1 [DEFAULT] |
1 [DEFAULT] |
2 # A "shared secret" between keystone and other openstack services |
2 |
3 # admin_token = ADMIN |
3 # |
4 |
4 # Options defined in keystone |
5 # The IP address of the network interface to listen on |
5 # |
6 # bind_host = 0.0.0.0 |
6 |
7 |
7 # A "shared secret" that can be used to bootstrap Keystone. |
8 # The port number which the public service listens on |
8 # This "token" does not represent a user, and carries no |
9 # public_port = 5000 |
9 # explicit authorization. To disable in production (highly |
10 |
10 # recommended), remove AdminTokenAuthMiddleware from your |
11 # The port number which the public admin listens on |
11 # paste application pipelines (for example, in keystone- |
12 # admin_port = 35357 |
12 # paste.ini). (string value) |
13 |
13 #admin_token=ADMIN |
14 # The base endpoint URLs for keystone that are advertised to clients |
14 |
15 # (NOTE: this does NOT affect how keystone listens for connections) |
15 # The IP address of the network interface for the public |
16 # public_endpoint = http://localhost:%(public_port)s/ |
16 # service to listen on. (string value) |
17 # admin_endpoint = http://localhost:%(admin_port)s/ |
17 # Deprecated group/name - [DEFAULT]/bind_host |
18 |
18 #public_bind_host=0.0.0.0 |
19 # The port number which the OpenStack Compute service listens on |
19 |
20 # compute_port = 8774 |
20 # The IP address of the network interface for the admin |
21 |
21 # service to listen on. (string value) |
22 # Path to your policy definition containing identity actions |
22 # Deprecated group/name - [DEFAULT]/bind_host |
23 # policy_file = policy.json |
23 #admin_bind_host=0.0.0.0 |
24 |
24 |
25 # Rule to check if no matching policy definition is found |
25 # (Deprecated) The port which the OpenStack Compute service |
26 # FIXME(dolph): This should really be defined as [policy] default_rule |
26 # listens on. This option was only used for string replacement |
27 # policy_default_rule = admin_required |
27 # in the templated catalog backend. Templated catalogs should |
28 |
28 # replace the "$(compute_port)s" substitution with the static |
29 # Role for migrating membership relationships |
29 # port of the compute service. As of Juno, this option is |
30 # During a SQL upgrade, the following values will be used to create a new role |
30 # deprecated and will be removed in the L release. (integer |
31 # that will replace records in the user_tenant_membership table with explicit |
31 # value) |
32 # role grants. After migration, the member_role_id will be used in the API |
32 #compute_port=8774 |
33 # add_user_to_project, and member_role_name will be ignored. |
33 |
34 # member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab |
34 # The port number which the admin service listens on. (integer |
35 # member_role_name = _member_ |
35 # value) |
36 |
36 #admin_port=35357 |
37 # enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter) |
37 |
38 # max_request_body_size = 114688 |
38 # The port number which the public service listens on. |
39 |
39 # (integer value) |
40 # limit the sizes of user & tenant ID/names |
40 #public_port=5000 |
41 # max_param_size = 64 |
41 |
42 |
42 # The base public endpoint URL for Keystone that is advertised |
43 # similar to max_param_size, but provides an exception for token values |
43 # to clients (NOTE: this does NOT affect how Keystone listens |
44 # max_token_size = 8192 |
44 # for connections). Defaults to the base host URL of the |
45 |
45 # request. E.g. a request to http://server:5000/v2.0/users |
46 # === Logging Options === |
46 # will default to http://server:5000. You should only need to |
47 # Print debugging output |
47 # set this value if the base URL contains a path (e.g. |
48 # (includes plaintext request logging, potentially including passwords) |
48 # /prefix/v2.0) or the endpoint should be found on a different |
49 # debug = False |
49 # server. (string value) |
50 |
50 #public_endpoint=<None> |
51 # Print more verbose output |
51 |
52 # verbose = False |
52 # The base admin endpoint URL for Keystone that is advertised |
53 |
53 # to clients (NOTE: this does NOT affect how Keystone listens |
54 # Name of log file to output to. If not set, logging will go to stdout. |
54 # for connections). Defaults to the base host URL of the |
55 # log_file = keystone.log |
55 # request. E.g. a request to http://server:35357/v2.0/users |
56 |
56 # will default to http://server:35357. You should only need to |
57 # The directory to keep log files in (will be prepended to --logfile) |
57 # set this value if the base URL contains a path (e.g. |
58 # log_dir = /var/log/keystone |
58 # /prefix/v2.0) or the endpoint should be found on a different |
59 |
59 # server. (string value) |
60 # Use syslog for logging. |
60 #admin_endpoint=<None> |
61 # use_syslog = False |
61 |
62 |
62 # The number of worker processes to serve the public WSGI |
63 # syslog facility to receive log lines |
63 # application. Defaults to number of CPUs (minimum of 2). |
64 # syslog_log_facility = LOG_USER |
64 # (integer value) |
65 |
65 public_workers=2 |
66 # If this option is specified, the logging configuration file specified is |
66 |
67 # used and overrides any other logging options specified. Please see the |
67 # The number of worker processes to serve the admin WSGI |
68 # Python logging module documentation for details on logging configuration |
68 # application. Defaults to number of CPUs (minimum of 2). |
69 # files. |
69 # (integer value) |
70 # log_config = logging.conf |
70 admin_workers=2 |
71 |
71 |
72 # A logging.Formatter log message format string which may use any of the |
72 # Enforced by optional sizelimit middleware |
73 # available logging.LogRecord attributes. |
73 # (keystone.middleware:RequestBodySizeLimiter). (integer |
74 # log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s |
74 # value) |
75 |
75 #max_request_body_size=114688 |
76 # Format string for %(asctime)s in log records. |
76 |
77 # log_date_format = %Y-%m-%d %H:%M:%S |
77 # Limit the sizes of user & project ID/names. (integer value) |
78 |
78 #max_param_size=64 |
79 # onready allows you to send a notification when the process is ready to serve |
79 |
80 # For example, to have it notify using systemd, one could set shell command: |
80 # Similar to max_param_size, but provides an exception for |
81 # onready = systemd-notify --ready |
81 # token values. (integer value) |
82 # or a module with notify() method: |
82 #max_token_size=8192 |
83 # onready = keystone.common.systemd |
83 |
84 |
84 # During a SQL upgrade member_role_id will be used to create a |
85 # === Notification Options === |
85 # new role that will replace records in the assignment table |
86 |
86 # with explicit role grants. After migration, the |
87 # Notifications can be sent when users or projects are created, updated or |
87 # member_role_id will be used in the API add_user_to_project. |
88 # deleted. There are three methods of sending notifications: logging (via the |
88 # (string value) |
89 # log_file directive), rpc (via a message queue) and no_op (no notifications |
89 #member_role_id=9fe2ff9ee4384b1894a90878d3e92bab |
90 # sent, the default) |
90 |
91 |
91 # During a SQL upgrade member_role_name will be used to create |
92 # notification_driver can be defined multiple times |
92 # a new role that will replace records in the assignment table |
93 # Do nothing driver (the default) |
93 # with explicit role grants. After migration, member_role_name |
94 # notification_driver = keystone.openstack.common.notifier.no_op_notifier |
94 # will be ignored. (string value) |
95 # Logging driver example (not enabled by default) |
95 #member_role_name=_member_ |
96 # notification_driver = keystone.openstack.common.notifier.log_notifier |
96 |
97 # RPC driver example (not enabled by default) |
97 # The value passed as the keyword "rounds" to passlib's |
98 # notification_driver = keystone.openstack.common.notifier.rpc_notifier |
98 # encrypt method. (integer value) |
99 |
99 #crypt_strength=40000 |
100 # Default notification level for outgoing notifications |
100 |
101 # default_notification_level = INFO |
101 # Set this to true if you want to enable TCP_KEEPALIVE on |
102 |
102 # server sockets, i.e. sockets used by the Keystone wsgi |
103 # Default publisher_id for outgoing notifications; included in the payload. |
103 # server for client connections. (boolean value) |
104 # default_publisher_id = |
104 #tcp_keepalive=false |
105 |
105 |
106 # AMQP topics to publish to when using the RPC notification driver. |
106 # Sets the value of TCP_KEEPIDLE in seconds for each server |
107 # Multiple values can be specified by separating with commas. |
107 # socket. Only applies if tcp_keepalive is true. Not supported |
108 # The actual topic names will be %s.%(default_notification_level)s |
108 # on OS X. (integer value) |
109 # notification_topics = notifications |
109 #tcp_keepidle=600 |
110 |
110 |
111 # === RPC Options === |
111 # The maximum number of entities that will be returned in a |
112 |
112 # collection, with no limit set by default. This global limit |
113 # For Keystone, these options apply only when the RPC notification driver is |
113 # may be then overridden for a specific driver, by specifying |
114 # used. |
114 # a list_limit in the appropriate section (e.g. [assignment]). |
115 |
115 # (integer value) |
116 # The messaging module to use, defaults to kombu. |
116 #list_limit=<None> |
117 # rpc_backend = keystone.openstack.common.rpc.impl_kombu |
117 |
118 |
118 # Set this to false if you want to enable the ability for |
119 # Size of RPC thread pool |
119 # user, group and project entities to be moved between domains |
120 # rpc_thread_pool_size = 64 |
120 # by updating their domain_id. Allowing such movement is not |
121 |
121 # recommended if the scope of a domain admin is being |
122 # Size of RPC connection pool |
122 # restricted by use of an appropriate policy file (see |
123 # rpc_conn_pool_size = 30 |
123 # policy.v3cloudsample as an example). (boolean value) |
124 |
124 #domain_id_immutable=true |
125 # Seconds to wait for a response from call or multicall |
125 |
126 # rpc_response_timeout = 60 |
126 # If set to true, strict password length checking is performed |
127 |
127 # for password manipulation. If a password exceeds the maximum |
128 # Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. |
128 # length, the operation will fail with an HTTP 403 Forbidden |
129 # rpc_cast_timeout = 30 |
129 # error. If set to false, passwords are automatically |
130 |
130 # truncated to the maximum length. (boolean value) |
131 # Modules of exceptions that are permitted to be recreated upon receiving |
131 #strict_password_check=false |
132 # exception data from an rpc call. |
132 |
133 # allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions |
133 |
134 |
134 # |
135 # If True, use a fake RabbitMQ provider |
135 # Options defined in oslo.messaging |
136 # fake_rabbit = False |
136 # |
137 |
137 |
138 # AMQP exchange to connect to if using RabbitMQ or Qpid |
138 # Use durable queues in amqp. (boolean value) |
139 # control_exchange = openstack |
139 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues |
140 |
140 #amqp_durable_queues=false |
141 [sql] |
141 |
142 # The SQLAlchemy connection string used to connect to the database |
142 # Auto-delete queues in amqp. (boolean value) |
143 connection = sqlite:////var/lib/keystone/keystone.sqlite |
143 #amqp_auto_delete=false |
144 |
144 |
145 # the timeout before idle sql connections are reaped |
145 # Size of RPC connection pool. (integer value) |
146 # idle_timeout = 200 |
146 #rpc_conn_pool_size=30 |
|
147 |
|
148 # Qpid broker hostname. (string value) |
|
149 #qpid_hostname=localhost |
|
150 |
|
151 # Qpid broker port. (integer value) |
|
152 #qpid_port=5672 |
|
153 |
|
154 # Qpid HA cluster host:port pairs. (list value) |
|
155 #qpid_hosts=$qpid_hostname:$qpid_port |
|
156 |
|
157 # Username for Qpid connection. (string value) |
|
158 #qpid_username= |
|
159 |
|
160 # Password for Qpid connection. (string value) |
|
161 #qpid_password= |
|
162 |
|
163 # Space separated list of SASL mechanisms to use for auth. |
|
164 # (string value) |
|
165 #qpid_sasl_mechanisms= |
|
166 |
|
167 # Seconds between connection keepalive heartbeats. (integer |
|
168 # value) |
|
169 #qpid_heartbeat=60 |
|
170 |
|
171 # Transport to use, either 'tcp' or 'ssl'. (string value) |
|
172 #qpid_protocol=tcp |
|
173 |
|
174 # Whether to disable the Nagle algorithm. (boolean value) |
|
175 #qpid_tcp_nodelay=true |
|
176 |
|
177 # The number of prefetched messages held by receiver. (integer |
|
178 # value) |
|
179 #qpid_receiver_capacity=1 |
|
180 |
|
181 # The qpid topology version to use. Version 1 is what was |
|
182 # originally used by impl_qpid. Version 2 includes some |
|
183 # backwards-incompatible changes that allow broker federation |
|
184 # to work. Users should update to version 2 when they are |
|
185 # able to take everything down, as it requires a clean break. |
|
186 # (integer value) |
|
187 #qpid_topology_version=1 |
|
188 |
|
189 # SSL version to use (valid only if SSL enabled). valid values |
|
190 # are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some |
|
191 # distributions. (string value) |
|
192 #kombu_ssl_version= |
|
193 |
|
194 # SSL key file (valid only if SSL enabled). (string value) |
|
195 #kombu_ssl_keyfile= |
|
196 |
|
197 # SSL cert file (valid only if SSL enabled). (string value) |
|
198 #kombu_ssl_certfile= |
|
199 |
|
200 # SSL certification authority file (valid only if SSL |
|
201 # enabled). (string value) |
|
202 #kombu_ssl_ca_certs= |
|
203 |
|
204 # How long to wait before reconnecting in response to an AMQP |
|
205 # consumer cancel notification. (floating point value) |
|
206 #kombu_reconnect_delay=1.0 |
|
207 |
|
208 # The RabbitMQ broker address where a single node is used. |
|
209 # (string value) |
|
210 #rabbit_host=localhost |
|
211 |
|
212 # The RabbitMQ broker port where a single node is used. |
|
213 # (integer value) |
|
214 #rabbit_port=5672 |
|
215 |
|
216 # RabbitMQ HA cluster host:port pairs. (list value) |
|
217 #rabbit_hosts=$rabbit_host:$rabbit_port |
|
218 |
|
219 # Connect over SSL for RabbitMQ. (boolean value) |
|
220 #rabbit_use_ssl=false |
|
221 |
|
222 # The RabbitMQ userid. (string value) |
|
223 #rabbit_userid=guest |
|
224 |
|
225 # The RabbitMQ password. (string value) |
|
226 #rabbit_password=guest |
|
227 |
|
228 # the RabbitMQ login method (string value) |
|
229 #rabbit_login_method=AMQPLAIN |
|
230 |
|
231 # The RabbitMQ virtual host. (string value) |
|
232 #rabbit_virtual_host=/ |
|
233 |
|
234 # How frequently to retry connecting with RabbitMQ. (integer |
|
235 # value) |
|
236 #rabbit_retry_interval=1 |
|
237 |
|
238 # How long to backoff for between retries when connecting to |
|
239 # RabbitMQ. (integer value) |
|
240 #rabbit_retry_backoff=2 |
|
241 |
|
242 # Maximum number of RabbitMQ connection retries. Default is 0 |
|
243 # (infinite retry count). (integer value) |
|
244 #rabbit_max_retries=0 |
|
245 |
|
246 # Use HA queues in RabbitMQ (x-ha-policy: all). If you change |
|
247 # this option, you must wipe the RabbitMQ database. (boolean |
|
248 # value) |
|
249 #rabbit_ha_queues=false |
|
250 |
|
251 # If passed, use a fake RabbitMQ provider. (boolean value) |
|
252 #fake_rabbit=false |
|
253 |
|
254 # ZeroMQ bind address. Should be a wildcard (*), an ethernet |
|
255 # interface, or IP. The "host" option should point or resolve |
|
256 # to this address. (string value) |
|
257 #rpc_zmq_bind_address=* |
|
258 |
|
259 # MatchMaker driver. (string value) |
|
260 #rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost |
|
261 |
|
262 # ZeroMQ receiver listening port. (integer value) |
|
263 #rpc_zmq_port=9501 |
|
264 |
|
265 # Number of ZeroMQ contexts, defaults to 1. (integer value) |
|
266 #rpc_zmq_contexts=1 |
|
267 |
|
268 # Maximum number of ingress messages to locally buffer per |
|
269 # topic. Default is unlimited. (integer value) |
|
270 #rpc_zmq_topic_backlog=<None> |
|
271 |
|
272 # Directory for holding IPC sockets. (string value) |
|
273 #rpc_zmq_ipc_dir=/var/run/openstack |
|
274 |
|
275 # Name of this node. Must be a valid hostname, FQDN, or IP |
|
276 # address. Must match "host" option, if running Nova. (string |
|
277 # value) |
|
278 #rpc_zmq_host=keystone |
|
279 |
|
280 # Seconds to wait before a cast expires (TTL). Only supported |
|
281 # by impl_zmq. (integer value) |
|
282 #rpc_cast_timeout=30 |
|
283 |
|
284 # Heartbeat frequency. (integer value) |
|
285 #matchmaker_heartbeat_freq=300 |
|
286 |
|
287 # Heartbeat time-to-live. (integer value) |
|
288 #matchmaker_heartbeat_ttl=600 |
|
289 |
|
290 # Size of RPC greenthread pool. (integer value) |
|
291 #rpc_thread_pool_size=64 |
|
292 |
|
293 # Driver or drivers to handle sending notifications. (multi |
|
294 # valued) |
|
295 #notification_driver= |
|
296 |
|
297 # AMQP topic used for OpenStack notifications. (list value) |
|
298 # Deprecated group/name - [rpc_notifier2]/topics |
|
299 #notification_topics=notifications |
|
300 |
|
301 # Seconds to wait for a response from a call. (integer value) |
|
302 #rpc_response_timeout=60 |
|
303 |
|
304 # A URL representing the messaging driver to use and its full |
|
305 # configuration. If not set, we fall back to the rpc_backend |
|
306 # option and driver specific configuration. (string value) |
|
307 #transport_url=<None> |
|
308 |
|
309 # The messaging driver to use, defaults to rabbit. Other |
|
310 # drivers include qpid and zmq. (string value) |
|
311 #rpc_backend=rabbit |
|
312 |
|
313 # The default exchange under which topics are scoped. May be |
|
314 # overridden by an exchange name specified in the |
|
315 # transport_url option. (string value) |
|
316 #control_exchange=keystone |
|
317 |
|
318 |
|
319 # |
|
320 # Options defined in keystone.notifications |
|
321 # |
|
322 |
|
323 # Default publisher_id for outgoing notifications (string |
|
324 # value) |
|
325 #default_publisher_id=<None> |
|
326 |
|
327 |
|
328 # |
|
329 # Options defined in keystone.openstack.common.eventlet_backdoor |
|
330 # |
|
331 |
|
332 # Enable eventlet backdoor. Acceptable values are 0, <port>, |
|
333 # and <start>:<end>, where 0 results in listening on a random |
|
334 # tcp port number; <port> results in listening on the |
|
335 # specified port number (and not enabling backdoor if that |
|
336 # port is in use); and <start>:<end> results in listening on |
|
337 # the smallest unused port number within the specified range |
|
338 # of port numbers. The chosen port is displayed in the |
|
339 # service's log file. (string value) |
|
340 #backdoor_port=<None> |
|
341 |
|
342 |
|
343 # |
|
344 # Options defined in keystone.openstack.common.log |
|
345 # |
|
346 |
|
347 # Print debugging output (set logging level to DEBUG instead |
|
348 # of default WARNING level). (boolean value) |
|
349 #debug=false |
|
350 |
|
351 # Print more verbose output (set logging level to INFO instead |
|
352 # of default WARNING level). (boolean value) |
|
353 #verbose=false |
|
354 |
|
355 # Log output to standard error. (boolean value) |
|
356 #use_stderr=true |
|
357 |
|
358 # Format string to use for log messages with context. (string |
|
359 # value) |
|
360 #logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s |
|
361 |
|
362 # Format string to use for log messages without context. |
|
363 # (string value) |
|
364 #logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s |
|
365 |
|
366 # Data to append to log format when level is DEBUG. (string |
|
367 # value) |
|
368 #logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d |
|
369 |
|
370 # Prefix each line of exception output with this format. |
|
371 # (string value) |
|
372 #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s |
|
373 |
|
374 # List of logger=LEVEL pairs. (list value) |
|
375 #default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN |
|
376 |
|
377 # Enables or disables publication of error events. (boolean |
|
378 # value) |
|
379 #publish_errors=false |
|
380 |
|
381 # Enables or disables fatal status of deprecations. (boolean |
|
382 # value) |
|
383 #fatal_deprecations=false |
|
384 |
|
385 # The format for an instance that is passed with the log |
|
386 # message. (string value) |
|
387 #instance_format="[instance: %(uuid)s] " |
|
388 |
|
389 # The format for an instance UUID that is passed with the log |
|
390 # message. (string value) |
|
391 #instance_uuid_format="[instance: %(uuid)s] " |
|
392 |
|
393 # The name of a logging configuration file. This file is |
|
394 # appended to any existing logging configuration files. For |
|
395 # details about logging configuration files, see the Python |
|
396 # logging module documentation. (string value) |
|
397 # Deprecated group/name - [DEFAULT]/log_config |
|
398 #log_config_append=<None> |
|
399 |
|
400 # DEPRECATED. A logging.Formatter log message format string |
|
401 # which may use any of the available logging.LogRecord |
|
402 # attributes. This option is deprecated. Please use |
|
403 # logging_context_format_string and |
|
404 # logging_default_format_string instead. (string value) |
|
405 #log_format=<None> |
|
406 |
|
407 # Format string for %%(asctime)s in log records. Default: |
|
408 # %(default)s . (string value) |
|
409 #log_date_format=%Y-%m-%d %H:%M:%S |
|
410 |
|
411 # (Optional) Name of log file to output to. If no default is |
|
412 # set, logging will go to stdout. (string value) |
|
413 # Deprecated group/name - [DEFAULT]/logfile |
|
414 #log_file=<None> |
|
415 |
|
416 # (Optional) The base directory used for relative --log-file |
|
417 # paths. (string value) |
|
418 # Deprecated group/name - [DEFAULT]/logdir |
|
419 #log_dir=<None> |
|
420 |
|
421 # Use syslog for logging. Existing syslog format is DEPRECATED |
|
422 # during I, and will change in J to honor RFC5424. (boolean |
|
423 # value) |
|
424 #use_syslog=false |
|
425 |
|
426 # (Optional) Enables or disables syslog rfc5424 format for |
|
427 # logging. If enabled, prefixes the MSG part of the syslog |
|
428 # message with APP-NAME (RFC5424). The format without the APP- |
|
429 # NAME is deprecated in I, and will be removed in J. (boolean |
|
430 # value) |
|
431 #use_syslog_rfc_format=false |
|
432 |
|
433 # Syslog facility to receive log lines. (string value) |
|
434 #syslog_log_facility=LOG_USER |
|
435 |
|
436 |
|
437 # |
|
438 # Options defined in keystone.openstack.common.policy |
|
439 # |
|
440 |
|
441 # The JSON file that defines policies. (string value) |
|
442 #policy_file=policy.json |
|
443 |
|
444 # Default rule. Enforced when a requested rule is not found. |
|
445 # (string value) |
|
446 #policy_default_rule=default |
|
447 |
|
448 |
|
449 [assignment] |
|
450 |
|
451 # |
|
452 # Options defined in keystone |
|
453 # |
|
454 |
|
455 # Assignment backend driver. (string value) |
|
456 #driver=<None> |
|
457 |
|
458 # Toggle for assignment caching. This has no effect unless |
|
459 # global caching is enabled. (boolean value) |
|
460 #caching=true |
|
461 |
|
462 # TTL (in seconds) to cache assignment data. This has no |
|
463 # effect unless global caching is enabled. (integer value) |
|
464 #cache_time=<None> |
|
465 |
|
466 # Maximum number of entities that will be returned in an |
|
467 # assignment collection. (integer value) |
|
468 #list_limit=<None> |
|
469 |
|
470 |
|
471 [auth] |
|
472 |
|
473 # |
|
474 # Options defined in keystone |
|
475 # |
|
476 |
|
477 # Default auth methods. (list value) |
|
478 #methods=external,password,token |
|
479 |
|
480 # The password auth plugin module. (string value) |
|
481 #password=keystone.auth.plugins.password.Password |
|
482 |
|
483 # The token auth plugin module. (string value) |
|
484 #token=keystone.auth.plugins.token.Token |
|
485 |
|
486 # The external (REMOTE_USER) auth plugin module. (string |
|
487 # value) |
|
488 #external=keystone.auth.plugins.external.DefaultDomain |
|
489 |
|
490 |
|
491 [cache] |
|
492 |
|
493 # |
|
494 # Options defined in keystone |
|
495 # |
|
496 |
|
497 # Prefix for building the configuration dictionary for the |
|
498 # cache region. This should not need to be changed unless |
|
499 # there is another dogpile.cache region with the same |
|
500 # configuration name. (string value) |
|
501 #config_prefix=cache.keystone |
|
502 |
|
503 # Default TTL, in seconds, for any cached item in the |
|
504 # dogpile.cache region. This applies to any cached method that |
|
505 # doesn't have an explicit cache expiration time defined for |
|
506 # it. (integer value) |
|
507 #expiration_time=600 |
|
508 |
|
509 # Dogpile.cache backend module. It is recommended that |
|
510 # Memcache with pooling (keystone.cache.memcache_pool) or |
|
511 # Redis (dogpile.cache.redis) be used in production |
|
512 # deployments. Small workloads (single process) like devstack |
|
513 # can use the dogpile.cache.memory backend. (string value) |
|
514 #backend=keystone.common.cache.noop |
|
515 |
|
516 # Arguments supplied to the backend module. Specify this |
|
517 # option once per argument to be passed to the dogpile.cache |
|
518 # backend. Example format: "<argname>:<value>". (multi valued) |
|
519 #backend_argument= |
|
520 |
|
521 # Proxy classes to import that will affect the way the |
|
522 # dogpile.cache backend functions. See the dogpile.cache |
|
523 # documentation on changing-backend-behavior. (list value) |
|
524 #proxies= |
|
525 |
|
526 # Global toggle for all caching using the should_cache_fn |
|
527 # mechanism. (boolean value) |
|
528 #enabled=false |
|
529 |
|
530 # Extra debugging from the cache backend (cache keys, |
|
531 # get/set/delete/etc calls). This is only really useful if you |
|
532 # need to see the specific cache-backend get/set/delete calls |
|
533 # with the keys/values. Typically this should be left set to |
|
534 # false. (boolean value) |
|
535 #debug_cache_backend=false |
|
536 |
|
537 # Memcache servers in the format of "host:port". |
|
538 # (dogpile.cache.memcache and keystone.cache.memcache_pool |
|
539 # backends only) (list value) |
|
540 #memcache_servers=localhost:11211 |
|
541 |
|
542 # Number of seconds memcached server is considered dead before |
|
543 # it is tried again. (dogpile.cache.memcache and |
|
544 # keystone.cache.memcache_pool backends only) (integer value) |
|
545 #memcache_dead_retry=300 |
|
546 |
|
547 # Timeout in seconds for every call to a server. |
|
548 # (dogpile.cache.memcache and keystone.cache.memcache_pool |
|
549 # backends only) (integer value) |
|
550 #memcache_socket_timeout=3 |
|
551 |
|
552 # Max total number of open connections to every memcached |
|
553 # server. (keystone.cache.memcache_pool backend only) (integer |
|
554 # value) |
|
555 #memcache_pool_maxsize=10 |
|
556 |
|
557 # Number of seconds a connection to memcached is held unused |
|
558 # in the pool before it is closed. |
|
559 # (keystone.cache.memcache_pool backend only) (integer value) |
|
560 #memcache_pool_unused_timeout=60 |
|
561 |
|
562 # Number of seconds that an operation will wait to get a |
|
563 # memcache client connection. (integer value) |
|
564 #memcache_pool_connection_get_timeout=10 |
|
565 |
|
566 |
|
567 [catalog] |
|
568 |
|
569 # |
|
570 # Options defined in keystone |
|
571 # |
|
572 |
|
573 # Catalog template file name for use with the template catalog |
|
574 # backend. (string value) |
|
575 #template_file=default_catalog.templates |
|
576 |
|
577 # Catalog backend driver. (string value) |
|
578 #driver=keystone.catalog.backends.sql.Catalog |
|
579 |
|
580 # Toggle for catalog caching. This has no effect unless global |
|
581 # caching is enabled. (boolean value) |
|
582 #caching=true |
|
583 |
|
584 # Time to cache catalog data (in seconds). This has no effect |
|
585 # unless global and catalog caching are enabled. (integer |
|
586 # value) |
|
587 #cache_time=<None> |
|
588 |
|
589 # Maximum number of entities that will be returned in a |
|
590 # catalog collection. (integer value) |
|
591 #list_limit=<None> |
|
592 |
|
593 # (Deprecated) List of possible substitutions for use in |
|
594 # formatting endpoints. Use caution when modifying this list. |
|
595 # It will give users with permission to create endpoints the |
|
596 # ability to see those values in your configuration file. This |
|
597 # option will be removed in Juno. (list value) |
|
598 #endpoint_substitution_whitelist=tenant_id,user_id,public_bind_host,admin_bind_host,compute_host,compute_port,admin_port,public_port,public_endpoint,admin_endpoint |
|
599 |
|
600 |
|
601 [credential] |
|
602 |
|
603 # |
|
604 # Options defined in keystone |
|
605 # |
|
606 |
|
607 # Credential backend driver. (string value) |
|
608 #driver=keystone.credential.backends.sql.Credential |
|
609 |
|
610 |
|
611 [database] |
|
612 |
|
613 # |
|
614 # Options defined in oslo.db |
|
615 # |
|
616 |
|
617 # The file name to use with SQLite. (string value) |
|
618 #sqlite_db=oslo.sqlite |
|
619 |
|
620 # If True, SQLite uses synchronous mode. (boolean value) |
|
621 #sqlite_synchronous=true |
|
622 |
|
623 # The back end to use for the database. (string value) |
|
624 # Deprecated group/name - [DEFAULT]/db_backend |
|
625 #backend=sqlalchemy |
|
626 |
|
627 # The SQLAlchemy connection string to use to connect to the |
|
628 # database. (string value) |
|
629 # Deprecated group/name - [DEFAULT]/sql_connection |
|
630 # Deprecated group/name - [DATABASE]/sql_connection |
|
631 # Deprecated group/name - [sql]/connection |
|
632 connection=mysql://%SERVICE_USER%:%SERVICE_PASSWORD%@localhost/keystone |
|
633 |
|
634 # The SQLAlchemy connection string to use to connect to the |
|
635 # slave database. (string value) |
|
636 #slave_connection=<None> |
|
637 |
|
638 # The SQL mode to be used for MySQL sessions. This option, |
|
639 # including the default, overrides any server-set SQL mode. To |
|
640 # use whatever SQL mode is set by the server configuration, |
|
641 # set this to no value. Example: mysql_sql_mode= (string |
|
642 # value) |
|
643 #mysql_sql_mode=TRADITIONAL |
|
644 |
|
645 # Timeout before idle SQL connections are reaped. (integer |
|
646 # value) |
|
647 # Deprecated group/name - [DEFAULT]/sql_idle_timeout |
|
648 # Deprecated group/name - [DATABASE]/sql_idle_timeout |
|
649 # Deprecated group/name - [sql]/idle_timeout |
|
650 #idle_timeout=3600 |
|
651 |
|
652 # Minimum number of SQL connections to keep open in a pool. |
|
653 # (integer value) |
|
654 # Deprecated group/name - [DEFAULT]/sql_min_pool_size |
|
655 # Deprecated group/name - [DATABASE]/sql_min_pool_size |
|
656 #min_pool_size=1 |
|
657 |
|
658 # Maximum number of SQL connections to keep open in a pool. |
|
659 # (integer value) |
|
660 # Deprecated group/name - [DEFAULT]/sql_max_pool_size |
|
661 # Deprecated group/name - [DATABASE]/sql_max_pool_size |
|
662 #max_pool_size=<None> |
|
663 |
|
664 # Maximum db connection retries during startup. Set to -1 to |
|
665 # specify an infinite retry count. (integer value) |
|
666 # Deprecated group/name - [DEFAULT]/sql_max_retries |
|
667 # Deprecated group/name - [DATABASE]/sql_max_retries |
|
668 #max_retries=10 |
|
669 |
|
670 # Interval between retries of opening a SQL connection. |
|
671 # (integer value) |
|
672 # Deprecated group/name - [DEFAULT]/sql_retry_interval |
|
673 # Deprecated group/name - [DATABASE]/reconnect_interval |
|
674 #retry_interval=10 |
|
675 |
|
676 # If set, use this value for max_overflow with SQLAlchemy. |
|
677 # (integer value) |
|
678 # Deprecated group/name - [DEFAULT]/sql_max_overflow |
|
679 # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow |
|
680 #max_overflow=<None> |
|
681 |
|
682 # Verbosity of SQL debugging information: 0=None, |
|
683 # 100=Everything. (integer value) |
|
684 # Deprecated group/name - [DEFAULT]/sql_connection_debug |
|
685 #connection_debug=0 |
|
686 |
|
687 # Add Python stack traces to SQL as comment strings. (boolean |
|
688 # value) |
|
689 # Deprecated group/name - [DEFAULT]/sql_connection_trace |
|
690 #connection_trace=false |
|
691 |
|
692 # If set, use this value for pool_timeout with SQLAlchemy. |
|
693 # (integer value) |
|
694 # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout |
|
695 #pool_timeout=<None> |
|
696 |
|
697 # Enable the experimental use of database reconnect on |
|
698 # connection lost. (boolean value) |
|
699 #use_db_reconnect=false |
|
700 |
|
701 # Seconds between database connection retries. (integer value) |
|
702 #db_retry_interval=1 |
|
703 |
|
704 # If True, increases the interval between database connection |
|
705 # retries up to db_max_retry_interval. (boolean value) |
|
706 #db_inc_retry_interval=true |
|
707 |
|
708 # If db_inc_retry_interval is set, the maximum seconds between |
|
709 # database connection retries. (integer value) |
|
710 #db_max_retry_interval=10 |
|
711 |
|
712 # Maximum database connection retries before error is raised. |
|
713 # Set to -1 to specify an infinite retry count. (integer |
|
714 # value) |
|
715 #db_max_retries=20 |
|
716 |
|
717 |
|
718 [ec2] |
|
719 |
|
720 # |
|
721 # Options defined in keystone |
|
722 # |
|
723 |
|
724 # EC2Credential backend driver. (string value) |
|
725 #driver=keystone.contrib.ec2.backends.kvs.Ec2 |
|
726 |
|
727 |
|
728 [endpoint_filter] |
|
729 |
|
730 # |
|
731 # Options defined in keystone |
|
732 # |
|
733 |
|
734 # Endpoint Filter backend driver (string value) |
|
735 #driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
|
736 |
|
737 # Toggle to return all active endpoints if no filter exists. |
|
738 # (boolean value) |
|
739 #return_all_endpoints_if_no_filter=true |
|
740 |
|
741 |
|
742 [endpoint_policy] |
|
743 |
|
744 # |
|
745 # Options defined in keystone |
|
746 # |
|
747 |
|
748 # Endpoint policy backend driver (string value) |
|
749 #driver=keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy |
|
750 |
|
751 |
|
752 [federation] |
|
753 |
|
754 # |
|
755 # Options defined in keystone |
|
756 # |
|
757 |
|
758 # Federation backend driver. (string value) |
|
759 #driver=keystone.contrib.federation.backends.sql.Federation |
|
760 |
|
761 # Value to be used when filtering assertion parameters from |
|
762 # the environment. (string value) |
|
763 #assertion_prefix= |
|
764 |
147 |
765 |
148 [identity] |
766 [identity] |
149 # driver = keystone.identity.backends.sql.Identity |
767 |
150 |
768 # |
151 # This references the domain to use for all Identity API v2 requests (which are |
769 # Options defined in keystone |
152 # not aware of domains). A domain with this ID will be created for you by |
770 # |
153 # keystone-manage db_sync in migration 008. The domain referenced by this ID |
771 |
154 # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. |
772 # This references the domain to use for all Identity API v2 |
155 # There is nothing special about this domain, other than the fact that it must |
773 # requests (which are not aware of domains). A domain with |
156 # exist to order to maintain support for your v2 clients. |
774 # this ID will be created for you by keystone-manage db_sync |
157 # default_domain_id = default |
775 # in migration 008. The domain referenced by this ID cannot be |
158 # |
776 # deleted on the v3 API, to prevent accidentally breaking the |
159 # A subset (or all) of domains can have their own identity driver, each with |
777 # v2 API. There is nothing special about this domain, other |
160 # their own partial configuration file in a domain configuration directory. |
778 # than the fact that it must exist to order to maintain |
161 # Only values specific to the domain need to be placed in the domain specific |
779 # support for your v2 clients. (string value) |
|
780 #default_domain_id=default |
|
781 |
|
782 # A subset (or all) of domains can have their own identity |
|
783 # driver, each with their own partial configuration file in a |
|
784 # domain configuration directory. Only values specific to the |
|
785 # domain need to be placed in the domain specific |
162 # configuration file. This feature is disabled by default; set |
786 # configuration file. This feature is disabled by default; set |
163 # domain_specific_drivers_enabled to True to enable. |
787 # to true to enable. (boolean value) |
164 # domain_specific_drivers_enabled = False |
788 #domain_specific_drivers_enabled=false |
165 # domain_config_dir = /etc/keystone/domains |
789 |
166 |
790 # Path for Keystone to locate the domain specific identity |
167 # Maximum supported length for user passwords; decrease to improve performance. |
791 # configuration files if domain_specific_drivers_enabled is |
168 # max_password_length = 4096 |
792 # set to true. (string value) |
169 |
793 #domain_config_dir=/etc/keystone/domains |
170 [credential] |
794 |
171 # driver = keystone.credential.backends.sql.Credential |
795 # Identity backend driver. (string value) |
|
796 #driver=keystone.identity.backends.sql.Identity |
|
797 |
|
798 # Maximum supported length for user passwords; decrease to |
|
799 # improve performance. (integer value) |
|
800 #max_password_length=4096 |
|
801 |
|
802 # Maximum number of entities that will be returned in an |
|
803 # identity collection. (integer value) |
|
804 #list_limit=<None> |
|
805 |
|
806 |
|
807 [identity_mapping] |
|
808 |
|
809 # |
|
810 # Options defined in keystone |
|
811 # |
|
812 |
|
813 # Keystone Identity Mapping backend driver. (string value) |
|
814 #driver=keystone.identity.mapping_backends.sql.Mapping |
|
815 |
|
816 # Public ID generator for user and group entities. The |
|
817 # Keystone identity mapper only supports generators that |
|
818 # produce no more than 64 characters. (string value) |
|
819 #generator=keystone.identity.id_generators.sha256.Generator |
|
820 |
|
821 # The format of user and group IDs changed in Juno for |
|
822 # backends that do not generate UUIDs (e.g. LDAP), with |
|
823 # keystone providing a hash mapping to the underlying |
|
824 # attribute in LDAP. By default this mapping is disabled, |
|
825 # which ensures that existing IDs will not change. Even when |
|
826 # the mapping is enabled by using domain specific drivers, any |
|
827 # users and groups from the default domain being handled by |
|
828 # LDAP will still not be mapped to ensure their IDs remain |
|
829 # backward compatible. Setting this value to False will enable |
|
830 # the mapping for even the default LDAP driver. It is only |
|
831 # safe to do this if you do not already have assignments for |
|
832 # users and groups from the default LDAP domain, and it is |
|
833 # acceptable for Keystone to provide the different IDs to |
|
834 # clients than it did previously. Typically this means that |
|
835 # the only time you can set this value to False is when |
|
836 # configuring a fresh installation. (boolean value) |
|
837 #backward_compatible_ids=true |
|
838 |
|
839 |
|
840 [kvs] |
|
841 |
|
842 # |
|
843 # Options defined in keystone |
|
844 # |
|
845 |
|
846 # Extra dogpile.cache backend modules to register with the |
|
847 # dogpile.cache library. (list value) |
|
848 #backends= |
|
849 |
|
850 # Prefix for building the configuration dictionary for the KVS |
|
851 # region. This should not need to be changed unless there is |
|
852 # another dogpile.cache region with the same configuration |
|
853 # name. (string value) |
|
854 #config_prefix=keystone.kvs |
|
855 |
|
856 # Toggle to disable using a key-mangling function to ensure |
|
857 # fixed length keys. This is toggle-able for debugging |
|
858 # purposes, it is highly recommended to always leave this set |
|
859 # to true. (boolean value) |
|
860 #enable_key_mangler=true |
|
861 |
|
862 # Default lock timeout for distributed locking. (integer |
|
863 # value) |
|
864 #default_lock_timeout=5 |
|
865 |
|
866 |
|
867 [ldap] |
|
868 |
|
869 # |
|
870 # Options defined in keystone |
|
871 # |
|
872 |
|
873 # URL for connecting to the LDAP server. (string value) |
|
874 #url=ldap://localhost |
|
875 |
|
876 # User BindDN to query the LDAP server. (string value) |
|
877 #user=<None> |
|
878 |
|
879 # Password for the BindDN to query the LDAP server. (string |
|
880 # value) |
|
881 #password=<None> |
|
882 |
|
883 # LDAP server suffix (string value) |
|
884 #suffix=cn=example,cn=com |
|
885 |
|
886 # If true, will add a dummy member to groups. This is required |
|
887 # if the objectclass for groups requires the "member" |
|
888 # attribute. (boolean value) |
|
889 #use_dumb_member=false |
|
890 |
|
891 # DN of the "dummy member" to use when "use_dumb_member" is |
|
892 # enabled. (string value) |
|
893 #dumb_member=cn=dumb,dc=nonexistent |
|
894 |
|
895 # Delete subtrees using the subtree delete control. Only |
|
896 # enable this option if your LDAP server supports subtree |
|
897 # deletion. (boolean value) |
|
898 #allow_subtree_delete=false |
|
899 |
|
900 # The LDAP scope for queries, this can be either "one" |
|
901 # (onelevel/singleLevel) or "sub" (subtree/wholeSubtree). |
|
902 # (string value) |
|
903 #query_scope=one |
|
904 |
|
905 # Maximum results per page; a value of zero ("0") disables |
|
906 # paging. (integer value) |
|
907 #page_size=0 |
|
908 |
|
909 # The LDAP dereferencing option for queries. This can be |
|
910 # either "never", "searching", "always", "finding" or |
|
911 # "default". The "default" option falls back to using default |
|
912 # dereferencing configured by your ldap.conf. (string value) |
|
913 #alias_dereferencing=default |
|
914 |
|
915 # Sets the LDAP debugging level for LDAP calls. A value of 0 |
|
916 # means that debugging is not enabled. This value is a |
|
917 # bitmask, consult your LDAP documentation for possible |
|
918 # values. (integer value) |
|
919 #debug_level=<None> |
|
920 |
|
921 # Override the system's default referral chasing behavior for |
|
922 # queries. (boolean value) |
|
923 #chase_referrals=<None> |
|
924 |
|
925 # Search base for users. (string value) |
|
926 #user_tree_dn=<None> |
|
927 |
|
928 # LDAP search filter for users. (string value) |
|
929 #user_filter=<None> |
|
930 |
|
931 # LDAP objectclass for users. (string value) |
|
932 #user_objectclass=inetOrgPerson |
|
933 |
|
934 # LDAP attribute mapped to user id. WARNING: must not be a |
|
935 # multivalued attribute. (string value) |
|
936 #user_id_attribute=cn |
|
937 |
|
938 # LDAP attribute mapped to user name. (string value) |
|
939 #user_name_attribute=sn |
|
940 |
|
941 # LDAP attribute mapped to user email. (string value) |
|
942 #user_mail_attribute=mail |
|
943 |
|
944 # LDAP attribute mapped to password. (string value) |
|
945 #user_pass_attribute=userPassword |
|
946 |
|
947 # LDAP attribute mapped to user enabled flag. (string value) |
|
948 #user_enabled_attribute=enabled |
|
949 |
|
950 # Invert the meaning of the boolean enabled values. Some LDAP |
|
951 # servers use a boolean lock attribute where "true" means an |
|
952 # account is disabled. Setting "user_enabled_invert = true" |
|
953 # will allow these lock attributes to be used. This setting |
|
954 # will have no effect if "user_enabled_mask" or |
|
955 # "user_enabled_emulation" settings are in use. (boolean |
|
956 # value) |
|
957 #user_enabled_invert=false |
|
958 |
|
959 # Bitmask integer to indicate the bit that the enabled value |
|
960 # is stored in if the LDAP server represents "enabled" as a |
|
961 # bit on an integer rather than a boolean. A value of "0" |
|
962 # indicates the mask is not used. If this is not set to "0" |
|
963 # the typical value is "2". This is typically used when |
|
964 # "user_enabled_attribute = userAccountControl". (integer |
|
965 # value) |
|
966 #user_enabled_mask=0 |
|
967 |
|
968 # Default value to enable users. This should match an |
|
969 # appropriate int value if the LDAP server uses non-boolean |
|
970 # (bitmask) values to indicate if a user is enabled or |
|
971 # disabled. If this is not set to "True" the typical value is |
|
972 # "512". This is typically used when "user_enabled_attribute = |
|
973 # userAccountControl". (string value) |
|
974 #user_enabled_default=True |
|
975 |
|
976 # List of attributes stripped off the user on update. (list |
|
977 # value) |
|
978 #user_attribute_ignore=default_project_id,tenants |
|
979 |
|
980 # LDAP attribute mapped to default_project_id for users. |
|
981 # (string value) |
|
982 #user_default_project_id_attribute=<None> |
|
983 |
|
984 # Allow user creation in LDAP backend. (boolean value) |
|
985 #user_allow_create=true |
|
986 |
|
987 # Allow user updates in LDAP backend. (boolean value) |
|
988 #user_allow_update=true |
|
989 |
|
990 # Allow user deletion in LDAP backend. (boolean value) |
|
991 #user_allow_delete=true |
|
992 |
|
993 # If true, Keystone uses an alternative method to determine if |
|
994 # a user is enabled or not by checking if they are a member of |
|
995 # the "user_enabled_emulation_dn" group. (boolean value) |
|
996 #user_enabled_emulation=false |
|
997 |
|
998 # DN of the group entry to hold enabled users when using |
|
999 # enabled emulation. (string value) |
|
1000 #user_enabled_emulation_dn=<None> |
|
1001 |
|
1002 # List of additional LDAP attributes used for mapping |
|
1003 # additional attribute mappings for users. Attribute mapping |
|
1004 # format is <ldap_attr>:<user_attr>, where ldap_attr is the |
|
1005 # attribute in the LDAP entry and user_attr is the Identity |
|
1006 # API attribute. (list value) |
|
1007 #user_additional_attribute_mapping= |
|
1008 |
|
1009 # Search base for projects (string value) |
|
1010 # Deprecated group/name - [ldap]/tenant_tree_dn |
|
1011 #project_tree_dn=<None> |
|
1012 |
|
1013 # LDAP search filter for projects. (string value) |
|
1014 # Deprecated group/name - [ldap]/tenant_filter |
|
1015 #project_filter=<None> |
|
1016 |
|
1017 # LDAP objectclass for projects. (string value) |
|
1018 # Deprecated group/name - [ldap]/tenant_objectclass |
|
1019 #project_objectclass=groupOfNames |
|
1020 |
|
1021 # LDAP attribute mapped to project id. (string value) |
|
1022 # Deprecated group/name - [ldap]/tenant_id_attribute |
|
1023 #project_id_attribute=cn |
|
1024 |
|
1025 # LDAP attribute mapped to project membership for user. |
|
1026 # (string value) |
|
1027 # Deprecated group/name - [ldap]/tenant_member_attribute |
|
1028 #project_member_attribute=member |
|
1029 |
|
1030 # LDAP attribute mapped to project name. (string value) |
|
1031 # Deprecated group/name - [ldap]/tenant_name_attribute |
|
1032 #project_name_attribute=ou |
|
1033 |
|
1034 # LDAP attribute mapped to project description. (string value) |
|
1035 # Deprecated group/name - [ldap]/tenant_desc_attribute |
|
1036 #project_desc_attribute=description |
|
1037 |
|
1038 # LDAP attribute mapped to project enabled. (string value) |
|
1039 # Deprecated group/name - [ldap]/tenant_enabled_attribute |
|
1040 #project_enabled_attribute=enabled |
|
1041 |
|
1042 # LDAP attribute mapped to project domain_id. (string value) |
|
1043 # Deprecated group/name - [ldap]/tenant_domain_id_attribute |
|
1044 #project_domain_id_attribute=businessCategory |
|
1045 |
|
1046 # List of attributes stripped off the project on update. (list |
|
1047 # value) |
|
1048 # Deprecated group/name - [ldap]/tenant_attribute_ignore |
|
1049 #project_attribute_ignore= |
|
1050 |
|
1051 # Allow project creation in LDAP backend. (boolean value) |
|
1052 # Deprecated group/name - [ldap]/tenant_allow_create |
|
1053 #project_allow_create=true |
|
1054 |
|
1055 # Allow project update in LDAP backend. (boolean value) |
|
1056 # Deprecated group/name - [ldap]/tenant_allow_update |
|
1057 #project_allow_update=true |
|
1058 |
|
1059 # Allow project deletion in LDAP backend. (boolean value) |
|
1060 # Deprecated group/name - [ldap]/tenant_allow_delete |
|
1061 #project_allow_delete=true |
|
1062 |
|
1063 # If true, Keystone uses an alternative method to determine if |
|
1064 # a project is enabled or not by checking if they are a member |
|
1065 # of the "project_enabled_emulation_dn" group. (boolean value) |
|
1066 # Deprecated group/name - [ldap]/tenant_enabled_emulation |
|
1067 #project_enabled_emulation=false |
|
1068 |
|
1069 # DN of the group entry to hold enabled projects when using |
|
1070 # enabled emulation. (string value) |
|
1071 # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn |
|
1072 #project_enabled_emulation_dn=<None> |
|
1073 |
|
1074 # Additional attribute mappings for projects. Attribute |
|
1075 # mapping format is <ldap_attr>:<user_attr>, where ldap_attr |
|
1076 # is the attribute in the LDAP entry and user_attr is the |
|
1077 # Identity API attribute. (list value) |
|
1078 # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping |
|
1079 #project_additional_attribute_mapping= |
|
1080 |
|
1081 # Search base for roles. (string value) |
|
1082 #role_tree_dn=<None> |
|
1083 |
|
1084 # LDAP search filter for roles. (string value) |
|
1085 #role_filter=<None> |
|
1086 |
|
1087 # LDAP objectclass for roles. (string value) |
|
1088 #role_objectclass=organizationalRole |
|
1089 |
|
1090 # LDAP attribute mapped to role id. (string value) |
|
1091 #role_id_attribute=cn |
|
1092 |
|
1093 # LDAP attribute mapped to role name. (string value) |
|
1094 #role_name_attribute=ou |
|
1095 |
|
1096 # LDAP attribute mapped to role membership. (string value) |
|
1097 #role_member_attribute=roleOccupant |
|
1098 |
|
1099 # List of attributes stripped off the role on update. (list |
|
1100 # value) |
|
1101 #role_attribute_ignore= |
|
1102 |
|
1103 # Allow role creation in LDAP backend. (boolean value) |
|
1104 #role_allow_create=true |
|
1105 |
|
1106 # Allow role update in LDAP backend. (boolean value) |
|
1107 #role_allow_update=true |
|
1108 |
|
1109 # Allow role deletion in LDAP backend. (boolean value) |
|
1110 #role_allow_delete=true |
|
1111 |
|
1112 # Additional attribute mappings for roles. Attribute mapping |
|
1113 # format is <ldap_attr>:<user_attr>, where ldap_attr is the |
|
1114 # attribute in the LDAP entry and user_attr is the Identity |
|
1115 # API attribute. (list value) |
|
1116 #role_additional_attribute_mapping= |
|
1117 |
|
1118 # Search base for groups. (string value) |
|
1119 #group_tree_dn=<None> |
|
1120 |
|
1121 # LDAP search filter for groups. (string value) |
|
1122 #group_filter=<None> |
|
1123 |
|
1124 # LDAP objectclass for groups. (string value) |
|
1125 #group_objectclass=groupOfNames |
|
1126 |
|
1127 # LDAP attribute mapped to group id. (string value) |
|
1128 #group_id_attribute=cn |
|
1129 |
|
1130 # LDAP attribute mapped to group name. (string value) |
|
1131 #group_name_attribute=ou |
|
1132 |
|
1133 # LDAP attribute mapped to show group membership. (string |
|
1134 # value) |
|
1135 #group_member_attribute=member |
|
1136 |
|
1137 # LDAP attribute mapped to group description. (string value) |
|
1138 #group_desc_attribute=description |
|
1139 |
|
1140 # List of attributes stripped off the group on update. (list |
|
1141 # value) |
|
1142 #group_attribute_ignore= |
|
1143 |
|
1144 # Allow group creation in LDAP backend. (boolean value) |
|
1145 #group_allow_create=true |
|
1146 |
|
1147 # Allow group update in LDAP backend. (boolean value) |
|
1148 #group_allow_update=true |
|
1149 |
|
1150 # Allow group deletion in LDAP backend. (boolean value) |
|
1151 #group_allow_delete=true |
|
1152 |
|
1153 # Additional attribute mappings for groups. Attribute mapping |
|
1154 # format is <ldap_attr>:<user_attr>, where ldap_attr is the |
|
1155 # attribute in the LDAP entry and user_attr is the Identity |
|
1156 # API attribute. (list value) |
|
1157 #group_additional_attribute_mapping= |
|
1158 |
|
1159 # CA certificate file path for communicating with LDAP |
|
1160 # servers. (string value) |
|
1161 #tls_cacertfile=<None> |
|
1162 |
|
1163 # CA certificate directory path for communicating with LDAP |
|
1164 # servers. (string value) |
|
1165 #tls_cacertdir=<None> |
|
1166 |
|
1167 # Enable TLS for communicating with LDAP servers. (boolean |
|
1168 # value) |
|
1169 #use_tls=false |
|
1170 |
|
1171 # Valid options for tls_req_cert are demand, never, and allow. |
|
1172 # (string value) |
|
1173 #tls_req_cert=demand |
|
1174 |
|
1175 # Enable LDAP connection pooling. (boolean value) |
|
1176 #use_pool=false |
|
1177 |
|
1178 # Connection pool size. (integer value) |
|
1179 #pool_size=10 |
|
1180 |
|
1181 # Maximum count of reconnect trials. (integer value) |
|
1182 #pool_retry_max=3 |
|
1183 |
|
1184 # Time span in seconds to wait between two reconnect trials. |
|
1185 # (floating point value) |
|
1186 #pool_retry_delay=0.1 |
|
1187 |
|
1188 # Connector timeout in seconds. Value -1 indicates indefinite |
|
1189 # wait for response. (integer value) |
|
1190 #pool_connection_timeout=-1 |
|
1191 |
|
1192 # Connection lifetime in seconds. (integer value) |
|
1193 #pool_connection_lifetime=600 |
|
1194 |
|
1195 # Enable LDAP connection pooling for end user authentication. |
|
1196 # If use_pool is disabled, then this setting is meaningless |
|
1197 # and is not used at all. (boolean value) |
|
1198 #use_auth_pool=false |
|
1199 |
|
1200 # End user auth connection pool size. (integer value) |
|
1201 #auth_pool_size=100 |
|
1202 |
|
1203 # End user auth connection lifetime in seconds. (integer |
|
1204 # value) |
|
1205 #auth_pool_connection_lifetime=60 |
|
1206 |
|
1207 |
|
1208 [matchmaker_redis] |
|
1209 |
|
1210 # |
|
1211 # Options defined in oslo.messaging |
|
1212 # |
|
1213 |
|
1214 # Host to locate redis. (string value) |
|
1215 #host=127.0.0.1 |
|
1216 |
|
1217 # Use this port to connect to redis host. (integer value) |
|
1218 #port=6379 |
|
1219 |
|
1220 # Password for Redis server (optional). (string value) |
|
1221 #password=<None> |
|
1222 |
|
1223 |
|
1224 [matchmaker_ring] |
|
1225 |
|
1226 # |
|
1227 # Options defined in oslo.messaging |
|
1228 # |
|
1229 |
|
1230 # Matchmaker ring file (JSON). (string value) |
|
1231 # Deprecated group/name - [DEFAULT]/matchmaker_ringfile |
|
1232 #ringfile=/etc/oslo/matchmaker_ring.json |
|
1233 |
|
1234 |
|
1235 [memcache] |
|
1236 |
|
1237 # |
|
1238 # Options defined in keystone |
|
1239 # |
|
1240 |
|
1241 # Memcache servers in the format of "host:port". (list value) |
|
1242 #servers=localhost:11211 |
|
1243 |
|
1244 # Number of seconds memcached server is considered dead before |
|
1245 # it is tried again. This is used by the key value store |
|
1246 # system (e.g. token pooled memcached persistence backend). |
|
1247 # (integer value) |
|
1248 #dead_retry=300 |
|
1249 |
|
1250 # Timeout in seconds for every call to a server. This is used |
|
1251 # by the key value store system (e.g. token pooled memcached |
|
1252 # persistence backend). (integer value) |
|
1253 #socket_timeout=3 |
|
1254 |
|
1255 # Max total number of open connections to every memcached |
|
1256 # server. This is used by the key value store system (e.g. |
|
1257 # token pooled memcached persistence backend). (integer value) |
|
1258 #pool_maxsize=10 |
|
1259 |
|
1260 # Number of seconds a connection to memcached is held unused |
|
1261 # in the pool before it is closed. This is used by the key |
|
1262 # value store system (e.g. token pooled memcached persistence |
|
1263 # backend). (integer value) |
|
1264 #pool_unused_timeout=60 |
|
1265 |
|
1266 # Number of seconds that an operation will wait to get a |
|
1267 # memcache client connection. This is used by the key value |
|
1268 # store system (e.g. token pooled memcached persistence |
|
1269 # backend). (integer value) |
|
1270 #pool_connection_get_timeout=10 |
|
1271 |
|
1272 |
|
1273 [oauth1] |
|
1274 |
|
1275 # |
|
1276 # Options defined in keystone |
|
1277 # |
|
1278 |
|
1279 # Credential backend driver. (string value) |
|
1280 #driver=keystone.contrib.oauth1.backends.sql.OAuth1 |
|
1281 |
|
1282 # Duration (in seconds) for the OAuth Request Token. (integer |
|
1283 # value) |
|
1284 #request_token_duration=28800 |
|
1285 |
|
1286 # Duration (in seconds) for the OAuth Access Token. (integer |
|
1287 # value) |
|
1288 #access_token_duration=86400 |
|
1289 |
|
1290 |
|
1291 [os_inherit] |
|
1292 |
|
1293 # |
|
1294 # Options defined in keystone |
|
1295 # |
|
1296 |
|
1297 # role-assignment inheritance to projects from owning domain |
|
1298 # can be optionally enabled. (boolean value) |
|
1299 #enabled=false |
|
1300 |
|
1301 |
|
1302 [paste_deploy] |
|
1303 |
|
1304 # |
|
1305 # Options defined in keystone |
|
1306 # |
|
1307 |
|
1308 # Name of the paste configuration file that defines the |
|
1309 # available pipelines. (string value) |
|
1310 #config_file=keystone-paste.ini |
|
1311 |
|
1312 |
|
1313 [policy] |
|
1314 |
|
1315 # |
|
1316 # Options defined in keystone |
|
1317 # |
|
1318 |
|
1319 # Policy backend driver. (string value) |
|
1320 #driver=keystone.policy.backends.sql.Policy |
|
1321 |
|
1322 # Maximum number of entities that will be returned in a policy |
|
1323 # collection. (integer value) |
|
1324 #list_limit=<None> |
|
1325 |
|
1326 |
|
1327 [revoke] |
|
1328 |
|
1329 # |
|
1330 # Options defined in keystone |
|
1331 # |
|
1332 |
|
1333 # An implementation of the backend for persisting revocation |
|
1334 # events. (string value) |
|
1335 #driver=keystone.contrib.revoke.backends.sql.Revoke |
|
1336 |
|
1337 # This value (calculated in seconds) is added to token |
|
1338 # expiration before a revocation event may be removed from the |
|
1339 # backend. (integer value) |
|
1340 #expiration_buffer=1800 |
|
1341 |
|
1342 # Toggle for revocation event caching. This has no effect |
|
1343 # unless global caching is enabled. (boolean value) |
|
1344 #caching=true |
|
1345 |
|
1346 |
|
1347 [saml] |
|
1348 |
|
1349 # |
|
1350 # Options defined in keystone |
|
1351 # |
|
1352 |
|
1353 # Default TTL, in seconds, for any generated SAML assertion |
|
1354 # created by Keystone. (integer value) |
|
1355 #assertion_expiration_time=3600 |
|
1356 |
|
1357 # Binary to be called for XML signing. Install the appropriate |
|
1358 # package, specify absolute path or adjust your PATH |
|
1359 # environment variable if the binary cannot be found. (string |
|
1360 # value) |
|
1361 #xmlsec1_binary=xmlsec1 |
|
1362 |
|
1363 # Path of the certfile for SAML signing. For non-production |
|
1364 # environments, you may be interested in using `keystone- |
|
1365 # manage pki_setup` to generate self-signed certificates. |
|
1366 # Note, the path cannot contain a comma. (string value) |
|
1367 #certfile=/etc/keystone/ssl/certs/signing_cert.pem |
|
1368 |
|
1369 # Path of the keyfile for SAML signing. Note, the path cannot |
|
1370 # contain a comma. (string value) |
|
1371 #keyfile=/etc/keystone/ssl/private/signing_key.pem |
|
1372 |
|
1373 # Entity ID value for unique Identity Provider identification. |
|
1374 # Usually FQDN is set with a suffix. A value is required to |
|
1375 # generate IDP Metadata. For example: |
|
1376 # https://keystone.example.com/v3/OS-FEDERATION/saml2/idp |
|
1377 # (string value) |
|
1378 #idp_entity_id=<None> |
|
1379 |
|
1380 # Identity Provider Single-Sign-On service value, required in |
|
1381 # the Identity Provider's metadata. A value is required to |
|
1382 # generate IDP Metadata. For example: |
|
1383 # https://keystone.example.com/v3/OS-FEDERATION/saml2/sso |
|
1384 # (string value) |
|
1385 #idp_sso_endpoint=<None> |
|
1386 |
|
1387 # Language used by the organization. (string value) |
|
1388 #idp_lang=en |
|
1389 |
|
1390 # Organization name the installation belongs to. (string |
|
1391 # value) |
|
1392 #idp_organization_name=<None> |
|
1393 |
|
1394 # Organization name to be displayed. (string value) |
|
1395 #idp_organization_display_name=<None> |
|
1396 |
|
1397 # URL of the organization. (string value) |
|
1398 #idp_organization_url=<None> |
|
1399 |
|
1400 # Company of contact person. (string value) |
|
1401 #idp_contact_company=<None> |
|
1402 |
|
1403 # Given name of contact person (string value) |
|
1404 #idp_contact_name=<None> |
|
1405 |
|
1406 # Surname of contact person. (string value) |
|
1407 #idp_contact_surname=<None> |
|
1408 |
|
1409 # Email address of contact person. (string value) |
|
1410 #idp_contact_email=<None> |
|
1411 |
|
1412 # Telephone number of contact person. (string value) |
|
1413 #idp_contact_telephone=<None> |
|
1414 |
|
1415 # Contact type. Allowed values are: technical, support, |
|
1416 # administrative billing, and other (string value) |
|
1417 #idp_contact_type=other |
|
1418 |
|
1419 # Path to the Identity Provider Metadata file. This file |
|
1420 # should be generated with the keystone-manage |
|
1421 # saml_idp_metadata command. (string value) |
|
1422 #idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml |
|
1423 |
|
1424 |
|
1425 [signing] |
|
1426 |
|
1427 # |
|
1428 # Options defined in keystone |
|
1429 # |
|
1430 |
|
1431 # Deprecated in favor of provider in the [token] section. |
|
1432 # (string value) |
|
1433 #token_format=<None> |
|
1434 |
|
1435 # Path of the certfile for token signing. For non-production |
|
1436 # environments, you may be interested in using `keystone- |
|
1437 # manage pki_setup` to generate self-signed certificates. |
|
1438 # (string value) |
|
1439 #certfile=/etc/keystone/ssl/certs/signing_cert.pem |
|
1440 |
|
1441 # Path of the keyfile for token signing. (string value) |
|
1442 #keyfile=/etc/keystone/ssl/private/signing_key.pem |
|
1443 |
|
1444 # Path of the CA for token signing. (string value) |
|
1445 #ca_certs=/etc/keystone/ssl/certs/ca.pem |
|
1446 |
|
1447 # Path of the CA key for token signing. (string value) |
|
1448 #ca_key=/etc/keystone/ssl/private/cakey.pem |
|
1449 |
|
1450 # Key size (in bits) for token signing cert (auto generated |
|
1451 # certificate). (integer value) |
|
1452 #key_size=2048 |
|
1453 |
|
1454 # Days the token signing cert is valid for (auto generated |
|
1455 # certificate). (integer value) |
|
1456 #valid_days=3650 |
|
1457 |
|
1458 # Certificate subject (auto generated certificate) for token |
|
1459 # signing. (string value) |
|
1460 #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com |
|
1461 |
|
1462 |
|
1463 [ssl] |
|
1464 |
|
1465 # |
|
1466 # Options defined in keystone |
|
1467 # |
|
1468 |
|
1469 # Toggle for SSL support on the Keystone eventlet servers. |
|
1470 # (boolean value) |
|
1471 #enable=false |
|
1472 |
|
1473 # Path of the certfile for SSL. For non-production |
|
1474 # environments, you may be interested in using `keystone- |
|
1475 # manage ssl_setup` to generate self-signed certificates. |
|
1476 # (string value) |
|
1477 #certfile=/etc/keystone/ssl/certs/keystone.pem |
|
1478 |
|
1479 # Path of the keyfile for SSL. (string value) |
|
1480 #keyfile=/etc/keystone/ssl/private/keystonekey.pem |
|
1481 |
|
1482 # Path of the ca cert file for SSL. (string value) |
|
1483 #ca_certs=/etc/keystone/ssl/certs/ca.pem |
|
1484 |
|
1485 # Path of the CA key file for SSL. (string value) |
|
1486 #ca_key=/etc/keystone/ssl/private/cakey.pem |
|
1487 |
|
1488 # Require client certificate. (boolean value) |
|
1489 #cert_required=false |
|
1490 |
|
1491 # SSL key length (in bits) (auto generated certificate). |
|
1492 # (integer value) |
|
1493 #key_size=1024 |
|
1494 |
|
1495 # Days the certificate is valid for once signed (auto |
|
1496 # generated certificate). (integer value) |
|
1497 #valid_days=3650 |
|
1498 |
|
1499 # SSL certificate subject (auto generated certificate). |
|
1500 # (string value) |
|
1501 #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost |
|
1502 |
|
1503 |
|
1504 [stats] |
|
1505 |
|
1506 # |
|
1507 # Options defined in keystone |
|
1508 # |
|
1509 |
|
1510 # Stats backend driver. (string value) |
|
1511 #driver=keystone.contrib.stats.backends.kvs.Stats |
|
1512 |
|
1513 |
|
1514 [token] |
|
1515 |
|
1516 # |
|
1517 # Options defined in keystone |
|
1518 # |
|
1519 |
|
1520 # External auth mechanisms that should add bind information to |
|
1521 # token, e.g., kerberos,x509. (list value) |
|
1522 #bind= |
|
1523 |
|
1524 # Enforcement policy on tokens presented to Keystone with bind |
|
1525 # information. One of disabled, permissive, strict, required |
|
1526 # or a specifically required bind mode, e.g., kerberos or x509 |
|
1527 # to require binding to that authentication. (string value) |
|
1528 #enforce_token_bind=permissive |
|
1529 |
|
1530 # Amount of time a token should remain valid (in seconds). |
|
1531 # (integer value) |
|
1532 #expiration=3600 |
|
1533 |
|
1534 # Controls the token construction, validation, and revocation |
|
1535 # operations. Core providers are |
|
1536 # "keystone.token.providers.[pkiz|pki|uuid].Provider". The |
|
1537 # default provider is uuid. (string value) |
|
1538 #provider=<None> |
|
1539 |
|
1540 # Token persistence backend driver. (string value) |
|
1541 #driver=keystone.token.persistence.backends.sql.Token |
|
1542 |
|
1543 # Toggle for token system caching. This has no effect unless |
|
1544 # global caching is enabled. (boolean value) |
|
1545 #caching=true |
|
1546 |
|
1547 # Time to cache the revocation list and the revocation events |
|
1548 # if revoke extension is enabled (in seconds). This has no |
|
1549 # effect unless global and token caching are enabled. (integer |
|
1550 # value) |
|
1551 #revocation_cache_time=3600 |
|
1552 |
|
1553 # Time to cache tokens (in seconds). This has no effect unless |
|
1554 # global and token caching are enabled. (integer value) |
|
1555 #cache_time=<None> |
|
1556 |
|
1557 # Revoke token by token identifier. Setting revoke_by_id to |
|
1558 # true enables various forms of enumerating tokens, e.g. `list |
|
1559 # tokens for user`. These enumerations are processed to |
|
1560 # determine the list of tokens to revoke. Only disable if you |
|
1561 # are switching to using the Revoke extension with a backend |
|
1562 # other than KVS, which stores events in memory. (boolean |
|
1563 # value) |
|
1564 #revoke_by_id=true |
|
1565 |
|
1566 # The hash algorithm to use for PKI tokens. This can be set to |
|
1567 # any algorithm that hashlib supports. WARNING: Before |
|
1568 # changing this value, the auth_token middleware must be |
|
1569 # configured with the hash_algorithms, otherwise token |
|
1570 # revocation will not be processed correctly. (string value) |
|
1571 #hash_algorithm=md5 |
|
1572 |
172 |
1573 |
173 [trust] |
1574 [trust] |
174 # driver = keystone.trust.backends.sql.Trust |
1575 |
175 |
1576 # |
176 # delegation and impersonation features can be optionally disabled |
1577 # Options defined in keystone |
177 # enabled = True |
1578 # |
178 |
1579 |
179 [os_inherit] |
1580 # Delegation and impersonation features can be optionally |
180 # role-assignment inheritance to projects from owning domain can be |
1581 # disabled. (boolean value) |
181 # optionally enabled |
1582 #enabled=true |
182 # enabled = False |
1583 |
183 |
1584 # Trust backend driver. (string value) |
184 [catalog] |
1585 #driver=keystone.trust.backends.sql.Trust |
185 # dynamic, sql-based backend (supports API/CLI-based management commands) |
1586 |
186 # driver = keystone.catalog.backends.sql.Catalog |
1587 |
187 |
|
188 # static, file-based backend (does *NOT* support any management commands) |
|
189 # driver = keystone.catalog.backends.templated.TemplatedCatalog |
|
190 |
|
191 # template_file = default_catalog.templates |
|
192 |
|
193 [endpoint_filter] |
|
194 # extension for creating associations between project and endpoints in order to |
|
195 # provide a tailored catalog for project-scoped token requests. |
|
196 # driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter |
|
197 # return_all_endpoints_if_no_filter = True |
|
198 |
|
199 [token] |
|
200 # Provides token persistence. |
|
201 # driver = keystone.token.backends.sql.Token |
|
202 |
|
203 # Controls the token construction, validation, and revocation operations. |
|
204 # Core providers are keystone.token.providers.[pki|uuid].Provider |
|
205 # provider = |
|
206 |
|
207 # Amount of time a token should remain valid (in seconds) |
|
208 # expiration = 86400 |
|
209 |
|
210 # External auth mechanisms that should add bind information to token. |
|
211 # eg kerberos, x509 |
|
212 # bind = |
|
213 |
|
214 # Enforcement policy on tokens presented to keystone with bind information. |
|
215 # One of disabled, permissive, strict, required or a specifically required bind |
|
216 # mode e.g. kerberos or x509 to require binding to that authentication. |
|
217 # enforce_token_bind = permissive |
|
218 |
|
219 # Token specific caching toggle. This has no effect unless the global caching |
|
220 # option is set to True |
|
221 # caching = True |
|
222 |
|
223 # Token specific cache time-to-live (TTL) in seconds. |
|
224 # cache_time = |
|
225 |
|
226 # Revocation-List specific cache time-to-live (TTL) in seconds. |
|
227 # revocation_cache_time = 3600 |
|
228 |
|
229 [cache] |
|
230 # Global cache functionality toggle. |
|
231 # enabled = False |
|
232 |
|
233 # Prefix for building the configuration dictionary for the cache region. This |
|
234 # should not need to be changed unless there is another dogpile.cache region |
|
235 # with the same configuration name |
|
236 # config_prefix = cache.keystone |
|
237 |
|
238 # Default TTL, in seconds, for any cached item in the dogpile.cache region. |
|
239 # This applies to any cached method that doesn't have an explicit cache |
|
240 # expiration time defined for it. |
|
241 # expiration_time = 600 |
|
242 |
|
243 # Dogpile.cache backend module. It is recommended that Memcache |
|
244 # (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production |
|
245 # deployments. Small workloads (single process) like devstack can use the |
|
246 # dogpile.cache.memory backend. |
|
247 # backend = keystone.common.cache.noop |
|
248 |
|
249 # Arguments supplied to the backend module. Specify this option once per |
|
250 # argument to be passed to the dogpile.cache backend. |
|
251 # Example format: <argname>:<value> |
|
252 # backend_argument = |
|
253 |
|
254 # Proxy Classes to import that will affect the way the dogpile.cache backend |
|
255 # functions. See the dogpile.cache documentation on changing-backend-behavior. |
|
256 # Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2 |
|
257 # proxies = |
|
258 |
|
259 # Use a key-mangling function (sha1) to ensure fixed length cache-keys. This |
|
260 # is toggle-able for debugging purposes, it is highly recommended to always |
|
261 # leave this set to True. |
|
262 # use_key_mangler = True |
|
263 |
|
264 # Extra debugging from the cache backend (cache keys, get/set/delete/etc calls) |
|
265 # This is only really useful if you need to see the specific cache-backend |
|
266 # get/set/delete calls with the keys/values. Typically this should be left |
|
267 # set to False. |
|
268 # debug_cache_backend = False |
|
269 |
|
270 [policy] |
|
271 # driver = keystone.policy.backends.sql.Policy |
|
272 |
|
273 [ec2] |
|
274 # driver = keystone.contrib.ec2.backends.kvs.Ec2 |
|
275 |
|
276 [assignment] |
|
277 # driver = |
|
278 |
|
279 # Assignment specific caching toggle. This has no effect unless the global |
|
280 # caching option is set to True |
|
281 # caching = True |
|
282 |
|
283 # Assignment specific cache time-to-live (TTL) in seconds. |
|
284 # cache_time = |
|
285 |
|
286 [oauth1] |
|
287 # driver = keystone.contrib.oauth1.backends.sql.OAuth1 |
|
288 |
|
289 # The Identity service may include expire attributes. |
|
290 # If no such attribute is included, then the token lasts indefinitely. |
|
291 # Specify how quickly the request token will expire (in seconds) |
|
292 # request_token_duration = 28800 |
|
293 # Specify how quickly the access token will expire (in seconds) |
|
294 # access_token_duration = 86400 |
|
295 |
|
296 [ssl] |
|
297 #enable = True |
|
298 #certfile = /etc/keystone/pki/certs/ssl_cert.pem |
|
299 #keyfile = /etc/keystone/pki/private/ssl_key.pem |
|
300 #ca_certs = /etc/keystone/pki/certs/cacert.pem |
|
301 #ca_key = /etc/keystone/pki/private/cakey.pem |
|
302 #key_size = 1024 |
|
303 #valid_days = 3650 |
|
304 #cert_required = False |
|
305 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost |
|
306 |
|
307 [signing] |
|
308 # Deprecated in favor of provider in the [token] section |
|
309 # Allowed values are PKI or UUID |
|
310 #token_format = |
|
311 |
|
312 #certfile = /etc/keystone/pki/certs/signing_cert.pem |
|
313 #keyfile = /etc/keystone/pki/private/signing_key.pem |
|
314 #ca_certs = /etc/keystone/pki/certs/cacert.pem |
|
315 #ca_key = /etc/keystone/pki/private/cakey.pem |
|
316 #key_size = 2048 |
|
317 #valid_days = 3650 |
|
318 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com |
|
319 |
|
320 [ldap] |
|
321 # url = ldap://localhost |
|
322 # user = dc=Manager,dc=example,dc=com |
|
323 # password = None |
|
324 # suffix = cn=example,cn=com |
|
325 # use_dumb_member = False |
|
326 # allow_subtree_delete = False |
|
327 # dumb_member = cn=dumb,dc=example,dc=com |
|
328 |
|
329 # Maximum results per page; a value of zero ('0') disables paging (default) |
|
330 # page_size = 0 |
|
331 |
|
332 # The LDAP dereferencing option for queries. This can be either 'never', |
|
333 # 'searching', 'always', 'finding' or 'default'. The 'default' option falls |
|
334 # back to using default dereferencing configured by your ldap.conf. |
|
335 # alias_dereferencing = default |
|
336 |
|
337 # The LDAP scope for queries, this can be either 'one' |
|
338 # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree) |
|
339 # query_scope = one |
|
340 |
|
341 # user_tree_dn = ou=Users,dc=example,dc=com |
|
342 # user_filter = |
|
343 # user_objectclass = inetOrgPerson |
|
344 # user_id_attribute = cn |
|
345 # user_name_attribute = sn |
|
346 # user_mail_attribute = email |
|
347 # user_pass_attribute = userPassword |
|
348 # user_enabled_attribute = enabled |
|
349 # user_enabled_mask = 0 |
|
350 # user_enabled_default = True |
|
351 # user_attribute_ignore = default_project_id,tenants |
|
352 # user_default_project_id_attribute = |
|
353 # user_allow_create = True |
|
354 # user_allow_update = True |
|
355 # user_allow_delete = True |
|
356 # user_enabled_emulation = False |
|
357 # user_enabled_emulation_dn = |
|
358 |
|
359 # tenant_tree_dn = ou=Projects,dc=example,dc=com |
|
360 # tenant_filter = |
|
361 # tenant_objectclass = groupOfNames |
|
362 # tenant_domain_id_attribute = businessCategory |
|
363 # tenant_id_attribute = cn |
|
364 # tenant_member_attribute = member |
|
365 # tenant_name_attribute = ou |
|
366 # tenant_desc_attribute = desc |
|
367 # tenant_enabled_attribute = enabled |
|
368 # tenant_attribute_ignore = |
|
369 # tenant_allow_create = True |
|
370 # tenant_allow_update = True |
|
371 # tenant_allow_delete = True |
|
372 # tenant_enabled_emulation = False |
|
373 # tenant_enabled_emulation_dn = |
|
374 |
|
375 # role_tree_dn = ou=Roles,dc=example,dc=com |
|
376 # role_filter = |
|
377 # role_objectclass = organizationalRole |
|
378 # role_id_attribute = cn |
|
379 # role_name_attribute = ou |
|
380 # role_member_attribute = roleOccupant |
|
381 # role_attribute_ignore = |
|
382 # role_allow_create = True |
|
383 # role_allow_update = True |
|
384 # role_allow_delete = True |
|
385 |
|
386 # group_tree_dn = |
|
387 # group_filter = |
|
388 # group_objectclass = groupOfNames |
|
389 # group_id_attribute = cn |
|
390 # group_name_attribute = ou |
|
391 # group_member_attribute = member |
|
392 # group_desc_attribute = desc |
|
393 # group_attribute_ignore = |
|
394 # group_allow_create = True |
|
395 # group_allow_update = True |
|
396 # group_allow_delete = True |
|
397 |
|
398 # ldap TLS options |
|
399 # if both tls_cacertfile and tls_cacertdir are set then |
|
400 # tls_cacertfile will be used and tls_cacertdir is ignored |
|
401 # valid options for tls_req_cert are demand, never, and allow |
|
402 # use_tls = False |
|
403 # tls_cacertfile = |
|
404 # tls_cacertdir = |
|
405 # tls_req_cert = demand |
|
406 |
|
407 # Additional attribute mappings can be used to map ldap attributes to internal |
|
408 # keystone attributes. This allows keystone to fulfill ldap objectclass |
|
409 # requirements. An example to map the description and gecos attributes to a |
|
410 # user's name would be: |
|
411 # user_additional_attribute_mapping = description:name, gecos:name |
|
412 # |
|
413 # domain_additional_attribute_mapping = |
|
414 # group_additional_attribute_mapping = |
|
415 # role_additional_attribute_mapping = |
|
416 # project_additional_attribute_mapping = |
|
417 # user_additional_attribute_mapping = |
|
418 |
|
419 [auth] |
|
420 methods = external,password,token,oauth1 |
|
421 #external = keystone.auth.plugins.external.ExternalDefault |
|
422 password = keystone.auth.plugins.password.Password |
|
423 token = keystone.auth.plugins.token.Token |
|
424 oauth1 = keystone.auth.plugins.oauth1.OAuth |
|
425 |
|
426 [paste_deploy] |
|
427 # Name of the paste configuration file that defines the available pipelines |
|
428 config_file = keystone-paste.ini |
|