events. (boolean value) |
180 # Enables or disables publication of error events. (boolean value) |
181 #publish_errors = false |
181 #publish_errors = false |
182 |
182 |
183 # Enables or disables fatal status of deprecations. (boolean value) |
183 # Enables or disables fatal status of deprecations. (boolean value) |
184 #fatal_deprecations = false |
184 #fatal_deprecations = false |
185 |
185 |
186 # The format for an instance that is passed with the log message. (string |
186 # The format for an instance that is passed with the log message. (string |
187 # value) |
187 # value) |
188 #instance_format = "[instance: %(uuid)s] " |
188 #instance_format = "[instance: %(uuid)s] " |
189 |
189 |
190 # The format for an instance UUID that is passed with the log message. (string |
190 # The format for an instance UUID that is passed with the log message. (string |
191 # value) |
191 # value) |
192 #instance_uuid_format = "[instance: %(uuid)s] " |
192 #instance_uuid_format = "[instance: %(uuid)s] " |
193 |
193 |
194 # |
194 # |
195 # From oslo.messaging |
195 # From oslo.messaging |
196 # |
196 # |
197 |
197 |
198 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. |
198 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. |
199 # The "host" option should point or resolve to this address. (string value) |
199 # The "host" option should point or resolve to this address. (string value) |
200 #rpc_zmq_bind_address = * |
200 #rpc_zmq_bind_address = * |
201 |
201 |
202 # MatchMaker driver. (string value) |
202 # MatchMaker driver. (string value) |
203 #rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost |
203 #rpc_zmq_matchmaker = local |
204 |
204 |
205 # ZeroMQ receiver listening port. (integer value) |
205 # ZeroMQ receiver listening port. (integer value) |
206 #rpc_zmq_port = 9501 |
206 #rpc_zmq_port = 9501 |
207 |
207 |
208 # Number of ZeroMQ contexts, defaults to 1. (integer value) |
208 # Number of ZeroMQ contexts, defaults to 1. (integer value) |
209 #rpc_zmq_contexts = 1 |
209 #rpc_zmq_contexts = 1 |
210 |
210 |
211 # Maximum number of ingress messages to locally buffer per topic. Default is |
211 # Maximum number of ingress messages to locally buffer per topic. Default is |
212 # unlimited. (integer value) |
212 # unlimited. (integer value) |
213 #rpc_zmq_topic_backlog = <None> |
213 #rpc_zmq_topic_backlog = <None> |
214 |
214 |
215 # Directory for holding IPC sockets. (string value) |
215 # Directory for holding IPC sockets. (string value) |
216 #rpc_zmq_ipc_dir = /var/run/openstack |
216 #rpc_zmq_ipc_dir = /var/run/openstack |
217 |
217 |
218 # Name of this node. Must be a valid hostname, FQDN, or IP address. Must match |
218 # Name of this node. Must be a valid hostname, FQDN, or IP address. Must match |
219 # "host" option, if running Nova. (string value) |
219 # "host" option, if running Nova. (string value) |
220 #rpc_zmq_host = localhost |
220 #rpc_zmq_host = localhost |
221 |
221 |
222 # Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. |
222 # Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. |
223 # (integer value) |
223 # (integer value) |
224 #rpc_cast_timeout = 30 |
224 #rpc_cast_timeout = 30 |
225 |
225 |
226 # Heartbeat frequency. (integer value) |
226 # Heartbeat frequency. (integer value) |
227 #matchmaker_heartbeat_freq = 300 |
227 #matchmaker_heartbeat_freq = 300 |
228 |
228 |
229 # Heartbeat time-to-live. (integer value) |
229 # Heartbeat time-to-live. (integer value) |
230 #matchmaker_heartbeat_ttl = 600 |
230 #matchmaker_heartbeat_ttl = 600 |
231 |
231 |
232 # Size of RPC thread pool. (integer value) |
232 # Size of RPC thread pool. (integer value) |
233 #rpc_thread_pool_size = 64 |
233 #rpc_thread_pool_size = 64 |
234 |
234 |
235 # Driver or drivers to handle sending notifications. (multi valued) |
235 # Driver or drivers to handle sending notifications. (multi valued) |
236 #notification_driver = |
236 #notification_driver = |
237 |
237 |
238 # AMQP topic used for OpenStack notifications. (list value) |
238 # AMQP topic used for OpenStack notifications. (list value) |
239 # Deprecated group/name - [rpc_notifier2]/topics |
239 # Deprecated group/name - [rpc_notifier2]/topics |
240 #notification_topics = notifications |
240 #notification_topics = notifications |
241 |
241 |
242 # Seconds to wait for a response from a call. (integer value) |
242 # Seconds to wait for a response from a call. (integer value) |
243 #rpc_response_timeout = 60 |
243 #rpc_response_timeout = 60 |
244 |
244 |
245 # A URL representing the messaging driver to use and its full configuration. If |
245 # A URL representing the messaging driver to use and its full configuration. If |
246 # not set, we fall back to the rpc_backend option and driver specific |
246 # not set, we fall back to the rpc_backend option and driver specific |
247 # configuration. (string value) |
247 # configuration. (string value) |
248 #transport_url = <None> |
248 #transport_url = <None> |
249 |
249 |
250 # The messaging driver to use, defaults to rabbit. Other drivers include qpid |
250 # The messaging driver to use, defaults to rabbit. Other drivers include qpid |
251 # and zmq. (string value) |
251 # and zmq. (string value) |
252 #rpc_backend = rabbit |
252 #rpc_backend = rabbit |
253 |
253 |
254 # The default exchange under which topics are scoped. May be overridden by an |
254 # The default exchange under which topics are scoped. May be overridden by an |
255 # exchange name specified in the transport_url option. (string value) |
255 # exchange name specified in the transport_url option. (string value) |
256 #control_exchange = keystone |
256 #control_exchange = keystone |
257 |
257 |
258 |
258 |
259 [assignment] |
259 [assignment] |
260 |
260 |
261 # |
261 # |
262 # From keystone |
262 # From keystone |
263 # |
263 # |
264 |
264 |
265 # Assignment backend driver. (string value) |
265 # Assignment backend driver. (string value) |
266 #driver = <None> |
266 #driver = <None> |
267 |
267 |
268 |
268 |
269 [auth] |
269 [auth] |
270 |
270 |
271 # |
271 # |
272 # From keystone |
272 # From keystone |
273 # |
273 # |
274 |
274 |
275 # Default auth methods. (list value) |
275 # Default auth methods. (list value) |
276 #methods = external,password,token,oauth1 |
276 #methods = external,password,token,oauth1 |
277 |
277 |
278 # The password auth plugin module. (string value) |
278 # The password auth plugin module. (string value) |
279 #password = keystone.auth.plugins.password.Password |
279 #password = keystone.auth.plugins.password.Password |
280 |
280 |
281 # The token auth plugin module. (string value) |
281 # The token auth plugin module. (string value) |
282 #token = keystone.auth.plugins.token.Token |
282 #token = keystone.auth.plugins.token.Token |
283 |
283 |
284 # The external (REMOTE_USER) auth plugin module. (string value) |
284 # The external (REMOTE_USER) auth plugin module. (string value) |
285 #external = keystone.auth.plugins.external.DefaultDomain |
285 #external = keystone.auth.plugins.external.DefaultDomain |
286 |
286 |
287 # The oAuth1.0 auth plugin module. (string value) |
287 # The oAuth1.0 auth plugin module. (string value) |
288 #oauth1 = keystone.auth.plugins.oauth1.OAuth |
288 #oauth1 = keystone.auth.plugins.oauth1.OAuth |
289 |
289 |
290 |
290 |
291 [cache] |
291 [cache] |
292 |
292 |
293 # |
293 # |
294 # From keystone |
294 # From keystone |
295 # |
295 # |
296 |
296 |
297 # Prefix for building the configuration dictionary for the cache region. This |
297 # Prefix for building the configuration dictionary for the cache region. This |
298 # should not need to be changed unless there is another dogpile.cache region |
298 # should not need to be changed unless there is another dogpile.cache region |
299 # with the same configuration name. (string value) |
299 # with the same configuration name. (string value) |
300 #config_prefix = cache.keystone |
300 #config_prefix = cache.keystone |
301 |
301 |
302 # Default TTL, in seconds, for any cached item in the dogpile.cache region. |
302 # Default TTL, in seconds, for any cached item in the dogpile.cache region. |
303 # This applies to any cached method that doesn't have an explicit cache |
303 # This applies to any cached method that doesn't have an explicit cache |
304 # expiration time defined for it. (integer value) |
304 # expiration time defined for it. (integer value) |
305 #expiration_time = 600 |
305 #expiration_time = 600 |
306 |
306 |
307 # Dogpile.cache backend module. It is recommended that Memcache with pooling |
307 # Dogpile.cache backend module. It is recommended that Memcache with pooling |
308 # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in |
308 # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in |
309 # production deployments. Small workloads (single process) like devstack can |
309 # production deployments. Small workloads (single process) like devstack can |
310 # use the dogpile.cache.memory backend. (string value) |
310 # use the dogpile.cache.memory backend. (string value) |
311 #backend = keystone.common.cache.noop |
311 #backend = keystone.common.cache.noop |
312 |
312 |
313 # Arguments supplied to the backend module. Specify this option once per |
313 # Arguments supplied to the backend module. Specify this option once per |
314 # argument to be passed to the dogpile.cache backend. Example format: |
314 # argument to be passed to the dogpile.cache backend. Example format: |
315 # "<argname>:<value>". (multi valued) |
315 # "<argname>:<value>". (multi valued) |
316 #backend_argument = |
316 #backend_argument = |
317 |
317 |
318 # Proxy classes to import that will affect the way the dogpile.cache backend |
318 # Proxy classes to import that will affect the way the dogpile.cache backend |
319 # functions. See the dogpile.cache documentation on changing-backend-behavior. |
319 # functions. See the dogpile.cache documentation on changing-backend-behavior. |
320 # (list value) |
320 # (list value) |
321 #proxies = |
321 #proxies = |
322 |
322 |
323 # Global toggle for all caching using the should_cache_fn mechanism. (boolean |
323 # Global toggle for all caching using the should_cache_fn mechanism. (boolean |
324 # value) |
324 # value) |
325 #enabled = false |
325 #enabled = false |
326 |
326 |
327 # Extra debugging from the cache backend (cache keys, get/set/delete/etc |
327 # Extra debugging from the cache backend (cache keys, get/set/delete/etc |
328 # calls). This is only really useful if you need to see the specific cache- |
328 # calls). This is only really useful if you need to see the specific cache- |
329 # backend get/set/delete calls with the keys/values. Typically this should be |
329 # backend get/set/delete calls with the keys/values. Typically this should be |
330 # left set to false. (boolean value) |
330 # left set to false. (boolean value) |
331 #debug_cache_backend = false |
331 #debug_cache_backend = false |
332 |
332 |
333 # Memcache servers in the format of "host:port". (dogpile.cache.memcache and |
333 # Memcache servers in the format of "host:port". (dogpile.cache.memcache and |
334 # keystone.cache.memcache_pool backends only). (list value) |
334 # keystone.cache.memcache_pool backends only). (list value) |
335 #memcache_servers = localhost:11211 |
335 #memcache_servers = localhost:11211 |
336 |
336 |
337 # Number of seconds memcached server is considered dead before it is tried |
337 # Number of seconds memcached server is considered dead before it is tried |
338 # again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends |
338 # again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends |
339 # only). (integer value) |
339 # only). (integer value) |
340 #memcache_dead_retry = 300 |
340 #memcache_dead_retry = 300 |
341 |
341 |
342 # Timeout in seconds for every call to a server. (dogpile.cache.memcache and |
342 # Timeout in seconds for every call to a server. (dogpile.cache.memcache and |
343 # keystone.cache.memcache_pool backends only). (integer value) |
343 # keystone.cache.memcache_pool backends only). (integer value) |
344 #memcache_socket_timeout = 3 |
344 #memcache_socket_timeout = 3 |
345 |
345 |
346 # Max total number of open connections to every memcached server. |
346 # Max total number of open connections to every memcached server. |
347 # (keystone.cache.memcache_pool backend only). (integer value) |
347 # (keystone.cache.memcache_pool backend only). (integer value) |
348 #memcache_pool_maxsize = 10 |
348 #memcache_pool_maxsize = 10 |
349 |
349 |
350 # Number of seconds a connection to memcached is held unused in the pool before |
350 # Number of seconds a connection to memcached is held unused in the pool before |
351 # it is closed. (keystone.cache.memcache_pool backend only). (integer value) |
351 # it is closed. (keystone.cache.memcache_pool backend only). (integer value) |
352 #memcache_pool_unused_timeout = 60 |
352 #memcache_pool_unused_timeout = 60 |
353 |
353 |
354 # Number of seconds that an operation will wait to get a memcache client |
354 # Number of seconds that an operation will wait to get a memcache client |
355 # connection. (integer value) |
355 # connection. (integer value) |
356 #memcache_pool_connection_get_timeout = 10 |
356 #memcache_pool_connection_get_timeout = 10 |
357 |
357 |
358 |
358 |
359 [catalog] |
359 [catalog] |
360 |
360 |
361 # |
361 # |
362 # From keystone |
362 # From keystone |
363 # |
363 # |
364 |
364 |
365 # Catalog template file name for use with the template catalog backend. (string |
365 # Catalog template file name for use with the template catalog backend. (string |
366 # value) |
366 # value) |
367 #template_file = default_catalog.templates |
367 #template_file = default_catalog.templates |
368 |
368 |
369 # Catalog backend driver. (string value) |
369 # Catalog backend driver. (string value) |
370 #driver = keystone.catalog.backends.sql.Catalog |
370 #driver = keystone.catalog.backends.sql.Catalog |
371 |
371 |
372 # Toggle for catalog caching. This has no effect unless global caching is |
372 # Toggle for catalog caching. This has no effect unless global caching is |
373 # enabled. (boolean value) |
373 # enabled. (boolean value) |
374 #caching = true |
374 #caching = true |
375 |
375 |
376 # Time to cache catalog data (in seconds). This has no effect unless global and |
376 # Time to cache catalog data (in seconds). This has no effect unless global and |
377 # catalog caching are enabled. (integer value) |
377 # catalog caching are enabled. (integer value) |
378 #cache_time = <None> |
378 #cache_time = <None> |
379 |
379 |
380 # Maximum number of entities that will be returned in a catalog collection. |
380 # Maximum number of entities that will be returned in a catalog collection. |
381 # (integer value) |
381 # (integer value) |
382 #list_limit = <None> |
382 #list_limit = <None> |
383 |
383 |
384 |
384 |
385 [credential] |
385 [credential] |
386 |
386 |
387 # |
387 # |
388 # From keystone |
388 # From keystone |
389 # |
389 # |
390 |
390 |
391 # Credential backend driver. (string value) |
391 # Credential backend driver. (string value) |
392 #driver = keystone.credential.backends.sql.Credential |
392 #driver = keystone.credential.backends.sql.Credential |
393 |
393 |
394 |
394 |
395 [database] |
395 [database] |
396 |
396 |
397 # |
397 # |
398 # From oslo.db |
398 # From oslo.db |
399 # |
399 # |
400 |
400 |
401 # The file name to use with SQLite. (string value) |
401 # The file name to use with SQLite. (string value) |
402 # Deprecated group/name - [DEFAULT]/sqlite_db |
402 # Deprecated group/name - [DEFAULT]/sqlite_db |
403 #sqlite_db = oslo.sqlite |
403 #sqlite_db = oslo.sqlite |
404 |
404 |
405 # If True, SQLite uses synchronous mode. (boolean value) |
405 # If True, SQLite uses synchronous mode. (boolean value) |
406 # Deprecated group/name - [DEFAULT]/sqlite_synchronous |
406 # Deprecated group/name - [DEFAULT]/sqlite_synchronous |
407 #sqlite_synchronous = true |
407 #sqlite_synchronous = true |
408 |
408 |
409 # The back end to use for the database. (string value) |
409 # The back end to use for the database. (string value) |
410 # Deprecated group/name - [DEFAULT]/db_backend |
410 # Deprecated group/name - [DEFAULT]/db_backend |
411 #backend = sqlalchemy |
411 #backend = sqlalchemy |
412 |
412 |
413 # The SQLAlchemy connection string to use to connect to the database. (string |
413 # The SQLAlchemy connection string to use to connect to the database. (string |
414 # value) |
414 # value) |
415 # Deprecated group/name - [DEFAULT]/sql_connection |
415 # Deprecated group/name - [DEFAULT]/sql_connection |
416 # Deprecated group/name - [DATABASE]/sql_connection |
416 # Deprecated group/name - [DATABASE]/sql_connection |
417 # Deprecated group/name - [sql]/connection |
417 # Deprecated group/name - [sql]/connection |
418 connection=mysql://%SERVICE_USER%:%SERVICE_PASSWORD%@localhost/keystone |
418 connection = mysql://%SERVICE_USER%:%SERVICE_PASSWORD%@localhost/keystone |
419 |
419 |
420 # The SQLAlchemy connection string to use to connect to the slave database. |
420 # The SQLAlchemy connection string to use to connect to the slave database. |
421 # (string value) |
421 # (string value) |
422 #slave_connection = <None> |
422 #slave_connection = <None> |
423 |
423 |
424 # The SQL mode to be used for MySQL sessions. This option, including the |
424 # The SQL mode to be used for MySQL sessions. This option, including the |
425 # default, overrides any server-set SQL mode. To use whatever SQL mode is set |
425 # default, overrides any server-set SQL mode. To use whatever SQL mode is set |
426 # by the server configuration, set this to no value. Example: mysql_sql_mode= |
426 # by the server configuration, set this to no value. Example: mysql_sql_mode= |
427 # (string value) |
427 # (string value) |
428 #mysql_sql_mode = TRADITIONAL |
428 #mysql_sql_mode = TRADITIONAL |
429 |
429 |
430 # Timeout before idle SQL connections are reaped. (integer value) |
430 # Timeout before idle SQL connections are reaped. (integer value) |
431 # Deprecated group/name - [DEFAULT]/sql_idle_timeout |
431 # Deprecated group/name - [DEFAULT]/sql_idle_timeout |
432 # Deprecated group/name - [DATABASE]/sql_idle_timeout |
432 # Deprecated group/name - [DATABASE]/sql_idle_timeout |
433 # Deprecated group/name - [sql]/idle_timeout |
433 # Deprecated group/name - [sql]/idle_timeout |
434 #idle_timeout = 3600 |
434 #idle_timeout = 3600 |
435 |
435 |
436 # Minimum number of SQL connections to keep open in a pool. (integer value) |
436 # Minimum number of SQL connections to keep open in a pool. (integer value) |
437 # Deprecated group/name - [DEFAULT]/sql_min_pool_size |
437 # Deprecated group/name - [DEFAULT]/sql_min_pool_size |
438 # Deprecated group/name - [DATABASE]/sql_min_pool_size |
438 # Deprecated group/name - [DATABASE]/sql_min_pool_size |
439 #min_pool_size = 1 |
439 #min_pool_size = 1 |
440 |
440 |
441 # Maximum number of SQL connections to keep open in a pool. (integer value) |
441 # Maximum number of SQL connections to keep open in a pool. (integer value) |
442 # Deprecated group/name - [DEFAULT]/sql_max_pool_size |
442 # Deprecated group/name - [DEFAULT]/sql_max_pool_size |
443 # Deprecated group/name - [DATABASE]/sql_max_pool_size |
443 # Deprecated group/name - [DATABASE]/sql_max_pool_size |
444 #max_pool_size = <None> |
444 #max_pool_size = <None> |
445 |
445 |
446 # Maximum number of database connection retries during startup. Set to -1 to |
446 # Maximum number of database connection retries during startup. Set to -1 to |
447 # specify an infinite retry count. (integer value) |
447 # specify an infinite retry count. (integer value) |
448 # Deprecated group/name - [DEFAULT]/sql_max_retries |
448 # Deprecated group/name - [DEFAULT]/sql_max_retries |
449 # Deprecated group/name - [DATABASE]/sql_max_retries |
449 # Deprecated group/name - [DATABASE]/sql_max_retries |
450 #max_retries = 10 |
450 #max_retries = 10 |
451 |
451 |
452 # Interval between retries of opening a SQL connection. (integer value) |
452 # Interval between retries of opening a SQL connection. (integer value) |
453 # Deprecated group/name - [DEFAULT]/sql_retry_interval |
453 # Deprecated group/name - [DEFAULT]/sql_retry_interval |
454 # Deprecated group/name - [DATABASE]/reconnect_interval |
454 # Deprecated group/name - [DATABASE]/reconnect_interval |
455 #retry_interval = 10 |
455 #retry_interval = 10 |
456 |
456 |
457 # If set, use this value for max_overflow with SQLAlchemy. (integer value) |
457 # If set, use this value for max_overflow with SQLAlchemy. (integer value) |
458 # Deprecated group/name - [DEFAULT]/sql_max_overflow |
458 # Deprecated group/name - [DEFAULT]/sql_max_overflow |
459 # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow |
459 # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow |
460 #max_overflow = <None> |
460 #max_overflow = <None> |
461 |
461 |
462 # Verbosity of SQL debugging information: 0=None, 100=Everything. (integer |
462 # Verbosity of SQL debugging information: 0=None, 100=Everything. (integer |
463 # value) |
463 # value) |
464 # Deprecated group/name - [DEFAULT]/sql_connection_debug |
464 # Deprecated group/name - [DEFAULT]/sql_connection_debug |
465 #connection_debug = 0 |
465 #connection_debug = 0 |
466 |
466 |
467 # Add Python stack traces to SQL as comment strings. (boolean value) |
467 # Add Python stack traces to SQL as comment strings. (boolean value) |
468 # Deprecated group/name - [DEFAULT]/sql_connection_trace |
468 # Deprecated group/name - [DEFAULT]/sql_connection_trace |
469 #connection_trace = false |
469 #connection_trace = false |
470 |
470 |
471 # If set, use this value for pool_timeout with SQLAlchemy. (integer value) |
471 # If set, use this value for pool_timeout with SQLAlchemy. (integer value) |
472 # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout |
472 # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout |
473 #pool_timeout = <None> |
473 #pool_timeout = <None> |
474 |
474 |
475 # Enable the experimental use of database reconnect on connection lost. |
475 # Enable the experimental use of database reconnect on connection lost. |
476 # (boolean value) |
476 # (boolean value) |
477 #use_db_reconnect = false |
477 #use_db_reconnect = false |
478 |
478 |
479 # Seconds between retries of a database transaction. (integer value) |
479 # Seconds between retries of a database transaction. (integer value) |
480 #db_retry_interval = 1 |
480 #db_retry_interval = 1 |
481 |
481 |
482 # If True, increases the interval between retries of a database operation up to |
482 # If True, increases the interval between retries of a database operation up to |
483 # db_max_retry_interval. (boolean value) |
483 # db_max_retry_interval. (boolean value) |
484 #db_inc_retry_interval = true |
484 #db_inc_retry_interval = true |
485 |
485 |
486 # If db_inc_retry_interval is set, the maximum seconds between retries of a |
486 # If db_inc_retry_interval is set, the maximum seconds between retries of a |
487 # database operation. (integer value) |
487 # database operation. (integer value) |
488 #db_max_retry_interval = 10 |
488 #db_max_retry_interval = 10 |
489 |
489 |
490 # Maximum retries in case of connection error or deadlock error before error is |
490 # Maximum retries in case of connection error or deadlock error before error is |
491 # raised. Set to -1 to specify an infinite retry count. (integer value) |
491 # raised. Set to -1 to specify an infinite retry count. (integer value) |
492 #db_max_retries = 20 |
492 #db_max_retries = 20 |
493 |
493 |
494 |
494 |
495 [domain_config] |
495 [domain_config] |
496 |
496 |
497 # |
497 # |
498 # From keystone |
498 # From keystone |
499 # |
499 # |
500 |
500 |
501 # Domain config backend driver. (string value) |
501 # Domain config backend driver. (string value) |
502 #driver = keystone.resource.config_backends.sql.DomainConfig |
502 #driver = keystone.resource.config_backends.sql.DomainConfig |
503 |
503 |
504 # Toggle for domain config caching. This has no effect unless global caching is |
504 # Toggle for domain config caching. This has no effect unless global caching is |
505 # enabled. (boolean value) |
505 # enabled. (boolean value) |
506 #caching = true |
506 #caching = true |
507 |
507 |
508 # TTL (in seconds) to cache domain config data. This has no effect unless |
508 # TTL (in seconds) to cache domain config data. This has no effect unless |
509 # domain config caching is enabled. (integer value) |
509 # domain config caching is enabled. (integer value) |
510 #cache_time = 300 |
510 #cache_time = 300 |
511 |
511 |
512 |
512 |
513 [endpoint_filter] |
513 [endpoint_filter] |
514 |
514 |
515 # |
515 # |
516 # From keystone |
516 # From keystone |
517 # |
517 # |
518 |
518 |
519 # Endpoint Filter backend driver (string value) |
519 # Endpoint Filter backend driver (string value) |
520 #driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
520 #driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
521 |
521 |
522 # Toggle to return all active endpoints if no filter exists. (boolean value) |
522 # Toggle to return all active endpoints if no filter exists. (boolean value) |
523 #return_all_endpoints_if_no_filter = true |
523 #return_all_endpoints_if_no_filter = true |
524 |
524 |
525 |
525 |
526 [endpoint_policy] |
526 [endpoint_policy] |
527 |
527 |
528 # |
528 # |
529 # From keystone |
529 # From keystone |
530 # |
530 # |
531 |
531 |
532 # Endpoint policy backend driver (string value) |
532 # Endpoint policy backend driver (string value) |
533 #driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy |
533 #driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy |
534 |
534 |
535 |
535 |
536 [eventlet_server] |
536 [eventlet_server] |
537 |
537 |
538 # |
538 # |
539 # From keystone |
539 # From keystone |
540 # |
540 # |
541 |
541 |
542 # The number of worker processes to serve the public eventlet application. |
542 # The number of worker processes to serve the public eventlet application. |
543 # Defaults to number of CPUs (minimum of 2). (integer value) |
543 # Defaults to number of CPUs (minimum of 2). (integer value) |
544 # Deprecated group/name - [DEFAULT]/public_workers |
544 # Deprecated group/name - [DEFAULT]/public_workers |
545 public_workers = 2 |
545 public_workers = 2 |
546 |
546 |
547 # The number of worker processes to serve the admin eventlet application. |
547 # The number of worker processes to serve the admin eventlet application. |
548 # Defaults to number of CPUs (minimum of 2). (integer value) |
548 # Defaults to number of CPUs (minimum of 2). (integer value) |
549 # Deprecated group/name - [DEFAULT]/admin_workers |
549 # Deprecated group/name - [DEFAULT]/admin_workers |
550 admin_workers = 2 |
550 admin_workers = 2 |
551 |
551 |
552 # The IP address of the network interface for the public service to listen on. |
552 # The IP address of the network interface for the public service to listen on. |
553 # (string value) |
553 # (string value) |
554 # Deprecated group/name - [DEFAULT]/bind_host |
554 # Deprecated group/name - [DEFAULT]/bind_host |
555 # Deprecated group/name - [DEFAULT]/public_bind_host |
555 # Deprecated group/name - [DEFAULT]/public_bind_host |
556 #public_bind_host = 0.0.0.0 |
556 #public_bind_host = 0.0.0.0 |
557 |
557 |
558 # The port number which the public service listens on. (integer value) |
558 # The port number which the public service listens on. (integer value) |
559 # Deprecated group/name - [DEFAULT]/public_port |
559 # Deprecated group/name - [DEFAULT]/public_port |
560 #public_port = 5000 |
560 #public_port = 5000 |
561 |
561 |
562 # The IP address of the network interface for the admin service to listen on. |
562 # The IP address of the network interface for the admin service to listen on. |
563 # (string value) |
563 # (string value) |
564 # Deprecated group/name - [DEFAULT]/bind_host |
564 # Deprecated group/name - [DEFAULT]/bind_host |
565 # Deprecated group/name - [DEFAULT]/admin_bind_host |
565 # Deprecated group/name - [DEFAULT]/admin_bind_host |
566 #admin_bind_host = 0.0.0.0 |
566 #admin_bind_host = 0.0.0.0 |
567 |
567 |
568 # The port number which the admin service listens on. (integer value) |
568 # The port number which the admin service listens on. (integer value) |
569 # Deprecated group/name - [DEFAULT]/admin_port |
569 # Deprecated group/name - [DEFAULT]/admin_port |
570 #admin_port = 35357 |
570 #admin_port = 35357 |
571 |
571 |
|
572 # If set to false, disables keepalives on the server; all connections will be |
|
573 # closed after serving one request. (boolean value) |
|
574 #wsgi_keep_alive = true |
|
575 |
|
576 # Timeout for socket operations on a client connection. If an incoming |
|
577 # connection is idle for this number of seconds it will be closed. A value of |
|
578 # '0' means wait forever. (integer value) |
|
579 #client_socket_timeout = 900 |
|
580 |
572 # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. |
581 # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. |
573 # sockets used by the Keystone wsgi server for client connections. (boolean |
582 # sockets used by the Keystone wsgi server for client connections. (boolean |
574 # value) |
583 # value) |
575 # Deprecated group/name - [DEFAULT]/tcp_keepalive |
584 # Deprecated group/name - [DEFAULT]/tcp_keepalive |
576 #tcp_keepalive = false |
585 #tcp_keepalive = false |
577 |
586 |
578 # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only |
587 # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only |
579 # applies if tcp_keepalive is true. (integer value) |
588 # applies if tcp_keepalive is true. (integer value) |
580 # Deprecated group/name - [DEFAULT]/tcp_keepidle |
589 # Deprecated group/name - [DEFAULT]/tcp_keepidle |
581 #tcp_keepidle = 600 |
590 #tcp_keepidle = 600 |
582 |
591 |
583 |
592 |
584 [eventlet_server_ssl] |
593 [eventlet_server_ssl] |
585 |
594 |
586 # |
595 # |
587 # From keystone |
596 # From keystone |
588 # |
597 # |
589 |
598 |
590 # Toggle for SSL support on the Keystone eventlet servers. (boolean value) |
599 # Toggle for SSL support on the Keystone eventlet servers. (boolean value) |
591 # Deprecated group/name - [ssl]/enable |
600 # Deprecated group/name - [ssl]/enable |
592 #enable = false |
601 #enable = false |
593 |
602 |
594 # Path of the certfile for SSL. For non-production environments, you may be |
603 # Path of the certfile for SSL. For non-production environments, you may be |
595 # interested in using `keystone-manage ssl_setup` to generate self-signed |
604 # interested in using `keystone-manage ssl_setup` to generate self-signed |
596 # certificates. (string value) |
605 # certificates. (string value) |
597 # Deprecated group/name - [ssl]/certfile |
606 # Deprecated group/name - [ssl]/certfile |
598 #certfile = /etc/keystone/ssl/certs/keystone.pem |
607 #certfile = /etc/keystone/ssl/certs/keystone.pem |
599 |
608 |
600 # Path of the keyfile for SSL. (string value) |
609 # Path of the keyfile for SSL. (string value) |
601 # Deprecated group/name - [ssl]/keyfile |
610 # Deprecated group/name - [ssl]/keyfile |
602 #keyfile = /etc/keystone/ssl/private/keystonekey.pem |
611 #keyfile = /etc/keystone/ssl/private/keystonekey.pem |
603 |
612 |
604 # Path of the CA cert file for SSL. (string value) |
613 # Path of the CA cert file for SSL. (string value) |
605 # Deprecated group/name - [ssl]/ca_certs |
614 # Deprecated group/name - [ssl]/ca_certs |
606 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
615 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
607 |
616 |
608 # Require client certificate. (boolean value) |
617 # Require client certificate. (boolean value) |
609 # Deprecated group/name - [ssl]/cert_required |
618 # Deprecated group/name - [ssl]/cert_required |
610 #cert_required = false |
619 #cert_required = false |
611 |
620 |
612 |
621 |
613 [federation] |
622 [federation] |
614 |
623 |
615 # |
624 # |
616 # From keystone |
625 # From keystone |
617 # |
626 # |
618 |
627 |
619 # Federation backend driver. (string value) |
628 # Federation backend driver. (string value) |
620 #driver = keystone.contrib.federation.backends.sql.Federation |
629 #driver = keystone.contrib.federation.backends.sql.Federation |
621 |
630 |
622 # Value to be used when filtering assertion parameters from the environment. |
631 # Value to be used when filtering assertion parameters from the environment. |
623 # (string value) |
632 # (string value) |
624 #assertion_prefix = |
633 #assertion_prefix = |
625 |
634 |
626 # Value to be used to obtain the entity ID of the Identity Provider from the |
635 # Value to be used to obtain the entity ID of the Identity Provider from the |
627 # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity- |
636 # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity- |
628 # Provider`). (string value) |
637 # Provider`). (string value) |
629 #remote_id_attribute = <None> |
638 #remote_id_attribute = <None> |
630 |
639 |
631 # A domain name that is reserved to allow federated ephemeral users to have a |
640 # A domain name that is reserved to allow federated ephemeral users to have a |
632 # domain concept. Note that an admin will not be able to create a domain with |
641 # domain concept. Note that an admin will not be able to create a domain with |
633 # this name or update an existing domain to this name. You are not advised to |
642 # this name or update an existing domain to this name. You are not advised to |
634 # change this value unless you really have to. Changing this option to empty |
643 # change this value unless you really have to. Changing this option to empty |
635 # string or None will not have any impact and default name will be used. |
644 # string or None will not have any impact and default name will be used. |
636 # (string value) |
645 # (string value) |
637 #federated_domain_name = Federated |
646 #federated_domain_name = Federated |
638 |
647 |
639 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request |
648 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request |
640 # to return a token, the origin host must be a member of the trusted_dashboard |
649 # to return a token, the origin host must be a member of the trusted_dashboard |
641 # list. This configuration option may be repeated for multiple values. For |
650 # list. This configuration option may be repeated for multiple values. For |
642 # example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com |
651 # example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com |
643 # (multi valued) |
652 # (multi valued) |
644 #trusted_dashboard = |
653 #trusted_dashboard = |
645 |
654 |
646 # Location of Single Sign-On callback handler, will return a token to a trusted |
655 # Location of Single Sign-On callback handler, will return a token to a trusted |
647 # dashboard host. (string value) |
656 # dashboard host. (string value) |
648 #sso_callback_template = /etc/keystone/sso_callback_template.html |
657 #sso_callback_template = /etc/keystone/sso_callback_template.html |
649 |
658 |
650 |
659 |
651 [fernet_tokens] |
660 [fernet_tokens] |
652 |
661 |
653 # |
662 # |
654 # From keystone |
663 # From keystone |
655 # |
664 # |
656 |
665 |
657 # Directory containing Fernet token keys. (string value) |
666 # Directory containing Fernet token keys. (string value) |
658 #key_repository = /etc/keystone/fernet-keys/ |
667 #key_repository = /etc/keystone/fernet-keys/ |
659 |
668 |
660 # This controls how many keys are held in rotation by keystone-manage |
669 # This controls how many keys are held in rotation by keystone-manage |
661 # fernet_rotate before they are discarded. The default value of 3 means that |
670 # fernet_rotate before they are discarded. The default value of 3 means that |
662 # keystone will maintain one staged key, one primary key, and one secondary |
671 # keystone will maintain one staged key, one primary key, and one secondary |
663 # key. Increasing this value means that additional secondary keys will be kept |
672 # key. Increasing this value means that additional secondary keys will be kept |
664 # in the rotation. (integer value) |
673 # in the rotation. (integer value) |
665 #max_active_keys = 3 |
674 #max_active_keys = 3 |
666 |
675 |
667 |
676 |
668 [identity] |
677 [identity] |
669 |
678 |
670 # |
679 # |
671 # From keystone |
680 # From keystone |
672 # |
681 # |
673 |
682 |
674 # This references the domain to use for all Identity API v2 requests (which are |
683 # This references the domain to use for all Identity API v2 requests (which are |
675 # not aware of domains). A domain with this ID will be created for you by |
684 # not aware of domains). A domain with this ID will be created for you by |
676 # keystone-manage db_sync in migration 008. The domain referenced by this ID |
685 # keystone-manage db_sync in migration 008. The domain referenced by this ID |
677 # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. |
686 # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. |
678 # There is nothing special about this domain, other than the fact that it must |
687 # There is nothing special about this domain, other than the fact that it must |
679 # exist to order to maintain support for your v2 clients. (string value) |
688 # exist to order to maintain support for your v2 clients. (string value) |
680 default_domain_id = default |
689 #default_domain_id = default |
681 |
690 |
682 # A subset (or all) of domains can have their own identity driver, each with |
691 # A subset (or all) of domains can have their own identity driver, each with |
683 # their own partial configuration options, stored in either the resource |
692 # their own partial configuration options, stored in either the resource |
684 # backend or in a file in a domain configuration directory (depending on the |
693 # backend or in a file in a domain configuration directory (depending on the |
685 # setting of domain_configurations_from_database). Only values specific to the |
694 # setting of domain_configurations_from_database). Only values specific to the |
686 # domain need to be specified in this manner. This feature is disabled by |
695 # domain need to be specified in this manner. This feature is disabled by |
687 # default; set to true to enable. (boolean value) |
696 # default; set to true to enable. (boolean value) |
688 #domain_specific_drivers_enabled = false |
697 #domain_specific_drivers_enabled = false |
689 |
698 |
690 # Extract the domain specific configuration options from the resource backend |
699 # Extract the domain specific configuration options from the resource backend |
691 # where they have been stored with the domain data. This feature is disabled by |
700 # where they have been stored with the domain data. This feature is disabled by |
692 # default (in which case the domain specific options will be loaded from files |
701 # default (in which case the domain specific options will be loaded from files |
693 # in the domain configuration directory); set to true to enable. (boolean |
702 # in the domain configuration directory); set to true to enable. (boolean |
694 # value) |
703 # value) |
695 #domain_configurations_from_database = false |
704 #domain_configurations_from_database = false |
696 |
705 |
697 # Path for Keystone to locate the domain specific identity configuration files |
706 # Path for Keystone to locate the domain specific identity configuration files |
698 # if domain_specific_drivers_enabled is set to true. (string value) |
707 # if domain_specific_drivers_enabled is set to true. (string value) |
699 #domain_config_dir = /etc/keystone/domains |
708 #domain_config_dir = /etc/keystone/domains |
700 |
709 |
701 # Identity backend driver. (string value) |
710 # Identity backend driver. (string value) |
702 #driver = keystone.identity.backends.sql.Identity |
711 #driver = keystone.identity.backends.sql.Identity |
703 |
712 |
704 # Toggle for identity caching. This has no effect unless global caching is |
713 # Toggle for identity caching. This has no effect unless global caching is |
705 # enabled. (boolean value) |
714 # enabled. (boolean value) |
706 #caching = true |
715 #caching = true |
707 |
716 |
708 # Time to cache identity data (in seconds). This has no effect unless global |
717 # Time to cache identity data (in seconds). This has no effect unless global |
709 # and identity caching are enabled. (integer value) |
718 # and identity caching are enabled. (integer value) |
710 #cache_time = 600 |
719 #cache_time = 600 |
711 |
720 |
712 # Maximum supported length for user passwords; decrease to improve performance. |
721 # Maximum supported length for user passwords; decrease to improve performance. |
713 # (integer value) |
722 # (integer value) |
714 #max_password_length = 4096 |
723 #max_password_length = 4096 |
715 |
724 |
716 # Maximum number of entities that will be returned in an identity collection. |
725 # Maximum number of entities that will be returned in an identity collection. |
717 # (integer value) |
726 # (integer value) |
718 #list_limit = <None> |
727 #list_limit = <None> |
719 |
728 |
720 |
729 |
721 [identity_mapping] |
730 [identity_mapping] |
722 |
731 |
723 # |
732 # |
724 # From keystone |
733 # From keystone |
725 # |
734 # |
726 |
735 |
727 # Keystone Identity Mapping backend driver. (string value) |
736 # Keystone Identity Mapping backend driver. (string value) |
728 #driver = keystone.identity.mapping_backends.sql.Mapping |
737 #driver = keystone.identity.mapping_backends.sql.Mapping |
729 |
738 |
730 # Public ID generator for user and group entities. The Keystone identity mapper |
739 # Public ID generator for user and group entities. The Keystone identity mapper |
731 # only supports generators that produce no more than 64 characters. (string |
740 # only supports generators that produce no more than 64 characters. (string |
732 # value) |
741 # value) |
733 #generator = keystone.identity.id_generators.sha256.Generator |
742 #generator = keystone.identity.id_generators.sha256.Generator |
734 |
743 |
735 # The format of user and group IDs changed in Juno for backends that do not |
744 # The format of user and group IDs changed in Juno for backends that do not |
736 # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the |
745 # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the |
737 # underlying attribute in LDAP. By default this mapping is disabled, which |
746 # underlying attribute in LDAP. By default this mapping is disabled, which |
738 # ensures that existing IDs will not change. Even when the mapping is enabled |
747 # ensures that existing IDs will not change. Even when the mapping is enabled |
739 # by using domain specific drivers, any users and groups from the default |
748 # by using domain specific drivers, any users and groups from the default |
744 # domain, and it is acceptable for Keystone to provide the different IDs to |
753 # domain, and it is acceptable for Keystone to provide the different IDs to |
745 # clients than it did previously. Typically this means that the only time you |
754 # clients than it did previously. Typically this means that the only time you |
746 # can set this value to False is when configuring a fresh installation. |
755 # can set this value to False is when configuring a fresh installation. |
747 # (boolean value) |
756 # (boolean value) |
748 #backward_compatible_ids = true |
757 #backward_compatible_ids = true |
749 |
758 |
750 |
759 |
751 [kvs] |
760 [kvs] |
752 |
761 |
753 # |
762 # |
754 # From keystone |
763 # From keystone |
755 # |
764 # |
756 |
765 |
757 # Extra dogpile.cache backend modules to register with the dogpile.cache |
766 # Extra dogpile.cache backend modules to register with the dogpile.cache |
758 # library. (list value) |
767 # library. (list value) |
759 #backends = |
768 #backends = |
760 |
769 |
761 # Prefix for building the configuration dictionary for the KVS region. This |
770 # Prefix for building the configuration dictionary for the KVS region. This |
762 # should not need to be changed unless there is another dogpile.cache region |
771 # should not need to be changed unless there is another dogpile.cache region |
763 # with the same configuration name. (string value) |
772 # with the same configuration name. (string value) |
764 #config_prefix = keystone.kvs |
773 #config_prefix = keystone.kvs |
765 |
774 |
766 # Toggle to disable using a key-mangling function to ensure fixed length keys. |
775 # Toggle to disable using a key-mangling function to ensure fixed length keys. |
767 # This is toggle-able for debugging purposes, it is highly recommended to |
776 # This is toggle-able for debugging purposes, it is highly recommended to |
768 # always leave this set to true. (boolean value) |
777 # always leave this set to true. (boolean value) |
769 #enable_key_mangler = true |
778 #enable_key_mangler = true |
770 |
779 |
771 # Default lock timeout (in seconds) for distributed locking. (integer value) |
780 # Default lock timeout (in seconds) for distributed locking. (integer value) |
772 #default_lock_timeout = 5 |
781 #default_lock_timeout = 5 |
773 |
782 |
774 |
783 |
775 [ldap] |
784 [ldap] |
776 |
785 |
777 # |
786 # |
778 # From keystone |
787 # From keystone |
779 # |
788 # |
780 |
789 |
781 # URL for connecting to the LDAP server. (string value) |
790 # URL for connecting to the LDAP server. (string value) |
782 #url = ldap://localhost |
791 #url = ldap://localhost |
783 |
792 |
784 # User BindDN to query the LDAP server. (string value) |
793 # User BindDN to query the LDAP server. (string value) |
785 #user = <None> |
794 #user = <None> |
786 |
795 |
787 # Password for the BindDN to query the LDAP server. (string value) |
796 # Password for the BindDN to query the LDAP server. (string value) |
788 #password = <None> |
797 #password = <None> |
789 |
798 |
790 # LDAP server suffix (string value) |
799 # LDAP server suffix (string value) |
791 #suffix = cn=example,cn=com |
800 #suffix = cn=example,cn=com |
792 |
801 |
793 # If true, will add a dummy member to groups. This is required if the |
802 # If true, will add a dummy member to groups. This is required if the |
794 # objectclass for groups requires the "member" attribute. (boolean value) |
803 # objectclass for groups requires the "member" attribute. (boolean value) |
795 #use_dumb_member = false |
804 #use_dumb_member = false |
796 |
805 |
797 # DN of the "dummy member" to use when "use_dumb_member" is enabled. (string |
806 # DN of the "dummy member" to use when "use_dumb_member" is enabled. (string |
798 # value) |
807 # value) |
799 #dumb_member = cn=dumb,dc=nonexistent |
808 #dumb_member = cn=dumb,dc=nonexistent |
800 |
809 |
801 # Delete subtrees using the subtree delete control. Only enable this option if |
810 # Delete subtrees using the subtree delete control. Only enable this option if |
802 # your LDAP server supports subtree deletion. (boolean value) |
811 # your LDAP server supports subtree deletion. (boolean value) |
803 #allow_subtree_delete = false |
812 #allow_subtree_delete = false |
804 |
813 |
805 # The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) |
814 # The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) |
806 # or "sub" (subtree/wholeSubtree). (string value) |
815 # or "sub" (subtree/wholeSubtree). (string value) |
807 #query_scope = one |
816 #query_scope = one |
808 |
817 |
809 # Maximum results per page; a value of zero ("0") disables paging. (integer |
818 # Maximum results per page; a value of zero ("0") disables paging. (integer |
810 # value) |
819 # value) |
811 #page_size = 0 |
820 #page_size = 0 |
812 |
821 |
813 # The LDAP dereferencing option for queries. This can be either "never", |
822 # The LDAP dereferencing option for queries. This can be either "never", |
814 # "searching", "always", "finding" or "default". The "default" option falls |
823 # "searching", "always", "finding" or "default". The "default" option falls |
815 # back to using default dereferencing configured by your ldap.conf. (string |
824 # back to using default dereferencing configured by your ldap.conf. (string |
816 # value) |
825 # value) |
817 #alias_dereferencing = default |
826 #alias_dereferencing = default |
818 |
827 |
819 # Sets the LDAP debugging level for LDAP calls. A value of 0 means that |
828 # Sets the LDAP debugging level for LDAP calls. A value of 0 means that |
820 # debugging is not enabled. This value is a bitmask, consult your LDAP |
829 # debugging is not enabled. This value is a bitmask, consult your LDAP |
821 # documentation for possible values. (integer value) |
830 # documentation for possible values. (integer value) |
822 #debug_level = <None> |
831 #debug_level = <None> |
823 |
832 |
824 # Override the system's default referral chasing behavior for queries. (boolean |
833 # Override the system's default referral chasing behavior for queries. (boolean |
825 # value) |
834 # value) |
826 #chase_referrals = <None> |
835 #chase_referrals = <None> |
827 |
836 |
828 # Search base for users. (string value) |
837 # Search base for users. (string value) |
829 #user_tree_dn = <None> |
838 #user_tree_dn = <None> |
830 |
839 |
831 # LDAP search filter for users. (string value) |
840 # LDAP search filter for users. (string value) |
832 #user_filter = <None> |
841 #user_filter = <None> |
833 |
842 |
834 # LDAP objectclass for users. (string value) |
843 # LDAP objectclass for users. (string value) |
835 #user_objectclass = inetOrgPerson |
844 #user_objectclass = inetOrgPerson |
836 |
845 |
837 # LDAP attribute mapped to user id. WARNING: must not be a multivalued |
846 # LDAP attribute mapped to user id. WARNING: must not be a multivalued |
838 # attribute. (string value) |
847 # attribute. (string value) |
839 #user_id_attribute = cn |
848 #user_id_attribute = cn |
840 |
849 |
841 # LDAP attribute mapped to user name. (string value) |
850 # LDAP attribute mapped to user name. (string value) |
842 #user_name_attribute = sn |
851 #user_name_attribute = sn |
843 |
852 |
844 # LDAP attribute mapped to user email. (string value) |
853 # LDAP attribute mapped to user email. (string value) |
845 #user_mail_attribute = mail |
854 #user_mail_attribute = mail |
846 |
855 |
847 # LDAP attribute mapped to password. (string value) |
856 # LDAP attribute mapped to password. (string value) |
848 #user_pass_attribute = userPassword |
857 #user_pass_attribute = userPassword |
849 |
858 |
850 # LDAP attribute mapped to user enabled flag. (string value) |
859 # LDAP attribute mapped to user enabled flag. (string value) |
851 #user_enabled_attribute = enabled |
860 #user_enabled_attribute = enabled |
852 |
861 |
853 # Invert the meaning of the boolean enabled values. Some LDAP servers use a |
862 # Invert the meaning of the boolean enabled values. Some LDAP servers use a |
854 # boolean lock attribute where "true" means an account is disabled. Setting |
863 # boolean lock attribute where "true" means an account is disabled. Setting |
855 # "user_enabled_invert = true" will allow these lock attributes to be used. |
864 # "user_enabled_invert = true" will allow these lock attributes to be used. |
856 # This setting will have no effect if "user_enabled_mask" or |
865 # This setting will have no effect if "user_enabled_mask" or |
857 # "user_enabled_emulation" settings are in use. (boolean value) |
866 # "user_enabled_emulation" settings are in use. (boolean value) |
858 #user_enabled_invert = false |
867 #user_enabled_invert = false |
859 |
868 |
860 # Bitmask integer to indicate the bit that the enabled value is stored in if |
869 # Bitmask integer to indicate the bit that the enabled value is stored in if |
861 # the LDAP server represents "enabled" as a bit on an integer rather than a |
870 # the LDAP server represents "enabled" as a bit on an integer rather than a |
862 # boolean. A value of "0" indicates the mask is not used. If this is not set to |
871 # boolean. A value of "0" indicates the mask is not used. If this is not set to |
863 # "0" the typical value is "2". This is typically used when |
872 # "0" the typical value is "2". This is typically used when |
864 # "user_enabled_attribute = userAccountControl". (integer value) |
873 # "user_enabled_attribute = userAccountControl". (integer value) |
865 #user_enabled_mask = 0 |
874 #user_enabled_mask = 0 |
866 |
875 |
867 # Default value to enable users. This should match an appropriate int value if |
876 # Default value to enable users. This should match an appropriate int value if |
868 # the LDAP server uses non-boolean (bitmask) values to indicate if a user is |
877 # the LDAP server uses non-boolean (bitmask) values to indicate if a user is |
869 # enabled or disabled. If this is not set to "True" the typical value is "512". |
878 # enabled or disabled. If this is not set to "True" the typical value is "512". |
870 # This is typically used when "user_enabled_attribute = userAccountControl". |
879 # This is typically used when "user_enabled_attribute = userAccountControl". |
871 # (string value) |
880 # (string value) |
872 #user_enabled_default = true |
881 #user_enabled_default = True |
873 |
882 |
874 # List of attributes stripped off the user on update. (list value) |
883 # List of attributes stripped off the user on update. (list value) |
875 #user_attribute_ignore = default_project_id,tenants |
884 #user_attribute_ignore = default_project_id,tenants |
876 |
885 |
877 # LDAP attribute mapped to default_project_id for users. (string value) |
886 # LDAP attribute mapped to default_project_id for users. (string value) |
878 #user_default_project_id_attribute = <None> |
887 #user_default_project_id_attribute = <None> |
879 |
888 |
880 # Allow user creation in LDAP backend. (boolean value) |
889 # Allow user creation in LDAP backend. (boolean value) |
881 #user_allow_create = true |
890 #user_allow_create = true |
882 |
891 |
883 # Allow user updates in LDAP backend. (boolean value) |
892 # Allow user updates in LDAP backend. (boolean value) |
884 #user_allow_update = true |
893 #user_allow_update = true |
885 |
894 |
886 # Allow user deletion in LDAP backend. (boolean value) |
895 # Allow user deletion in LDAP backend. (boolean value) |
887 #user_allow_delete = true |
896 #user_allow_delete = true |
888 |
897 |
889 # If true, Keystone uses an alternative method to determine if a user is |
898 # If true, Keystone uses an alternative method to determine if a user is |
890 # enabled or not by checking if they are a member of the |
899 # enabled or not by checking if they are a member of the |
891 # "user_enabled_emulation_dn" group. (boolean value) |
900 # "user_enabled_emulation_dn" group. (boolean value) |
892 #user_enabled_emulation = false |
901 #user_enabled_emulation = false |
893 |
902 |
894 # DN of the group entry to hold enabled users when using enabled emulation. |
903 # DN of the group entry to hold enabled users when using enabled emulation. |
895 # (string value) |
904 # (string value) |
896 #user_enabled_emulation_dn = <None> |
905 #user_enabled_emulation_dn = <None> |
897 |
906 |
898 # List of additional LDAP attributes used for mapping additional attribute |
907 # List of additional LDAP attributes used for mapping additional attribute |
899 # mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, |
908 # mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, |
900 # where ldap_attr is the attribute in the LDAP entry and user_attr is the |
909 # where ldap_attr is the attribute in the LDAP entry and user_attr is the |
901 # Identity API attribute. (list value) |
910 # Identity API attribute. (list value) |
902 #user_additional_attribute_mapping = |
911 #user_additional_attribute_mapping = |
903 |
912 |
904 # Search base for projects (string value) |
913 # Search base for projects (string value) |
905 # Deprecated group/name - [ldap]/tenant_tree_dn |
914 # Deprecated group/name - [ldap]/tenant_tree_dn |
906 #project_tree_dn = <None> |
915 #project_tree_dn = <None> |
907 |
916 |
908 # LDAP search filter for projects. (string value) |
917 # LDAP search filter for projects. (string value) |
909 # Deprecated group/name - [ldap]/tenant_filter |
918 # Deprecated group/name - [ldap]/tenant_filter |
910 #project_filter = <None> |
919 #project_filter = <None> |
911 |
920 |
912 # LDAP objectclass for projects. (string value) |
921 # LDAP objectclass for projects. (string value) |
913 # Deprecated group/name - [ldap]/tenant_objectclass |
922 # Deprecated group/name - [ldap]/tenant_objectclass |
914 #project_objectclass = groupOfNames |
923 #project_objectclass = groupOfNames |
915 |
924 |
916 # LDAP attribute mapped to project id. (string value) |
925 # LDAP attribute mapped to project id. (string value) |
917 # Deprecated group/name - [ldap]/tenant_id_attribute |
926 # Deprecated group/name - [ldap]/tenant_id_attribute |
918 #project_id_attribute = cn |
927 #project_id_attribute = cn |
919 |
928 |
920 # LDAP attribute mapped to project membership for user. (string value) |
929 # LDAP attribute mapped to project membership for user. (string value) |
921 # Deprecated group/name - [ldap]/tenant_member_attribute |
930 # Deprecated group/name - [ldap]/tenant_member_attribute |
922 #project_member_attribute = member |
931 #project_member_attribute = member |
923 |
932 |
924 # LDAP attribute mapped to project name. (string value) |
933 # LDAP attribute mapped to project name. (string value) |
925 # Deprecated group/name - [ldap]/tenant_name_attribute |
934 # Deprecated group/name - [ldap]/tenant_name_attribute |
926 #project_name_attribute = ou |
935 #project_name_attribute = ou |
927 |
936 |
928 # LDAP attribute mapped to project description. (string value) |
937 # LDAP attribute mapped to project description. (string value) |
929 # Deprecated group/name - [ldap]/tenant_desc_attribute |
938 # Deprecated group/name - [ldap]/tenant_desc_attribute |
930 #project_desc_attribute = description |
939 #project_desc_attribute = description |
931 |
940 |
932 # LDAP attribute mapped to project enabled. (string value) |
941 # LDAP attribute mapped to project enabled. (string value) |
933 # Deprecated group/name - [ldap]/tenant_enabled_attribute |
942 # Deprecated group/name - [ldap]/tenant_enabled_attribute |
934 #project_enabled_attribute = enabled |
943 #project_enabled_attribute = enabled |
935 |
944 |
936 # LDAP attribute mapped to project domain_id. (string value) |
945 # LDAP attribute mapped to project domain_id. (string value) |
937 # Deprecated group/name - [ldap]/tenant_domain_id_attribute |
946 # Deprecated group/name - [ldap]/tenant_domain_id_attribute |
938 #project_domain_id_attribute = businessCategory |
947 #project_domain_id_attribute = businessCategory |
939 |
948 |
940 # List of attributes stripped off the project on update. (list value) |
949 # List of attributes stripped off the project on update. (list value) |
941 # Deprecated group/name - [ldap]/tenant_attribute_ignore |
950 # Deprecated group/name - [ldap]/tenant_attribute_ignore |
942 #project_attribute_ignore = |
951 #project_attribute_ignore = |
943 |
952 |
944 # Allow project creation in LDAP backend. (boolean value) |
953 # Allow project creation in LDAP backend. (boolean value) |
945 # Deprecated group/name - [ldap]/tenant_allow_create |
954 # Deprecated group/name - [ldap]/tenant_allow_create |
946 #project_allow_create = true |
955 #project_allow_create = true |
947 |
956 |
948 # Allow project update in LDAP backend. (boolean value) |
957 # Allow project update in LDAP backend. (boolean value) |
949 # Deprecated group/name - [ldap]/tenant_allow_update |
958 # Deprecated group/name - [ldap]/tenant_allow_update |
950 #project_allow_update = true |
959 #project_allow_update = true |
951 |
960 |
952 # Allow project deletion in LDAP backend. (boolean value) |
961 # Allow project deletion in LDAP backend. (boolean value) |
953 # Deprecated group/name - [ldap]/tenant_allow_delete |
962 # Deprecated group/name - [ldap]/tenant_allow_delete |
954 #project_allow_delete = true |
963 #project_allow_delete = true |
955 |
964 |
956 # If true, Keystone uses an alternative method to determine if a project is |
965 # If true, Keystone uses an alternative method to determine if a project is |
957 # enabled or not by checking if they are a member of the |
966 # enabled or not by checking if they are a member of the |
958 # "project_enabled_emulation_dn" group. (boolean value) |
967 # "project_enabled_emulation_dn" group. (boolean value) |
959 # Deprecated group/name - [ldap]/tenant_enabled_emulation |
968 # Deprecated group/name - [ldap]/tenant_enabled_emulation |
960 #project_enabled_emulation = false |
969 #project_enabled_emulation = false |
961 |
970 |
962 # DN of the group entry to hold enabled projects when using enabled emulation. |
971 # DN of the group entry to hold enabled projects when using enabled emulation. |
963 # (string value) |
972 # (string value) |
964 # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn |
973 # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn |
965 #project_enabled_emulation_dn = <None> |
974 #project_enabled_emulation_dn = <None> |
966 |
975 |
967 # Additional attribute mappings for projects. Attribute mapping format is |
976 # Additional attribute mappings for projects. Attribute mapping format is |
968 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
977 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
969 # and user_attr is the Identity API attribute. (list value) |
978 # and user_attr is the Identity API attribute. (list value) |
970 # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping |
979 # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping |
971 #project_additional_attribute_mapping = |
980 #project_additional_attribute_mapping = |
972 |
981 |
973 # Search base for roles. (string value) |
982 # Search base for roles. (string value) |
974 #role_tree_dn = <None> |
983 #role_tree_dn = <None> |
975 |
984 |
976 # LDAP search filter for roles. (string value) |
985 # LDAP search filter for roles. (string value) |
977 #role_filter = <None> |
986 #role_filter = <None> |
978 |
987 |
979 # LDAP objectclass for roles. (string value) |
988 # LDAP objectclass for roles. (string value) |
980 #role_objectclass = organizationalRole |
989 #role_objectclass = organizationalRole |
981 |
990 |
982 # LDAP attribute mapped to role id. (string value) |
991 # LDAP attribute mapped to role id. (string value) |
983 #role_id_attribute = cn |
992 #role_id_attribute = cn |
984 |
993 |
985 # LDAP attribute mapped to role name. (string value) |
994 # LDAP attribute mapped to role name. (string value) |
986 #role_name_attribute = ou |
995 #role_name_attribute = ou |
987 |
996 |
988 # LDAP attribute mapped to role membership. (string value) |
997 # LDAP attribute mapped to role membership. (string value) |
989 #role_member_attribute = roleOccupant |
998 #role_member_attribute = roleOccupant |
990 |
999 |
991 # List of attributes stripped off the role on update. (list value) |
1000 # List of attributes stripped off the role on update. (list value) |
992 #role_attribute_ignore = |
1001 #role_attribute_ignore = |
993 |
1002 |
994 # Allow role creation in LDAP backend. (boolean value) |
1003 # Allow role creation in LDAP backend. (boolean value) |
995 #role_allow_create = true |
1004 #role_allow_create = true |
996 |
1005 |
997 # Allow role update in LDAP backend. (boolean value) |
1006 # Allow role update in LDAP backend. (boolean value) |
998 #role_allow_update = true |
1007 #role_allow_update = true |
999 |
1008 |
1000 # Allow role deletion in LDAP backend. (boolean value) |
1009 # Allow role deletion in LDAP backend. (boolean value) |
1001 #role_allow_delete = true |
1010 #role_allow_delete = true |
1002 |
1011 |
1003 # Additional attribute mappings for roles. Attribute mapping format is |
1012 # Additional attribute mappings for roles. Attribute mapping format is |
1004 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1013 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1005 # and user_attr is the Identity API attribute. (list value) |
1014 # and user_attr is the Identity API attribute. (list value) |
1006 #role_additional_attribute_mapping = |
1015 #role_additional_attribute_mapping = |
1007 |
1016 |
1008 # Search base for groups. (string value) |
1017 # Search base for groups. (string value) |
1009 #group_tree_dn = <None> |
1018 #group_tree_dn = <None> |
1010 |
1019 |
1011 # LDAP search filter for groups. (string value) |
1020 # LDAP search filter for groups. (string value) |
1012 #group_filter = <None> |
1021 #group_filter = <None> |
1013 |
1022 |
1014 # LDAP objectclass for groups. (string value) |
1023 # LDAP objectclass for groups. (string value) |
1015 #group_objectclass = groupOfNames |
1024 #group_objectclass = groupOfNames |
1016 |
1025 |
1017 # LDAP attribute mapped to group id. (string value) |
1026 # LDAP attribute mapped to group id. (string value) |
1018 #group_id_attribute = cn |
1027 #group_id_attribute = cn |
1019 |
1028 |
1020 # LDAP attribute mapped to group name. (string value) |
1029 # LDAP attribute mapped to group name. (string value) |
1021 #group_name_attribute = ou |
1030 #group_name_attribute = ou |
1022 |
1031 |
1023 # LDAP attribute mapped to show group membership. (string value) |
1032 # LDAP attribute mapped to show group membership. (string value) |
1024 #group_member_attribute = member |
1033 #group_member_attribute = member |
1025 |
1034 |
1026 # LDAP attribute mapped to group description. (string value) |
1035 # LDAP attribute mapped to group description. (string value) |
1027 #group_desc_attribute = description |
1036 #group_desc_attribute = description |
1028 |
1037 |
1029 # List of attributes stripped off the group on update. (list value) |
1038 # List of attributes stripped off the group on update. (list value) |
1030 #group_attribute_ignore = |
1039 #group_attribute_ignore = |
1031 |
1040 |
1032 # Allow group creation in LDAP backend. (boolean value) |
1041 # Allow group creation in LDAP backend. (boolean value) |
1033 #group_allow_create = true |
1042 #group_allow_create = true |
1034 |
1043 |
1035 # Allow group update in LDAP backend. (boolean value) |
1044 # Allow group update in LDAP backend. (boolean value) |
1036 #group_allow_update = true |
1045 #group_allow_update = true |
1037 |
1046 |
1038 # Allow group deletion in LDAP backend. (boolean value) |
1047 # Allow group deletion in LDAP backend. (boolean value) |
1039 #group_allow_delete = true |
1048 #group_allow_delete = true |
1040 |
1049 |
1041 # Additional attribute mappings for groups. Attribute mapping format is |
1050 # Additional attribute mappings for groups. Attribute mapping format is |
1042 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1051 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1043 # and user_attr is the Identity API attribute. (list value) |
1052 # and user_attr is the Identity API attribute. (list value) |
1044 #group_additional_attribute_mapping = |
1053 #group_additional_attribute_mapping = |
1045 |
1054 |
1046 # CA certificate file path for communicating with LDAP servers. (string value) |
1055 # CA certificate file path for communicating with LDAP servers. (string value) |
1047 #tls_cacertfile = <None> |
1056 #tls_cacertfile = <None> |
1048 |
1057 |
1049 # CA certificate directory path for communicating with LDAP servers. (string |
1058 # CA certificate directory path for communicating with LDAP servers. (string |
1050 # value) |
1059 # value) |
1051 #tls_cacertdir = <None> |
1060 #tls_cacertdir = <None> |
1052 |
1061 |
1053 # Enable TLS for communicating with LDAP servers. (boolean value) |
1062 # Enable TLS for communicating with LDAP servers. (boolean value) |
1054 #use_tls = false |
1063 #use_tls = false |
1055 |
1064 |
1056 # Valid options for tls_req_cert are demand, never, and allow. (string value) |
1065 # Valid options for tls_req_cert are demand, never, and allow. (string value) |
1057 #tls_req_cert = demand |
1066 #tls_req_cert = demand |
1058 |
1067 |
1059 # Enable LDAP connection pooling. (boolean value) |
1068 # Enable LDAP connection pooling. (boolean value) |
1060 #use_pool = false |
1069 #use_pool = false |
1061 |
1070 |
1062 # Connection pool size. (integer value) |
1071 # Connection pool size. (integer value) |
1063 #pool_size = 10 |
1072 #pool_size = 10 |
1064 |
1073 |
1065 # Maximum count of reconnect trials. (integer value) |
1074 # Maximum count of reconnect trials. (integer value) |
1066 #pool_retry_max = 3 |
1075 #pool_retry_max = 3 |
1067 |
1076 |
1068 # Time span in seconds to wait between two reconnect trials. (floating point |
1077 # Time span in seconds to wait between two reconnect trials. (floating point |
1069 # value) |
1078 # value) |
1070 #pool_retry_delay = 0.1 |
1079 #pool_retry_delay = 0.1 |
1071 |
1080 |
1072 # Connector timeout in seconds. Value -1 indicates indefinite wait for |
1081 # Connector timeout in seconds. Value -1 indicates indefinite wait for |
1073 # response. (integer value) |
1082 # response. (integer value) |
1074 #pool_connection_timeout = -1 |
1083 #pool_connection_timeout = -1 |
1075 |
1084 |
1076 # Connection lifetime in seconds. (integer value) |
1085 # Connection lifetime in seconds. (integer value) |
1077 #pool_connection_lifetime = 600 |
1086 #pool_connection_lifetime = 600 |
1078 |
1087 |
1079 # Enable LDAP connection pooling for end user authentication. If use_pool is |
1088 # Enable LDAP connection pooling for end user authentication. If use_pool is |
1080 # disabled, then this setting is meaningless and is not used at all. (boolean |
1089 # disabled, then this setting is meaningless and is not used at all. (boolean |
1081 # value) |
1090 # value) |
1082 #use_auth_pool = false |
1091 #use_auth_pool = false |
1083 |
1092 |
1084 # End user auth connection pool size. (integer value) |
1093 # End user auth connection pool size. (integer value) |
1085 #auth_pool_size = 100 |
1094 #auth_pool_size = 100 |
1086 |
1095 |
1087 # End user auth connection lifetime in seconds. (integer value) |
1096 # End user auth connection lifetime in seconds. (integer value) |
1088 #auth_pool_connection_lifetime = 60 |
1097 #auth_pool_connection_lifetime = 60 |
1089 |
1098 |
1090 |
1099 |
1091 [matchmaker_redis] |
1100 [matchmaker_redis] |
1092 |
1101 |
1093 # |
1102 # |
1094 # From oslo.messaging |
1103 # From oslo.messaging |
1095 # |
1104 # |
1096 |
1105 |
1097 # Host to locate redis. (string value) |
1106 # Host to locate redis. (string value) |
1098 #host = 127.0.0.1 |
1107 #host = 127.0.0.1 |
1099 |
1108 |
1100 # Use this port to connect to redis host. (integer value) |
1109 # Use this port to connect to redis host. (integer value) |
1101 #port = 6379 |
1110 #port = 6379 |
1102 |
1111 |
1103 # Password for Redis server (optional). (string value) |
1112 # Password for Redis server (optional). (string value) |
1104 #password = <None> |
1113 #password = <None> |
1105 |
1114 |
1106 |
1115 |
1107 [matchmaker_ring] |
1116 [matchmaker_ring] |
1108 |
1117 |
1109 # |
1118 # |
1110 # From oslo.messaging |
1119 # From oslo.messaging |
1111 # |
1120 # |
1112 |
1121 |
1113 # Matchmaker ring file (JSON). (string value) |
1122 # Matchmaker ring file (JSON). (string value) |
1114 # Deprecated group/name - [DEFAULT]/matchmaker_ringfile |
1123 # Deprecated group/name - [DEFAULT]/matchmaker_ringfile |
1115 #ringfile = /etc/oslo/matchmaker_ring.json |
1124 #ringfile = /etc/oslo/matchmaker_ring.json |
1116 |
1125 |
1117 |
1126 |
1118 [memcache] |
1127 [memcache] |
1119 |
1128 |
1120 # |
1129 # |
1121 # From keystone |
1130 # From keystone |
1122 # |
1131 # |
1123 |
1132 |
1124 # Memcache servers in the format of "host:port". (list value) |
1133 # Memcache servers in the format of "host:port". (list value) |
1125 #servers = localhost:11211 |
1134 #servers = localhost:11211 |
1126 |
1135 |
1127 # Number of seconds memcached server is considered dead before it is tried |
1136 # Number of seconds memcached server is considered dead before it is tried |
1128 # again. This is used by the key value store system (e.g. token pooled |
1137 # again. This is used by the key value store system (e.g. token pooled |
1129 # memcached persistence backend). (integer value) |
1138 # memcached persistence backend). (integer value) |
1130 #dead_retry = 300 |
1139 #dead_retry = 300 |
1131 |
1140 |
1132 # Timeout in seconds for every call to a server. This is used by the key value |
1141 # Timeout in seconds for every call to a server. This is used by the key value |
1133 # store system (e.g. token pooled memcached persistence backend). (integer |
1142 # store system (e.g. token pooled memcached persistence backend). (integer |
1134 # value) |
1143 # value) |
1135 #socket_timeout = 3 |
1144 #socket_timeout = 3 |
1136 |
1145 |
1137 # Max total number of open connections to every memcached server. This is used |
1146 # Max total number of open connections to every memcached server. This is used |
1138 # by the key value store system (e.g. token pooled memcached persistence |
1147 # by the key value store system (e.g. token pooled memcached persistence |
1139 # backend). (integer value) |
1148 # backend). (integer value) |
1140 #pool_maxsize = 10 |
1149 #pool_maxsize = 10 |
1141 |
1150 |
1142 # Number of seconds a connection to memcached is held unused in the pool before |
1151 # Number of seconds a connection to memcached is held unused in the pool before |
1143 # it is closed. This is used by the key value store system (e.g. token pooled |
1152 # it is closed. This is used by the key value store system (e.g. token pooled |
1144 # memcached persistence backend). (integer value) |
1153 # memcached persistence backend). (integer value) |
1145 #pool_unused_timeout = 60 |
1154 #pool_unused_timeout = 60 |
1146 |
1155 |
1147 # Number of seconds that an operation will wait to get a memcache client |
1156 # Number of seconds that an operation will wait to get a memcache client |
1148 # connection. This is used by the key value store system (e.g. token pooled |
1157 # connection. This is used by the key value store system (e.g. token pooled |
1149 # memcached persistence backend). (integer value) |
1158 # memcached persistence backend). (integer value) |
1150 #pool_connection_get_timeout = 10 |
1159 #pool_connection_get_timeout = 10 |
1151 |
1160 |
1152 |
1161 |
1153 [oauth1] |
1162 [oauth1] |
1154 |
1163 |
1155 # |
1164 # |
1156 # From keystone |
1165 # From keystone |
1157 # |
1166 # |
1158 |
1167 |
1159 # Credential backend driver. (string value) |
1168 # Credential backend driver. (string value) |
1160 #driver = keystone.contrib.oauth1.backends.sql.OAuth1 |
1169 #driver = keystone.contrib.oauth1.backends.sql.OAuth1 |
1161 |
1170 |
1162 # Duration (in seconds) for the OAuth Request Token. (integer value) |
1171 # Duration (in seconds) for the OAuth Request Token. (integer value) |
1163 #request_token_duration = 28800 |
1172 #request_token_duration = 28800 |
1164 |
1173 |
1165 # Duration (in seconds) for the OAuth Access Token. (integer value) |
1174 # Duration (in seconds) for the OAuth Access Token. (integer value) |
1166 #access_token_duration = 86400 |
1175 #access_token_duration = 86400 |
1167 |
1176 |
1168 |
1177 |
1169 [os_inherit] |
1178 [os_inherit] |
1170 |
1179 |
1171 # |
1180 # |
1172 # From keystone |
1181 # From keystone |
1173 # |
1182 # |
1174 |
1183 |
1175 # role-assignment inheritance to projects from owning domain or from projects |
1184 # role-assignment inheritance to projects from owning domain or from projects |
1176 # higher in the hierarchy can be optionally enabled. (boolean value) |
1185 # higher in the hierarchy can be optionally enabled. (boolean value) |
1177 #enabled = false |
1186 #enabled = false |
1178 |
1187 |
1179 |
1188 |
1180 [oslo_messaging_amqp] |
1189 [oslo_messaging_amqp] |
1181 |
1190 |
1182 # |
1191 # |
1183 # From oslo.messaging |
1192 # From oslo.messaging |
1184 # |
1193 # |
1185 |
1194 |
1186 # address prefix used when sending to a specific server (string value) |
1195 # address prefix used when sending to a specific server (string value) |
1187 # Deprecated group/name - [amqp1]/server_request_prefix |
1196 # Deprecated group/name - [amqp1]/server_request_prefix |
1188 #server_request_prefix = exclusive |
1197 #server_request_prefix = exclusive |
1189 |
1198 |
1190 # address prefix used when broadcasting to all servers (string value) |
1199 # address prefix used when broadcasting to all servers (string value) |
1191 # Deprecated group/name - [amqp1]/broadcast_prefix |
1200 # Deprecated group/name - [amqp1]/broadcast_prefix |
1192 #broadcast_prefix = broadcast |
1201 #broadcast_prefix = broadcast |
1193 |
1202 |
1194 # address prefix when sending to any server in group (string value) |
1203 # address prefix when sending to any server in group (string value) |
1195 # Deprecated group/name - [amqp1]/group_request_prefix |
1204 # Deprecated group/name - [amqp1]/group_request_prefix |
1196 #group_request_prefix = unicast |
1205 #group_request_prefix = unicast |
1197 |
1206 |
1198 # Name for the AMQP container (string value) |
1207 # Name for the AMQP container (string value) |
1199 # Deprecated group/name - [amqp1]/container_name |
1208 # Deprecated group/name - [amqp1]/container_name |
1200 #container_name = <None> |
1209 #container_name = <None> |
1201 |
1210 |
1202 # Timeout for inactive connections (in seconds) (integer value) |
1211 # Timeout for inactive connections (in seconds) (integer value) |
1203 # Deprecated group/name - [amqp1]/idle_timeout |
1212 # Deprecated group/name - [amqp1]/idle_timeout |
1204 #idle_timeout = 0 |
1213 #idle_timeout = 0 |
1205 |
1214 |
1206 # Debug: dump AMQP frames to stdout (boolean value) |
1215 # Debug: dump AMQP frames to stdout (boolean value) |
1207 # Deprecated group/name - [amqp1]/trace |
1216 # Deprecated group/name - [amqp1]/trace |
1208 #trace = false |
1217 #trace = false |
1209 |
1218 |
1210 # CA certificate PEM file for verifing server certificate (string value) |
1219 # CA certificate PEM file for verifing server certificate (string value) |
1211 # Deprecated group/name - [amqp1]/ssl_ca_file |
1220 # Deprecated group/name - [amqp1]/ssl_ca_file |
1212 #ssl_ca_file = |
1221 #ssl_ca_file = |
1213 |
1222 |
1214 # Identifying certificate PEM file to present to clients (string value) |
1223 # Identifying certificate PEM file to present to clients (string value) |
1215 # Deprecated group/name - [amqp1]/ssl_cert_file |
1224 # Deprecated group/name - [amqp1]/ssl_cert_file |
1216 #ssl_cert_file = |
1225 #ssl_cert_file = |
1217 |
1226 |
1218 # Private key PEM file used to sign cert_file certificate (string value) |
1227 # Private key PEM file used to sign cert_file certificate (string value) |
1219 # Deprecated group/name - [amqp1]/ssl_key_file |
1228 # Deprecated group/name - [amqp1]/ssl_key_file |
1220 #ssl_key_file = |
1229 #ssl_key_file = |
1221 |
1230 |
1222 # Password for decrypting ssl_key_file (if encrypted) (string value) |
1231 # Password for decrypting ssl_key_file (if encrypted) (string value) |
1223 # Deprecated group/name - [amqp1]/ssl_key_password |
1232 # Deprecated group/name - [amqp1]/ssl_key_password |
1224 #ssl_key_password = <None> |
1233 #ssl_key_password = <None> |
1225 |
1234 |
1226 # Accept clients using either SSL or plain TCP (boolean value) |
1235 # Accept clients using either SSL or plain TCP (boolean value) |
1227 # Deprecated group/name - [amqp1]/allow_insecure_clients |
1236 # Deprecated group/name - [amqp1]/allow_insecure_clients |
1228 #allow_insecure_clients = false |
1237 #allow_insecure_clients = false |
1229 |
1238 |
1230 |
1239 |
1231 [oslo_messaging_qpid] |
1240 [oslo_messaging_qpid] |
1232 |
1241 |
1233 # |
1242 # |
1234 # From oslo.messaging |
1243 # From oslo.messaging |
1235 # |
1244 # |
1236 |
1245 |
1237 # Use durable queues in AMQP. (boolean value) |
1246 # Use durable queues in AMQP. (boolean value) |
1238 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
1247 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
1239 #amqp_durable_queues = false |
1248 #amqp_durable_queues = false |
1240 |
1249 |
1241 # Auto-delete queues in AMQP. (boolean value) |
1250 # Auto-delete queues in AMQP. (boolean value) |
1242 # Deprecated group/name - [DEFAULT]/amqp_auto_delete |
1251 # Deprecated group/name - [DEFAULT]/amqp_auto_delete |
1243 #amqp_auto_delete = false |
1252 #amqp_auto_delete = false |
1244 |
1253 |
1245 # Size of RPC connection pool. (integer value) |
1254 # Size of RPC connection pool. (integer value) |
1246 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size |
1255 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size |
1247 #rpc_conn_pool_size = 30 |
1256 #rpc_conn_pool_size = 30 |
1248 |
1257 |
1249 # Qpid broker hostname. (string value) |
1258 # Qpid broker hostname. (string value) |
1250 # Deprecated group/name - [DEFAULT]/qpid_hostname |
1259 # Deprecated group/name - [DEFAULT]/qpid_hostname |
1251 #qpid_hostname = localhost |
1260 #qpid_hostname = localhost |
1252 |
1261 |
1253 # Qpid broker port. (integer value) |
1262 # Qpid broker port. (integer value) |
1254 # Deprecated group/name - [DEFAULT]/qpid_port |
1263 # Deprecated group/name - [DEFAULT]/qpid_port |
1255 #qpid_port = 5672 |
1264 #qpid_port = 5672 |
1256 |
1265 |
1257 # Qpid HA cluster host:port pairs. (list value) |
1266 # Qpid HA cluster host:port pairs. (list value) |
1258 # Deprecated group/name - [DEFAULT]/qpid_hosts |
1267 # Deprecated group/name - [DEFAULT]/qpid_hosts |
1259 #qpid_hosts = $qpid_hostname:$qpid_port |
1268 #qpid_hosts = $qpid_hostname:$qpid_port |
1260 |
1269 |
1261 # Username for Qpid connection. (string value) |
1270 # Username for Qpid connection. (string value) |
1262 # Deprecated group/name - [DEFAULT]/qpid_username |
1271 # Deprecated group/name - [DEFAULT]/qpid_username |
1263 #qpid_username = |
1272 #qpid_username = |
1264 |
1273 |
1265 # Password for Qpid connection. (string value) |
1274 # Password for Qpid connection. (string value) |
1266 # Deprecated group/name - [DEFAULT]/qpid_password |
1275 # Deprecated group/name - [DEFAULT]/qpid_password |
1267 #qpid_password = |
1276 #qpid_password = |
1268 |
1277 |
1269 # Space separated list of SASL mechanisms to use for auth. (string value) |
1278 # Space separated list of SASL mechanisms to use for auth. (string value) |
1270 # Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms |
1279 # Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms |
1271 #qpid_sasl_mechanisms = |
1280 #qpid_sasl_mechanisms = |
1272 |
1281 |
1273 # Seconds between connection keepalive heartbeats. (integer value) |
1282 # Seconds between connection keepalive heartbeats. (integer value) |
1274 # Deprecated group/name - [DEFAULT]/qpid_heartbeat |
1283 # Deprecated group/name - [DEFAULT]/qpid_heartbeat |
1275 #qpid_heartbeat = 60 |
1284 #qpid_heartbeat = 60 |
1276 |
1285 |
1277 # Transport to use, either 'tcp' or 'ssl'. (string value) |
1286 # Transport to use, either 'tcp' or 'ssl'. (string value) |
1278 # Deprecated group/name - [DEFAULT]/qpid_protocol |
1287 # Deprecated group/name - [DEFAULT]/qpid_protocol |
1279 #qpid_protocol = tcp |
1288 #qpid_protocol = tcp |
1280 |
1289 |
1281 # Whether to disable the Nagle algorithm. (boolean value) |
1290 # Whether to disable the Nagle algorithm. (boolean value) |
1282 # Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay |
1291 # Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay |
1283 #qpid_tcp_nodelay = true |
1292 #qpid_tcp_nodelay = true |
1284 |
1293 |
1285 # The number of prefetched messages held by receiver. (integer value) |
1294 # The number of prefetched messages held by receiver. (integer value) |
1286 # Deprecated group/name - [DEFAULT]/qpid_receiver_capacity |
1295 # Deprecated group/name - [DEFAULT]/qpid_receiver_capacity |
1287 #qpid_receiver_capacity = 1 |
1296 #qpid_receiver_capacity = 1 |
1288 |
1297 |
1289 # The qpid topology version to use. Version 1 is what was originally used by |
1298 # The qpid topology version to use. Version 1 is what was originally used by |
1290 # impl_qpid. Version 2 includes some backwards-incompatible changes that allow |
1299 # impl_qpid. Version 2 includes some backwards-incompatible changes that allow |
1291 # broker federation to work. Users should update to version 2 when they are |
1300 # broker federation to work. Users should update to version 2 when they are |
1292 # able to take everything down, as it requires a clean break. (integer value) |
1301 # able to take everything down, as it requires a clean break. (integer value) |
1293 # Deprecated group/name - [DEFAULT]/qpid_topology_version |
1302 # Deprecated group/name - [DEFAULT]/qpid_topology_version |
1294 #qpid_topology_version = 1 |
1303 #qpid_topology_version = 1 |
1295 |
1304 |
1296 |
1305 |
1297 [oslo_messaging_rabbit] |
1306 [oslo_messaging_rabbit] |
1298 |
1307 |
1299 # |
1308 # |
1300 # From oslo.messaging |
1309 # From oslo.messaging |
1301 # |
1310 # |
1302 |
1311 |
1303 # Use durable queues in AMQP. (boolean value) |
1312 # Use durable queues in AMQP. (boolean value) |
1304 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
1313 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
1305 #amqp_durable_queues = false |
1314 #amqp_durable_queues = false |
1306 |
1315 |
1307 # Auto-delete queues in AMQP. (boolean value) |
1316 # Auto-delete queues in AMQP. (boolean value) |
1308 # Deprecated group/name - [DEFAULT]/amqp_auto_delete |
1317 # Deprecated group/name - [DEFAULT]/amqp_auto_delete |
1309 #amqp_auto_delete = false |
1318 #amqp_auto_delete = false |
1310 |
1319 |
1311 # Size of RPC connection pool. (integer value) |
1320 # Size of RPC connection pool. (integer value) |
1312 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size |
1321 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size |
1313 #rpc_conn_pool_size = 30 |
1322 #rpc_conn_pool_size = 30 |
1314 |
1323 |
1315 # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and |
1324 # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and |
1316 # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some |
1325 # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some |
1317 # distributions. (string value) |
1326 # distributions. (string value) |
1318 # Deprecated group/name - [DEFAULT]/kombu_ssl_version |
1327 # Deprecated group/name - [DEFAULT]/kombu_ssl_version |
1319 #kombu_ssl_version = |
1328 #kombu_ssl_version = |
1320 |
1329 |
1321 # SSL key file (valid only if SSL enabled). (string value) |
1330 # SSL key file (valid only if SSL enabled). (string value) |
1322 # Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile |
1331 # Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile |
1323 #kombu_ssl_keyfile = |
1332 #kombu_ssl_keyfile = |
1324 |
1333 |
1325 # SSL cert file (valid only if SSL enabled). (string value) |
1334 # SSL cert file (valid only if SSL enabled). (string value) |
1326 # Deprecated group/name - [DEFAULT]/kombu_ssl_certfile |
1335 # Deprecated group/name - [DEFAULT]/kombu_ssl_certfile |
1327 #kombu_ssl_certfile = |
1336 #kombu_ssl_certfile = |
1328 |
1337 |
1329 # SSL certification authority file (valid only if SSL enabled). (string value) |
1338 # SSL certification authority file (valid only if SSL enabled). (string value) |
1330 # Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs |
1339 # Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs |
1331 #kombu_ssl_ca_certs = |
1340 #kombu_ssl_ca_certs = |
1332 |
1341 |
1333 # How long to wait before reconnecting in response to an AMQP consumer cancel |
1342 # How long to wait before reconnecting in response to an AMQP consumer cancel |
1334 # notification. (floating point value) |
1343 # notification. (floating point value) |
1335 # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay |
1344 # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay |
1336 #kombu_reconnect_delay = 1.0 |
1345 #kombu_reconnect_delay = 1.0 |
1337 |
1346 |
1338 # The RabbitMQ broker address where a single node is used. (string value) |
1347 # The RabbitMQ broker address where a single node is used. (string value) |
1339 # Deprecated group/name - [DEFAULT]/rabbit_host |
1348 # Deprecated group/name - [DEFAULT]/rabbit_host |
1340 #rabbit_host = localhost |
1349 #rabbit_host = localhost |
1341 |
1350 |
1342 # The RabbitMQ broker port where a single node is used. (integer value) |
1351 # The RabbitMQ broker port where a single node is used. (integer value) |
1343 # Deprecated group/name - [DEFAULT]/rabbit_port |
1352 # Deprecated group/name - [DEFAULT]/rabbit_port |
1344 #rabbit_port = 5672 |
1353 #rabbit_port = 5672 |
1345 |
1354 |
1346 # RabbitMQ HA cluster host:port pairs. (list value) |
1355 # RabbitMQ HA cluster host:port pairs. (list value) |
1347 # Deprecated group/name - [DEFAULT]/rabbit_hosts |
1356 # Deprecated group/name - [DEFAULT]/rabbit_hosts |
1348 #rabbit_hosts = $rabbit_host:$rabbit_port |
1357 #rabbit_hosts = $rabbit_host:$rabbit_port |
1349 |
1358 |
1350 # Connect over SSL for RabbitMQ. (boolean value) |
1359 # Connect over SSL for RabbitMQ. (boolean value) |
1351 # Deprecated group/name - [DEFAULT]/rabbit_use_ssl |
1360 # Deprecated group/name - [DEFAULT]/rabbit_use_ssl |
1352 #rabbit_use_ssl = false |
1361 #rabbit_use_ssl = false |
1353 |
1362 |
1354 # The RabbitMQ userid. (string value) |
1363 # The RabbitMQ userid. (string value) |
1355 # Deprecated group/name - [DEFAULT]/rabbit_userid |
1364 # Deprecated group/name - [DEFAULT]/rabbit_userid |
1356 #rabbit_userid = guest |
1365 #rabbit_userid = guest |
1357 |
1366 |
1358 # The RabbitMQ password. (string value) |
1367 # The RabbitMQ password. (string value) |
1359 # Deprecated group/name - [DEFAULT]/rabbit_password |
1368 # Deprecated group/name - [DEFAULT]/rabbit_password |
1360 #rabbit_password = guest |
1369 #rabbit_password = guest |
1361 |
1370 |
1362 # The RabbitMQ login method. (string value) |
1371 # The RabbitMQ login method. (string value) |
1363 # Deprecated group/name - [DEFAULT]/rabbit_login_method |
1372 # Deprecated group/name - [DEFAULT]/rabbit_login_method |
1364 #rabbit_login_method = AMQPLAIN |
1373 #rabbit_login_method = AMQPLAIN |
1365 |
1374 |
1366 # The RabbitMQ virtual host. (string value) |
1375 # The RabbitMQ virtual host. (string value) |
1367 # Deprecated group/name - [DEFAULT]/rabbit_virtual_host |
1376 # Deprecated group/name - [DEFAULT]/rabbit_virtual_host |
1368 #rabbit_virtual_host = / |
1377 #rabbit_virtual_host = / |
1369 |
1378 |
1370 # How frequently to retry connecting with RabbitMQ. (integer value) |
1379 # How frequently to retry connecting with RabbitMQ. (integer value) |
1371 #rabbit_retry_interval = 1 |
1380 #rabbit_retry_interval = 1 |
1372 |
1381 |
1373 # How long to backoff for between retries when connecting to RabbitMQ. (integer |
1382 # How long to backoff for between retries when connecting to RabbitMQ. (integer |
1374 # value) |
1383 # value) |
1375 # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff |
1384 # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff |
1376 #rabbit_retry_backoff = 2 |
1385 #rabbit_retry_backoff = 2 |
1377 |
1386 |
1378 # Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry |
1387 # Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry |
1379 # count). (integer value) |
1388 # count). (integer value) |
1380 # Deprecated group/name - [DEFAULT]/rabbit_max_retries |
1389 # Deprecated group/name - [DEFAULT]/rabbit_max_retries |
1381 #rabbit_max_retries = 0 |
1390 #rabbit_max_retries = 0 |
1382 |
1391 |
1383 # Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you |
1392 # Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you |
1384 # must wipe the RabbitMQ database. (boolean value) |
1393 # must wipe the RabbitMQ database. (boolean value) |
1385 # Deprecated group/name - [DEFAULT]/rabbit_ha_queues |
1394 # Deprecated group/name - [DEFAULT]/rabbit_ha_queues |
1386 #rabbit_ha_queues = false |
1395 #rabbit_ha_queues = false |
1387 |
1396 |
1388 # Number of seconds after which the Rabbit broker is considered down if |
1397 # Number of seconds after which the Rabbit broker is considered down if |
1389 # heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) |
1398 # heartbeat's keep-alive fails (0 disables the heartbeat, >0 enables it. |
1390 #heartbeat_timeout_threshold = 60 |
1399 # Enabling heartbeats requires kombu>=3.0.7 and amqp>=1.4.0). EXPERIMENTAL |
1391 |
1400 # (integer value) |
|
1401 #heartbeat_timeout_threshold = 0 |
|
1402 |
1392 # How often times during the heartbeat_timeout_threshold we check the |
1403 # How often times during the heartbeat_timeout_threshold we check the |
1393 # heartbeat. (integer value) |
1404 # heartbeat. (integer value) |
1394 #heartbeat_rate = 2 |
1405 #heartbeat_rate = 2 |
1395 |
1406 |
1396 # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) |
1407 # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) |
1397 # Deprecated group/name - [DEFAULT]/fake_rabbit |
1408 # Deprecated group/name - [DEFAULT]/fake_rabbit |
1398 #fake_rabbit = false |
1409 #fake_rabbit = false |
1399 |
1410 |
1400 |
1411 |
1401 [oslo_middleware] |
1412 [oslo_middleware] |
1402 |
1413 |
1403 # |
1414 # |
1404 # From oslo.middleware |
1415 # From oslo.middleware |
1405 # |
1416 # |
1406 |
1417 |
1407 # The maximum body size for each request, in bytes. (integer value) |
1418 # The maximum body size for each request, in bytes. (integer value) |
1408 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size |
1419 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size |
1409 # Deprecated group/name - [DEFAULT]/max_request_body_size |
1420 # Deprecated group/name - [DEFAULT]/max_request_body_size |
1410 #max_request_body_size = 114688 |
1421 #max_request_body_size = 114688 |
1411 |
1422 |
1412 |
1423 |
1413 [oslo_policy] |
1424 [oslo_policy] |
1414 |
1425 |
1415 # |
1426 # |
1416 # From oslo.policy |
1427 # From oslo.policy |
1417 # |
1428 # |
1418 |
1429 |
1419 # The JSON file that defines policies. (string value) |
1430 # The JSON file that defines policies. (string value) |
1420 # Deprecated group/name - [DEFAULT]/policy_file |
1431 # Deprecated group/name - [DEFAULT]/policy_file |
1421 #policy_file = policy.json |
1432 #policy_file = policy.json |
1422 |
1433 |
1423 # Default rule. Enforced when a requested rule is not found. (string value) |
1434 # Default rule. Enforced when a requested rule is not found. (string value) |
1424 # Deprecated group/name - [DEFAULT]/policy_default_rule |
1435 # Deprecated group/name - [DEFAULT]/policy_default_rule |
1425 #policy_default_rule = default |
1436 #policy_default_rule = default |
1426 |
1437 |
1427 # Directories where policy configuration files are stored. They can be relative |
1438 # Directories where policy configuration files are stored. They can be relative |
1428 # to any directory in the search path defined by the config_dir option, or |
1439 # to any directory in the search path defined by the config_dir option, or |
1429 # absolute paths. The file defined by policy_file must exist for these |
1440 # absolute paths. The file defined by policy_file must exist for these |
1430 # directories to be searched. Missing or empty directories are ignored. (multi |
1441 # directories to be searched. Missing or empty directories are ignored. (multi |
1431 # valued) |
1442 # valued) |
1432 # Deprecated group/name - [DEFAULT]/policy_dirs |
1443 # Deprecated group/name - [DEFAULT]/policy_dirs |
1433 #policy_dirs = policy.d |
1444 #policy_dirs = policy.d |
1434 |
1445 |
1435 |
1446 |
1436 [paste_deploy] |
1447 [paste_deploy] |
1437 |
1448 |
1438 # |
1449 # |
1439 # From keystone |
1450 # From keystone |
1440 # |
1451 # |
1441 |
1452 |
1442 # Name of the paste configuration file that defines the available pipelines. |
1453 # Name of the paste configuration file that defines the available pipelines. |
1443 # (string value) |
1454 # (string value) |
1444 #config_file = keystone-paste.ini |
1455 #config_file = keystone-paste.ini |
1445 |
1456 |
1446 |
1457 |
1447 [policy] |
1458 [policy] |
1448 |
1459 |
1449 # |
1460 # |
1450 # From keystone |
1461 # From keystone |
1451 # |
1462 # |
1452 |
1463 |
1453 # Policy backend driver. (string value) |
1464 # Policy backend driver. (string value) |
1454 #driver = keystone.policy.backends.sql.Policy |
1465 #driver = keystone.policy.backends.sql.Policy |
1455 |
1466 |
1456 # Maximum number of entities that will be returned in a policy collection. |
1467 # Maximum number of entities that will be returned in a policy collection. |
1457 # (integer value) |
1468 # (integer value) |
1458 #list_limit = <None> |
1469 #list_limit = <None> |
1459 |
1470 |
1460 |
1471 |
1461 [resource] |
1472 [resource] |
1462 |
1473 |
1463 # |
1474 # |
1464 # From keystone |
1475 # From keystone |
1465 # |
1476 # |
1466 |
1477 |
1467 # Resource backend driver. If a resource driver is not specified, the |
1478 # Resource backend driver. If a resource driver is not specified, the |
1468 # assignment driver will choose the resource driver. (string value) |
1479 # assignment driver will choose the resource driver. (string value) |
1469 #driver = <None> |
1480 #driver = <None> |
1470 |
1481 |
1471 # Toggle for resource caching. This has no effect unless global caching is |
1482 # Toggle for resource caching. This has no effect unless global caching is |
1472 # enabled. (boolean value) |
1483 # enabled. (boolean value) |
1473 # Deprecated group/name - [assignment]/caching |
1484 # Deprecated group/name - [assignment]/caching |
1474 #caching = true |
1485 #caching = true |
1475 |
1486 |
1476 # TTL (in seconds) to cache resource data. This has no effect unless global |
1487 # TTL (in seconds) to cache resource data. This has no effect unless global |
1477 # caching is enabled. (integer value) |
1488 # caching is enabled. (integer value) |
1478 # Deprecated group/name - [assignment]/cache_time |
1489 # Deprecated group/name - [assignment]/cache_time |
1479 #cache_time = <None> |
1490 #cache_time = <None> |
1480 |
1491 |
1481 # Maximum number of entities that will be returned in a resource collection. |
1492 # Maximum number of entities that will be returned in a resource collection. |
1482 # (integer value) |
1493 # (integer value) |
1483 # Deprecated group/name - [assignment]/list_limit |
1494 # Deprecated group/name - [assignment]/list_limit |
1484 #list_limit = <None> |
1495 #list_limit = <None> |
1485 |
1496 |
1486 |
1497 |
1487 [revoke] |
1498 [revoke] |
1488 |
1499 |
1489 # |
1500 # |
1490 # From keystone |
1501 # From keystone |
1491 # |
1502 # |
1492 |
1503 |
1493 # An implementation of the backend for persisting revocation events. (string |
1504 # An implementation of the backend for persisting revocation events. (string |
1494 # value) |
1505 # value) |
1495 #driver = keystone.contrib.revoke.backends.sql.Revoke |
1506 #driver = keystone.contrib.revoke.backends.sql.Revoke |
1496 |
1507 |
1497 # This value (calculated in seconds) is added to token expiration before a |
1508 # This value (calculated in seconds) is added to token expiration before a |
1498 # revocation event may be removed from the backend. (integer value) |
1509 # revocation event may be removed from the backend. (integer value) |
1499 #expiration_buffer = 1800 |
1510 #expiration_buffer = 1800 |
1500 |
1511 |
1501 # Toggle for revocation event caching. This has no effect unless global caching |
1512 # Toggle for revocation event caching. This has no effect unless global caching |
1502 # is enabled. (boolean value) |
1513 # is enabled. (boolean value) |
1503 #caching = true |
1514 #caching = true |
1504 |
1515 |
1505 # Time to cache the revocation list and the revocation events (in seconds). |
1516 # Time to cache the revocation list and the revocation events (in seconds). |
1506 # This has no effect unless global and token caching are enabled. (integer |
1517 # This has no effect unless global and token caching are enabled. (integer |
1507 # value) |
1518 # value) |
1508 # Deprecated group/name - [token]/revocation_cache_time |
1519 # Deprecated group/name - [token]/revocation_cache_time |
1509 #cache_time = 3600 |
1520 #cache_time = 3600 |
1510 |
1521 |
1511 |
1522 |
1512 [role] |
1523 [role] |
1513 |
1524 |
1514 # |
1525 # |
1515 # From keystone |
1526 # From keystone |
1516 # |
1527 # |
1517 |
1528 |
1518 # Role backend driver. (string value) |
1529 # Role backend driver. (string value) |
1519 #driver = <None> |
1530 #driver = <None> |
1520 |
1531 |
1521 # Toggle for role caching. This has no effect unless global caching is enabled. |
1532 # Toggle for role caching. This has no effect unless global caching is enabled. |
1522 # (boolean value) |
1533 # (boolean value) |
1523 #caching = true |
1534 #caching = true |
1524 |
1535 |
1525 # TTL (in seconds) to cache role data. This has no effect unless global caching |
1536 # TTL (in seconds) to cache role data. This has no effect unless global caching |
1526 # is enabled. (integer value) |
1537 # is enabled. (integer value) |
1527 #cache_time = <None> |
1538 #cache_time = <None> |
1528 |
1539 |
1529 # Maximum number of entities that will be returned in a role collection. |
1540 # Maximum number of entities that will be returned in a role collection. |
1530 # (integer value) |
1541 # (integer value) |
1531 #list_limit = <None> |
1542 #list_limit = <None> |
1532 |
1543 |
1533 |
1544 |
1534 [saml] |
1545 [saml] |
1535 |
1546 |
1536 # |
1547 # |
1537 # From keystone |
1548 # From keystone |
1538 # |
1549 # |
1539 |
1550 |
1540 # Default TTL, in seconds, for any generated SAML assertion created by |
1551 # Default TTL, in seconds, for any generated SAML assertion created by |
1541 # Keystone. (integer value) |
1552 # Keystone. (integer value) |
1542 #assertion_expiration_time = 3600 |
1553 #assertion_expiration_time = 3600 |
1543 |
1554 |
1544 # Binary to be called for XML signing. Install the appropriate package, specify |
1555 # Binary to be called for XML signing. Install the appropriate package, specify |
1545 # absolute path or adjust your PATH environment variable if the binary cannot |
1556 # absolute path or adjust your PATH environment variable if the binary cannot |
1546 # be found. (string value) |
1557 # be found. (string value) |
1547 #xmlsec1_binary = xmlsec1 |
1558 #xmlsec1_binary = xmlsec1 |
1548 |
1559 |
1549 # Path of the certfile for SAML signing. For non-production environments, you |
1560 # Path of the certfile for SAML signing. For non-production environments, you |
1550 # may be interested in using `keystone-manage pki_setup` to generate self- |
1561 # may be interested in using `keystone-manage pki_setup` to generate self- |
1551 # signed certificates. Note, the path cannot contain a comma. (string value) |
1562 # signed certificates. Note, the path cannot contain a comma. (string value) |
1552 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
1563 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
1553 |
1564 |
1554 # Path of the keyfile for SAML signing. Note, the path cannot contain a comma. |
1565 # Path of the keyfile for SAML signing. Note, the path cannot contain a comma. |
1555 # (string value) |
1566 # (string value) |
1556 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
1567 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
1557 |
1568 |
1558 # Entity ID value for unique Identity Provider identification. Usually FQDN is |
1569 # Entity ID value for unique Identity Provider identification. Usually FQDN is |
1559 # set with a suffix. A value is required to generate IDP Metadata. For example: |
1570 # set with a suffix. A value is required to generate IDP Metadata. For example: |
1560 # https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value) |
1571 # https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value) |
1561 #idp_entity_id = <None> |
1572 #idp_entity_id = <None> |
1562 |
1573 |
1563 # Identity Provider Single-Sign-On service value, required in the Identity |
1574 # Identity Provider Single-Sign-On service value, required in the Identity |
1564 # Provider's metadata. A value is required to generate IDP Metadata. For |
1575 # Provider's metadata. A value is required to generate IDP Metadata. For |
1565 # example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string |
1576 # example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string |
1566 # value) |
1577 # value) |
1567 #idp_sso_endpoint = <None> |
1578 #idp_sso_endpoint = <None> |
1568 |
1579 |
1569 # Language used by the organization. (string value) |
1580 # Language used by the organization. (string value) |
1570 #idp_lang = en |
1581 #idp_lang = en |
1571 |
1582 |
1572 # Organization name the installation belongs to. (string value) |
1583 # Organization name the installation belongs to. (string value) |
1573 #idp_organization_name = <None> |
1584 #idp_organization_name = <None> |
1574 |
1585 |
1575 # Organization name to be displayed. (string value) |
1586 # Organization name to be displayed. (string value) |
1576 #idp_organization_display_name = <None> |
1587 #idp_organization_display_name = <None> |
1577 |
1588 |
1578 # URL of the organization. (string value) |
1589 # URL of the organization. (string value) |
1579 #idp_organization_url = <None> |
1590 #idp_organization_url = <None> |
1580 |
1591 |
1581 # Company of contact person. (string value) |
1592 # Company of contact person. (string value) |
1582 #idp_contact_company = <None> |
1593 #idp_contact_company = <None> |
1583 |
1594 |
1584 # Given name of contact person (string value) |
1595 # Given name of contact person (string value) |
1585 #idp_contact_name = <None> |
1596 #idp_contact_name = <None> |
1586 |
1597 |
1587 # Surname of contact person. (string value) |
1598 # Surname of contact person. (string value) |
1588 #idp_contact_surname = <None> |
1599 #idp_contact_surname = <None> |
1589 |
1600 |
1590 # Email address of contact person. (string value) |
1601 # Email address of contact person. (string value) |
1591 #idp_contact_email = <None> |
1602 #idp_contact_email = <None> |
1592 |
1603 |
1593 # Telephone number of contact person. (string value) |
1604 # Telephone number of contact person. (string value) |
1594 #idp_contact_telephone = <None> |
1605 #idp_contact_telephone = <None> |
1595 |
1606 |
1596 # Contact type. Allowed values are: technical, support, administrative billing, |
1607 # Contact type. Allowed values are: technical, support, administrative billing, |
1597 # and other (string value) |
1608 # and other (string value) |
1598 #idp_contact_type = other |
1609 #idp_contact_type = other |
1599 |
1610 |
1600 # Path to the Identity Provider Metadata file. This file should be generated |
1611 # Path to the Identity Provider Metadata file. This file should be generated |
1601 # with the keystone-manage saml_idp_metadata command. (string value) |
1612 # with the keystone-manage saml_idp_metadata command. (string value) |
1602 #idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml |
1613 #idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml |
1603 |
1614 |
1604 # The prefix to use for the RelayState SAML attribute, used when generating ECP |
1615 # The prefix to use for the RelayState SAML attribute, used when generating ECP |
1605 # wrapped assertions. (string value) |
1616 # wrapped assertions. (string value) |
1606 #relay_state_prefix = ss:mem: |
1617 #relay_state_prefix = ss:mem: |
1607 |
1618 |
1608 |
1619 |
1609 [signing] |
1620 [signing] |
1610 |
1621 |
1611 # |
1622 # |
1612 # From keystone |
1623 # From keystone |
1613 # |
1624 # |
1614 |
1625 |
1615 # Path of the certfile for token signing. For non-production environments, you |
1626 # Path of the certfile for token signing. For non-production environments, you |
1616 # may be interested in using `keystone-manage pki_setup` to generate self- |
1627 # may be interested in using `keystone-manage pki_setup` to generate self- |
1617 # signed certificates. (string value) |
1628 # signed certificates. (string value) |
1618 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
1629 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
1619 |
1630 |
1620 # Path of the keyfile for token signing. (string value) |
1631 # Path of the keyfile for token signing. (string value) |
1621 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
1632 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
1622 |
1633 |
1623 # Path of the CA for token signing. (string value) |
1634 # Path of the CA for token signing. (string value) |
1624 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
1635 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
1625 |
1636 |
1626 # Path of the CA key for token signing. (string value) |
1637 # Path of the CA key for token signing. (string value) |
1627 #ca_key = /etc/keystone/ssl/private/cakey.pem |
1638 #ca_key = /etc/keystone/ssl/private/cakey.pem |
1628 |
1639 |
1629 # Key size (in bits) for token signing cert (auto generated certificate). |
1640 # Key size (in bits) for token signing cert (auto generated certificate). |
1630 # (integer value) |
1641 # (integer value) |
1631 #key_size = 2048 |
1642 #key_size = 2048 |
1632 |
1643 |
1633 # Days the token signing cert is valid for (auto generated certificate). |
1644 # Days the token signing cert is valid for (auto generated certificate). |
1634 # (integer value) |
1645 # (integer value) |
1635 #valid_days = 3650 |
1646 #valid_days = 3650 |
1636 |
1647 |
1637 # Certificate subject (auto generated certificate) for token signing. (string |
1648 # Certificate subject (auto generated certificate) for token signing. (string |
1638 # value) |
1649 # value) |
1639 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com |
1650 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com |
1640 |
1651 |
1641 |
1652 |
1642 [ssl] |
1653 [ssl] |
1643 |
1654 |
1644 # |
1655 # |
1645 # From keystone |
1656 # From keystone |
1646 # |
1657 # |
1647 |
1658 |
1648 # Path of the CA key file for SSL. (string value) |
1659 # Path of the CA key file for SSL. (string value) |
1649 #ca_key = /etc/keystone/ssl/private/cakey.pem |
1660 #ca_key = /etc/keystone/ssl/private/cakey.pem |
1650 |
1661 |
1651 # SSL key length (in bits) (auto generated certificate). (integer value) |
1662 # SSL key length (in bits) (auto generated certificate). (integer value) |
1652 #key_size = 1024 |
1663 #key_size = 1024 |
1653 |
1664 |
1654 # Days the certificate is valid for once signed (auto generated certificate). |
1665 # Days the certificate is valid for once signed (auto generated certificate). |
1655 # (integer value) |
1666 # (integer value) |
1656 #valid_days = 3650 |
1667 #valid_days = 3650 |
1657 |
1668 |
1658 # SSL certificate subject (auto generated certificate). (string value) |
1669 # SSL certificate subject (auto generated certificate). (string value) |
1659 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost |
1670 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost |
1660 |
1671 |
1661 |
1672 |
1662 [token] |
1673 [token] |
1663 |
1674 |
1664 # |
1675 # |
1665 # From keystone |
1676 # From keystone |
1666 # |
1677 # |
1667 |
1678 |
1668 # External auth mechanisms that should add bind information to token, e.g., |
1679 # External auth mechanisms that should add bind information to token, e.g., |
1669 # kerberos,x509. (list value) |
1680 # kerberos,x509. (list value) |
1670 #bind = |
1681 #bind = |
1671 |
1682 |
1672 # Enforcement policy on tokens presented to Keystone with bind information. One |
1683 # Enforcement policy on tokens presented to Keystone with bind information. One |
1673 # of disabled, permissive, strict, required or a specifically required bind |
1684 # of disabled, permissive, strict, required or a specifically required bind |
1674 # mode, e.g., kerberos or x509 to require binding to that authentication. |
1685 # mode, e.g., kerberos or x509 to require binding to that authentication. |
1675 # (string value) |
1686 # (string value) |
1676 #enforce_token_bind = permissive |
1687 #enforce_token_bind = permissive |
1677 |
1688 |
1678 # Amount of time a token should remain valid (in seconds). (integer value) |
1689 # Amount of time a token should remain valid (in seconds). (integer value) |
1679 #expiration = 3600 |
1690 #expiration = 3600 |
1680 |
1691 |
1681 # Controls the token construction, validation, and revocation operations. Core |
1692 # Controls the token construction, validation, and revocation operations. Core |
1682 # providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". |
1693 # providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". |
1683 # (string value) |
1694 # (string value) |
1684 #provider = keystone.token.providers.uuid.Provider |
1695 #provider = keystone.token.providers.uuid.Provider |
1685 |
1696 |
1686 # Token persistence backend driver. (string value) |
1697 # Token persistence backend driver. (string value) |
1687 #driver = keystone.token.persistence.backends.sql.Token |
1698 #driver = keystone.token.persistence.backends.sql.Token |
1688 |
1699 |
1689 # Toggle for token system caching. This has no effect unless global caching is |
1700 # Toggle for token system caching. This has no effect unless global caching is |
1690 # enabled. (boolean value) |
1701 # enabled. (boolean value) |
1691 #caching = true |
1702 #caching = true |
1692 |
1703 |
1693 # Time to cache tokens (in seconds). This has no effect unless global and token |
1704 # Time to cache tokens (in seconds). This has no effect unless global and token |
1694 # caching are enabled. (integer value) |
1705 # caching are enabled. (integer value) |
1695 #cache_time = <None> |
1706 #cache_time = <None> |
1696 |
1707 |
1697 # Revoke token by token identifier. Setting revoke_by_id to true enables |
1708 # Revoke token by token identifier. Setting revoke_by_id to true enables |
1698 # various forms of enumerating tokens, e.g. `list tokens for user`. These |
1709 # various forms of enumerating tokens, e.g. `list tokens for user`. These |
1699 # enumerations are processed to determine the list of tokens to revoke. Only |
1710 # enumerations are processed to determine the list of tokens to revoke. Only |
1700 # disable if you are switching to using the Revoke extension with a backend |
1711 # disable if you are switching to using the Revoke extension with a backend |
1701 # other than KVS, which stores events in memory. (boolean value) |
1712 # other than KVS, which stores events in memory. (boolean value) |
1702 #revoke_by_id = true |
1713 #revoke_by_id = true |
1703 |
1714 |
1704 # Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false |
1715 # Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false |
1705 # prevents a user from exchanging a scoped token for any other token. (boolean |
1716 # prevents a user from exchanging a scoped token for any other token. (boolean |
1706 # value) |
1717 # value) |
1707 #allow_rescope_scoped_token = true |
1718 #allow_rescope_scoped_token = true |
1708 |
1719 |
1709 # The hash algorithm to use for PKI tokens. This can be set to any algorithm |
1720 # The hash algorithm to use for PKI tokens. This can be set to any algorithm |
1710 # that hashlib supports. WARNING: Before changing this value, the auth_token |
1721 # that hashlib supports. WARNING: Before changing this value, the auth_token |
1711 # middleware must be configured with the hash_algorithms, otherwise token |
1722 # middleware must be configured with the hash_algorithms, otherwise token |
1712 # revocation will not be processed correctly. (string value) |
1723 # revocation will not be processed correctly. (string value) |
1713 #hash_algorithm = md5 |
1724 #hash_algorithm = md5 |
1714 |
1725 |
1715 |
1726 |
1716 [trust] |
1727 [trust] |
1717 |
1728 |
1718 # |
1729 # |
1719 # From keystone |
1730 # From keystone |
1720 # |
1731 # |
1721 |
1732 |
1722 # Delegation and impersonation features can be optionally disabled. (boolean |
1733 # Delegation and impersonation features can be optionally disabled. (boolean |
1723 # value) |
1734 # value) |
1724 #enabled = true |
1735 #enabled = true |
1725 |
1736 |
1726 # Enable redelegation feature. (boolean value) |
1737 # Enable redelegation feature. (boolean value) |
1727 #allow_redelegation = false |
1738 #allow_redelegation = false |
1728 |
1739 |
1729 # Maximum depth of trust redelegation. (integer value) |
1740 # Maximum depth of trust redelegation. (integer value) |
1730 #max_redelegation_count = 3 |
1741 #max_redelegation_count = 3 |
1731 |
1742 |
1732 # Trust backend driver. (string value) |
1743 # Trust backend driver. (string value) |
1733 #driver = keystone.trust.backends.sql.Trust |
1744 #driver = keystone.trust.backends.sql.Trust |