
This feature adds a "password-security-compliance" option to the charm that allows keys to be set in the "[security_compliance]" section of keystone.conf. That section was introduced in the Newton release, so this feature is supported from Newton onwards. It also shields the service accounts from two of the PCI-DSS controls by setting the user options 'ignore_password_expiry' and 'ignore_change_password_upon_first_use' to True, so that password expiry or a forced first-login password change cannot lock the service accounts out and break the cloud. Change-Id: If7c54fae73188284bd9b03a53626cdf52158b994 Closes-Bug: #1776688
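# rocky
###############################################################################
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
###############################################################################
# Jinja2 template for keystone.conf (Rocky). Every {{ }} value is supplied by
# the keystone charm's context; nothing here is read from end-user input, but
# values are rendered verbatim and unquoted, so a charm option containing a
# newline would be emitted as additional config lines.
[DEFAULT]
# Bootstrap shared secret. Wherever the admin_token_auth middleware is still
# present in the paste pipeline (see [paste_deploy]), this token grants full
# admin without any identity check. Keystone has deprecated that middleware and
# this option; leave it unset once bootstrap is complete and keep this file
# readable only by the keystone service user, since the DB and LDAP credentials
# below sit in the same file.
admin_token = {{ token }}
use_syslog = {{ use_syslog }}
log_config_append = {{ log_config }}
# debug=True logs request/response detail; do not leave enabled in production.
debug = {{ debug }}
public_endpoint = {{ public_endpoint }}
admin_endpoint = {{ admin_endpoint }}

[database]
# Credentials are embedded in the connection URL. TLS to the database is only
# requested when the charm supplies database_ssl_ca (optionally with a client
# cert/key pair); without it the DB password traverses the network in clear.
{% if database_host -%}
connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
{% else -%}
# Fallback when no database relation is present: a local, unauthenticated
# sqlite file. Fine for bootstrap/testing only.
connection = sqlite:////var/lib/keystone/keystone.db
{% endif -%}
# seconds
connection_recycle_time = 200

[identity]
driver = {{ identity_backend }}
{% if default_domain_id -%}
default_domain_id = {{ default_domain_id }}
{% endif -%}

{% if api_version == 3 -%}
# Per-domain backend overrides are read from domain_config_dir. Files in that
# directory may carry LDAP bind passwords, so it needs the same ownership and
# permissions as this file.
domain_specific_drivers_enabled = True
domain_config_dir = {{ domain_config_dir }}
{% endif -%}

[credential]
driver = sql

[trust]
driver = sql

[catalog]
driver = sql

[endpoint_filter]

[token]
# Token lifetime in seconds. A longer lifetime widens the window in which a
# leaked token remains usable.
expiration = {{ token_expiration }}

[fernet_tokens]
# Number of fernet keys kept after rotation. Tokens signed with a pruned key
# stop validating, so this must be large enough to cover [token]expiration
# across the charm's rotation cadence.
max_active_keys = {{ fernet_max_active_keys }}

{% include "parts/section-signing" %}

{% include "section-oslo-cache" %}

[policy]
driver = sql

[assignment]
driver = {{ assignment_backend }}

[auth]
methods = {{ auth_methods }}

[paste_deploy]
config_file = {{ paste_config_file }}

[extra_headers]
Distribution = Ubuntu

[ldap]
{% if identity_backend == 'ldap' -%}
# Bind credentials for the LDAP identity backend, stored in clear. Unless
# ldap_server is an ldaps:// URL or use_tls is supplied through
# ldap_config_flags, the bind password is sent to the directory unencrypted.
url = {{ ldap_server }}
user = {{ ldap_user }}
password = {{ ldap_password }}
suffix = {{ ldap_suffix }}

# Extra [ldap] keys passed through verbatim from the charm (e.g. use_tls,
# tls_cacertfile, query_scope). Uses .items() rather than .iteritems() so the
# template renders under Python 3 (Python 3 dicts have no iteritems(); Jinja2
# would raise UndefinedError), matching the [security_compliance] loop below.
{% if ldap_config_flags -%}
{% for key, value in ldap_config_flags.items() -%}
{{ key }} = {{ value }}
{% endfor -%}
{% endif -%}

# Read-only mode: keystone never writes to the directory, so the bind account
# can be granted read-only rights.
{% if ldap_readonly -%}
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = False
tenant_allow_update = False
tenant_allow_delete = False

role_allow_create = False
role_allow_update = False
role_allow_delete = False

group_allow_create = False
group_allow_update = False
group_allow_delete = False
{% endif -%}
{% endif -%}

{% if api_version == 3 %}
# Identifies the "admin project"; tokens scoped to it are flagged as
# is_admin_project for policy evaluation, so membership of this project is
# cloud-admin level.
[resource]
admin_project_domain_name = {{ admin_domain_name }}
admin_project_name = admin
{% endif -%}

{% if password_security_compliance %}
# PCI-DSS password controls (lockout_failure_attempts, password_expires_days,
# password_regex, ...) rendered verbatim from the charm's
# password-security-compliance option. Keystone accepts this section from
# Newton onwards; an unknown key is ignored by oslo.config, so typos fail
# silently - check the rendered section against the keystone docs.
[security_compliance]
{% for k, v in password_security_compliance.items() -%}
{{ k }} = {{ v }}
{% endfor -%}
{% endif -%}

{% include "parts/section-federation" %}

{% include "section-oslo-middleware" %}
# This goes in the section above, selectively
# Bug #1819134
# NOTE: this key is only attributed to [oslo_middleware] because the included
# part is assumed to end inside that section; if the include ever appends
# another section, this line silently moves with it.
max_request_body_size = 114688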
|