components/openstack/keystone/files/keystone.conf
branch s11-update
changeset 3178 77584387a894
parent 3028 5e73a3a3f66a
child 3998 5bd484384122
--- a/components/openstack/keystone/files/keystone.conf	Wed Jun 11 05:34:04 2014 -0700
+++ b/components/openstack/keystone/files/keystone.conf	Fri Jun 13 09:10:23 2014 -0700
@@ -13,8 +13,8 @@
 
 # The base endpoint URLs for keystone that are advertised to clients
 # (NOTE: this does NOT affect how keystone listens for connections)
-# public_endpoint = http://localhost:%(public_port)d/
-# admin_endpoint = http://localhost:%(admin_port)d/
+# public_endpoint = http://localhost:%(public_port)s/
+# admin_endpoint = http://localhost:%(admin_port)s/
 
 # The port number which the OpenStack Compute service listens on
 # compute_port = 8774
@@ -34,6 +34,15 @@
 # member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
 # member_role_name = _member_
 
+# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
+# max_request_body_size = 114688
+
+# limit the sizes of user & tenant ID/names
+# max_param_size = 64
+
+# similar to max_param_size, but provides an exception for token values
+# max_token_size = 8192
+
 # === Logging Options ===
 # Print debugging output
 # (includes plaintext request logging, potentially including passwords)
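Review bot: The new `max_request_body_size` comment calls the limit "enforced by optional sizelimit middleware", but nothing here says that the limit has no effect unless the `sizelimit` filter is actually present in the paste pipeline, and this changeset moves the pipeline definitions out of this file into keystone-paste.ini, so a deployer reading only keystone.conf cannot tell whether the body limit is active. I would extend the comment on the line above `# max_request_body_size = 114688` with `# (only effective when the sizelimit filter is included in the pipelines in keystone-paste.ini)`. The same caveat applies to `max_param_size` and `max_token_size` only if they are checked by that filter, which this hunk does not show, so I would not claim it for them.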
@@ -73,9 +82,65 @@
 # or a module with notify() method:
 # onready = keystone.common.systemd
 
+# === Notification Options ===
+
+# Notifications can be sent when users or projects are created, updated or
+# deleted. There are three methods of sending notifications: logging (via the
+# log_file directive), rpc (via a message queue) and no_op (no notifications
+# sent, the default)
+
+# notification_driver can be defined multiple times
+# Do nothing driver (the default)
+# notification_driver = keystone.openstack.common.notifier.no_op_notifier
+# Logging driver example (not enabled by default)
+# notification_driver = keystone.openstack.common.notifier.log_notifier
+# RPC driver example (not enabled by default)
+# notification_driver = keystone.openstack.common.notifier.rpc_notifier
+
+# Default notification level for outgoing notifications
+# default_notification_level = INFO
+
+# Default publisher_id for outgoing notifications; included in the payload.
+# default_publisher_id =
+
+# AMQP topics to publish to when using the RPC notification driver.
+# Multiple values can be specified by separating with commas.
+# The actual topic names will be %s.%(default_notification_level)s
+# notification_topics = notifications
+
+# === RPC Options ===
+
+# For Keystone, these options apply only when the RPC notification driver is
+# used.
+
+# The messaging module to use, defaults to kombu.
+# rpc_backend = keystone.openstack.common.rpc.impl_kombu
+
+# Size of RPC thread pool
+# rpc_thread_pool_size = 64
+
+# Size of RPC connection pool
+# rpc_conn_pool_size = 30
+
+# Seconds to wait for a response from call or multicall
+# rpc_response_timeout = 60
+
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+# rpc_cast_timeout = 30
+
+# Modules of exceptions that are permitted to be recreated upon receiving
+# exception data from an rpc call.
+# allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions
+
+# If True, use a fake RabbitMQ provider
+# fake_rabbit = False
+
+# AMQP exchange to connect to if using RabbitMQ or Qpid
+# control_exchange = openstack
+
 [sql]
 # The SQLAlchemy connection string used to connect to the database
-# connection = sqlite:////var/lib/keystone/keystone.sqlite
+connection = sqlite:////var/lib/keystone/keystone.sqlite
 
 # the timeout before idle sql connections are reaped
 # idle_timeout = 200
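Review bot: `connection = sqlite:////var/lib/keystone/keystone.sqlite` is now an active setting rather than a commented example, with no note on what that implies for the store that holds user password hashes, tokens and credentials. SQLite in a single file is adequate for evaluation, but when the URL is changed to a network database it will carry the database password in clear text in this file, so the file's permissions become the control. I would add above it `# NOTE: the connection URL may contain a database password; keep this file readable only by the keystone service user.` and `# SQLite is intended for single-node evaluation only.`. The comment on `allowed_rpc_exception_modules` could also say why the list exists, presumably to bound which exception classes may be reconstructed from data received over the message bus, but that is inferred rather than shown here, so I would word it as a hedge.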
@@ -90,6 +155,20 @@
 # There is nothing special about this domain, other than the fact that it must
 # exist to order to maintain support for your v2 clients.
 # default_domain_id = default
+#
+# A subset (or all) of domains can have their own identity driver, each with
+# their own partial configuration file in a domain configuration directory.
+# Only values specific to the domain need to be placed in the domain specific
+# configuration file. This feature is disabled by default; set
+# domain_specific_drivers_enabled to True to enable.
+# domain_specific_drivers_enabled = False
+# domain_config_dir = /etc/keystone/domains
+
+# Maximum supported length for user passwords; decrease to improve performance.
+# max_password_length = 4096
+
+[credential]
+# driver = keystone.credential.backends.sql.Credential
 
 [trust]
 # driver = keystone.trust.backends.sql.Trust
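Review bot: The comment on `max_password_length = 4096` presents the limit purely as a performance knob ("decrease to improve performance"), which invites operators to raise it without understanding that it also caps the work done hashing whatever length of password a client submits. I would reword it as `# Maximum supported length for user passwords. Also bounds the hashing cost of attacker-supplied passwords; do not raise without reason, decrease to improve performance.`. The `domain_config_dir` comment could likewise note that per-domain files may hold backend bind credentials and need the same file permissions as this file, though whether they do depends on the driver configured there.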
@@ -97,6 +176,11 @@
 # delegation and impersonation features can be optionally disabled
 # enabled = True
 
+[os_inherit]
+# role-assignment inheritance to projects from owning domain can be
+# optionally enabled
+# enabled = False
+
 [catalog]
 # dynamic, sql-based backend (supports API/CLI-based management commands)
 # driver = keystone.catalog.backends.sql.Catalog
@@ -106,33 +190,132 @@
 
 # template_file = default_catalog.templates
 
+[endpoint_filter]
+# extension for creating associations between project and endpoints in order to
+# provide a tailored catalog for project-scoped token requests.
+# driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+# return_all_endpoints_if_no_filter = True
+
 [token]
-# driver = keystone.token.backends.kvs.Token
+# Provides token persistence.
+# driver = keystone.token.backends.sql.Token
+
+# Controls the token construction, validation, and revocation operations.
+# Core providers are keystone.token.providers.[pki|uuid].Provider
+# provider =
 
 # Amount of time a token should remain valid (in seconds)
 # expiration = 86400
 
+# External auth mechanisms that should add bind information to token.
+# eg kerberos, x509
+# bind =
+
+# Enforcement policy on tokens presented to keystone with bind information.
+# One of disabled, permissive, strict, required or a specifically required bind
+# mode e.g. kerberos or x509 to require binding to that authentication.
+# enforce_token_bind = permissive
+
+# Token specific caching toggle. This has no effect unless the global caching
+# option is set to True
+# caching = True
+
+# Token specific cache time-to-live (TTL) in seconds.
+# cache_time =
+
+# Revocation-List specific cache time-to-live (TTL) in seconds.
+# revocation_cache_time = 3600
+
+[cache]
+# Global cache functionality toggle.
+# enabled = False
+
+# Prefix for building the configuration dictionary for the cache region. This
+# should not need to be changed unless there is another dogpile.cache region
+# with the same configuration name
+# config_prefix = cache.keystone
+
+# Default TTL, in seconds, for any cached item in the dogpile.cache region.
+# This applies to any cached method that doesn't have an explicit cache
+# expiration time defined for it.
+# expiration_time = 600
+
+# Dogpile.cache backend module. It is recommended that Memcache
+# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
+# deployments.  Small workloads (single process) like devstack can use the
+# dogpile.cache.memory backend.
+# backend = keystone.common.cache.noop
+
+# Arguments supplied to the backend module. Specify this option once per
+# argument to be passed to the dogpile.cache backend.
+# Example format: <argname>:<value>
+# backend_argument =
+
+# Proxy Classes to import that will affect the way the dogpile.cache backend
+# functions.  See the dogpile.cache documentation on changing-backend-behavior.
+# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
+# proxies =
+
+# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
+# is toggle-able for debugging purposes, it is highly recommended to always
+# leave this set to True.
+# use_key_mangler = True
+
+# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
+# This is only really useful if you need to see the specific cache-backend
+# get/set/delete calls with the keys/values.  Typically this should be left
+# set to False.
+# debug_cache_backend = False
+
 [policy]
 # driver = keystone.policy.backends.sql.Policy
 
 [ec2]
 # driver = keystone.contrib.ec2.backends.kvs.Ec2
 
+[assignment]
+# driver =
+
+# Assignment specific caching toggle. This has no effect unless the global
+# caching option is set to True
+# caching = True
+
+# Assignment specific cache time-to-live (TTL) in seconds.
+# cache_time =
+
+[oauth1]
+# driver = keystone.contrib.oauth1.backends.sql.OAuth1
+
+# The Identity service may include expire attributes.
+# If no such attribute is included, then the token lasts indefinitely.
+# Specify how quickly the request token will expire (in seconds)
+# request_token_duration = 28800
+# Specify how quickly the access token will expire (in seconds)
+# access_token_duration = 86400
+
 [ssl]
 #enable = True
-#certfile = /etc/keystone/ssl/certs/keystone.pem
-#keyfile = /etc/keystone/ssl/private/keystonekey.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#cert_required = True
+#certfile = /etc/keystone/pki/certs/ssl_cert.pem
+#keyfile = /etc/keystone/pki/private/ssl_key.pem
+#ca_certs = /etc/keystone/pki/certs/cacert.pem
+#ca_key = /etc/keystone/pki/private/cakey.pem
+#key_size = 1024
+#valid_days = 3650
+#cert_required = False
+#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
 
 [signing]
-#token_format = PKI
-#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-#keyfile = /etc/keystone/ssl/private/signing_key.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#key_size = 1024
+# Deprecated in favor of provider in the [token] section
+# Allowed values are PKI or UUID
+#token_format =
+
+#certfile = /etc/keystone/pki/certs/signing_cert.pem
+#keyfile = /etc/keystone/pki/private/signing_key.pem
+#ca_certs = /etc/keystone/pki/certs/cacert.pem
+#ca_key = /etc/keystone/pki/private/cakey.pem
+#key_size = 2048
 #valid_days = 3650
-#ca_password = None
+#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
 
 [ldap]
 # url = ldap://localhost
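Review bot: The new `[ssl]` defaults use `key_size = 1024` while the `[signing]` section in the same hunk is raised to `key_size = 2048`; 1024-bit RSA is below current guidance for a TLS server key, and the inconsistency between two key-generation defaults in one file is easy to miss. I would change the `[ssl]` line to `#key_size = 2048` so both sections agree, or at least add `# 1024 is below current recommendations; use 2048 or larger for any non-test deployment.` above it. Two other silent changes worth a line of comment: `cert_required` flips from `True` to `False`, so client certificates are no longer demanded by default, and `enforce_token_bind = permissive` means a token carrying a bind type keystone does not recognise is presumably accepted rather than rejected, so deployers relying on kerberos or x509 binding should be told to set it to `strict` or the specific bind name.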
@@ -158,7 +341,6 @@
 # user_tree_dn = ou=Users,dc=example,dc=com
 # user_filter =
 # user_objectclass = inetOrgPerson
-# user_domain_id_attribute = businessCategory
 # user_id_attribute = cn
 # user_name_attribute = sn
 # user_mail_attribute = email
@@ -166,14 +348,15 @@
 # user_enabled_attribute = enabled
 # user_enabled_mask = 0
 # user_enabled_default = True
-# user_attribute_ignore = tenant_id,tenants
+# user_attribute_ignore = default_project_id,tenants
+# user_default_project_id_attribute =
 # user_allow_create = True
 # user_allow_update = True
 # user_allow_delete = True
 # user_enabled_emulation = False
 # user_enabled_emulation_dn =
 
-# tenant_tree_dn = ou=Groups,dc=example,dc=com
+# tenant_tree_dn = ou=Projects,dc=example,dc=com
 # tenant_filter =
 # tenant_objectclass = groupOfNames
 # tenant_domain_id_attribute = businessCategory
@@ -212,91 +395,34 @@
 # group_allow_update = True
 # group_allow_delete = True
 
+# ldap TLS options
+# if both tls_cacertfile and tls_cacertdir are set then
+# tls_cacertfile will be used and tls_cacertdir is ignored
+# valid options for tls_req_cert are demand, never, and allow
+# use_tls = False
+# tls_cacertfile =
+# tls_cacertdir =
+# tls_req_cert = demand
+
+# Additional attribute mappings can be used to map ldap attributes to internal
+# keystone attributes. This allows keystone to fulfill ldap objectclass
+# requirements. An example to map the description and gecos attributes to a
+# user's name would be:
+# user_additional_attribute_mapping = description:name, gecos:name
+#
+# domain_additional_attribute_mapping =
+# group_additional_attribute_mapping =
+# role_additional_attribute_mapping =
+# project_additional_attribute_mapping =
+# user_additional_attribute_mapping =
+
 [auth]
-methods = password,token
+methods = external,password,token,oauth1
+#external = keystone.auth.plugins.external.ExternalDefault
 password = keystone.auth.plugins.password.Password
 token = keystone.auth.plugins.token.Token
-
-[filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
-
-[filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
-
-[filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
-
-[filter:xml_body]
-paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
-
-[filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
-
-[filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
-
-[filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
-
-[filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
-
-[filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
-
-[filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
-
-[filter:sizelimit]
-paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
-
-[filter:stats_monitoring]
-paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
-
-[filter:stats_reporting]
-paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
+oauth1 = keystone.auth.plugins.oauth1.OAuth
 
-[filter:access_log]
-paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
-
-[app:public_service]
-paste.app_factory = keystone.service:public_app_factory
-
-[app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
-
-[app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
-
-[pipeline:public_api]
-pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
-
-[app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
-
-[app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
-
-[pipeline:public_version_api]
-pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service
-
-[pipeline:admin_version_api]
-pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
+[paste_deploy]
+# Name of the paste configuration file that defines the available pipelines
+config_file = keystone-paste.ini
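Review bot: `methods = external,password,token,oauth1` enables the `external` auth method by default, while its plugin line `#external = keystone.auth.plugins.external.ExternalDefault` is left commented, so the method runs on whatever built-in default the code registers and the file gives no hint that this plugin trusts the REMOTE_USER value handed in by the web server. That is only safe when keystone sits behind a front end that performs that authentication itself; if the service is run directly, the method is inert at best and a source of confusion at worst. I would add above the `methods` line `# 'external' accepts the user identified by REMOTE_USER from the web server; remove it unless keystone runs behind a front end that performs that authentication.`. The new LDAP block could also state that `use_tls = False` together with the `ldap://` url means the bind password and user lookups cross the network in clear text unless `ldaps://` or `use_tls = True` is set.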