|
1 [DEFAULT] |
|
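2 # A "shared secret" between keystone and other openstack services; a request presenting it is handled as admin (see admin_token_auth in the pipelines), so set a long random value rather than the sample ADMIN |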
|
3 # admin_token = ADMIN |
|
4 |
|
5 # The IP address of the network interface to listen on |
|
6 # bind_host = 0.0.0.0 |
|
7 |
|
8 # The port number which the public service listens on |
|
9 # public_port = 5000 |
|
10 |
|
11 # The port number which the admin service listens on |
|
12 # admin_port = 35357 |
|
13 |
|
14 # The base endpoint URLs for keystone that are advertised to clients |
|
15 # (NOTE: this does NOT affect how keystone listens for connections) |
|
16 # public_endpoint = http://localhost:%(public_port)d/ |
|
17 # admin_endpoint = http://localhost:%(admin_port)d/ |
|
18 |
|
19 # The port number which the OpenStack Compute service listens on |
|
20 # compute_port = 8774 |
|
21 |
|
22 # Path to your policy definition containing identity actions |
|
23 # policy_file = policy.json |
|
24 |
|
25 # Rule to check if no matching policy definition is found |
|
26 # FIXME(dolph): This should really be defined as [policy] default_rule |
|
27 # policy_default_rule = admin_required |
|
28 |
|
29 # Role for migrating membership relationships |
|
30 # During a SQL upgrade, the following values will be used to create a new role |
|
31 # that will replace records in the user_tenant_membership table with explicit |
|
32 # role grants. After migration, the member_role_id will be used in the API |
|
33 # add_user_to_project, and member_role_name will be ignored. |
|
34 # member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab |
|
35 # member_role_name = _member_ |
|
36 |
|
37 # === Logging Options === |
|
38 # Print debugging output |
|
39 # (includes plaintext request logging, potentially including passwords; keep disabled outside troubleshooting and restrict who can read the logs) |
|
40 # debug = False |
|
41 |
|
42 # Print more verbose output |
|
43 # verbose = False |
|
44 |
|
45 # Name of log file to output to. If not set, logging will go to stdout. |
|
46 # log_file = keystone.log |
|
47 |
|
48 # The directory to keep log files in (will be prepended to --logfile) |
|
49 # log_dir = /var/log/keystone |
|
50 |
|
51 # Use syslog for logging. |
|
52 # use_syslog = False |
|
53 |
|
54 # syslog facility to receive log lines |
|
55 # syslog_log_facility = LOG_USER |
|
56 |
|
57 # If this option is specified, the logging configuration file specified is |
|
58 # used and overrides any other logging options specified. Please see the |
|
59 # Python logging module documentation for details on logging configuration |
|
60 # files. |
|
61 # log_config = logging.conf |
|
62 |
|
63 # A logging.Formatter log message format string which may use any of the |
|
64 # available logging.LogRecord attributes. |
|
65 # log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s |
|
66 |
|
67 # Format string for %(asctime)s in log records. |
|
68 # log_date_format = %Y-%m-%d %H:%M:%S |
|
69 |
|
70 # onready allows you to send a notification when the process is ready to serve |
|
71 # For example, to have it notify using systemd, one could set shell command: |
|
72 # onready = systemd-notify --ready |
|
73 # or a module with notify() method: |
|
74 # onready = keystone.common.systemd |
|
75 |
|
76 [sql] |
|
77 # The SQLAlchemy connection string used to connect to the database |
|
78 # connection = sqlite:////var/lib/keystone/keystone.sqlite |
|
79 |
|
80 # the timeout before idle sql connections are reaped |
|
81 # idle_timeout = 200 |
|
82 |
|
83 [identity] |
|
84 # driver = keystone.identity.backends.sql.Identity |
|
85 |
|
86 # This references the domain to use for all Identity API v2 requests (which are |
|
87 # not aware of domains). A domain with this ID will be created for you by |
|
88 # keystone-manage db_sync in migration 008. The domain referenced by this ID |
|
89 # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. |
|
90 # There is nothing special about this domain, other than the fact that it must |
|
91 # exist in order to maintain support for your v2 clients. |
|
92 # default_domain_id = default |
|
93 |
|
94 [trust] |
|
95 # driver = keystone.trust.backends.sql.Trust |
|
96 |
|
97 # delegation and impersonation features can be optionally disabled |
|
98 # enabled = True |
|
99 |
|
100 [catalog] |
|
101 # dynamic, sql-based backend (supports API/CLI-based management commands) |
|
102 # driver = keystone.catalog.backends.sql.Catalog |
|
103 |
|
104 # static, file-based backend (does *NOT* support any management commands) |
|
105 # driver = keystone.catalog.backends.templated.TemplatedCatalog |
|
106 |
|
107 # template_file = default_catalog.templates |
|
108 |
|
109 [token] |
|
110 # driver = keystone.token.backends.kvs.Token |
|
111 |
|
112 # Amount of time a token should remain valid (in seconds) |
|
113 # expiration = 86400 |
|
114 |
|
115 [policy] |
|
116 # driver = keystone.policy.backends.sql.Policy |
|
117 |
|
118 [ec2] |
|
119 # driver = keystone.contrib.ec2.backends.kvs.Ec2 |
|
120 |
|
121 [ssl] |
|
122 #enable = True |
|
123 #certfile = /etc/keystone/ssl/certs/keystone.pem |
|
124 #keyfile = /etc/keystone/ssl/private/keystonekey.pem |
|
125 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
|
126 #cert_required = True |
|
127 |
|
128 [signing] |
|
129 #token_format = PKI |
|
130 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
|
# NOTE(review): keyfile presumably holds the token-signing private key; keep it readable only by the keystone service account.
131 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
|
132 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
|
# NOTE(review): key_size is presumably the signing key length in bits; a 1024-bit RSA key is below the 2048-bit minimum in current guidance, so generate signing keys with 2048 or more.
133 #key_size = 1024 |
|
# NOTE(review): 3650 days is roughly ten years, presumably the signing certificate lifetime; plan key rotation rather than relying on expiry.
134 #valid_days = 3650 |
|
135 #ca_password = None |
|
136 |
|
137 [ldap] |
|
# NOTE(review): ldap:// is unencrypted, so the bind password and directory data cross the network in clear text; prefer ldaps:// (or another TLS-protected transport) when the directory is not local.
138 # url = ldap://localhost |
|
139 # user = dc=Manager,dc=example,dc=com |
|
# NOTE(review): user/password are presumably the bind credentials; a password set here is stored in plain text, so keep this file readable only by the keystone service account.
140 # password = None |
|
141 # suffix = cn=example,cn=com |
|
142 # use_dumb_member = False |
|
143 # allow_subtree_delete = False |
|
144 # dumb_member = cn=dumb,dc=example,dc=com |
|
145 |
|
146 # Maximum results per page; a value of zero ('0') disables paging (default) |
|
147 # page_size = 0 |
|
148 |
|
149 # The LDAP dereferencing option for queries. This can be either 'never', |
|
150 # 'searching', 'always', 'finding' or 'default'. The 'default' option falls |
|
151 # back to using default dereferencing configured by your ldap.conf. |
|
152 # alias_dereferencing = default |
|
153 |
|
154 # The LDAP scope for queries; this can be either 'one' |
|
155 # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree) |
|
156 # query_scope = one |
|
157 |
|
158 # user_tree_dn = ou=Users,dc=example,dc=com |
|
159 # user_filter = |
|
160 # user_objectclass = inetOrgPerson |
|
161 # user_domain_id_attribute = businessCategory |
|
162 # user_id_attribute = cn |
|
163 # user_name_attribute = sn |
|
164 # user_mail_attribute = email |
|
165 # user_pass_attribute = userPassword |
|
166 # user_enabled_attribute = enabled |
|
167 # user_enabled_mask = 0 |
|
168 # user_enabled_default = True |
|
169 # user_attribute_ignore = tenant_id,tenants |
|
170 # user_allow_create = True |
|
171 # user_allow_update = True |
|
172 # user_allow_delete = True |
|
173 # user_enabled_emulation = False |
|
174 # user_enabled_emulation_dn = |
|
175 |
|
176 # tenant_tree_dn = ou=Groups,dc=example,dc=com |
|
177 # tenant_filter = |
|
178 # tenant_objectclass = groupOfNames |
|
179 # tenant_domain_id_attribute = businessCategory |
|
180 # tenant_id_attribute = cn |
|
181 # tenant_member_attribute = member |
|
182 # tenant_name_attribute = ou |
|
183 # tenant_desc_attribute = desc |
|
184 # tenant_enabled_attribute = enabled |
|
185 # tenant_attribute_ignore = |
|
186 # tenant_allow_create = True |
|
187 # tenant_allow_update = True |
|
188 # tenant_allow_delete = True |
|
189 # tenant_enabled_emulation = False |
|
190 # tenant_enabled_emulation_dn = |
|
191 |
|
192 # role_tree_dn = ou=Roles,dc=example,dc=com |
|
193 # role_filter = |
|
194 # role_objectclass = organizationalRole |
|
195 # role_id_attribute = cn |
|
196 # role_name_attribute = ou |
|
197 # role_member_attribute = roleOccupant |
|
198 # role_attribute_ignore = |
|
199 # role_allow_create = True |
|
200 # role_allow_update = True |
|
201 # role_allow_delete = True |
|
202 |
|
203 # group_tree_dn = |
|
204 # group_filter = |
|
205 # group_objectclass = groupOfNames |
|
206 # group_id_attribute = cn |
|
207 # group_name_attribute = ou |
|
208 # group_member_attribute = member |
|
209 # group_desc_attribute = desc |
|
210 # group_attribute_ignore = |
|
211 # group_allow_create = True |
|
212 # group_allow_update = True |
|
213 # group_allow_delete = True |
|
214 |
|
215 [auth] |
|
216 methods = password,token |
|
217 password = keystone.auth.plugins.password.Password |
|
218 token = keystone.auth.plugins.token.Token |
|
219 |
|
220 [filter:debug] |
|
221 paste.filter_factory = keystone.common.wsgi:Debug.factory |
|
222 |
|
223 [filter:token_auth] |
|
224 paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory |
|
225 |
|
226 [filter:admin_token_auth] |
|
227 paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory |
|
228 |
|
229 [filter:xml_body] |
|
230 paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory |
|
231 |
|
232 [filter:json_body] |
|
233 paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory |
|
234 |
|
235 [filter:user_crud_extension] |
|
236 paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory |
|
237 |
|
238 [filter:crud_extension] |
|
239 paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory |
|
240 |
|
241 [filter:ec2_extension] |
|
242 paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory |
|
243 |
|
244 [filter:s3_extension] |
|
245 paste.filter_factory = keystone.contrib.s3:S3Extension.factory |
|
246 |
|
247 [filter:url_normalize] |
|
248 paste.filter_factory = keystone.middleware:NormalizingFilter.factory |
|
249 |
|
250 [filter:sizelimit] |
|
251 paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory |
|
252 |
|
253 [filter:stats_monitoring] |
|
254 paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory |
|
255 |
|
256 [filter:stats_reporting] |
|
257 paste.filter_factory = keystone.contrib.stats:StatsExtension.factory |
|
258 |
|
259 [filter:access_log] |
|
260 paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory |
|
261 |
|
262 [app:public_service] |
|
263 paste.app_factory = keystone.service:public_app_factory |
|
264 |
|
265 [app:service_v3] |
|
266 paste.app_factory = keystone.service:v3_app_factory |
|
267 |
|
268 [app:admin_service] |
|
269 paste.app_factory = keystone.service:admin_app_factory |
|
270 |
|
271 [pipeline:public_api] |
|
# NOTE(review): the three API pipelines below all include admin_token_auth and debug.
# admin_token_auth ([filter:admin_token_auth]) accepts the [DEFAULT] admin_token shared secret; consider using it only for initial bootstrap and removing it from these pipelines afterwards.
# debug ([filter:debug], keystone.common.wsgi:Debug) presumably dumps request/response detail when debug logging is on; confirm, and drop it from production pipelines.
272 pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service |
|
273 |
|
274 [pipeline:admin_api] |
|
275 pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service |
|
276 |
|
277 [pipeline:api_v3] |
|
278 pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3 |
|
279 |
|
280 [app:public_version_service] |
|
281 paste.app_factory = keystone.service:public_version_app_factory |
|
282 |
|
283 [app:admin_version_service] |
|
284 paste.app_factory = keystone.service:admin_version_app_factory |
|
285 |
|
286 [pipeline:public_version_api] |
|
287 pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service |
|
288 |
|
289 [pipeline:admin_version_api] |
|
290 pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service |
|
291 |
|
292 [composite:main] |
|
293 use = egg:Paste#urlmap |
|
294 /v2.0 = public_api |
|
295 /v3 = api_v3 |
|
296 / = public_version_api |
|
297 |
|
298 [composite:admin] |
|
299 use = egg:Paste#urlmap |
|
300 /v2.0 = admin_api |
|
301 /v3 = api_v3 |
|
302 / = admin_version_api |