1 [DEFAULT] |
1 [DEFAULT] |
2 |
2 |
3 # |
3 # |
4 # Options defined in keystone |
4 # From keystone |
5 # |
5 # |
6 |
6 |
7 # A "shared secret" that can be used to bootstrap Keystone. |
7 # A "shared secret" that can be used to bootstrap Keystone. This "token" does |
8 # This "token" does not represent a user, and carries no |
8 # not represent a user, and carries no explicit authorization. To disable in |
9 # explicit authorization. To disable in production (highly |
9 # production (highly recommended), remove AdminTokenAuthMiddleware from your |
10 # recommended), remove AdminTokenAuthMiddleware from your |
10 # paste application pipelines (for example, in keystone-paste.ini). (string |
11 # paste application pipelines (for example, in keystone- |
11 # value) |
12 # paste.ini). (string value) |
12 #admin_token = ADMIN |
13 #admin_token=ADMIN |
13 |
14 |
14 # (Deprecated) The port which the OpenStack Compute service listens on. This |
15 # The IP address of the network interface for the public |
15 # option was only used for string replacement in the templated catalog backend. |
16 # service to listen on. (string value) |
16 # Templated catalogs should replace the "$(compute_port)s" substitution with |
17 # Deprecated group/name - [DEFAULT]/bind_host |
17 # the static port of the compute service. As of Juno, this option is deprecated |
18 #public_bind_host=0.0.0.0 |
18 # and will be removed in the L release. (integer value) |
19 |
19 #compute_port = 8774 |
20 # The IP address of the network interface for the admin |
20 |
21 # service to listen on. (string value) |
21 # The base public endpoint URL for Keystone that is advertised to clients |
22 # Deprecated group/name - [DEFAULT]/bind_host |
22 # (NOTE: this does NOT affect how Keystone listens for connections). Defaults |
23 #admin_bind_host=0.0.0.0 |
23 # to the base host URL of the request. E.g. a request to |
24 |
24 # http://server:5000/v3/users will default to http://server:5000. You should |
25 # (Deprecated) The port which the OpenStack Compute service |
25 # only need to set this value if the base URL contains a path (e.g. /prefix/v3) |
26 # listens on. This option was only used for string replacement |
26 # or the endpoint should be found on a different server. (string value) |
27 # in the templated catalog backend. Templated catalogs should |
27 #public_endpoint = <None> |
28 # replace the "$(compute_port)s" substitution with the static |
28 |
29 # port of the compute service. As of Juno, this option is |
29 # The base admin endpoint URL for Keystone that is advertised to clients (NOTE: |
30 # deprecated and will be removed in the L release. (integer |
30 # this does NOT affect how Keystone listens for connections). Defaults to the |
31 # value) |
31 # base host URL of the request. E.g. a request to http://server:35357/v3/users |
32 #compute_port=8774 |
32 # will default to http://server:35357. You should only need to set this value |
33 |
33 # if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be |
34 # The port number which the admin service listens on. (integer |
34 # found on a different server. (string value) |
35 # value) |
35 #admin_endpoint = <None> |
36 #admin_port=35357 |
36 |
37 |
37 # Maximum depth of the project hierarchy. WARNING: setting it to a large value |
38 # The port number which the public service listens on. |
38 # may adversely impact performance. (integer value) |
|
39 #max_project_tree_depth = 5 |
|
40 |
|
41 # Limit the sizes of user & project ID/names. (integer value) |
|
42 #max_param_size = 64 |
|
43 |
|
44 # Similar to max_param_size, but provides an exception for token values. |
39 # (integer value) |
45 # (integer value) |
40 #public_port=5000 |
46 #max_token_size = 8192 |
41 |
47 |
42 # The base public endpoint URL for Keystone that is advertised |
48 # Similar to the member_role_name option, this represents the default role ID |
43 # to clients (NOTE: this does NOT affect how Keystone listens |
49 # used to associate users with their default projects in the v2 API. This will |
44 # for connections). Defaults to the base host URL of the |
50 # be used as the explicit role where one is not specified by the v2 API. |
45 # request. E.g. a request to http://server:5000/v2.0/users |
51 # (string value) |
46 # will default to http://server:5000. You should only need to |
52 #member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab |
47 # set this value if the base URL contains a path (e.g. |
53 |
48 # /prefix/v2.0) or the endpoint should be found on a different |
54 # This is the role name used in combination with the member_role_id option; see |
49 # server. (string value) |
55 # that option for more detail. (string value) |
50 #public_endpoint=<None> |
56 #member_role_name = _member_ |
51 |
57 |
52 # The base admin endpoint URL for Keystone that is advertised |
58 # The value passed as the keyword "rounds" to passlib's encrypt method. |
53 # to clients (NOTE: this does NOT affect how Keystone listens |
|
54 # for connections). Defaults to the base host URL of the |
|
55 # request. E.g. a request to http://server:35357/v2.0/users |
|
56 # will default to http://server:35357. You should only need to |
|
57 # set this value if the base URL contains a path (e.g. |
|
58 # /prefix/v2.0) or the endpoint should be found on a different |
|
59 # server. (string value) |
|
60 #admin_endpoint=<None> |
|
61 |
|
62 # The number of worker processes to serve the public WSGI |
|
63 # application. Defaults to number of CPUs (minimum of 2). |
|
64 # (integer value) |
59 # (integer value) |
65 public_workers=2 |
60 #crypt_strength = 40000 |
66 |
61 |
67 # The number of worker processes to serve the admin WSGI |
62 # The maximum number of entities that will be returned in a collection, with no |
68 # application. Defaults to number of CPUs (minimum of 2). |
63 # limit set by default. This global limit may be then overridden for a specific |
|
64 # driver, by specifying a list_limit in the appropriate section (e.g. |
|
65 # [assignment]). (integer value) |
|
66 #list_limit = <None> |
|
67 |
|
68 # Set this to false if you want to enable the ability for user, group and |
|
69 # project entities to be moved between domains by updating their domain_id. |
|
70 # Allowing such movement is not recommended if the scope of a domain admin is |
|
71 # being restricted by use of an appropriate policy file (see |
|
72 # policy.v3cloudsample as an example). (boolean value) |
|
73 #domain_id_immutable = true |
|
74 |
|
75 # If set to true, strict password length checking is performed for password |
|
76 # manipulation. If a password exceeds the maximum length, the operation will |
|
77 # fail with an HTTP 403 Forbidden error. If set to false, passwords are |
|
78 # automatically truncated to the maximum length. (boolean value) |
|
79 #strict_password_check = false |
|
80 |
|
81 # The HTTP header used to determine the scheme for the original request, even |
|
82 # if it was removed by an SSL terminating proxy. Typical value is |
|
83 # "HTTP_X_FORWARDED_PROTO". (string value) |
|
84 #secure_proxy_ssl_header = <None> |
|
85 |
|
86 # |
|
87 # From keystone.notifications |
|
88 # |
|
89 |
|
90 # Default publisher_id for outgoing notifications (string value) |
|
91 #default_publisher_id = <None> |
|
92 |
|
93 # Define the notification format for Identity Service events. A "basic" |
|
94 # notification has information about the resource being operated on. A "cadf" |
|
95 # notification has the same information, as well as information about the |
|
96 # initiator of the event. Valid options are: basic and cadf (string value) |
|
97 #notification_format = basic |
|
98 |
|
99 # |
|
100 # From keystone.openstack.common.eventlet_backdoor |
|
101 # |
|
102 |
|
103 # Enable eventlet backdoor. Acceptable values are 0, <port>, and |
|
104 # <start>:<end>, where 0 results in listening on a random tcp port number; |
|
105 # <port> results in listening on the specified port number (and not enabling |
|
106 # backdoor if that port is in use); and <start>:<end> results in listening on |
|
107 # the smallest unused port number within the specified range of port numbers. |
|
108 # The chosen port is displayed in the service's log file. (string value) |
|
109 #backdoor_port = <None> |
|
110 |
|
111 # |
|
112 # From oslo.log |
|
113 # |
|
114 |
|
115 # Print debugging output (set logging level to DEBUG instead of default WARNING |
|
116 # level). (boolean value) |
|
117 #debug = false |
|
118 |
|
119 # Print more verbose output (set logging level to INFO instead of default |
|
120 # WARNING level). (boolean value) |
|
121 #verbose = false |
|
122 |
|
123 # The name of a logging configuration file. This file is appended to any |
|
124 # existing logging configuration files. For details about logging configuration |
|
125 # files, see the Python logging module documentation. (string value) |
|
126 # Deprecated group/name - [DEFAULT]/log_config |
|
127 #log_config_append = <None> |
|
128 |
|
129 # DEPRECATED. A logging.Formatter log message format string which may use any |
|
130 # of the available logging.LogRecord attributes. This option is deprecated. |
|
131 # Please use logging_context_format_string and logging_default_format_string |
|
132 # instead. (string value) |
|
133 #log_format = <None> |
|
134 |
|
135 # Format string for %%(asctime)s in log records. Default: %(default)s . (string |
|
136 # value) |
|
137 #log_date_format = %Y-%m-%d %H:%M:%S |
|
138 |
|
139 # (Optional) Name of log file to output to. If no default is set, logging will |
|
140 # go to stdout. (string value) |
|
141 # Deprecated group/name - [DEFAULT]/logfile |
|
142 #log_file = <None> |
|
143 |
|
144 # (Optional) The base directory used for relative --log-file paths. (string |
|
145 # value) |
|
146 # Deprecated group/name - [DEFAULT]/logdir |
|
147 #log_dir = <None> |
|
148 |
|
149 # Use syslog for logging. Existing syslog format is DEPRECATED during I, and |
|
150 # will change in J to honor RFC5424. (boolean value) |
|
151 #use_syslog = false |
|
152 |
|
153 # (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, |
|
154 # prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The |
|
155 # format without the APP-NAME is deprecated in I, and will be removed in J. |
|
156 # (boolean value) |
|
157 #use_syslog_rfc_format = false |
|
158 |
|
159 # Syslog facility to receive log lines. (string value) |
|
160 #syslog_log_facility = LOG_USER |
|
161 |
|
162 # Log output to standard error. (boolean value) |
|
163 #use_stderr = true |
|
164 |
|
165 # Format string to use for log messages with context. (string value) |
|
166 #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s |
|
167 |
|
168 # Format string to use for log messages without context. (string value) |
|
169 #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s |
|
170 |
|
171 # Data to append to log format when level is DEBUG. (string value) |
|
172 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d |
|
173 |
|
174 # Prefix each line of exception output with this format. (string value) |
|
175 #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s |
|
176 |
|
177 # List of logger=LEVEL pairs. (list value) |
|
178 #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN |
|
179 |
|
180 # Enables or disables publication of error events. (boolean value) |
|
181 #publish_errors = false |
|
182 |
|
183 # Enables or disables fatal status of deprecations. (boolean value) |
|
184 #fatal_deprecations = false |
|
185 |
|
186 # The format for an instance that is passed with the log message. (string |
|
187 # value) |
|
188 #instance_format = "[instance: %(uuid)s] " |
|
189 |
|
190 # The format for an instance UUID that is passed with the log message. (string |
|
191 # value) |
|
192 #instance_uuid_format = "[instance: %(uuid)s] " |
|
193 |
|
194 # |
|
195 # From oslo.messaging |
|
196 # |
|
197 |
|
198 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. |
|
199 # The "host" option should point or resolve to this address. (string value) |
|
200 #rpc_zmq_bind_address = * |
|
201 |
|
202 # MatchMaker driver. (string value) |
|
203 #rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost |
|
204 |
|
205 # ZeroMQ receiver listening port. (integer value) |
|
206 #rpc_zmq_port = 9501 |
|
207 |
|
208 # Number of ZeroMQ contexts, defaults to 1. (integer value) |
|
209 #rpc_zmq_contexts = 1 |
|
210 |
|
211 # Maximum number of ingress messages to locally buffer per topic. Default is |
|
212 # unlimited. (integer value) |
|
213 #rpc_zmq_topic_backlog = <None> |
|
214 |
|
215 # Directory for holding IPC sockets. (string value) |
|
216 #rpc_zmq_ipc_dir = /var/run/openstack |
|
217 |
|
218 # Name of this node. Must be a valid hostname, FQDN, or IP address. Must match |
|
219 # "host" option, if running Nova. (string value) |
|
220 #rpc_zmq_host = localhost |
|
221 |
|
222 # Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. |
69 # (integer value) |
223 # (integer value) |
70 admin_workers=2 |
224 #rpc_cast_timeout = 30 |
71 |
225 |
72 # Enforced by optional sizelimit middleware |
|
73 # (keystone.middleware:RequestBodySizeLimiter). (integer |
|
74 # value) |
|
75 #max_request_body_size=114688 |
|
76 |
|
77 # Limit the sizes of user & project ID/names. (integer value) |
|
78 #max_param_size=64 |
|
79 |
|
80 # Similar to max_param_size, but provides an exception for |
|
81 # token values. (integer value) |
|
82 #max_token_size=8192 |
|
83 |
|
84 # During a SQL upgrade member_role_id will be used to create a |
|
85 # new role that will replace records in the assignment table |
|
86 # with explicit role grants. After migration, the |
|
87 # member_role_id will be used in the API add_user_to_project. |
|
88 # (string value) |
|
89 #member_role_id=9fe2ff9ee4384b1894a90878d3e92bab |
|
90 |
|
91 # During a SQL upgrade member_role_name will be used to create |
|
92 # a new role that will replace records in the assignment table |
|
93 # with explicit role grants. After migration, member_role_name |
|
94 # will be ignored. (string value) |
|
95 #member_role_name=_member_ |
|
96 |
|
97 # The value passed as the keyword "rounds" to passlib's |
|
98 # encrypt method. (integer value) |
|
99 #crypt_strength=40000 |
|
100 |
|
101 # Set this to true if you want to enable TCP_KEEPALIVE on |
|
102 # server sockets, i.e. sockets used by the Keystone wsgi |
|
103 # server for client connections. (boolean value) |
|
104 #tcp_keepalive=false |
|
105 |
|
106 # Sets the value of TCP_KEEPIDLE in seconds for each server |
|
107 # socket. Only applies if tcp_keepalive is true. Not supported |
|
108 # on OS X. (integer value) |
|
109 #tcp_keepidle=600 |
|
110 |
|
111 # The maximum number of entities that will be returned in a |
|
112 # collection, with no limit set by default. This global limit |
|
113 # may be then overridden for a specific driver, by specifying |
|
114 # a list_limit in the appropriate section (e.g. [assignment]). |
|
115 # (integer value) |
|
116 #list_limit=<None> |
|
117 |
|
118 # Set this to false if you want to enable the ability for |
|
119 # user, group and project entities to be moved between domains |
|
120 # by updating their domain_id. Allowing such movement is not |
|
121 # recommended if the scope of a domain admin is being |
|
122 # restricted by use of an appropriate policy file (see |
|
123 # policy.v3cloudsample as an example). (boolean value) |
|
124 #domain_id_immutable=true |
|
125 |
|
126 # If set to true, strict password length checking is performed |
|
127 # for password manipulation. If a password exceeds the maximum |
|
128 # length, the operation will fail with an HTTP 403 Forbidden |
|
129 # error. If set to false, passwords are automatically |
|
130 # truncated to the maximum length. (boolean value) |
|
131 #strict_password_check=false |
|
132 |
|
133 |
|
134 # |
|
135 # Options defined in oslo.messaging |
|
136 # |
|
137 |
|
138 # Use durable queues in amqp. (boolean value) |
|
139 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
|
140 #amqp_durable_queues=false |
|
141 |
|
142 # Auto-delete queues in amqp. (boolean value) |
|
143 #amqp_auto_delete=false |
|
144 |
|
145 # Size of RPC connection pool. (integer value) |
|
146 #rpc_conn_pool_size=30 |
|
147 |
|
148 # Qpid broker hostname. (string value) |
|
149 #qpid_hostname=localhost |
|
150 |
|
151 # Qpid broker port. (integer value) |
|
152 #qpid_port=5672 |
|
153 |
|
154 # Qpid HA cluster host:port pairs. (list value) |
|
155 #qpid_hosts=$qpid_hostname:$qpid_port |
|
156 |
|
157 # Username for Qpid connection. (string value) |
|
158 #qpid_username= |
|
159 |
|
160 # Password for Qpid connection. (string value) |
|
161 #qpid_password= |
|
162 |
|
163 # Space separated list of SASL mechanisms to use for auth. |
|
164 # (string value) |
|
165 #qpid_sasl_mechanisms= |
|
166 |
|
167 # Seconds between connection keepalive heartbeats. (integer |
|
168 # value) |
|
169 #qpid_heartbeat=60 |
|
170 |
|
171 # Transport to use, either 'tcp' or 'ssl'. (string value) |
|
172 #qpid_protocol=tcp |
|
173 |
|
174 # Whether to disable the Nagle algorithm. (boolean value) |
|
175 #qpid_tcp_nodelay=true |
|
176 |
|
177 # The number of prefetched messages held by receiver. (integer |
|
178 # value) |
|
179 #qpid_receiver_capacity=1 |
|
180 |
|
181 # The qpid topology version to use. Version 1 is what was |
|
182 # originally used by impl_qpid. Version 2 includes some |
|
183 # backwards-incompatible changes that allow broker federation |
|
184 # to work. Users should update to version 2 when they are |
|
185 # able to take everything down, as it requires a clean break. |
|
186 # (integer value) |
|
187 #qpid_topology_version=1 |
|
188 |
|
189 # SSL version to use (valid only if SSL enabled). valid values |
|
190 # are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some |
|
191 # distributions. (string value) |
|
192 #kombu_ssl_version= |
|
193 |
|
194 # SSL key file (valid only if SSL enabled). (string value) |
|
195 #kombu_ssl_keyfile= |
|
196 |
|
197 # SSL cert file (valid only if SSL enabled). (string value) |
|
198 #kombu_ssl_certfile= |
|
199 |
|
200 # SSL certification authority file (valid only if SSL |
|
201 # enabled). (string value) |
|
202 #kombu_ssl_ca_certs= |
|
203 |
|
204 # How long to wait before reconnecting in response to an AMQP |
|
205 # consumer cancel notification. (floating point value) |
|
206 #kombu_reconnect_delay=1.0 |
|
207 |
|
208 # The RabbitMQ broker address where a single node is used. |
|
209 # (string value) |
|
210 #rabbit_host=localhost |
|
211 |
|
212 # The RabbitMQ broker port where a single node is used. |
|
213 # (integer value) |
|
214 #rabbit_port=5672 |
|
215 |
|
216 # RabbitMQ HA cluster host:port pairs. (list value) |
|
217 #rabbit_hosts=$rabbit_host:$rabbit_port |
|
218 |
|
219 # Connect over SSL for RabbitMQ. (boolean value) |
|
220 #rabbit_use_ssl=false |
|
221 |
|
222 # The RabbitMQ userid. (string value) |
|
223 #rabbit_userid=guest |
|
224 |
|
225 # The RabbitMQ password. (string value) |
|
226 #rabbit_password=guest |
|
227 |
|
228 # the RabbitMQ login method (string value) |
|
229 #rabbit_login_method=AMQPLAIN |
|
230 |
|
231 # The RabbitMQ virtual host. (string value) |
|
232 #rabbit_virtual_host=/ |
|
233 |
|
234 # How frequently to retry connecting with RabbitMQ. (integer |
|
235 # value) |
|
236 #rabbit_retry_interval=1 |
|
237 |
|
238 # How long to backoff for between retries when connecting to |
|
239 # RabbitMQ. (integer value) |
|
240 #rabbit_retry_backoff=2 |
|
241 |
|
242 # Maximum number of RabbitMQ connection retries. Default is 0 |
|
243 # (infinite retry count). (integer value) |
|
244 #rabbit_max_retries=0 |
|
245 |
|
246 # Use HA queues in RabbitMQ (x-ha-policy: all). If you change |
|
247 # this option, you must wipe the RabbitMQ database. (boolean |
|
248 # value) |
|
249 #rabbit_ha_queues=false |
|
250 |
|
251 # If passed, use a fake RabbitMQ provider. (boolean value) |
|
252 #fake_rabbit=false |
|
253 |
|
254 # ZeroMQ bind address. Should be a wildcard (*), an ethernet |
|
255 # interface, or IP. The "host" option should point or resolve |
|
256 # to this address. (string value) |
|
257 #rpc_zmq_bind_address=* |
|
258 |
|
259 # MatchMaker driver. (string value) |
|
260 #rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost |
|
261 |
|
262 # ZeroMQ receiver listening port. (integer value) |
|
263 #rpc_zmq_port=9501 |
|
264 |
|
265 # Number of ZeroMQ contexts, defaults to 1. (integer value) |
|
266 #rpc_zmq_contexts=1 |
|
267 |
|
268 # Maximum number of ingress messages to locally buffer per |
|
269 # topic. Default is unlimited. (integer value) |
|
270 #rpc_zmq_topic_backlog=<None> |
|
271 |
|
272 # Directory for holding IPC sockets. (string value) |
|
273 #rpc_zmq_ipc_dir=/var/run/openstack |
|
274 |
|
275 # Name of this node. Must be a valid hostname, FQDN, or IP |
|
276 # address. Must match "host" option, if running Nova. (string |
|
277 # value) |
|
278 #rpc_zmq_host=keystone |
|
279 |
|
280 # Seconds to wait before a cast expires (TTL). Only supported |
|
281 # by impl_zmq. (integer value) |
|
282 #rpc_cast_timeout=30 |
|
283 |
|
284 # Heartbeat frequency. (integer value) |
226 # Heartbeat frequency. (integer value) |
285 #matchmaker_heartbeat_freq=300 |
227 #matchmaker_heartbeat_freq = 300 |
286 |
228 |
287 # Heartbeat time-to-live. (integer value) |
229 # Heartbeat time-to-live. (integer value) |
288 #matchmaker_heartbeat_ttl=600 |
230 #matchmaker_heartbeat_ttl = 600 |
289 |
231 |
290 # Size of RPC greenthread pool. (integer value) |
232 # Size of RPC thread pool. (integer value) |
291 #rpc_thread_pool_size=64 |
233 #rpc_thread_pool_size = 64 |
292 |
234 |
293 # Driver or drivers to handle sending notifications. (multi |
235 # Driver or drivers to handle sending notifications. (multi valued) |
294 # valued) |
236 #notification_driver = |
295 #notification_driver= |
237 |
296 |
|
297 # AMQP topic used for OpenStack notifications. (list value) |
238 # AMQP topic used for OpenStack notifications. (list value) |
298 # Deprecated group/name - [rpc_notifier2]/topics |
239 # Deprecated group/name - [rpc_notifier2]/topics |
299 #notification_topics=notifications |
240 #notification_topics = notifications |
300 |
241 |
301 # Seconds to wait for a response from a call. (integer value) |
242 # Seconds to wait for a response from a call. (integer value) |
302 #rpc_response_timeout=60 |
243 #rpc_response_timeout = 60 |
303 |
244 |
304 # A URL representing the messaging driver to use and its full |
245 # A URL representing the messaging driver to use and its full configuration. If |
305 # configuration. If not set, we fall back to the rpc_backend |
246 # not set, we fall back to the rpc_backend option and driver specific |
306 # option and driver specific configuration. (string value) |
247 # configuration. (string value) |
307 #transport_url=<None> |
248 #transport_url = <None> |
308 |
249 |
309 # The messaging driver to use, defaults to rabbit. Other |
250 # The messaging driver to use, defaults to rabbit. Other drivers include qpid |
310 # drivers include qpid and zmq. (string value) |
251 # and zmq. (string value) |
311 #rpc_backend=rabbit |
252 #rpc_backend = rabbit |
312 |
253 |
313 # The default exchange under which topics are scoped. May be |
254 # The default exchange under which topics are scoped. May be overridden by an |
314 # overridden by an exchange name specified in the |
255 # exchange name specified in the transport_url option. (string value) |
315 # transport_url option. (string value) |
256 #control_exchange = keystone |
316 #control_exchange=keystone |
257 |
317 |
258 |
318 |
|
319 # |
|
320 # Options defined in keystone.notifications |
|
321 # |
|
322 |
|
323 # Default publisher_id for outgoing notifications (string |
|
324 # value) |
|
325 #default_publisher_id=<None> |
|
326 |
|
327 |
|
328 # |
|
329 # Options defined in keystone.openstack.common.eventlet_backdoor |
|
330 # |
|
331 |
|
332 # Enable eventlet backdoor. Acceptable values are 0, <port>, |
|
333 # and <start>:<end>, where 0 results in listening on a random |
|
334 # tcp port number; <port> results in listening on the |
|
335 # specified port number (and not enabling backdoor if that |
|
336 # port is in use); and <start>:<end> results in listening on |
|
337 # the smallest unused port number within the specified range |
|
338 # of port numbers. The chosen port is displayed in the |
|
339 # service's log file. (string value) |
|
340 #backdoor_port=<None> |
|
341 |
|
342 |
|
343 # |
|
344 # Options defined in keystone.openstack.common.log |
|
345 # |
|
346 |
|
347 # Print debugging output (set logging level to DEBUG instead |
|
348 # of default WARNING level). (boolean value) |
|
349 #debug=false |
|
350 |
|
351 # Print more verbose output (set logging level to INFO instead |
|
352 # of default WARNING level). (boolean value) |
|
353 #verbose=false |
|
354 |
|
355 # Log output to standard error. (boolean value) |
|
356 #use_stderr=true |
|
357 |
|
358 # Format string to use for log messages with context. (string |
|
359 # value) |
|
360 #logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s |
|
361 |
|
362 # Format string to use for log messages without context. |
|
363 # (string value) |
|
364 #logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s |
|
365 |
|
366 # Data to append to log format when level is DEBUG. (string |
|
367 # value) |
|
368 #logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d |
|
369 |
|
370 # Prefix each line of exception output with this format. |
|
371 # (string value) |
|
372 #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s |
|
373 |
|
374 # List of logger=LEVEL pairs. (list value) |
|
375 #default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN |
|
376 |
|
377 # Enables or disables publication of error events. (boolean |
|
378 # value) |
|
379 #publish_errors=false |
|
380 |
|
381 # Enables or disables fatal status of deprecations. (boolean |
|
382 # value) |
|
383 #fatal_deprecations=false |
|
384 |
|
385 # The format for an instance that is passed with the log |
|
386 # message. (string value) |
|
387 #instance_format="[instance: %(uuid)s] " |
|
388 |
|
389 # The format for an instance UUID that is passed with the log |
|
390 # message. (string value) |
|
391 #instance_uuid_format="[instance: %(uuid)s] " |
|
392 |
|
393 # The name of a logging configuration file. This file is |
|
394 # appended to any existing logging configuration files. For |
|
395 # details about logging configuration files, see the Python |
|
396 # logging module documentation. (string value) |
|
397 # Deprecated group/name - [DEFAULT]/log_config |
|
398 #log_config_append=<None> |
|
399 |
|
400 # DEPRECATED. A logging.Formatter log message format string |
|
401 # which may use any of the available logging.LogRecord |
|
402 # attributes. This option is deprecated. Please use |
|
403 # logging_context_format_string and |
|
404 # logging_default_format_string instead. (string value) |
|
405 #log_format=<None> |
|
406 |
|
407 # Format string for %%(asctime)s in log records. Default: |
|
408 # %(default)s . (string value) |
|
409 #log_date_format=%Y-%m-%d %H:%M:%S |
|
410 |
|
411 # (Optional) Name of log file to output to. If no default is |
|
412 # set, logging will go to stdout. (string value) |
|
413 # Deprecated group/name - [DEFAULT]/logfile |
|
414 #log_file=<None> |
|
415 |
|
416 # (Optional) The base directory used for relative --log-file |
|
417 # paths. (string value) |
|
418 # Deprecated group/name - [DEFAULT]/logdir |
|
419 #log_dir=<None> |
|
420 |
|
421 # Use syslog for logging. Existing syslog format is DEPRECATED |
|
422 # during I, and will change in J to honor RFC5424. (boolean |
|
423 # value) |
|
424 #use_syslog=false |
|
425 |
|
426 # (Optional) Enables or disables syslog rfc5424 format for |
|
427 # logging. If enabled, prefixes the MSG part of the syslog |
|
428 # message with APP-NAME (RFC5424). The format without the APP- |
|
429 # NAME is deprecated in I, and will be removed in J. (boolean |
|
430 # value) |
|
431 #use_syslog_rfc_format=false |
|
432 |
|
433 # Syslog facility to receive log lines. (string value) |
|
434 #syslog_log_facility=LOG_USER |
|
435 |
|
436 |
|
437 # |
|
438 # Options defined in keystone.openstack.common.policy |
|
439 # |
|
440 |
|
441 # The JSON file that defines policies. (string value) |
|
442 #policy_file=policy.json |
|
443 |
|
444 # Default rule. Enforced when a requested rule is not found. |
|
445 # (string value) |
|
446 #policy_default_rule=default |
|
447 |
|
448 |
|
449 [assignment] |
259 [assignment] |
450 |
260 |
451 # |
261 # |
452 # Options defined in keystone |
262 # From keystone |
453 # |
263 # |
454 |
264 |
455 # Assignment backend driver. (string value) |
265 # Assignment backend driver. (string value) |
456 #driver=<None> |
266 #driver = <None> |
457 |
267 |
458 # Toggle for assignment caching. This has no effect unless |
268 |
459 # global caching is enabled. (boolean value) |
|
460 #caching=true |
|
461 |
|
462 # TTL (in seconds) to cache assignment data. This has no |
|
463 # effect unless global caching is enabled. (integer value) |
|
464 #cache_time=<None> |
|
465 |
|
466 # Maximum number of entities that will be returned in an |
|
467 # assignment collection. (integer value) |
|
468 #list_limit=<None> |
|
469 |
|
470 |
|
471 [auth] |
269 [auth] |
472 |
270 |
473 # |
271 # |
474 # Options defined in keystone |
272 # From keystone |
475 # |
273 # |
476 |
274 |
477 # Default auth methods. (list value) |
275 # Default auth methods. (list value) |
478 #methods=external,password,token |
276 #methods = external,password,token,oauth1 |
479 |
277 |
480 # The password auth plugin module. (string value) |
278 # The password auth plugin module. (string value) |
481 #password=keystone.auth.plugins.password.Password |
279 #password = keystone.auth.plugins.password.Password |
482 |
280 |
483 # The token auth plugin module. (string value) |
281 # The token auth plugin module. (string value) |
484 #token=keystone.auth.plugins.token.Token |
282 #token = keystone.auth.plugins.token.Token |
485 |
283 |
486 # The external (REMOTE_USER) auth plugin module. (string |
284 # The external (REMOTE_USER) auth plugin module. (string value) |
487 # value) |
285 #external = keystone.auth.plugins.external.DefaultDomain |
488 #external=keystone.auth.plugins.external.DefaultDomain |
286 |
489 |
287 # The oAuth1.0 auth plugin module. (string value) |
490 |
288 #oauth1 = keystone.auth.plugins.oauth1.OAuth |
|
289 |
|
290 |
491 [cache] |
291 [cache] |
492 |
292 |
493 # |
293 # |
494 # Options defined in keystone |
294 # From keystone |
495 # |
295 # |
496 |
296 |
497 # Prefix for building the configuration dictionary for the |
297 # Prefix for building the configuration dictionary for the cache region. This |
498 # cache region. This should not need to be changed unless |
298 # should not need to be changed unless there is another dogpile.cache region |
499 # there is another dogpile.cache region with the same |
299 # with the same configuration name. (string value) |
500 # configuration name. (string value) |
300 #config_prefix = cache.keystone |
501 #config_prefix=cache.keystone |
301 |
502 |
302 # Default TTL, in seconds, for any cached item in the dogpile.cache region. |
503 # Default TTL, in seconds, for any cached item in the |
303 # This applies to any cached method that doesn't have an explicit cache |
504 # dogpile.cache region. This applies to any cached method that |
304 # expiration time defined for it. (integer value) |
505 # doesn't have an explicit cache expiration time defined for |
305 #expiration_time = 600 |
506 # it. (integer value) |
306 |
507 #expiration_time=600 |
307 # Dogpile.cache backend module. It is recommended that Memcache with pooling |
508 |
308 # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in |
509 # Dogpile.cache backend module. It is recommended that |
309 # production deployments. Small workloads (single process) like devstack can |
510 # Memcache with pooling (keystone.cache.memcache_pool) or |
310 # use the dogpile.cache.memory backend. (string value) |
511 # Redis (dogpile.cache.redis) be used in production |
311 #backend = keystone.common.cache.noop |
512 # deployments. Small workloads (single process) like devstack |
312 |
513 # can use the dogpile.cache.memory backend. (string value) |
313 # Arguments supplied to the backend module. Specify this option once per |
514 #backend=keystone.common.cache.noop |
314 # argument to be passed to the dogpile.cache backend. Example format: |
515 |
315 # "<argname>:<value>". (multi valued) |
516 # Arguments supplied to the backend module. Specify this |
316 #backend_argument = |
517 # option once per argument to be passed to the dogpile.cache |
317 |
518 # backend. Example format: "<argname>:<value>". (multi valued) |
318 # Proxy classes to import that will affect the way the dogpile.cache backend |
519 #backend_argument= |
319 # functions. See the dogpile.cache documentation on changing-backend-behavior. |
520 |
320 # (list value) |
521 # Proxy classes to import that will affect the way the |
321 #proxies = |
522 # dogpile.cache backend functions. See the dogpile.cache |
322 |
523 # documentation on changing-backend-behavior. (list value) |
323 # Global toggle for all caching using the should_cache_fn mechanism. (boolean |
524 #proxies= |
324 # value) |
525 |
325 #enabled = false |
526 # Global toggle for all caching using the should_cache_fn |
326 |
527 # mechanism. (boolean value) |
327 # Extra debugging from the cache backend (cache keys, get/set/delete/etc |
528 #enabled=false |
328 # calls). This is only really useful if you need to see the specific cache- |
529 |
329 # backend get/set/delete calls with the keys/values. Typically this should be |
530 # Extra debugging from the cache backend (cache keys, |
330 # left set to false. (boolean value) |
531 # get/set/delete/etc calls). This is only really useful if you |
331 #debug_cache_backend = false |
532 # need to see the specific cache-backend get/set/delete calls |
332 |
533 # with the keys/values. Typically this should be left set to |
333 # Memcache servers in the format of "host:port". (dogpile.cache.memcache and |
534 # false. (boolean value) |
334 # keystone.cache.memcache_pool backends only). (list value) |
535 #debug_cache_backend=false |
335 #memcache_servers = localhost:11211 |
536 |
336 |
537 # Memcache servers in the format of "host:port". |
337 # Number of seconds memcached server is considered dead before it is tried |
538 # (dogpile.cache.memcache and keystone.cache.memcache_pool |
338 # again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends |
539 # backends only) (list value) |
339 # only). (integer value) |
540 #memcache_servers=localhost:11211 |
340 #memcache_dead_retry = 300 |
541 |
341 |
542 # Number of seconds memcached server is considered dead before |
342 # Timeout in seconds for every call to a server. (dogpile.cache.memcache and |
543 # it is tried again. (dogpile.cache.memcache and |
343 # keystone.cache.memcache_pool backends only). (integer value) |
544 # keystone.cache.memcache_pool backends only) (integer value) |
344 #memcache_socket_timeout = 3 |
545 #memcache_dead_retry=300 |
345 |
546 |
346 # Max total number of open connections to every memcached server. |
547 # Timeout in seconds for every call to a server. |
347 # (keystone.cache.memcache_pool backend only). (integer value) |
548 # (dogpile.cache.memcache and keystone.cache.memcache_pool |
348 #memcache_pool_maxsize = 10 |
549 # backends only) (integer value) |
349 |
550 #memcache_socket_timeout=3 |
350 # Number of seconds a connection to memcached is held unused in the pool before |
551 |
351 # it is closed. (keystone.cache.memcache_pool backend only). (integer value) |
552 # Max total number of open connections to every memcached |
352 #memcache_pool_unused_timeout = 60 |
553 # server. (keystone.cache.memcache_pool backend only) (integer |
353 |
554 # value) |
354 # Number of seconds that an operation will wait to get a memcache client |
555 #memcache_pool_maxsize=10 |
355 # connection. (integer value) |
556 |
356 #memcache_pool_connection_get_timeout = 10 |
557 # Number of seconds a connection to memcached is held unused |
357 |
558 # in the pool before it is closed. |
358 |
559 # (keystone.cache.memcache_pool backend only) (integer value) |
|
560 #memcache_pool_unused_timeout=60 |
|
561 |
|
562 # Number of seconds that an operation will wait to get a |
|
563 # memcache client connection. (integer value) |
|
564 #memcache_pool_connection_get_timeout=10 |
|
565 |
|
566 |
|
567 [catalog] |
359 [catalog] |
568 |
360 |
569 # |
361 # |
570 # Options defined in keystone |
362 # From keystone |
571 # |
363 # |
572 |
364 |
573 # Catalog template file name for use with the template catalog |
365 # Catalog template file name for use with the template catalog backend. (string |
574 # backend. (string value) |
366 # value) |
575 #template_file=default_catalog.templates |
367 #template_file = default_catalog.templates |
576 |
368 |
577 # Catalog backend driver. (string value) |
369 # Catalog backend driver. (string value) |
578 #driver=keystone.catalog.backends.sql.Catalog |
370 #driver = keystone.catalog.backends.sql.Catalog |
579 |
371 |
580 # Toggle for catalog caching. This has no effect unless global |
372 # Toggle for catalog caching. This has no effect unless global caching is |
581 # caching is enabled. (boolean value) |
373 # enabled. (boolean value) |
582 #caching=true |
374 #caching = true |
583 |
375 |
584 # Time to cache catalog data (in seconds). This has no effect |
376 # Time to cache catalog data (in seconds). This has no effect unless global and |
585 # unless global and catalog caching are enabled. (integer |
377 # catalog caching are enabled. (integer value) |
586 # value) |
378 #cache_time = <None> |
587 #cache_time=<None> |
379 |
588 |
380 # Maximum number of entities that will be returned in a catalog collection. |
589 # Maximum number of entities that will be returned in a |
381 # (integer value) |
590 # catalog collection. (integer value) |
382 #list_limit = <None> |
591 #list_limit=<None> |
383 |
592 |
384 |
593 # (Deprecated) List of possible substitutions for use in |
|
594 # formatting endpoints. Use caution when modifying this list. |
|
595 # It will give users with permission to create endpoints the |
|
596 # ability to see those values in your configuration file. This |
|
597 # option will be removed in Juno. (list value) |
|
598 #endpoint_substitution_whitelist=tenant_id,user_id,public_bind_host,admin_bind_host,compute_host,compute_port,admin_port,public_port,public_endpoint,admin_endpoint |
|
599 |
|
600 |
|
601 [credential] |
385 [credential] |
602 |
386 |
603 # |
387 # |
604 # Options defined in keystone |
388 # From keystone |
605 # |
389 # |
606 |
390 |
607 # Credential backend driver. (string value) |
391 # Credential backend driver. (string value) |
608 #driver=keystone.credential.backends.sql.Credential |
392 #driver = keystone.credential.backends.sql.Credential |
609 |
393 |
610 |
394 |
611 [database] |
395 [database] |
612 |
396 |
613 # |
397 # |
614 # Options defined in oslo.db |
398 # From oslo.db |
615 # |
399 # |
616 |
400 |
617 # The file name to use with SQLite. (string value) |
401 # The file name to use with SQLite. (string value) |
618 #sqlite_db=oslo.sqlite |
402 # Deprecated group/name - [DEFAULT]/sqlite_db |
619 |
403 #sqlite_db = oslo.sqlite |
|
404 |
620 # If True, SQLite uses synchronous mode. (boolean value) |
405 # If True, SQLite uses synchronous mode. (boolean value) |
621 #sqlite_synchronous=true |
406 # Deprecated group/name - [DEFAULT]/sqlite_synchronous |
622 |
407 #sqlite_synchronous = true |
|
408 |
623 # The back end to use for the database. (string value) |
409 # The back end to use for the database. (string value) |
624 # Deprecated group/name - [DEFAULT]/db_backend |
410 # Deprecated group/name - [DEFAULT]/db_backend |
625 #backend=sqlalchemy |
411 #backend = sqlalchemy |
626 |
412 |
627 # The SQLAlchemy connection string to use to connect to the |
413 # The SQLAlchemy connection string to use to connect to the database. (string |
628 # database. (string value) |
414 # value) |
629 # Deprecated group/name - [DEFAULT]/sql_connection |
415 # Deprecated group/name - [DEFAULT]/sql_connection |
630 # Deprecated group/name - [DATABASE]/sql_connection |
416 # Deprecated group/name - [DATABASE]/sql_connection |
631 # Deprecated group/name - [sql]/connection |
417 # Deprecated group/name - [sql]/connection |
632 connection=mysql://%SERVICE_USER%:%SERVICE_PASSWORD%@localhost/keystone |
418 connection=mysql://%SERVICE_USER%:%SERVICE_PASSWORD%@localhost/keystone |
633 |
419 |
634 # The SQLAlchemy connection string to use to connect to the |
420 # The SQLAlchemy connection string to use to connect to the slave database. |
635 # slave database. (string value) |
421 # (string value) |
636 #slave_connection=<None> |
422 #slave_connection = <None> |
637 |
423 |
638 # The SQL mode to be used for MySQL sessions. This option, |
424 # The SQL mode to be used for MySQL sessions. This option, including the |
639 # including the default, overrides any server-set SQL mode. To |
425 # default, overrides any server-set SQL mode. To use whatever SQL mode is set |
640 # use whatever SQL mode is set by the server configuration, |
426 # by the server configuration, set this to no value. Example: mysql_sql_mode= |
641 # set this to no value. Example: mysql_sql_mode= (string |
427 # (string value) |
642 # value) |
428 #mysql_sql_mode = TRADITIONAL |
643 #mysql_sql_mode=TRADITIONAL |
429 |
644 |
430 # Timeout before idle SQL connections are reaped. (integer value) |
645 # Timeout before idle SQL connections are reaped. (integer |
|
646 # value) |
|
647 # Deprecated group/name - [DEFAULT]/sql_idle_timeout |
431 # Deprecated group/name - [DEFAULT]/sql_idle_timeout |
648 # Deprecated group/name - [DATABASE]/sql_idle_timeout |
432 # Deprecated group/name - [DATABASE]/sql_idle_timeout |
649 # Deprecated group/name - [sql]/idle_timeout |
433 # Deprecated group/name - [sql]/idle_timeout |
650 #idle_timeout=3600 |
434 #idle_timeout = 3600 |
651 |
435 |
652 # Minimum number of SQL connections to keep open in a pool. |
436 # Minimum number of SQL connections to keep open in a pool. (integer value) |
653 # (integer value) |
|
654 # Deprecated group/name - [DEFAULT]/sql_min_pool_size |
437 # Deprecated group/name - [DEFAULT]/sql_min_pool_size |
655 # Deprecated group/name - [DATABASE]/sql_min_pool_size |
438 # Deprecated group/name - [DATABASE]/sql_min_pool_size |
656 #min_pool_size=1 |
439 #min_pool_size = 1 |
657 |
440 |
658 # Maximum number of SQL connections to keep open in a pool. |
441 # Maximum number of SQL connections to keep open in a pool. (integer value) |
659 # (integer value) |
|
660 # Deprecated group/name - [DEFAULT]/sql_max_pool_size |
442 # Deprecated group/name - [DEFAULT]/sql_max_pool_size |
661 # Deprecated group/name - [DATABASE]/sql_max_pool_size |
443 # Deprecated group/name - [DATABASE]/sql_max_pool_size |
662 #max_pool_size=<None> |
444 #max_pool_size = <None> |
663 |
445 |
664 # Maximum db connection retries during startup. Set to -1 to |
446 # Maximum number of database connection retries during startup. Set to -1 to |
665 # specify an infinite retry count. (integer value) |
447 # specify an infinite retry count. (integer value) |
666 # Deprecated group/name - [DEFAULT]/sql_max_retries |
448 # Deprecated group/name - [DEFAULT]/sql_max_retries |
667 # Deprecated group/name - [DATABASE]/sql_max_retries |
449 # Deprecated group/name - [DATABASE]/sql_max_retries |
668 #max_retries=10 |
450 #max_retries = 10 |
669 |
451 |
670 # Interval between retries of opening a SQL connection. |
452 # Interval between retries of opening a SQL connection. (integer value) |
671 # (integer value) |
|
672 # Deprecated group/name - [DEFAULT]/sql_retry_interval |
453 # Deprecated group/name - [DEFAULT]/sql_retry_interval |
673 # Deprecated group/name - [DATABASE]/reconnect_interval |
454 # Deprecated group/name - [DATABASE]/reconnect_interval |
674 #retry_interval=10 |
455 #retry_interval = 10 |
675 |
456 |
676 # If set, use this value for max_overflow with SQLAlchemy. |
457 # If set, use this value for max_overflow with SQLAlchemy. (integer value) |
677 # (integer value) |
|
678 # Deprecated group/name - [DEFAULT]/sql_max_overflow |
458 # Deprecated group/name - [DEFAULT]/sql_max_overflow |
679 # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow |
459 # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow |
680 #max_overflow=<None> |
460 #max_overflow = <None> |
681 |
461 |
682 # Verbosity of SQL debugging information: 0=None, |
462 # Verbosity of SQL debugging information: 0=None, 100=Everything. (integer |
683 # 100=Everything. (integer value) |
463 # value) |
684 # Deprecated group/name - [DEFAULT]/sql_connection_debug |
464 # Deprecated group/name - [DEFAULT]/sql_connection_debug |
685 #connection_debug=0 |
465 #connection_debug = 0 |
686 |
466 |
687 # Add Python stack traces to SQL as comment strings. (boolean |
467 # Add Python stack traces to SQL as comment strings. (boolean value) |
688 # value) |
|
689 # Deprecated group/name - [DEFAULT]/sql_connection_trace |
468 # Deprecated group/name - [DEFAULT]/sql_connection_trace |
690 #connection_trace=false |
469 #connection_trace = false |
691 |
470 |
692 # If set, use this value for pool_timeout with SQLAlchemy. |
471 # If set, use this value for pool_timeout with SQLAlchemy. (integer value) |
|
472 # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout |
|
473 #pool_timeout = <None> |
|
474 |
|
475 # Enable the experimental use of database reconnect on connection lost. |
|
476 # (boolean value) |
|
477 #use_db_reconnect = false |
|
478 |
|
479 # Seconds between retries of a database transaction. (integer value) |
|
480 #db_retry_interval = 1 |
|
481 |
|
482 # If True, increases the interval between retries of a database operation up to |
|
483 # db_max_retry_interval. (boolean value) |
|
484 #db_inc_retry_interval = true |
|
485 |
|
486 # If db_inc_retry_interval is set, the maximum seconds between retries of a |
|
487 # database operation. (integer value) |
|
488 #db_max_retry_interval = 10 |
|
489 |
|
490 # Maximum retries in case of connection error or deadlock error before error is |
|
491 # raised. Set to -1 to specify an infinite retry count. (integer value) |
|
492 #db_max_retries = 20 |
|
493 |
|
494 |
|
495 [domain_config] |
|
496 |
|
497 # |
|
498 # From keystone |
|
499 # |
|
500 |
|
501 # Domain config backend driver. (string value) |
|
502 #driver = keystone.resource.config_backends.sql.DomainConfig |
|
503 |
|
504 # Toggle for domain config caching. This has no effect unless global caching is |
|
505 # enabled. (boolean value) |
|
506 #caching = true |
|
507 |
|
508 # TTL (in seconds) to cache domain config data. This has no effect unless |
|
509 # domain config caching is enabled. (integer value) |
|
510 #cache_time = 300 |
|
511 |
|
512 |
|
513 [endpoint_filter] |
|
514 |
|
515 # |
|
516 # From keystone |
|
517 # |
|
518 |
|
519 # Endpoint Filter backend driver (string value) |
|
520 #driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
|
521 |
|
522 # Toggle to return all active endpoints if no filter exists. (boolean value) |
|
523 #return_all_endpoints_if_no_filter = true |
|
524 |
|
525 |
|
526 [endpoint_policy] |
|
527 |
|
528 # |
|
529 # From keystone |
|
530 # |
|
531 |
|
532 # Endpoint policy backend driver (string value) |
|
533 #driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy |
|
534 |
|
535 |
|
536 [eventlet_server] |
|
537 |
|
538 # |
|
539 # From keystone |
|
540 # |
|
541 |
|
542 # The number of worker processes to serve the public eventlet application. |
|
543 # Defaults to number of CPUs (minimum of 2). (integer value) |
|
544 # Deprecated group/name - [DEFAULT]/public_workers |
|
545 public_workers = 2 |
|
546 |
|
547 # The number of worker processes to serve the admin eventlet application. |
|
548 # Defaults to number of CPUs (minimum of 2). (integer value) |
|
549 # Deprecated group/name - [DEFAULT]/admin_workers |
|
550 admin_workers = 2 |
|
551 |
|
552 # The IP address of the network interface for the public service to listen on. |
|
553 # (string value) |
|
554 # Deprecated group/name - [DEFAULT]/bind_host |
|
555 # Deprecated group/name - [DEFAULT]/public_bind_host |
|
556 #public_bind_host = 0.0.0.0 |
|
557 |
|
558 # The port number which the public service listens on. (integer value) |
|
559 # Deprecated group/name - [DEFAULT]/public_port |
|
560 #public_port = 5000 |
|
561 |
|
562 # The IP address of the network interface for the admin service to listen on. |
|
563 # (string value) |
|
564 # Deprecated group/name - [DEFAULT]/bind_host |
|
565 # Deprecated group/name - [DEFAULT]/admin_bind_host |
|
566 #admin_bind_host = 0.0.0.0 |
|
567 |
|
568 # The port number which the admin service listens on. (integer value) |
|
569 # Deprecated group/name - [DEFAULT]/admin_port |
|
570 #admin_port = 35357 |
|
571 |
|
572 # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. |
|
573 # sockets used by the Keystone wsgi server for client connections. (boolean |
|
574 # value) |
|
575 # Deprecated group/name - [DEFAULT]/tcp_keepalive |
|
576 #tcp_keepalive = false |
|
577 |
|
578 # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only |
|
579 # applies if tcp_keepalive is true. (integer value) |
|
580 # Deprecated group/name - [DEFAULT]/tcp_keepidle |
|
581 #tcp_keepidle = 600 |
|
582 |
|
583 |
|
584 [eventlet_server_ssl] |
|
585 |
|
586 # |
|
587 # From keystone |
|
588 # |
|
589 |
|
590 # Toggle for SSL support on the Keystone eventlet servers. (boolean value) |
|
591 # Deprecated group/name - [ssl]/enable |
|
592 #enable = false |
|
593 |
|
594 # Path of the certfile for SSL. For non-production environments, you may be |
|
595 # interested in using `keystone-manage ssl_setup` to generate self-signed |
|
596 # certificates. (string value) |
|
597 # Deprecated group/name - [ssl]/certfile |
|
598 #certfile = /etc/keystone/ssl/certs/keystone.pem |
|
599 |
|
600 # Path of the keyfile for SSL. (string value) |
|
601 # Deprecated group/name - [ssl]/keyfile |
|
602 #keyfile = /etc/keystone/ssl/private/keystonekey.pem |
|
603 |
|
604 # Path of the CA cert file for SSL. (string value) |
|
605 # Deprecated group/name - [ssl]/ca_certs |
|
606 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
|
607 |
|
608 # Require client certificate. (boolean value) |
|
609 # Deprecated group/name - [ssl]/cert_required |
|
610 #cert_required = false |
|
611 |
|
612 |
|
613 [federation] |
|
614 |
|
615 # |
|
616 # From keystone |
|
617 # |
|
618 |
|
619 # Federation backend driver. (string value) |
|
620 #driver = keystone.contrib.federation.backends.sql.Federation |
|
621 |
|
622 # Value to be used when filtering assertion parameters from the environment. |
|
623 # (string value) |
|
624 #assertion_prefix = |
|
625 |
|
626 # Value to be used to obtain the entity ID of the Identity Provider from the |
|
627 # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity- |
|
628 # Provider`). (string value) |
|
629 #remote_id_attribute = <None> |
|
630 |
|
631 # A domain name that is reserved to allow federated ephemeral users to have a |
|
632 # domain concept. Note that an admin will not be able to create a domain with |
|
633 # this name or update an existing domain to this name. You are not advised to |
|
634 # change this value unless you really have to. Changing this option to empty |
|
635 # string or None will not have any impact and default name will be used. |
|
636 # (string value) |
|
637 #federated_domain_name = Federated |
|
638 |
|
639 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request |
|
640 # to return a token, the origin host must be a member of the trusted_dashboard |
|
641 # list. This configuration option may be repeated for multiple values. For |
|
642 # example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com |
|
643 # (multi valued) |
|
644 #trusted_dashboard = |
|
645 |
|
646 # Location of Single Sign-On callback handler, will return a token to a trusted |
|
647 # dashboard host. (string value) |
|
648 #sso_callback_template = /etc/keystone/sso_callback_template.html |
|
649 |
|
650 |
|
651 [fernet_tokens] |
|
652 |
|
653 # |
|
654 # From keystone |
|
655 # |
|
656 |
|
657 # Directory containing Fernet token keys. (string value) |
|
658 #key_repository = /etc/keystone/fernet-keys/ |
|
659 |
|
660 # This controls how many keys are held in rotation by keystone-manage |
|
661 # fernet_rotate before they are discarded. The default value of 3 means that |
|
662 # keystone will maintain one staged key, one primary key, and one secondary |
|
663 # key. Increasing this value means that additional secondary keys will be kept |
|
664 # in the rotation. (integer value) |
|
665 #max_active_keys = 3 |
|
666 |
|
667 |
|
668 [identity] |
|
669 |
|
670 # |
|
671 # From keystone |
|
672 # |
|
673 |
|
674 # This references the domain to use for all Identity API v2 requests (which are |
|
675 # not aware of domains). A domain with this ID will be created for you by |
|
676 # keystone-manage db_sync in migration 008. The domain referenced by this ID |
|
677 # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. |
|
678 # There is nothing special about this domain, other than the fact that it must |
|
679 # exist to order to maintain support for your v2 clients. (string value) |
|
680 default_domain_id = default |
|
681 |
|
682 # A subset (or all) of domains can have their own identity driver, each with |
|
683 # their own partial configuration options, stored in either the resource |
|
684 # backend or in a file in a domain configuration directory (depending on the |
|
685 # setting of domain_configurations_from_database). Only values specific to the |
|
686 # domain need to be specified in this manner. This feature is disabled by |
|
687 # default; set to true to enable. (boolean value) |
|
688 #domain_specific_drivers_enabled = false |
|
689 |
|
690 # Extract the domain specific configuration options from the resource backend |
|
691 # where they have been stored with the domain data. This feature is disabled by |
|
692 # default (in which case the domain specific options will be loaded from files |
|
693 # in the domain configuration directory); set to true to enable. (boolean |
|
694 # value) |
|
695 #domain_configurations_from_database = false |
|
696 |
|
697 # Path for Keystone to locate the domain specific identity configuration files |
|
698 # if domain_specific_drivers_enabled is set to true. (string value) |
|
699 #domain_config_dir = /etc/keystone/domains |
|
700 |
|
701 # Identity backend driver. (string value) |
|
702 #driver = keystone.identity.backends.sql.Identity |
|
703 |
|
704 # Toggle for identity caching. This has no effect unless global caching is |
|
705 # enabled. (boolean value) |
|
706 #caching = true |
|
707 |
|
708 # Time to cache identity data (in seconds). This has no effect unless global |
|
709 # and identity caching are enabled. (integer value) |
|
710 #cache_time = 600 |
|
711 |
|
712 # Maximum supported length for user passwords; decrease to improve performance. |
693 # (integer value) |
713 # (integer value) |
694 # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout |
714 #max_password_length = 4096 |
695 #pool_timeout=<None> |
715 |
696 |
716 # Maximum number of entities that will be returned in an identity collection. |
697 # Enable the experimental use of database reconnect on |
717 # (integer value) |
698 # connection lost. (boolean value) |
718 #list_limit = <None> |
699 #use_db_reconnect=false |
719 |
700 |
720 |
701 # Seconds between database connection retries. (integer value) |
721 [identity_mapping] |
702 #db_retry_interval=1 |
722 |
703 |
723 # |
704 # If True, increases the interval between database connection |
724 # From keystone |
705 # retries up to db_max_retry_interval. (boolean value) |
725 # |
706 #db_inc_retry_interval=true |
726 |
707 |
727 # Keystone Identity Mapping backend driver. (string value) |
708 # If db_inc_retry_interval is set, the maximum seconds between |
728 #driver = keystone.identity.mapping_backends.sql.Mapping |
709 # database connection retries. (integer value) |
729 |
710 #db_max_retry_interval=10 |
730 # Public ID generator for user and group entities. The Keystone identity mapper |
711 |
731 # only supports generators that produce no more than 64 characters. (string |
712 # Maximum database connection retries before error is raised. |
732 # value) |
713 # Set to -1 to specify an infinite retry count. (integer |
733 #generator = keystone.identity.id_generators.sha256.Generator |
714 # value) |
734 |
715 #db_max_retries=20 |
735 # The format of user and group IDs changed in Juno for backends that do not |
716 |
736 # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the |
717 |
737 # underlying attribute in LDAP. By default this mapping is disabled, which |
718 [ec2] |
738 # ensures that existing IDs will not change. Even when the mapping is enabled |
719 |
739 # by using domain specific drivers, any users and groups from the default |
720 # |
740 # domain being handled by LDAP will still not be mapped to ensure their IDs |
721 # Options defined in keystone |
741 # remain backward compatible. Setting this value to False will enable the |
722 # |
742 # mapping for even the default LDAP driver. It is only safe to do this if you |
723 |
743 # do not already have assignments for users and groups from the default LDAP |
724 # EC2Credential backend driver. (string value) |
744 # domain, and it is acceptable for Keystone to provide the different IDs to |
725 #driver=keystone.contrib.ec2.backends.kvs.Ec2 |
745 # clients than it did previously. Typically this means that the only time you |
726 |
746 # can set this value to False is when configuring a fresh installation. |
727 |
|
728 [endpoint_filter] |
|
729 |
|
730 # |
|
731 # Options defined in keystone |
|
732 # |
|
733 |
|
734 # Endpoint Filter backend driver (string value) |
|
735 #driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
|
736 |
|
737 # Toggle to return all active endpoints if no filter exists. |
|
738 # (boolean value) |
747 # (boolean value) |
739 #return_all_endpoints_if_no_filter=true |
748 #backward_compatible_ids = true |
740 |
749 |
741 |
750 |
742 [endpoint_policy] |
|
743 |
|
744 # |
|
745 # Options defined in keystone |
|
746 # |
|
747 |
|
748 # Endpoint policy backend driver (string value) |
|
749 #driver=keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy |
|
750 |
|
751 |
|
752 [federation] |
|
753 |
|
754 # |
|
755 # Options defined in keystone |
|
756 # |
|
757 |
|
758 # Federation backend driver. (string value) |
|
759 #driver=keystone.contrib.federation.backends.sql.Federation |
|
760 |
|
761 # Value to be used when filtering assertion parameters from |
|
762 # the environment. (string value) |
|
763 #assertion_prefix= |
|
764 |
|
765 |
|
766 [identity] |
|
767 |
|
768 # |
|
769 # Options defined in keystone |
|
770 # |
|
771 |
|
772 # This references the domain to use for all Identity API v2 |
|
773 # requests (which are not aware of domains). A domain with |
|
774 # this ID will be created for you by keystone-manage db_sync |
|
775 # in migration 008. The domain referenced by this ID cannot be |
|
776 # deleted on the v3 API, to prevent accidentally breaking the |
|
777 # v2 API. There is nothing special about this domain, other |
|
778 # than the fact that it must exist to order to maintain |
|
779 # support for your v2 clients. (string value) |
|
780 #default_domain_id=default |
|
781 |
|
782 # A subset (or all) of domains can have their own identity |
|
783 # driver, each with their own partial configuration file in a |
|
784 # domain configuration directory. Only values specific to the |
|
785 # domain need to be placed in the domain specific |
|
786 # configuration file. This feature is disabled by default; set |
|
787 # to true to enable. (boolean value) |
|
788 #domain_specific_drivers_enabled=false |
|
789 |
|
790 # Path for Keystone to locate the domain specific identity |
|
791 # configuration files if domain_specific_drivers_enabled is |
|
792 # set to true. (string value) |
|
793 #domain_config_dir=/etc/keystone/domains |
|
794 |
|
795 # Identity backend driver. (string value) |
|
796 #driver=keystone.identity.backends.sql.Identity |
|
797 |
|
798 # Maximum supported length for user passwords; decrease to |
|
799 # improve performance. (integer value) |
|
800 #max_password_length=4096 |
|
801 |
|
802 # Maximum number of entities that will be returned in an |
|
803 # identity collection. (integer value) |
|
804 #list_limit=<None> |
|
805 |
|
806 |
|
807 [identity_mapping] |
|
808 |
|
809 # |
|
810 # Options defined in keystone |
|
811 # |
|
812 |
|
813 # Keystone Identity Mapping backend driver. (string value) |
|
814 #driver=keystone.identity.mapping_backends.sql.Mapping |
|
815 |
|
816 # Public ID generator for user and group entities. The |
|
817 # Keystone identity mapper only supports generators that |
|
818 # produce no more than 64 characters. (string value) |
|
819 #generator=keystone.identity.id_generators.sha256.Generator |
|
820 |
|
821 # The format of user and group IDs changed in Juno for |
|
822 # backends that do not generate UUIDs (e.g. LDAP), with |
|
823 # keystone providing a hash mapping to the underlying |
|
824 # attribute in LDAP. By default this mapping is disabled, |
|
825 # which ensures that existing IDs will not change. Even when |
|
826 # the mapping is enabled by using domain specific drivers, any |
|
827 # users and groups from the default domain being handled by |
|
828 # LDAP will still not be mapped to ensure their IDs remain |
|
829 # backward compatible. Setting this value to False will enable |
|
830 # the mapping for even the default LDAP driver. It is only |
|
831 # safe to do this if you do not already have assignments for |
|
832 # users and groups from the default LDAP domain, and it is |
|
833 # acceptable for Keystone to provide the different IDs to |
|
834 # clients than it did previously. Typically this means that |
|
835 # the only time you can set this value to False is when |
|
836 # configuring a fresh installation. (boolean value) |
|
837 #backward_compatible_ids=true |
|
838 |
|
839 |
|
840 [kvs] |
751 [kvs] |
841 |
752 |
842 # |
753 # |
843 # Options defined in keystone |
754 # From keystone |
844 # |
755 # |
845 |
756 |
846 # Extra dogpile.cache backend modules to register with the |
757 # Extra dogpile.cache backend modules to register with the dogpile.cache |
847 # dogpile.cache library. (list value) |
758 # library. (list value) |
848 #backends= |
759 #backends = |
849 |
760 |
850 # Prefix for building the configuration dictionary for the KVS |
761 # Prefix for building the configuration dictionary for the KVS region. This |
851 # region. This should not need to be changed unless there is |
762 # should not need to be changed unless there is another dogpile.cache region |
852 # another dogpile.cache region with the same configuration |
763 # with the same configuration name. (string value) |
853 # name. (string value) |
764 #config_prefix = keystone.kvs |
854 #config_prefix=keystone.kvs |
765 |
855 |
766 # Toggle to disable using a key-mangling function to ensure fixed length keys. |
856 # Toggle to disable using a key-mangling function to ensure |
767 # This is toggle-able for debugging purposes, it is highly recommended to |
857 # fixed length keys. This is toggle-able for debugging |
768 # always leave this set to true. (boolean value) |
858 # purposes, it is highly recommended to always leave this set |
769 #enable_key_mangler = true |
859 # to true. (boolean value) |
770 |
860 #enable_key_mangler=true |
771 # Default lock timeout (in seconds) for distributed locking. (integer value) |
861 |
772 #default_lock_timeout = 5 |
862 # Default lock timeout for distributed locking. (integer |
773 |
863 # value) |
774 |
864 #default_lock_timeout=5 |
|
865 |
|
866 |
|
867 [ldap] |
775 [ldap] |
868 |
776 |
869 # |
777 # |
870 # Options defined in keystone |
778 # From keystone |
871 # |
779 # |
872 |
780 |
873 # URL for connecting to the LDAP server. (string value) |
781 # URL for connecting to the LDAP server. (string value) |
874 #url=ldap://localhost |
782 #url = ldap://localhost |
875 |
783 |
876 # User BindDN to query the LDAP server. (string value) |
784 # User BindDN to query the LDAP server. (string value) |
877 #user=<None> |
785 #user = <None> |
878 |
786 |
879 # Password for the BindDN to query the LDAP server. (string |
787 # Password for the BindDN to query the LDAP server. (string value) |
880 # value) |
788 #password = <None> |
881 #password=<None> |
789 |
882 |
|
883 # LDAP server suffix (string value) |
790 # LDAP server suffix (string value) |
884 #suffix=cn=example,cn=com |
791 #suffix = cn=example,cn=com |
885 |
792 |
886 # If true, will add a dummy member to groups. This is required |
793 # If true, will add a dummy member to groups. This is required if the |
887 # if the objectclass for groups requires the "member" |
794 # objectclass for groups requires the "member" attribute. (boolean value) |
888 # attribute. (boolean value) |
795 #use_dumb_member = false |
889 #use_dumb_member=false |
796 |
890 |
797 # DN of the "dummy member" to use when "use_dumb_member" is enabled. (string |
891 # DN of the "dummy member" to use when "use_dumb_member" is |
798 # value) |
892 # enabled. (string value) |
799 #dumb_member = cn=dumb,dc=nonexistent |
893 #dumb_member=cn=dumb,dc=nonexistent |
800 |
894 |
801 # Delete subtrees using the subtree delete control. Only enable this option if |
895 # Delete subtrees using the subtree delete control. Only |
802 # your LDAP server supports subtree deletion. (boolean value) |
896 # enable this option if your LDAP server supports subtree |
803 #allow_subtree_delete = false |
897 # deletion. (boolean value) |
804 |
898 #allow_subtree_delete=false |
805 # The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) |
899 |
806 # or "sub" (subtree/wholeSubtree). (string value) |
900 # The LDAP scope for queries, this can be either "one" |
807 #query_scope = one |
901 # (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). |
808 |
|
809 # Maximum results per page; a value of zero ("0") disables paging. (integer |
|
810 # value) |
|
811 #page_size = 0 |
|
812 |
|
813 # The LDAP dereferencing option for queries. This can be either "never", |
|
814 # "searching", "always", "finding" or "default". The "default" option falls |
|
815 # back to using default dereferencing configured by your ldap.conf. (string |
|
816 # value) |
|
817 #alias_dereferencing = default |
|
818 |
|
819 # Sets the LDAP debugging level for LDAP calls. A value of 0 means that |
|
820 # debugging is not enabled. This value is a bitmask, consult your LDAP |
|
821 # documentation for possible values. (integer value) |
|
822 #debug_level = <None> |
|
823 |
|
824 # Override the system's default referral chasing behavior for queries. (boolean |
|
825 # value) |
|
826 #chase_referrals = <None> |
|
827 |
|
828 # Search base for users. (string value) |
|
829 #user_tree_dn = <None> |
|
830 |
|
831 # LDAP search filter for users. (string value) |
|
832 #user_filter = <None> |
|
833 |
|
834 # LDAP objectclass for users. (string value) |
|
835 #user_objectclass = inetOrgPerson |
|
836 |
|
837 # LDAP attribute mapped to user id. WARNING: must not be a multivalued |
|
838 # attribute. (string value) |
|
839 #user_id_attribute = cn |
|
840 |
|
841 # LDAP attribute mapped to user name. (string value) |
|
842 #user_name_attribute = sn |
|
843 |
|
844 # LDAP attribute mapped to user email. (string value) |
|
845 #user_mail_attribute = mail |
|
846 |
|
847 # LDAP attribute mapped to password. (string value) |
|
848 #user_pass_attribute = userPassword |
|
849 |
|
850 # LDAP attribute mapped to user enabled flag. (string value) |
|
851 #user_enabled_attribute = enabled |
|
852 |
|
853 # Invert the meaning of the boolean enabled values. Some LDAP servers use a |
|
854 # boolean lock attribute where "true" means an account is disabled. Setting |
|
855 # "user_enabled_invert = true" will allow these lock attributes to be used. |
|
856 # This setting will have no effect if "user_enabled_mask" or |
|
857 # "user_enabled_emulation" settings are in use. (boolean value) |
|
858 #user_enabled_invert = false |
|
859 |
|
860 # Bitmask integer to indicate the bit that the enabled value is stored in if |
|
861 # the LDAP server represents "enabled" as a bit on an integer rather than a |
|
862 # boolean. A value of "0" indicates the mask is not used. If this is not set to |
|
863 # "0" the typical value is "2". This is typically used when |
|
864 # "user_enabled_attribute = userAccountControl". (integer value) |
|
865 #user_enabled_mask = 0 |
|
866 |
|
867 # Default value to enable users. This should match an appropriate int value if |
|
868 # the LDAP server uses non-boolean (bitmask) values to indicate if a user is |
|
869 # enabled or disabled. If this is not set to "True" the typical value is "512". |
|
870 # This is typically used when "user_enabled_attribute = userAccountControl". |
902 # (string value) |
871 # (string value) |
903 #query_scope=one |
872 #user_enabled_default = true |
904 |
873 |
905 # Maximum results per page; a value of zero ("0") disables |
874 # List of attributes stripped off the user on update. (list value) |
906 # paging. (integer value) |
875 #user_attribute_ignore = default_project_id,tenants |
907 #page_size=0 |
876 |
908 |
877 # LDAP attribute mapped to default_project_id for users. (string value) |
909 # The LDAP dereferencing option for queries. This can be |
878 #user_default_project_id_attribute = <None> |
910 # either "never", "searching", "always", "finding" or |
879 |
911 # "default". The "default" option falls back to using default |
880 # Allow user creation in LDAP backend. (boolean value) |
912 # dereferencing configured by your ldap.conf. (string value) |
881 #user_allow_create = true |
913 #alias_dereferencing=default |
882 |
914 |
883 # Allow user updates in LDAP backend. (boolean value) |
915 # Sets the LDAP debugging level for LDAP calls. A value of 0 |
884 #user_allow_update = true |
916 # means that debugging is not enabled. This value is a |
885 |
917 # bitmask, consult your LDAP documentation for possible |
886 # Allow user deletion in LDAP backend. (boolean value) |
918 # values. (integer value) |
887 #user_allow_delete = true |
919 #debug_level=<None> |
888 |
920 |
889 # If true, Keystone uses an alternative method to determine if a user is |
921 # Override the system's default referral chasing behavior for |
890 # enabled or not by checking if they are a member of the |
922 # queries. (boolean value) |
891 # "user_enabled_emulation_dn" group. (boolean value) |
923 #chase_referrals=<None> |
892 #user_enabled_emulation = false |
924 |
893 |
925 # Search base for users. (string value) |
894 # DN of the group entry to hold enabled users when using enabled emulation. |
926 #user_tree_dn=<None> |
|
927 |
|
928 # LDAP search filter for users. (string value) |
|
929 #user_filter=<None> |
|
930 |
|
931 # LDAP objectclass for users. (string value) |
|
932 #user_objectclass=inetOrgPerson |
|
933 |
|
934 # LDAP attribute mapped to user id. WARNING: must not be a |
|
935 # multivalued attribute. (string value) |
|
936 #user_id_attribute=cn |
|
937 |
|
938 # LDAP attribute mapped to user name. (string value) |
|
939 #user_name_attribute=sn |
|
940 |
|
941 # LDAP attribute mapped to user email. (string value) |
|
942 #user_mail_attribute=mail |
|
943 |
|
944 # LDAP attribute mapped to password. (string value) |
|
945 #user_pass_attribute=userPassword |
|
946 |
|
947 # LDAP attribute mapped to user enabled flag. (string value) |
|
948 #user_enabled_attribute=enabled |
|
949 |
|
950 # Invert the meaning of the boolean enabled values. Some LDAP |
|
951 # servers use a boolean lock attribute where "true" means an |
|
952 # account is disabled. Setting "user_enabled_invert = true" |
|
953 # will allow these lock attributes to be used. This setting |
|
954 # will have no effect if "user_enabled_mask" or |
|
955 # "user_enabled_emulation" settings are in use. (boolean |
|
956 # value) |
|
957 #user_enabled_invert=false |
|
958 |
|
959 # Bitmask integer to indicate the bit that the enabled value |
|
960 # is stored in if the LDAP server represents "enabled" as a |
|
961 # bit on an integer rather than a boolean. A value of "0" |
|
962 # indicates the mask is not used. If this is not set to "0" |
|
963 # the typical value is "2". This is typically used when |
|
964 # "user_enabled_attribute = userAccountControl". (integer |
|
965 # value) |
|
966 #user_enabled_mask=0 |
|
967 |
|
968 # Default value to enable users. This should match an |
|
969 # appropriate int value if the LDAP server uses non-boolean |
|
970 # (bitmask) values to indicate if a user is enabled or |
|
971 # disabled. If this is not set to "True" the typical value is |
|
972 # "512". This is typically used when "user_enabled_attribute = |
|
973 # userAccountControl". (string value) |
|
974 #user_enabled_default=True |
|
975 |
|
976 # List of attributes stripped off the user on update. (list |
|
977 # value) |
|
978 #user_attribute_ignore=default_project_id,tenants |
|
979 |
|
980 # LDAP attribute mapped to default_project_id for users. |
|
981 # (string value) |
895 # (string value) |
982 #user_default_project_id_attribute=<None> |
896 #user_enabled_emulation_dn = <None> |
983 |
897 |
984 # Allow user creation in LDAP backend. (boolean value) |
898 # List of additional LDAP attributes used for mapping additional attribute |
985 #user_allow_create=true |
899 # mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, |
986 |
900 # where ldap_attr is the attribute in the LDAP entry and user_attr is the |
987 # Allow user updates in LDAP backend. (boolean value) |
901 # Identity API attribute. (list value) |
988 #user_allow_update=true |
902 #user_additional_attribute_mapping = |
989 |
903 |
990 # Allow user deletion in LDAP backend. (boolean value) |
|
991 #user_allow_delete=true |
|
992 |
|
993 # If true, Keystone uses an alternative method to determine if |
|
994 # a user is enabled or not by checking if they are a member of |
|
995 # the "user_enabled_emulation_dn" group. (boolean value) |
|
996 #user_enabled_emulation=false |
|
997 |
|
998 # DN of the group entry to hold enabled users when using |
|
999 # enabled emulation. (string value) |
|
1000 #user_enabled_emulation_dn=<None> |
|
1001 |
|
1002 # List of additional LDAP attributes used for mapping |
|
1003 # additional attribute mappings for users. Attribute mapping |
|
1004 # format is <ldap_attr>:<user_attr>, where ldap_attr is the |
|
1005 # attribute in the LDAP entry and user_attr is the Identity |
|
1006 # API attribute. (list value) |
|
1007 #user_additional_attribute_mapping= |
|
1008 |
|
1009 # Search base for projects (string value) |
904 # Search base for projects (string value) |
1010 # Deprecated group/name - [ldap]/tenant_tree_dn |
905 # Deprecated group/name - [ldap]/tenant_tree_dn |
1011 #project_tree_dn=<None> |
906 #project_tree_dn = <None> |
1012 |
907 |
1013 # LDAP search filter for projects. (string value) |
908 # LDAP search filter for projects. (string value) |
1014 # Deprecated group/name - [ldap]/tenant_filter |
909 # Deprecated group/name - [ldap]/tenant_filter |
1015 #project_filter=<None> |
910 #project_filter = <None> |
1016 |
911 |
1017 # LDAP objectclass for projects. (string value) |
912 # LDAP objectclass for projects. (string value) |
1018 # Deprecated group/name - [ldap]/tenant_objectclass |
913 # Deprecated group/name - [ldap]/tenant_objectclass |
1019 #project_objectclass=groupOfNames |
914 #project_objectclass = groupOfNames |
1020 |
915 |
1021 # LDAP attribute mapped to project id. (string value) |
916 # LDAP attribute mapped to project id. (string value) |
1022 # Deprecated group/name - [ldap]/tenant_id_attribute |
917 # Deprecated group/name - [ldap]/tenant_id_attribute |
1023 #project_id_attribute=cn |
918 #project_id_attribute = cn |
1024 |
919 |
1025 # LDAP attribute mapped to project membership for user. |
920 # LDAP attribute mapped to project membership for user. (string value) |
1026 # (string value) |
|
1027 # Deprecated group/name - [ldap]/tenant_member_attribute |
921 # Deprecated group/name - [ldap]/tenant_member_attribute |
1028 #project_member_attribute=member |
922 #project_member_attribute = member |
1029 |
923 |
1030 # LDAP attribute mapped to project name. (string value) |
924 # LDAP attribute mapped to project name. (string value) |
1031 # Deprecated group/name - [ldap]/tenant_name_attribute |
925 # Deprecated group/name - [ldap]/tenant_name_attribute |
1032 #project_name_attribute=ou |
926 #project_name_attribute = ou |
1033 |
927 |
1034 # LDAP attribute mapped to project description. (string value) |
928 # LDAP attribute mapped to project description. (string value) |
1035 # Deprecated group/name - [ldap]/tenant_desc_attribute |
929 # Deprecated group/name - [ldap]/tenant_desc_attribute |
1036 #project_desc_attribute=description |
930 #project_desc_attribute = description |
1037 |
931 |
1038 # LDAP attribute mapped to project enabled. (string value) |
932 # LDAP attribute mapped to project enabled. (string value) |
1039 # Deprecated group/name - [ldap]/tenant_enabled_attribute |
933 # Deprecated group/name - [ldap]/tenant_enabled_attribute |
1040 #project_enabled_attribute=enabled |
934 #project_enabled_attribute = enabled |
1041 |
935 |
1042 # LDAP attribute mapped to project domain_id. (string value) |
936 # LDAP attribute mapped to project domain_id. (string value) |
1043 # Deprecated group/name - [ldap]/tenant_domain_id_attribute |
937 # Deprecated group/name - [ldap]/tenant_domain_id_attribute |
1044 #project_domain_id_attribute=businessCategory |
938 #project_domain_id_attribute = businessCategory |
1045 |
939 |
1046 # List of attributes stripped off the project on update. (list |
940 # List of attributes stripped off the project on update. (list value) |
1047 # value) |
|
1048 # Deprecated group/name - [ldap]/tenant_attribute_ignore |
941 # Deprecated group/name - [ldap]/tenant_attribute_ignore |
1049 #project_attribute_ignore= |
942 #project_attribute_ignore = |
1050 |
943 |
1051 # Allow project creation in LDAP backend. (boolean value) |
944 # Allow project creation in LDAP backend. (boolean value) |
1052 # Deprecated group/name - [ldap]/tenant_allow_create |
945 # Deprecated group/name - [ldap]/tenant_allow_create |
1053 #project_allow_create=true |
946 #project_allow_create = true |
1054 |
947 |
1055 # Allow project update in LDAP backend. (boolean value) |
948 # Allow project update in LDAP backend. (boolean value) |
1056 # Deprecated group/name - [ldap]/tenant_allow_update |
949 # Deprecated group/name - [ldap]/tenant_allow_update |
1057 #project_allow_update=true |
950 #project_allow_update = true |
1058 |
951 |
1059 # Allow project deletion in LDAP backend. (boolean value) |
952 # Allow project deletion in LDAP backend. (boolean value) |
1060 # Deprecated group/name - [ldap]/tenant_allow_delete |
953 # Deprecated group/name - [ldap]/tenant_allow_delete |
1061 #project_allow_delete=true |
954 #project_allow_delete = true |
1062 |
955 |
1063 # If true, Keystone uses an alternative method to determine if |
956 # If true, Keystone uses an alternative method to determine if a project is |
1064 # a project is enabled or not by checking if they are a member |
957 # enabled or not by checking if they are a member of the |
1065 # of the "project_enabled_emulation_dn" group. (boolean value) |
958 # "project_enabled_emulation_dn" group. (boolean value) |
1066 # Deprecated group/name - [ldap]/tenant_enabled_emulation |
959 # Deprecated group/name - [ldap]/tenant_enabled_emulation |
1067 #project_enabled_emulation=false |
960 #project_enabled_emulation = false |
1068 |
961 |
1069 # DN of the group entry to hold enabled projects when using |
962 # DN of the group entry to hold enabled projects when using enabled emulation. |
1070 # enabled emulation. (string value) |
963 # (string value) |
1071 # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn |
964 # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn |
1072 #project_enabled_emulation_dn=<None> |
965 #project_enabled_emulation_dn = <None> |
1073 |
966 |
1074 # Additional attribute mappings for projects. Attribute |
967 # Additional attribute mappings for projects. Attribute mapping format is |
1075 # mapping format is <ldap_attr>:<user_attr>, where ldap_attr |
968 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1076 # is the attribute in the LDAP entry and user_attr is the |
969 # and user_attr is the Identity API attribute. (list value) |
1077 # Identity API attribute. (list value) |
|
1078 # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping |
970 # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping |
1079 #project_additional_attribute_mapping= |
971 #project_additional_attribute_mapping = |
1080 |
972 |
1081 # Search base for roles. (string value) |
973 # Search base for roles. (string value) |
1082 #role_tree_dn=<None> |
974 #role_tree_dn = <None> |
1083 |
975 |
1084 # LDAP search filter for roles. (string value) |
976 # LDAP search filter for roles. (string value) |
1085 #role_filter=<None> |
977 #role_filter = <None> |
1086 |
978 |
1087 # LDAP objectclass for roles. (string value) |
979 # LDAP objectclass for roles. (string value) |
1088 #role_objectclass=organizationalRole |
980 #role_objectclass = organizationalRole |
1089 |
981 |
1090 # LDAP attribute mapped to role id. (string value) |
982 # LDAP attribute mapped to role id. (string value) |
1091 #role_id_attribute=cn |
983 #role_id_attribute = cn |
1092 |
984 |
1093 # LDAP attribute mapped to role name. (string value) |
985 # LDAP attribute mapped to role name. (string value) |
1094 #role_name_attribute=ou |
986 #role_name_attribute = ou |
1095 |
987 |
1096 # LDAP attribute mapped to role membership. (string value) |
988 # LDAP attribute mapped to role membership. (string value) |
1097 #role_member_attribute=roleOccupant |
989 #role_member_attribute = roleOccupant |
1098 |
990 |
1099 # List of attributes stripped off the role on update. (list |
991 # List of attributes stripped off the role on update. (list value) |
1100 # value) |
992 #role_attribute_ignore = |
1101 #role_attribute_ignore= |
993 |
1102 |
|
1103 # Allow role creation in LDAP backend. (boolean value) |
994 # Allow role creation in LDAP backend. (boolean value) |
1104 #role_allow_create=true |
995 #role_allow_create = true |
1105 |
996 |
1106 # Allow role update in LDAP backend. (boolean value) |
997 # Allow role update in LDAP backend. (boolean value) |
1107 #role_allow_update=true |
998 #role_allow_update = true |
1108 |
999 |
1109 # Allow role deletion in LDAP backend. (boolean value) |
1000 # Allow role deletion in LDAP backend. (boolean value) |
1110 #role_allow_delete=true |
1001 #role_allow_delete = true |
1111 |
1002 |
1112 # Additional attribute mappings for roles. Attribute mapping |
1003 # Additional attribute mappings for roles. Attribute mapping format is |
1113 # format is <ldap_attr>:<user_attr>, where ldap_attr is the |
1004 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1114 # attribute in the LDAP entry and user_attr is the Identity |
1005 # and user_attr is the Identity API attribute. (list value) |
1115 # API attribute. (list value) |
1006 #role_additional_attribute_mapping = |
1116 #role_additional_attribute_mapping= |
1007 |
1117 |
|
1118 # Search base for groups. (string value) |
1008 # Search base for groups. (string value) |
1119 #group_tree_dn=<None> |
1009 #group_tree_dn = <None> |
1120 |
1010 |
1121 # LDAP search filter for groups. (string value) |
1011 # LDAP search filter for groups. (string value) |
1122 #group_filter=<None> |
1012 #group_filter = <None> |
1123 |
1013 |
1124 # LDAP objectclass for groups. (string value) |
1014 # LDAP objectclass for groups. (string value) |
1125 #group_objectclass=groupOfNames |
1015 #group_objectclass = groupOfNames |
1126 |
1016 |
1127 # LDAP attribute mapped to group id. (string value) |
1017 # LDAP attribute mapped to group id. (string value) |
1128 #group_id_attribute=cn |
1018 #group_id_attribute = cn |
1129 |
1019 |
1130 # LDAP attribute mapped to group name. (string value) |
1020 # LDAP attribute mapped to group name. (string value) |
1131 #group_name_attribute=ou |
1021 #group_name_attribute = ou |
1132 |
1022 |
1133 # LDAP attribute mapped to show group membership. (string |
1023 # LDAP attribute mapped to show group membership. (string value) |
1134 # value) |
1024 #group_member_attribute = member |
1135 #group_member_attribute=member |
1025 |
1136 |
|
1137 # LDAP attribute mapped to group description. (string value) |
1026 # LDAP attribute mapped to group description. (string value) |
1138 #group_desc_attribute=description |
1027 #group_desc_attribute = description |
1139 |
1028 |
1140 # List of attributes stripped off the group on update. (list |
1029 # List of attributes stripped off the group on update. (list value) |
1141 # value) |
1030 #group_attribute_ignore = |
1142 #group_attribute_ignore= |
1031 |
1143 |
|
1144 # Allow group creation in LDAP backend. (boolean value) |
1032 # Allow group creation in LDAP backend. (boolean value) |
1145 #group_allow_create=true |
1033 #group_allow_create = true |
1146 |
1034 |
1147 # Allow group update in LDAP backend. (boolean value) |
1035 # Allow group update in LDAP backend. (boolean value) |
1148 #group_allow_update=true |
1036 #group_allow_update = true |
1149 |
1037 |
1150 # Allow group deletion in LDAP backend. (boolean value) |
1038 # Allow group deletion in LDAP backend. (boolean value) |
1151 #group_allow_delete=true |
1039 #group_allow_delete = true |
1152 |
1040 |
1153 # Additional attribute mappings for groups. Attribute mapping |
1041 # Additional attribute mappings for groups. Attribute mapping format is |
1154 # format is <ldap_attr>:<user_attr>, where ldap_attr is the |
1042 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry |
1155 # attribute in the LDAP entry and user_attr is the Identity |
1043 # and user_attr is the Identity API attribute. (list value) |
1156 # API attribute. (list value) |
1044 #group_additional_attribute_mapping = |
1157 #group_additional_attribute_mapping= |
1045 |
1158 |
1046 # CA certificate file path for communicating with LDAP servers. (string value) |
1159 # CA certificate file path for communicating with LDAP |
1047 #tls_cacertfile = <None> |
1160 # servers. (string value) |
1048 |
1161 #tls_cacertfile=<None> |
1049 # CA certificate directory path for communicating with LDAP servers. (string |
1162 |
1050 # value) |
1163 # CA certificate directory path for communicating with LDAP |
1051 #tls_cacertdir = <None> |
1164 # servers. (string value) |
1052 |
1165 #tls_cacertdir=<None> |
1053 # Enable TLS for communicating with LDAP servers. (boolean value) |
1166 |
1054 #use_tls = false |
1167 # Enable TLS for communicating with LDAP servers. (boolean |
1055 |
1168 # value) |
1056 # Valid options for tls_req_cert are demand, never, and allow. (string value) |
1169 #use_tls=false |
1057 #tls_req_cert = demand |
1170 |
1058 |
1171 # Valid options for tls_req_cert are demand, never, and allow. |
|
1172 # (string value) |
|
1173 #tls_req_cert=demand |
|
1174 |
|
1175 # Enable LDAP connection pooling. (boolean value) |
1059 # Enable LDAP connection pooling. (boolean value) |
1176 #use_pool=false |
1060 #use_pool = false |
1177 |
1061 |
1178 # Connection pool size. (integer value) |
1062 # Connection pool size. (integer value) |
1179 #pool_size=10 |
1063 #pool_size = 10 |
1180 |
1064 |
1181 # Maximum count of reconnect trials. (integer value) |
1065 # Maximum count of reconnect trials. (integer value) |
1182 #pool_retry_max=3 |
1066 #pool_retry_max = 3 |
1183 |
1067 |
1184 # Time span in seconds to wait between two reconnect trials. |
1068 # Time span in seconds to wait between two reconnect trials. (floating point |
1185 # (floating point value) |
1069 # value) |
1186 #pool_retry_delay=0.1 |
1070 #pool_retry_delay = 0.1 |
1187 |
1071 |
1188 # Connector timeout in seconds. Value -1 indicates indefinite |
1072 # Connector timeout in seconds. Value -1 indicates indefinite wait for |
1189 # wait for response. (integer value) |
1073 # response. (integer value) |
1190 #pool_connection_timeout=-1 |
1074 #pool_connection_timeout = -1 |
1191 |
1075 |
1192 # Connection lifetime in seconds. (integer value) |
1076 # Connection lifetime in seconds. (integer value) |
1193 #pool_connection_lifetime=600 |
1077 #pool_connection_lifetime = 600 |
1194 |
1078 |
1195 # Enable LDAP connection pooling for end user authentication. |
1079 # Enable LDAP connection pooling for end user authentication. If use_pool is |
1196 # If use_pool is disabled, then this setting is meaningless |
1080 # disabled, then this setting is meaningless and is not used at all. (boolean |
1197 # and is not used at all. (boolean value) |
1081 # value) |
1198 #use_auth_pool=false |
1082 #use_auth_pool = false |
1199 |
1083 |
1200 # End user auth connection pool size. (integer value) |
1084 # End user auth connection pool size. (integer value) |
1201 #auth_pool_size=100 |
1085 #auth_pool_size = 100 |
1202 |
1086 |
1203 # End user auth connection lifetime in seconds. (integer |
1087 # End user auth connection lifetime in seconds. (integer value) |
1204 # value) |
1088 #auth_pool_connection_lifetime = 60 |
1205 #auth_pool_connection_lifetime=60 |
1089 |
1206 |
1090 |
1207 |
|
1208 [matchmaker_redis] |
1091 [matchmaker_redis] |
1209 |
1092 |
1210 # |
1093 # |
1211 # Options defined in oslo.messaging |
1094 # From oslo.messaging |
1212 # |
1095 # |
1213 |
1096 |
1214 # Host to locate redis. (string value) |
1097 # Host to locate redis. (string value) |
1215 #host=127.0.0.1 |
1098 #host = 127.0.0.1 |
1216 |
1099 |
1217 # Use this port to connect to redis host. (integer value) |
1100 # Use this port to connect to redis host. (integer value) |
1218 #port=6379 |
1101 #port = 6379 |
1219 |
1102 |
1220 # Password for Redis server (optional). (string value) |
1103 # Password for Redis server (optional). (string value) |
1221 #password=<None> |
1104 #password = <None> |
1222 |
1105 |
1223 |
1106 |
1224 [matchmaker_ring] |
1107 [matchmaker_ring] |
1225 |
1108 |
1226 # |
1109 # |
1227 # Options defined in oslo.messaging |
1110 # From oslo.messaging |
1228 # |
1111 # |
1229 |
1112 |
1230 # Matchmaker ring file (JSON). (string value) |
1113 # Matchmaker ring file (JSON). (string value) |
1231 # Deprecated group/name - [DEFAULT]/matchmaker_ringfile |
1114 # Deprecated group/name - [DEFAULT]/matchmaker_ringfile |
1232 #ringfile=/etc/oslo/matchmaker_ring.json |
1115 #ringfile = /etc/oslo/matchmaker_ring.json |
1233 |
1116 |
1234 |
1117 |
1235 [memcache] |
1118 [memcache] |
1236 |
1119 |
1237 # |
1120 # |
1238 # Options defined in keystone |
1121 # From keystone |
1239 # |
1122 # |
1240 |
1123 |
1241 # Memcache servers in the format of "host:port". (list value) |
1124 # Memcache servers in the format of "host:port". (list value) |
1242 #servers=localhost:11211 |
1125 #servers = localhost:11211 |
1243 |
1126 |
1244 # Number of seconds memcached server is considered dead before |
1127 # Number of seconds memcached server is considered dead before it is tried |
1245 # it is tried again. This is used by the key value store |
1128 # again. This is used by the key value store system (e.g. token pooled |
1246 # system (e.g. token pooled memcached persistence backend). |
1129 # memcached persistence backend). (integer value) |
|
1130 #dead_retry = 300 |
|
1131 |
|
1132 # Timeout in seconds for every call to a server. This is used by the key value |
|
1133 # store system (e.g. token pooled memcached persistence backend). (integer |
|
1134 # value) |
|
1135 #socket_timeout = 3 |
|
1136 |
|
1137 # Max total number of open connections to every memcached server. This is used |
|
1138 # by the key value store system (e.g. token pooled memcached persistence |
|
1139 # backend). (integer value) |
|
1140 #pool_maxsize = 10 |
|
1141 |
|
1142 # Number of seconds a connection to memcached is held unused in the pool before |
|
1143 # it is closed. This is used by the key value store system (e.g. token pooled |
|
1144 # memcached persistence backend). (integer value) |
|
1145 #pool_unused_timeout = 60 |
|
1146 |
|
1147 # Number of seconds that an operation will wait to get a memcache client |
|
1148 # connection. This is used by the key value store system (e.g. token pooled |
|
1149 # memcached persistence backend). (integer value) |
|
1150 #pool_connection_get_timeout = 10 |
|
1151 |
|
1152 |
|
1153 [oauth1] |
|
1154 |
|
1155 # |
|
1156 # From keystone |
|
1157 # |
|
1158 |
|
1159 # Credential backend driver. (string value) |
|
1160 #driver = keystone.contrib.oauth1.backends.sql.OAuth1 |
|
1161 |
|
1162 # Duration (in seconds) for the OAuth Request Token. (integer value) |
|
1163 #request_token_duration = 28800 |
|
1164 |
|
1165 # Duration (in seconds) for the OAuth Access Token. (integer value) |
|
1166 #access_token_duration = 86400 |
|
1167 |
|
1168 |
|
1169 [os_inherit] |
|
1170 |
|
1171 # |
|
1172 # From keystone |
|
1173 # |
|
1174 |
|
1175 # role-assignment inheritance to projects from owning domain or from projects |
|
1176 # higher in the hierarchy can be optionally enabled. (boolean value) |
|
1177 #enabled = false |
|
1178 |
|
1179 |
|
1180 [oslo_messaging_amqp] |
|
1181 |
|
1182 # |
|
1183 # From oslo.messaging |
|
1184 # |
|
1185 |
|
1186 # address prefix used when sending to a specific server (string value) |
|
1187 # Deprecated group/name - [amqp1]/server_request_prefix |
|
1188 #server_request_prefix = exclusive |
|
1189 |
|
1190 # address prefix used when broadcasting to all servers (string value) |
|
1191 # Deprecated group/name - [amqp1]/broadcast_prefix |
|
1192 #broadcast_prefix = broadcast |
|
1193 |
|
1194 # address prefix when sending to any server in group (string value) |
|
1195 # Deprecated group/name - [amqp1]/group_request_prefix |
|
1196 #group_request_prefix = unicast |
|
1197 |
|
1198 # Name for the AMQP container (string value) |
|
1199 # Deprecated group/name - [amqp1]/container_name |
|
1200 #container_name = <None> |
|
1201 |
|
1202 # Timeout for inactive connections (in seconds) (integer value) |
|
1203 # Deprecated group/name - [amqp1]/idle_timeout |
|
1204 #idle_timeout = 0 |
|
1205 |
|
1206 # Debug: dump AMQP frames to stdout (boolean value) |
|
1207 # Deprecated group/name - [amqp1]/trace |
|
1208 #trace = false |
|
1209 |
|
1210 # CA certificate PEM file for verifing server certificate (string value) |
|
1211 # Deprecated group/name - [amqp1]/ssl_ca_file |
|
1212 #ssl_ca_file = |
|
1213 |
|
1214 # Identifying certificate PEM file to present to clients (string value) |
|
1215 # Deprecated group/name - [amqp1]/ssl_cert_file |
|
1216 #ssl_cert_file = |
|
1217 |
|
1218 # Private key PEM file used to sign cert_file certificate (string value) |
|
1219 # Deprecated group/name - [amqp1]/ssl_key_file |
|
1220 #ssl_key_file = |
|
1221 |
|
1222 # Password for decrypting ssl_key_file (if encrypted) (string value) |
|
1223 # Deprecated group/name - [amqp1]/ssl_key_password |
|
1224 #ssl_key_password = <None> |
|
1225 |
|
1226 # Accept clients using either SSL or plain TCP (boolean value) |
|
1227 # Deprecated group/name - [amqp1]/allow_insecure_clients |
|
1228 #allow_insecure_clients = false |
|
1229 |
|
1230 |
|
1231 [oslo_messaging_qpid] |
|
1232 |
|
1233 # |
|
1234 # From oslo.messaging |
|
1235 # |
|
1236 |
|
1237 # Use durable queues in AMQP. (boolean value) |
|
1238 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
|
1239 #amqp_durable_queues = false |
|
1240 |
|
1241 # Auto-delete queues in AMQP. (boolean value) |
|
1242 # Deprecated group/name - [DEFAULT]/amqp_auto_delete |
|
1243 #amqp_auto_delete = false |
|
1244 |
|
1245 # Size of RPC connection pool. (integer value) |
|
1246 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size |
|
1247 #rpc_conn_pool_size = 30 |
|
1248 |
|
1249 # Qpid broker hostname. (string value) |
|
1250 # Deprecated group/name - [DEFAULT]/qpid_hostname |
|
1251 #qpid_hostname = localhost |
|
1252 |
|
1253 # Qpid broker port. (integer value) |
|
1254 # Deprecated group/name - [DEFAULT]/qpid_port |
|
1255 #qpid_port = 5672 |
|
1256 |
|
1257 # Qpid HA cluster host:port pairs. (list value) |
|
1258 # Deprecated group/name - [DEFAULT]/qpid_hosts |
|
1259 #qpid_hosts = $qpid_hostname:$qpid_port |
|
1260 |
|
1261 # Username for Qpid connection. (string value) |
|
1262 # Deprecated group/name - [DEFAULT]/qpid_username |
|
1263 #qpid_username = |
|
1264 |
|
1265 # Password for Qpid connection. (string value) |
|
1266 # Deprecated group/name - [DEFAULT]/qpid_password |
|
1267 #qpid_password = |
|
1268 |
|
1269 # Space separated list of SASL mechanisms to use for auth. (string value) |
|
1270 # Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms |
|
1271 #qpid_sasl_mechanisms = |
|
1272 |
|
1273 # Seconds between connection keepalive heartbeats. (integer value) |
|
1274 # Deprecated group/name - [DEFAULT]/qpid_heartbeat |
|
1275 #qpid_heartbeat = 60 |
|
1276 |
|
1277 # Transport to use, either 'tcp' or 'ssl'. (string value) |
|
1278 # Deprecated group/name - [DEFAULT]/qpid_protocol |
|
1279 #qpid_protocol = tcp |
|
1280 |
|
1281 # Whether to disable the Nagle algorithm. (boolean value) |
|
1282 # Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay |
|
1283 #qpid_tcp_nodelay = true |
|
1284 |
|
1285 # The number of prefetched messages held by receiver. (integer value) |
|
1286 # Deprecated group/name - [DEFAULT]/qpid_receiver_capacity |
|
1287 #qpid_receiver_capacity = 1 |
|
1288 |
|
1289 # The qpid topology version to use. Version 1 is what was originally used by |
|
1290 # impl_qpid. Version 2 includes some backwards-incompatible changes that allow |
|
1291 # broker federation to work. Users should update to version 2 when they are |
|
1292 # able to take everything down, as it requires a clean break. (integer value) |
|
1293 # Deprecated group/name - [DEFAULT]/qpid_topology_version |
|
1294 #qpid_topology_version = 1 |
|
1295 |
|
1296 |
|
1297 [oslo_messaging_rabbit] |
|
1298 |
|
1299 # |
|
1300 # From oslo.messaging |
|
1301 # |
|
1302 |
|
1303 # Use durable queues in AMQP. (boolean value) |
|
1304 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
|
1305 #amqp_durable_queues = false |
|
1306 |
|
1307 # Auto-delete queues in AMQP. (boolean value) |
|
1308 # Deprecated group/name - [DEFAULT]/amqp_auto_delete |
|
1309 #amqp_auto_delete = false |
|
1310 |
|
1311 # Size of RPC connection pool. (integer value) |
|
1312 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size |
|
1313 #rpc_conn_pool_size = 30 |
|
1314 |
|
1315 # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and |
|
1316 # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some |
|
1317 # distributions. (string value) |
|
1318 # Deprecated group/name - [DEFAULT]/kombu_ssl_version |
|
1319 #kombu_ssl_version = |
|
1320 |
|
1321 # SSL key file (valid only if SSL enabled). (string value) |
|
1322 # Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile |
|
1323 #kombu_ssl_keyfile = |
|
1324 |
|
1325 # SSL cert file (valid only if SSL enabled). (string value) |
|
1326 # Deprecated group/name - [DEFAULT]/kombu_ssl_certfile |
|
1327 #kombu_ssl_certfile = |
|
1328 |
|
1329 # SSL certification authority file (valid only if SSL enabled). (string value) |
|
1330 # Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs |
|
1331 #kombu_ssl_ca_certs = |
|
1332 |
|
1333 # How long to wait before reconnecting in response to an AMQP consumer cancel |
|
1334 # notification. (floating point value) |
|
1335 # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay |
|
1336 #kombu_reconnect_delay = 1.0 |
|
1337 |
|
1338 # The RabbitMQ broker address where a single node is used. (string value) |
|
1339 # Deprecated group/name - [DEFAULT]/rabbit_host |
|
1340 #rabbit_host = localhost |
|
1341 |
|
1342 # The RabbitMQ broker port where a single node is used. (integer value) |
|
1343 # Deprecated group/name - [DEFAULT]/rabbit_port |
|
1344 #rabbit_port = 5672 |
|
1345 |
|
1346 # RabbitMQ HA cluster host:port pairs. (list value) |
|
1347 # Deprecated group/name - [DEFAULT]/rabbit_hosts |
|
1348 #rabbit_hosts = $rabbit_host:$rabbit_port |
|
1349 |
|
1350 # Connect over SSL for RabbitMQ. (boolean value) |
|
1351 # Deprecated group/name - [DEFAULT]/rabbit_use_ssl |
|
1352 #rabbit_use_ssl = false |
|
1353 |
|
1354 # The RabbitMQ userid. (string value) |
|
1355 # Deprecated group/name - [DEFAULT]/rabbit_userid |
|
1356 #rabbit_userid = guest |
|
1357 |
|
1358 # The RabbitMQ password. (string value) |
|
1359 # Deprecated group/name - [DEFAULT]/rabbit_password |
|
1360 #rabbit_password = guest |
|
1361 |
|
1362 # The RabbitMQ login method. (string value) |
|
1363 # Deprecated group/name - [DEFAULT]/rabbit_login_method |
|
1364 #rabbit_login_method = AMQPLAIN |
|
1365 |
|
1366 # The RabbitMQ virtual host. (string value) |
|
1367 # Deprecated group/name - [DEFAULT]/rabbit_virtual_host |
|
1368 #rabbit_virtual_host = / |
|
1369 |
|
1370 # How frequently to retry connecting with RabbitMQ. (integer value) |
|
1371 #rabbit_retry_interval = 1 |
|
1372 |
|
1373 # How long to backoff for between retries when connecting to RabbitMQ. (integer |
|
1374 # value) |
|
1375 # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff |
|
1376 #rabbit_retry_backoff = 2 |
|
1377 |
|
1378 # Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry |
|
1379 # count). (integer value) |
|
1380 # Deprecated group/name - [DEFAULT]/rabbit_max_retries |
|
1381 #rabbit_max_retries = 0 |
|
1382 |
|
1383 # Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you |
|
1384 # must wipe the RabbitMQ database. (boolean value) |
|
1385 # Deprecated group/name - [DEFAULT]/rabbit_ha_queues |
|
1386 #rabbit_ha_queues = false |
|
1387 |
|
1388 # Number of seconds after which the Rabbit broker is considered down if |
|
1389 # heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) |
|
1390 #heartbeat_timeout_threshold = 60 |
|
1391 |
|
1392 # How often times during the heartbeat_timeout_threshold we check the |
|
1393 # heartbeat. (integer value) |
|
1394 #heartbeat_rate = 2 |
|
1395 |
|
1396 # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) |
|
1397 # Deprecated group/name - [DEFAULT]/fake_rabbit |
|
1398 #fake_rabbit = false |
|
1399 |
|
1400 |
|
1401 [oslo_middleware] |
|
1402 |
|
1403 # |
|
1404 # From oslo.middleware |
|
1405 # |
|
1406 |
|
1407 # The maximum body size for each request, in bytes. (integer value) |
|
1408 # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size |
|
1409 # Deprecated group/name - [DEFAULT]/max_request_body_size |
|
1410 #max_request_body_size = 114688 |
|
1411 |
|
1412 |
|
1413 [oslo_policy] |
|
1414 |
|
1415 # |
|
1416 # From oslo.policy |
|
1417 # |
|
1418 |
|
1419 # The JSON file that defines policies. (string value) |
|
1420 # Deprecated group/name - [DEFAULT]/policy_file |
|
1421 #policy_file = policy.json |
|
1422 |
|
1423 # Default rule. Enforced when a requested rule is not found. (string value) |
|
1424 # Deprecated group/name - [DEFAULT]/policy_default_rule |
|
1425 #policy_default_rule = default |
|
1426 |
|
1427 # Directories where policy configuration files are stored. They can be relative |
|
1428 # to any directory in the search path defined by the config_dir option, or |
|
1429 # absolute paths. The file defined by policy_file must exist for these |
|
1430 # directories to be searched. Missing or empty directories are ignored. (multi |
|
1431 # valued) |
|
1432 # Deprecated group/name - [DEFAULT]/policy_dirs |
|
1433 #policy_dirs = policy.d |
|
1434 |
|
1435 |
|
1436 [paste_deploy] |
|
1437 |
|
1438 # |
|
1439 # From keystone |
|
1440 # |
|
1441 |
|
1442 # Name of the paste configuration file that defines the available pipelines. |
|
1443 # (string value) |
|
1444 #config_file = keystone-paste.ini |
|
1445 |
|
1446 |
|
1447 [policy] |
|
1448 |
|
1449 # |
|
1450 # From keystone |
|
1451 # |
|
1452 |
|
1453 # Policy backend driver. (string value) |
|
1454 #driver = keystone.policy.backends.sql.Policy |
|
1455 |
|
1456 # Maximum number of entities that will be returned in a policy collection. |
1247 # (integer value) |
1457 # (integer value) |
1248 #dead_retry=300 |
1458 #list_limit = <None> |
1249 |
1459 |
1250 # Timeout in seconds for every call to a server. This is used |
1460 |
1251 # by the key value store system (e.g. token pooled memcached |
1461 [resource] |
1252 # persistence backend). (integer value) |
1462 |
1253 #socket_timeout=3 |
1463 # |
1254 |
1464 # From keystone |
1255 # Max total number of open connections to every memcached |
1465 # |
1256 # server. This is used by the key value store system (e.g. |
1466 |
1257 # token pooled memcached persistence backend). (integer value) |
1467 # Resource backend driver. If a resource driver is not specified, the |
1258 #pool_maxsize=10 |
1468 # assignment driver will choose the resource driver. (string value) |
1259 |
1469 #driver = <None> |
1260 # Number of seconds a connection to memcached is held unused |
1470 |
1261 # in the pool before it is closed. This is used by the key |
1471 # Toggle for resource caching. This has no effect unless global caching is |
1262 # value store system (e.g. token pooled memcached persistence |
1472 # enabled. (boolean value) |
1263 # backend). (integer value) |
1473 # Deprecated group/name - [assignment]/caching |
1264 #pool_unused_timeout=60 |
1474 #caching = true |
1265 |
1475 |
1266 # Number of seconds that an operation will wait to get a |
1476 # TTL (in seconds) to cache resource data. This has no effect unless global |
1267 # memcache client connection. This is used by the key value |
1477 # caching is enabled. (integer value) |
1268 # store system (e.g. token pooled memcached persistence |
1478 # Deprecated group/name - [assignment]/cache_time |
1269 # backend). (integer value) |
1479 #cache_time = <None> |
1270 #pool_connection_get_timeout=10 |
1480 |
1271 |
1481 # Maximum number of entities that will be returned in a resource collection. |
1272 |
1482 # (integer value) |
1273 [oauth1] |
1483 # Deprecated group/name - [assignment]/list_limit |
1274 |
1484 #list_limit = <None> |
1275 # |
1485 |
1276 # Options defined in keystone |
1486 |
1277 # |
|
1278 |
|
1279 # Credential backend driver. (string value) |
|
1280 #driver=keystone.contrib.oauth1.backends.sql.OAuth1 |
|
1281 |
|
1282 # Duration (in seconds) for the OAuth Request Token. (integer |
|
1283 # value) |
|
1284 #request_token_duration=28800 |
|
1285 |
|
1286 # Duration (in seconds) for the OAuth Access Token. (integer |
|
1287 # value) |
|
1288 #access_token_duration=86400 |
|
1289 |
|
1290 |
|
1291 [os_inherit] |
|
1292 |
|
1293 # |
|
1294 # Options defined in keystone |
|
1295 # |
|
1296 |
|
1297 # role-assignment inheritance to projects from owning domain |
|
1298 # can be optionally enabled. (boolean value) |
|
1299 #enabled=false |
|
1300 |
|
1301 |
|
1302 [paste_deploy] |
|
1303 |
|
1304 # |
|
1305 # Options defined in keystone |
|
1306 # |
|
1307 |
|
1308 # Name of the paste configuration file that defines the |
|
1309 # available pipelines. (string value) |
|
1310 #config_file=keystone-paste.ini |
|
1311 |
|
1312 |
|
1313 [policy] |
|
1314 |
|
1315 # |
|
1316 # Options defined in keystone |
|
1317 # |
|
1318 |
|
1319 # Policy backend driver. (string value) |
|
1320 #driver=keystone.policy.backends.sql.Policy |
|
1321 |
|
1322 # Maximum number of entities that will be returned in a policy |
|
1323 # collection. (integer value) |
|
1324 #list_limit=<None> |
|
1325 |
|
1326 |
|
1327 [revoke] |
1487 [revoke] |
1328 |
1488 |
1329 # |
1489 # |
1330 # Options defined in keystone |
1490 # From keystone |
1331 # |
1491 # |
1332 |
1492 |
1333 # An implementation of the backend for persisting revocation |
1493 # An implementation of the backend for persisting revocation events. (string |
1334 # events. (string value) |
1494 # value) |
1335 #driver=keystone.contrib.revoke.backends.sql.Revoke |
1495 #driver = keystone.contrib.revoke.backends.sql.Revoke |
1336 |
1496 |
1337 # This value (calculated in seconds) is added to token |
1497 # This value (calculated in seconds) is added to token expiration before a |
1338 # expiration before a revocation event may be removed from the |
1498 # revocation event may be removed from the backend. (integer value) |
1339 # backend. (integer value) |
1499 #expiration_buffer = 1800 |
1340 #expiration_buffer=1800 |
1500 |
1341 |
1501 # Toggle for revocation event caching. This has no effect unless global caching |
1342 # Toggle for revocation event caching. This has no effect |
1502 # is enabled. (boolean value) |
1343 # unless global caching is enabled. (boolean value) |
1503 #caching = true |
1344 #caching=true |
1504 |
1345 |
1505 # Time to cache the revocation list and the revocation events (in seconds). |
1346 |
1506 # This has no effect unless global and token caching are enabled. (integer |
|
1507 # value) |
|
1508 # Deprecated group/name - [token]/revocation_cache_time |
|
1509 #cache_time = 3600 |
|
1510 |
|
1511 |
|
1512 [role] |
|
1513 |
|
1514 # |
|
1515 # From keystone |
|
1516 # |
|
1517 |
|
1518 # Role backend driver. (string value) |
|
1519 #driver = <None> |
|
1520 |
|
1521 # Toggle for role caching. This has no effect unless global caching is enabled. |
|
1522 # (boolean value) |
|
1523 #caching = true |
|
1524 |
|
1525 # TTL (in seconds) to cache role data. This has no effect unless global caching |
|
1526 # is enabled. (integer value) |
|
1527 #cache_time = <None> |
|
1528 |
|
1529 # Maximum number of entities that will be returned in a role collection. |
|
1530 # (integer value) |
|
1531 #list_limit = <None> |
|
1532 |
|
1533 |
1347 [saml] |
1534 [saml] |
1348 |
1535 |
1349 # |
1536 # |
1350 # Options defined in keystone |
1537 # From keystone |
1351 # |
1538 # |
1352 |
1539 |
1353 # Default TTL, in seconds, for any generated SAML assertion |
1540 # Default TTL, in seconds, for any generated SAML assertion created by |
1354 # created by Keystone. (integer value) |
1541 # Keystone. (integer value) |
1355 #assertion_expiration_time=3600 |
1542 #assertion_expiration_time = 3600 |
1356 |
1543 |
1357 # Binary to be called for XML signing. Install the appropriate |
1544 # Binary to be called for XML signing. Install the appropriate package, specify |
1358 # package, specify absolute path or adjust your PATH |
1545 # absolute path or adjust your PATH environment variable if the binary cannot |
1359 # environment variable if the binary cannot be found. (string |
1546 # be found. (string value) |
1360 # value) |
1547 #xmlsec1_binary = xmlsec1 |
1361 #xmlsec1_binary=xmlsec1 |
1548 |
1362 |
1549 # Path of the certfile for SAML signing. For non-production environments, you |
1363 # Path of the certfile for SAML signing. For non-production |
1550 # may be interested in using `keystone-manage pki_setup` to generate self- |
1364 # environments, you may be interested in using `keystone- |
1551 # signed certificates. Note, the path cannot contain a comma. (string value) |
1365 # manage pki_setup` to generate self-signed certificates. |
1552 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
1366 # Note, the path cannot contain a comma. (string value) |
1553 |
1367 #certfile=/etc/keystone/ssl/certs/signing_cert.pem |
1554 # Path of the keyfile for SAML signing. Note, the path cannot contain a comma. |
1368 |
|
1369 # Path of the keyfile for SAML signing. Note, the path cannot |
|
1370 # contain a comma. (string value) |
|
1371 #keyfile=/etc/keystone/ssl/private/signing_key.pem |
|
1372 |
|
1373 # Entity ID value for unique Identity Provider identification. |
|
1374 # Usually FQDN is set with a suffix. A value is required to |
|
1375 # generate IDP Metadata. For example: |
|
1376 # https://keystone.example.com/v3/OS-FEDERATION/saml2/idp |
|
1377 # (string value) |
1555 # (string value) |
1378 #idp_entity_id=<None> |
1556 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
1379 |
1557 |
1380 # Identity Provider Single-Sign-On service value, required in |
1558 # Entity ID value for unique Identity Provider identification. Usually FQDN is |
1381 # the Identity Provider's metadata. A value is required to |
1559 # set with a suffix. A value is required to generate IDP Metadata. For example: |
1382 # generate IDP Metadata. For example: |
1560 # https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value) |
1383 # https://keystone.example.com/v3/OS-FEDERATION/saml2/sso |
1561 #idp_entity_id = <None> |
|
1562 |
|
1563 # Identity Provider Single-Sign-On service value, required in the Identity |
|
1564 # Provider's metadata. A value is required to generate IDP Metadata. For |
|
1565 # example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string |
|
1566 # value) |
|
1567 #idp_sso_endpoint = <None> |
|
1568 |
|
1569 # Language used by the organization. (string value) |
|
1570 #idp_lang = en |
|
1571 |
|
1572 # Organization name the installation belongs to. (string value) |
|
1573 #idp_organization_name = <None> |
|
1574 |
|
1575 # Organization name to be displayed. (string value) |
|
1576 #idp_organization_display_name = <None> |
|
1577 |
|
1578 # URL of the organization. (string value) |
|
1579 #idp_organization_url = <None> |
|
1580 |
|
1581 # Company of contact person. (string value) |
|
1582 #idp_contact_company = <None> |
|
1583 |
|
1584 # Given name of contact person (string value) |
|
1585 #idp_contact_name = <None> |
|
1586 |
|
1587 # Surname of contact person. (string value) |
|
1588 #idp_contact_surname = <None> |
|
1589 |
|
1590 # Email address of contact person. (string value) |
|
1591 #idp_contact_email = <None> |
|
1592 |
|
1593 # Telephone number of contact person. (string value) |
|
1594 #idp_contact_telephone = <None> |
|
1595 |
|
1596 # Contact type. Allowed values are: technical, support, administrative billing, |
|
1597 # and other (string value) |
|
1598 #idp_contact_type = other |
|
1599 |
|
1600 # Path to the Identity Provider Metadata file. This file should be generated |
|
1601 # with the keystone-manage saml_idp_metadata command. (string value) |
|
1602 #idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml |
|
1603 |
|
1604 # The prefix to use for the RelayState SAML attribute, used when generating ECP |
|
1605 # wrapped assertions. (string value) |
|
1606 #relay_state_prefix = ss:mem: |
|
1607 |
|
1608 |
|
1609 [signing] |
|
1610 |
|
1611 # |
|
1612 # From keystone |
|
1613 # |
|
1614 |
|
1615 # Path of the certfile for token signing. For non-production environments, you |
|
1616 # may be interested in using `keystone-manage pki_setup` to generate self- |
|
1617 # signed certificates. (string value) |
|
1618 #certfile = /etc/keystone/ssl/certs/signing_cert.pem |
|
1619 |
|
1620 # Path of the keyfile for token signing. (string value) |
|
1621 #keyfile = /etc/keystone/ssl/private/signing_key.pem |
|
1622 |
|
1623 # Path of the CA for token signing. (string value) |
|
1624 #ca_certs = /etc/keystone/ssl/certs/ca.pem |
|
1625 |
|
1626 # Path of the CA key for token signing. (string value) |
|
1627 #ca_key = /etc/keystone/ssl/private/cakey.pem |
|
1628 |
|
1629 # Key size (in bits) for token signing cert (auto generated certificate). |
|
1630 # (integer value) |
|
1631 #key_size = 2048 |
|
1632 |
|
1633 # Days the token signing cert is valid for (auto generated certificate). |
|
1634 # (integer value) |
|
1635 #valid_days = 3650 |
|
1636 |
|
1637 # Certificate subject (auto generated certificate) for token signing. (string |
|
1638 # value) |
|
1639 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com |
|
1640 |
|
1641 |
|
1642 [ssl] |
|
1643 |
|
1644 # |
|
1645 # From keystone |
|
1646 # |
|
1647 |
|
1648 # Path of the CA key file for SSL. (string value) |
|
1649 #ca_key = /etc/keystone/ssl/private/cakey.pem |
|
1650 |
|
1651 # SSL key length (in bits) (auto generated certificate). (integer value) |
|
1652 #key_size = 1024 |
|
1653 |
|
1654 # Days the certificate is valid for once signed (auto generated certificate). |
|
1655 # (integer value) |
|
1656 #valid_days = 3650 |
|
1657 |
|
1658 # SSL certificate subject (auto generated certificate). (string value) |
|
1659 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost |
|
1660 |
|
1661 |
|
1662 [token] |
|
1663 |
|
1664 # |
|
1665 # From keystone |
|
1666 # |
|
1667 |
|
1668 # External auth mechanisms that should add bind information to token, e.g., |
|
1669 # kerberos,x509. (list value) |
|
1670 #bind = |
|
1671 |
|
1672 # Enforcement policy on tokens presented to Keystone with bind information. One |
|
1673 # of disabled, permissive, strict, required or a specifically required bind |
|
1674 # mode, e.g., kerberos or x509 to require binding to that authentication. |
1384 # (string value) |
1675 # (string value) |
1385 #idp_sso_endpoint=<None> |
1676 #enforce_token_bind = permissive |
1386 |
1677 |
1387 # Language used by the organization. (string value) |
1678 # Amount of time a token should remain valid (in seconds). (integer value) |
1388 #idp_lang=en |
1679 #expiration = 3600 |
1389 |
1680 |
1390 # Organization name the installation belongs to. (string |
1681 # Controls the token construction, validation, and revocation operations. Core |
1391 # value) |
1682 # providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". |
1392 #idp_organization_name=<None> |
|
1393 |
|
1394 # Organization name to be displayed. (string value) |
|
1395 #idp_organization_display_name=<None> |
|
1396 |
|
1397 # URL of the organization. (string value) |
|
1398 #idp_organization_url=<None> |
|
1399 |
|
1400 # Company of contact person. (string value) |
|
1401 #idp_contact_company=<None> |
|
1402 |
|
1403 # Given name of contact person (string value) |
|
1404 #idp_contact_name=<None> |
|
1405 |
|
1406 # Surname of contact person. (string value) |
|
1407 #idp_contact_surname=<None> |
|
1408 |
|
1409 # Email address of contact person. (string value) |
|
1410 #idp_contact_email=<None> |
|
1411 |
|
1412 # Telephone number of contact person. (string value) |
|
1413 #idp_contact_telephone=<None> |
|
1414 |
|
1415 # Contact type. Allowed values are: technical, support, |
|
1416 # administrative billing, and other (string value) |
|
1417 #idp_contact_type=other |
|
1418 |
|
1419 # Path to the Identity Provider Metadata file. This file |
|
1420 # should be generated with the keystone-manage |
|
1421 # saml_idp_metadata command. (string value) |
|
1422 #idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml |
|
1423 |
|
1424 |
|
1425 [signing] |
|
1426 |
|
1427 # |
|
1428 # Options defined in keystone |
|
1429 # |
|
1430 |
|
1431 # Deprecated in favor of provider in the [token] section. |
|
1432 # (string value) |
1683 # (string value) |
1433 #token_format=<None> |
1684 #provider = keystone.token.providers.uuid.Provider |
1434 |
1685 |
1435 # Path of the certfile for token signing. For non-production |
|
1436 # environments, you may be interested in using `keystone- |
|
1437 # manage pki_setup` to generate self-signed certificates. |
|
1438 # (string value) |
|
1439 #certfile=/etc/keystone/ssl/certs/signing_cert.pem |
|
1440 |
|
1441 # Path of the keyfile for token signing. (string value) |
|
1442 #keyfile=/etc/keystone/ssl/private/signing_key.pem |
|
1443 |
|
1444 # Path of the CA for token signing. (string value) |
|
1445 #ca_certs=/etc/keystone/ssl/certs/ca.pem |
|
1446 |
|
1447 # Path of the CA key for token signing. (string value) |
|
1448 #ca_key=/etc/keystone/ssl/private/cakey.pem |
|
1449 |
|
1450 # Key size (in bits) for token signing cert (auto generated |
|
1451 # certificate). (integer value) |
|
1452 #key_size=2048 |
|
1453 |
|
1454 # Days the token signing cert is valid for (auto generated |
|
1455 # certificate). (integer value) |
|
1456 #valid_days=3650 |
|
1457 |
|
1458 # Certificate subject (auto generated certificate) for token |
|
1459 # signing. (string value) |
|
1460 #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com |
|
1461 |
|
1462 |
|
1463 [ssl] |
|
1464 |
|
1465 # |
|
1466 # Options defined in keystone |
|
1467 # |
|
1468 |
|
1469 # Toggle for SSL support on the Keystone eventlet servers. |
|
1470 # (boolean value) |
|
1471 #enable=false |
|
1472 |
|
1473 # Path of the certfile for SSL. For non-production |
|
1474 # environments, you may be interested in using `keystone- |
|
1475 # manage ssl_setup` to generate self-signed certificates. |
|
1476 # (string value) |
|
1477 #certfile=/etc/keystone/ssl/certs/keystone.pem |
|
1478 |
|
1479 # Path of the keyfile for SSL. (string value) |
|
1480 #keyfile=/etc/keystone/ssl/private/keystonekey.pem |
|
1481 |
|
1482 # Path of the ca cert file for SSL. (string value) |
|
1483 #ca_certs=/etc/keystone/ssl/certs/ca.pem |
|
1484 |
|
1485 # Path of the CA key file for SSL. (string value) |
|
1486 #ca_key=/etc/keystone/ssl/private/cakey.pem |
|
1487 |
|
1488 # Require client certificate. (boolean value) |
|
1489 #cert_required=false |
|
1490 |
|
1491 # SSL key length (in bits) (auto generated certificate). |
|
1492 # (integer value) |
|
1493 #key_size=1024 |
|
1494 |
|
1495 # Days the certificate is valid for once signed (auto |
|
1496 # generated certificate). (integer value) |
|
1497 #valid_days=3650 |
|
1498 |
|
1499 # SSL certificate subject (auto generated certificate). |
|
1500 # (string value) |
|
1501 #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost |
|
1502 |
|
1503 |
|
1504 [stats] |
|
1505 |
|
1506 # |
|
1507 # Options defined in keystone |
|
1508 # |
|
1509 |
|
1510 # Stats backend driver. (string value) |
|
1511 #driver=keystone.contrib.stats.backends.kvs.Stats |
|
1512 |
|
1513 |
|
1514 [token] |
|
1515 |
|
1516 # |
|
1517 # Options defined in keystone |
|
1518 # |
|
1519 |
|
1520 # External auth mechanisms that should add bind information to |
|
1521 # token, e.g., kerberos,x509. (list value) |
|
1522 #bind= |
|
1523 |
|
1524 # Enforcement policy on tokens presented to Keystone with bind |
|
1525 # information. One of disabled, permissive, strict, required |
|
1526 # or a specifically required bind mode, e.g., kerberos or x509 |
|
1527 # to require binding to that authentication. (string value) |
|
1528 #enforce_token_bind=permissive |
|
1529 |
|
1530 # Amount of time a token should remain valid (in seconds). |
|
1531 # (integer value) |
|
1532 #expiration=3600 |
|
1533 |
|
1534 # Controls the token construction, validation, and revocation |
|
1535 # operations. Core providers are |
|
1536 # "keystone.token.providers.[pkiz|pki|uuid].Provider". The |
|
1537 # default provider is uuid. (string value) |
|
1538 #provider=<None> |
|
1539 |
|
1540 # Token persistence backend driver. (string value) |
1686 # Token persistence backend driver. (string value) |
1541 #driver=keystone.token.persistence.backends.sql.Token |
1687 #driver = keystone.token.persistence.backends.sql.Token |
1542 |
1688 |
1543 # Toggle for token system caching. This has no effect unless |
1689 # Toggle for token system caching. This has no effect unless global caching is |
1544 # global caching is enabled. (boolean value) |
1690 # enabled. (boolean value) |
1545 #caching=true |
1691 #caching = true |
1546 |
1692 |
1547 # Time to cache the revocation list and the revocation events |
1693 # Time to cache tokens (in seconds). This has no effect unless global and token |
1548 # if revoke extension is enabled (in seconds). This has no |
1694 # caching are enabled. (integer value) |
1549 # effect unless global and token caching are enabled. (integer |
1695 #cache_time = <None> |
1550 # value) |
1696 |
1551 #revocation_cache_time=3600 |
1697 # Revoke token by token identifier. Setting revoke_by_id to true enables |
1552 |
1698 # various forms of enumerating tokens, e.g. `list tokens for user`. These |
1553 # Time to cache tokens (in seconds). This has no effect unless |
1699 # enumerations are processed to determine the list of tokens to revoke. Only |
1554 # global and token caching are enabled. (integer value) |
1700 # disable if you are switching to using the Revoke extension with a backend |
1555 #cache_time=<None> |
1701 # other than KVS, which stores events in memory. (boolean value) |
1556 |
1702 #revoke_by_id = true |
1557 # Revoke token by token identifier. Setting revoke_by_id to |
1703 |
1558 # true enables various forms of enumerating tokens, e.g. `list |
1704 # Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false |
1559 # tokens for user`. These enumerations are processed to |
1705 # prevents a user from exchanging a scoped token for any other token. (boolean |
1560 # determine the list of tokens to revoke. Only disable if you |
1706 # value) |
1561 # are switching to using the Revoke extension with a backend |
1707 #allow_rescope_scoped_token = true |
1562 # other than KVS, which stores events in memory. (boolean |
1708 |
1563 # value) |
1709 # The hash algorithm to use for PKI tokens. This can be set to any algorithm |
1564 #revoke_by_id=true |
1710 # that hashlib supports. WARNING: Before changing this value, the auth_token |
1565 |
1711 # middleware must be configured with the hash_algorithms, otherwise token |
1566 # The hash algorithm to use for PKI tokens. This can be set to |
|
1567 # any algorithm that hashlib supports. WARNING: Before |
|
1568 # changing this value, the auth_token middleware must be |
|
1569 # configured with the hash_algorithms, otherwise token |
|
1570 # revocation will not be processed correctly. (string value) |
1712 # revocation will not be processed correctly. (string value) |
1571 #hash_algorithm=md5 |
1713 #hash_algorithm = md5 |
1572 |
1714 |
1573 |
1715 |
1574 [trust] |
1716 [trust] |
1575 |
1717 |
1576 # |
1718 # |
1577 # Options defined in keystone |
1719 # From keystone |
1578 # |
1720 # |
1579 |
1721 |
1580 # Delegation and impersonation features can be optionally |
1722 # Delegation and impersonation features can be optionally disabled. (boolean |
1581 # disabled. (boolean value) |
1723 # value) |
1582 #enabled=true |
1724 #enabled = true |
1583 |
1725 |
|
1726 # Enable redelegation feature. (boolean value) |
|
1727 #allow_redelegation = false |
|
1728 |
|
1729 # Maximum depth of trust redelegation. (integer value) |
|
1730 #max_redelegation_count = 3 |
|
1731 |
1584 # Trust backend driver. (string value) |
1732 # Trust backend driver. (string value) |
1585 #driver=keystone.trust.backends.sql.Trust |
1733 #driver = keystone.trust.backends.sql.Trust |
1586 |
|
1587 |
|