diff --git a/templates/default/api-paste.ini.erb b/templates/default/api-paste.ini.erb index 9df7365..c7dcd8e 100644 --- a/templates/default/api-paste.ini.erb +++ b/templates/default/api-paste.ini.erb @@ -2,7 +2,7 @@ # heat-api pipeline [pipeline:heat-api] -pipeline = faultwrap versionnegotiation authurl authtoken context apiv1app +pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app # heat-api pipeline for standalone heat # ie. uses alternative auth backend that authenticates users against keystone @@ -13,7 +13,7 @@ pipeline = faultwrap versionnegotiation authurl authtoken context apiv1app # flavor = standalone # [pipeline:heat-api-standalone] -pipeline = faultwrap versionnegotiation authpassword context apiv1app +pipeline = faultwrap ssl versionnegotiation authurl authpassword context apiv1app # heat-api pipeline for custom cloud backends # i.e. in heat.conf: @@ -75,6 +75,10 @@ paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory [filter:ec2authtoken] paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory +[filter:ssl] +paste.filter_factory = heat.common.wsgi:filter_factory +heat.filter_factory = heat.api.openstack:sslmiddleware_filter + # Middleware to set auth_url header appropriately [filter:authurl] paste.filter_factory = heat.common.auth_url:filter_factory diff --git a/templates/default/heat.conf.erb b/templates/default/heat.conf.erb old mode 100644 new mode 100755 index 3b51bf7..99dbcb2 --- a/templates/default/heat.conf.erb +++ b/templates/default/heat.conf.erb 
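Review bot: The new `ssl` filter in both `pipeline =` lines and its `[filter:ssl]` definition are only safe when heat-api is reachable exclusively through the TLS terminator that sets the forwarded-scheme header. The middleware presumably rewrites the request scheme from `secure_proxy_ssl_header` (left as `#secure_proxy_ssl_header=X-Forwarded-Proto` in heat.conf.erb), so a client that can reach the API directly could send `X-Forwarded-Proto: https` and have heat treat a plaintext session as secure; conversely, while the option stays commented the filter is presumably a no-op and the pipeline change buys nothing. I would add above `[filter:ssl]` a comment such as `# Only acts on secure_proxy_ssl_header from heat.conf; the API must then be reachable solely via the proxy that sets/strips that header.` and render the option from a cookbook attribute instead of leaving it permanently commented.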
@@ -1,16 +1,30 @@ <%= node["openstack"]["orchestration"]["custom_template_banner"] %> [DEFAULT] + +# +# Options defined in heat.api.middleware.ssl +# + +# The HTTP Header that will be used to determine which the +# original request protocol scheme was, even if it was removed +# by an SSL terminator proxy. (string value) +#secure_proxy_ssl_header=X-Forwarded-Proto + # # Options defined in heat.common.config # sql_connection=<%= @sql_connection %> -# The default user for new instances (string value) +# The default user for new instances. This option is +# deprecated and will be removed in the Juno release. If it's +# empty, Heat will use the default user set up with your cloud +# image (for OS::Nova::Server) or 'ec2-user' (for +# AWS::EC2::Instance). (string value) #instance_user=ec2-user -# Driver to use for controlling instances (string value) +# Driver to use for controlling instances. (string value) #instance_driver=heat.engine.nova # Engine identifier for multi-engine distributed lock. If @@ -18,17 +32,19 @@ sql_connection=<%= @sql_connection %> # (string value) #engine_id=generate_uuid -# List of directories to search for Plugins (list value) +# List of directories to search for plug-ins. (list value) #plugin_dirs=/usr/lib64/heat,/usr/lib/heat -# The directory to search for environment files (string value) +# The directory to search for environment files. (string +# value) #environment_dir=/etc/heat/environment.d -# Select deferred auth method, stored password or trusts +# Select deferred auth method, stored password or trusts. # (string value) #deferred_auth_method=password -# Subset of trustor roles to be delegated to heat (list value) +# Subset of trustor roles to be delegated to heat. (list +# value) #trusts_delegated_roles=heat_stack_owner # Maximum resources allowed per top-level stack. (integer 
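Review bot: `#secure_proxy_ssl_header=X-Forwarded-Proto` is added as a commented default, so nothing in the cookbook ever enables it even though the same commit wires the `ssl` filter into api-paste.ini.erb; the two changes only work together if this option is rendered from an attribute. If it is enabled, the header must be trusted only from the TLS-terminating proxy, and the comment should say so, e.g. `# Set only when heat-api is reachable solely through a proxy that overwrites this header; otherwise clients can spoof the scheme.` Separately, the file header shows `old mode 100644 new mode 100755` on heat.conf.erb, which looks like an accidental chmod of a configuration template and should be reverted.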
@@ -50,33 +66,62 @@ sql_connection=<%= @sql_connection %> # unlimited events per stack. (integer value) #max_events_per_stack=1000 -# Name of the engine node. This can be an opaque identifier.It -# is not necessarily a hostname, FQDN, or IP address. (string -# value) +# RPC timeout for the engine liveness check that is used for +# stack locking. (integer value) +#engine_life_check_timeout=2 + +# onready allows you to send a notification when the heat +# processes are ready to serve. This is either a module with +# the notify() method or a shell command. To enable +# notifications with systemd, one may use the 'systemd-notify +# --ready' shell command or the 'heat.common.systemd' +# notification module. (string value) +#onready= + +# Name of the engine node. This can be an opaque identifier. +# It is not necessarily a hostname, FQDN, or IP address. +# (string value) #host=heat -# seconds between running periodic tasks (integer value) +# Seconds between running periodic tasks. (integer value) #periodic_interval=60 -# URL of the Heat metadata server (string value) +# URL of the Heat metadata server. (string value) heat_metadata_server_url=http://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %> -# URL of the Heat waitcondition server (string value) +# URL of the Heat waitcondition server. (string value) heat_waitcondition_server_url=http://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %><%= @heat_api_cfn_endpoint.path %>/waitcondition -# URL of the Heat cloudwatch server (string value) +# URL of the Heat CloudWatch server. (string value) heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat_api_cloudwatch_endpoint.port %> -# Instance connection to cfn/cw API via https (string value) +# Instance connection to CFN/CW API via https. 
(string value) #instance_connection_is_secure=0 -# Instance connection to cfn/cw API validate certs if ssl -# (string value) +# Instance connection to CFN/CW API validate certs if SSL is +# used. (string value) #instance_connection_https_validate_certificates=1 -# Keystone role for heat template-defined users (string value) +# Default region name used to get services endpoints. (string +# value) +#region_name_for_services= + +# Keystone role for heat template-defined users. (string +# value) #heat_stack_user_role=heat_stack_user +# Keystone domain ID which contains heat template-defined +# users. (string value) +#stack_user_domain= + +# Keystone username, a user with roles sufficient to manage +# users and projects in the stack_user_domain. (string value) +#stack_domain_admin= + +# Keystone password for stack_domain_admin user. (string +# value) +#stack_domain_admin_password= + # Maximum raw byte size of any template. (integer value) #max_template_size=524288 @@ -89,11 +134,20 @@ heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat # Options defined in heat.common.crypt # -# Encryption key used for authentication info in database +# Encryption key used for authentication info in database. # (string value) #auth_encryption_key=notgood but just long enough i think +# +# Options defined in heat.common.heat_keystoneclient +# + +# Fully qualified class name to use as a keystone backend. +# (string value) +#keystone_backend=heat.common.heat_keystoneclient.KeystoneClientV3 + + # # Options defined in heat.common.wsgi # @@ -107,7 +161,7 @@ heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat # Options defined in heat.db.api # -# The backend to use for db (string value) +# The backend to use for db. (string value) #db_backend=sqlalchemy 
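Review bot: `heat_metadata_server_url`, `heat_waitcondition_server_url` and `heat_watch_server_url` remain hard-coded to `http://` even though this commit adds TLS-related middleware, so instance-side callbacks (wait-condition signals, CloudWatch metrics) to the cfn/cloudwatch endpoints are sent in clear text and `#instance_connection_is_secure=0` stays at its default. If the endpoint helper exposes a scheme, render it instead, e.g. `heat_metadata_server_url=<%= @heat_api_cfn_endpoint.scheme %>://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %>` — I am assuming the endpoint object has such a field, which is not visible here. The new `#stack_domain_admin_password=` entry should, if it is ever rendered, come from the same secret mechanism as `@mq_password` rather than a plain node attribute, and the rendered file needs owner-only permissions since it will hold this and the RabbitMQ password.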
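Review bot: `#auth_encryption_key=notgood but just long enough i think` is left as the commented upstream sample, so the cookbook never sets a key and heat presumably uses that published built-in value; with `#deferred_auth_method=password` also at its default, the credentials heat stores for deferred operations would be encrypted under a key anyone can read from the sample config. Render it from a per-deployment secret, e.g. `auth_encryption_key=<%= @auth_encryption_key %>` sourced the same way `@mq_password` is, and document in a comment above it that the value must satisfy heat's length requirement and must not be rotated while stacks with stored credentials exist, since those would become undecryptable.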
@@ -120,6 +174,15 @@ heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat #cloud_backend=heat.engine.clients.OpenStackClients +# +# Options defined in heat.engine.resources.loadbalancer +# + +# Custom template for the built-in loadbalancer nested stack. +# (string value) +#loadbalancer_template= + + # # Options defined in heat.openstack.common.db.sqlalchemy.session # @@ -189,7 +252,7 @@ verbose=<%= node["openstack"]["orchestration"]["verbose"] %> #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s # list of logger=LEVEL pairs (list value) -#default_log_levels=amqplib=WARN,sqlalchemy=WARN,boto=WARN,suds=INFO,keystone=INFO,eventlet.wsgi.server=WARN +#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN # publish error events (boolean value) #publish_errors=false 
@@ -205,20 +268,12 @@ verbose=<%= node["openstack"]["orchestration"]["verbose"] %> # it like this (string value) #instance_uuid_format="[instance: %(uuid)s] " -# (Optional) In addition to the system's default language log, -# creates an additional log in the given language if such -# language is present in the operating system. This option is -# only enabled if the 'log-file' option is used, and the -# additional log will be created in the same directory of the -# main log, inside a directory named after the locale. This is -# an OSEE-only property. (string value) -#log_additional_locale= - -# If this option is specified, the logging configuration file -# specified is used and overrides any other logging options -# specified. Please see the Python logging module -# documentation for details on logging configuration files. -# (string value) +# The name of logging configuration file. It does not disable +# existing loggers, but just appends specified logging +# configuration to any other existing logging options. Please +# see the Python logging module documentation for details on +# logging configuration files. (string value) +# Deprecated group/name - [DEFAULT]/log_config <% if node["openstack"]["orchestration"]["syslog"]["use"] %> log_config = /etc/openstack/logging.conf <% end %> @@ -236,10 +291,12 @@ log_config = /etc/openstack/logging.conf # (Optional) Name of log file to output to. If no default is # set, logging will go to stdout. (string value) +# Deprecated group/name - [DEFAULT]/logfile #log_file= # (Optional) The base directory used for relative --log-file # paths (string value) +# Deprecated group/name - [DEFAULT]/logdir #log_dir= # Use syslog for logging. (boolean value) @@ -278,7 +335,7 @@ log_config = /etc/openstack/logging.conf # Options defined in heat.openstack.common.notifier.rpc_notifier # -# AMQP topic used for openstack notifications (list value) +# AMQP topic used for OpenStack notifications (list value) #notification_topics=notifications 
@@ -300,7 +357,7 @@ log_config = /etc/openstack/logging.conf # The messaging module to use, defaults to kombu. (string # value) -#rpc_backend= +#rpc_backend=heat.openstack.common.rpc.impl_kombu # Size of RPC thread pool (integer value) rpc_thread_pool_size=<%= node["openstack"]["orchestration"]["rpc_thread_pool_size"] %> @@ -316,16 +373,16 @@ rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeou # by impl_zmq. (integer value) #rpc_cast_timeout=30 -# Modules of exceptions that are permitted to be recreatedupon -# receiving exception data from an rpc call. (list value) -#allowed_rpc_exception_modules=heat.openstack.common.exception,heat.common.exception,nova.exception,cinder.exception,exceptions +# Modules of exceptions that are permitted to be recreated +# upon receiving exception data from an rpc call. (list value) +#allowed_rpc_exception_modules=nova.exception,cinder.exception,exceptions # If passed, use a fake RabbitMQ provider (boolean value) #fake_rabbit=false # AMQP exchange to connect to if using RabbitMQ or Qpid # (string value) -#control_exchange=openstack +#control_exchange=heat # @@ -333,6 +390,7 @@ rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeou # # Use durable queues in amqp. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_durable_queues #amqp_durable_queues=false # Auto-delete queues in amqp. (boolean value) 
@@ -357,36 +415,33 @@ rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeou # SSL certification authority file (valid only if SSL enabled) # (string value) #kombu_ssl_ca_certs= + <% if @mq_service_type == "rabbitmq" %> +# RabbitMQ HA cluster host:port pairs (list value) <% if node["openstack"]["mq"]["orchestration"]["rabbit"]["ha"] -%> rabbit_hosts=<%= @rabbit_hosts %> -#### (ListOpt) RabbitMQ HA cluster host:port pairs - -# rabbit_durable_queues=false -#### (BoolOpt) use durable queues in RabbitMQ - -rabbit_ha_queues=True -#### (BoolOpt) use H/A queues in RabbitMQ (x-ha-policy: all).You need to -#### wipe RabbitMQ database when changing this option. <% else -%> +# The RabbitMQ broker address where a single node is used +# (string value) rabbit_host=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["host"] %> -#### (StrOpt) The RabbitMQ broker address where a single node is used +# The RabbitMQ broker port where a single node is used +# (integer value) rabbit_port=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["port"] %> -#### (IntOpt) The RabbitMQ broker port where a single node is used <% end -%> + # connect over SSL for RabbitMQ (boolean value) rabbit_use_ssl=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["use_ssl"] %> +# the RabbitMQ userid (string value) rabbit_userid=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["userid"] %> -#### (StrOpt) the RabbitMQ userid +# the RabbitMQ password (string value) rabbit_password=<%= @mq_password %> -#### (StrOpt) the RabbitMQ password +# the RabbitMQ virtual host (string value) rabbit_virtual_host=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["vhost"] %> -#### (StrOpt) the RabbitMQ virtual host # how frequently to retry connecting with RabbitMQ (integer # value) 
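Review bot: The HA branch loses `rabbit_ha_queues=True` — the old block rendered it whenever `rabbit.ha` was set, while the new block renders only `rabbit_hosts=`, so clustered deployments silently fall back to non-mirrored queues unless the option is set elsewhere. If that is intended it deserves a line in the commit message; otherwise restore `rabbit_ha_queues=True` directly under `rabbit_hosts=`. Also, `rabbit_use_ssl=` is rendered from an attribute while `#kombu_ssl_ca_certs=` stays commented, so an operator who turns on SSL presumably gets a TLS session with no CA to verify the broker against; render `kombu_ssl_ca_certs` from an attribute alongside `rabbit_use_ssl`.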
@@ -500,24 +555,267 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re #matchmaker_heartbeat_ttl=600 -[ssl] +[auth_password] # -# Options defined in heat.openstack.common.sslutils +# Options defined in heat.common.config # -# CA certificate file to use to verify connecting clients -# (string value) +# Allow orchestration of multiple clouds. (boolean value) +#multi_cloud=false + +# Allowed keystone endpoints for auth_uri when multi_cloud is +# enabled. At least one endpoint needs to be specified. (list +# value) +#allowed_auth_uris= + + +[clients] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) #ca_file= -# Certificate file to use when starting the server securely -# (string value) +# Optional PEM-formatted certificate chain file. (string +# value) #cert_file= -# Private key file to use when starting the server securely +# Optional PEM-formatted file that contains the private key. # (string value) #key_file= +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + + +[clients_ceilometer] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. 
+# (boolean value) +#insecure=false + + +[clients_cinder] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + + +[clients_heat] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + +# Optional heat url in format like +# http://0.0.0.0:8004/v1/%(tenant_id)s. (string value) +#url= + + +[clients_keystone] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. 
+# (boolean value) +#insecure=false + + +[clients_neutron] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + + +[clients_nova] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + + +[clients_swift] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. (string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + + +[clients_trove] + +# +# Options defined in heat.common.config +# + +# Type of endpoint in Identity service catalog to use for +# communication with the OpenStack service. 
(string value) +#endpoint_type=publicURL + +# Optional CA cert file to use in SSL connections. (string +# value) +#ca_file= + +# Optional PEM-formatted certificate chain file. (string +# value) +#cert_file= + +# Optional PEM-formatted file that contains the private key. +# (string value) +#key_file= + +# If set, then the server's certificate will not be verified. +# (boolean value) +#insecure=false + [database] @@ -526,12 +824,9 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re # # The backend to use for db (string value) +# Deprecated group/name - [DEFAULT]/db_backend #backend=sqlalchemy -# Enable the experimental use of thread pooling for all DB API -# calls (boolean value) -#use_tpool=false - # # Options defined in heat.openstack.common.db.sqlalchemy.session @@ -539,6 +834,9 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re # The SQLAlchemy connection string used to connect to the # database (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection #connection=sqlite:////heat/openstack/common/db/$sqlite_db # The SQLAlchemy connection string used to connect to the 
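Review bot: Every new `[clients*]` section is rendered entirely commented out, so heat-engine talks to Nova, Neutron, Cinder and the rest with `endpoint_type=publicURL` and no `ca_file`; on a deployment whose endpoints are fronted by an internal CA this pushes operators to hand-edit the file or set `insecure=true`, which disables certificate verification. Consider rendering `endpoint_type` and `ca_file` from cookbook attributes in the base `[clients]` section (the per-service sections presumably override it) and adding above each `#insecure=false` a warning such as `# Never set insecure=true in production: it disables server certificate verification for this client.` In `[auth_password]`, if `multi_cloud` is ever enabled, `allowed_auth_uris` is the only thing preventing a client-supplied auth URL from receiving the user's password, so the comment there should say that the list must be rendered non-empty and kept to trusted Keystone endpoints.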
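Review bot: The template keeps `sql_connection=<%= @sql_connection %>` under `[DEFAULT]` while this hunk's new comments record `[DEFAULT]/sql_connection` as a deprecated alias of `[database]/connection`; it still works today but will stop being honoured once the alias is removed. Move the rendered value to `connection=<%= @sql_connection %>` under `[database]` (next to the `#connection=sqlite:///...` placeholder) and drop the `[DEFAULT]` line, so the database credentials appear exactly once in the file.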
@@ -547,74 +845,67 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re # timeout before idle sql connections are reaped (integer # value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout #idle_timeout=3600 # Minimum number of SQL connections to keep open in a pool # (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size #min_pool_size=1 # Maximum number of SQL connections to keep open in a pool # (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size #max_pool_size= # maximum db connection retries during startup. (setting -1 # implies an infinite retry count) (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries #max_retries=10 # interval between retries of opening a sql connection # (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval #retry_interval=10 # If set, use this value for max_overflow with sqlalchemy # (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow #max_overflow= # Verbosity of SQL debugging information. 
0=None, # 100=Everything (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug #connection_debug=0 # Add python stack traces to SQL as comment strings (boolean # value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace #connection_trace=false # If set, use this value for pool_timeout with sqlalchemy # (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout #pool_timeout= -[paste_deploy] - -# -# Options defined in heat.common.config -# - -# The flavor to use (string value) -#flavor= - -# The API paste config file to use (string value) -#api_paste_config=api-paste.ini - - -[rpc_notifier2] - -# -# Options defined in heat.openstack.common.notifier.rpc_notifier2 -# - -# AMQP topic(s) used for openstack notifications (list value) -#topics=notifications - - [ec2authtoken] # # Options defined in heat.api.aws.ec2token # -# Authentication Endpoint URI (string value) +# Authentication Endpoint URI. (string value) #auth_uri= -# Allow orchestration of multiple clouds (boolean value) +# Allow orchestration of multiple clouds. (boolean value) #multi_cloud=false # Allowed keystone endpoints for auth_uri when multi_cloud is 
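Review bot: `[ec2authtoken]` is rendered with `#auth_uri=` still commented, so the `ec2authtoken` filter that heat-api-cfn uses to verify EC2 signatures has no Keystone endpoint configured by the cookbook unless heat has a fallback I cannot see here; that is worth either rendering from the same auth attributes used in `[keystone_authtoken]` or stating in a comment. A short comment above `#auth_uri=` such as `# Keystone endpoint used to validate EC2 signed requests on heat-api-cfn; must point at a trusted Identity service.` would make the dependency explicit.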
@@ -623,91 +914,113 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re #allowed_auth_uris= -[heat_api_cloudwatch] -# -# Options defined in heat.common.wsgi -# - -# Address to bind the server. Useful when selecting a -# particular network interface. (string value) -bind_host=<%= @heat_api_cloudwatch_endpoint.host %> - -# The port on which the server will listen. (integer value) -bind_port=<%= @heat_api_cloudwatch_endpoint.port %> - -# Number of backlog requests to configure the socket with -# (integer value) -#backlog=4096 - -# Location of the SSL Certificate File to use for SSL mode -# (string value) -#cert_file= - -# Location of the SSL Key File to use for enabling SSL mode -# (string value) -#key_file= - -# Number of workers for Heat service (integer value) -#workers=0 - - [heat_api] + # # Options defined in heat.common.wsgi # -# Address to bind the server. Useful when selecting a +# Address to bind the server. Useful when selecting a # particular network interface. (string value) bind_host=<%= @heat_api_endpoint.host %> # The port on which the server will listen. (integer value) bind_port=<%= @heat_api_endpoint.port %> -# Number of backlog requests to configure the socket with +# Number of backlog requests to configure the socket with. # (integer value) #backlog=4096 -# Location of the SSL Certificate File to use for SSL mode +# Location of the SSL certificate file to use for SSL mode. # (string value) #cert_file= -# Location of the SSL Key File to use for enabling SSL mode +# Location of the SSL key file to use for enabling SSL mode. # (string value) #key_file= -# Number of workers for Heat service (integer value) +# Number of workers for Heat service. (integer value) #workers=0 +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large +# tokens (typically those generated by the Keystone v3 API +# with big service catalogs). 
(integer value) +#max_header_line=16384 + [heat_api_cfn] + # # Options defined in heat.common.wsgi # -# Address to bind the server. Useful when selecting a +# Address to bind the server. Useful when selecting a # particular network interface. (string value) bind_host=<%= @heat_api_cfn_endpoint.host %> # The port on which the server will listen. (integer value) bind_port=<%= @heat_api_cfn_endpoint.port %> -# Number of backlog requests to configure the socket with +# Number of backlog requests to configure the socket with. # (integer value) #backlog=4096 -# Location of the SSL Certificate File to use for SSL mode +# Location of the SSL certificate file to use for SSL mode. # (string value) #cert_file= -# Location of the SSL Key File to use for enabling SSL mode +# Location of the SSL key file to use for enabling SSL mode. # (string value) #key_file= -# Number of workers for Heat service (integer value) +# Number of workers for Heat service. (integer value) #workers=0 +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large +# tokens (typically those generated by the Keystone v3 API +# with big service catalogs). (integer value) +#max_header_line=16384 + + +[heat_api_cloudwatch] + +# +# Options defined in heat.common.wsgi +# + +# Address to bind the server. Useful when selecting a +# particular network interface. (string value) +bind_host=<%= @heat_api_cloudwatch_endpoint.host %> + +# The port on which the server will listen. (integer value) +bind_port=<%= @heat_api_cloudwatch_endpoint.port %> + +# Number of backlog requests to configure the socket with. +# (integer value) +#backlog=4096 + +# Location of the SSL certificate file to use for SSL mode. +# (string value) +#cert_file= + +# Location of the SSL key file to use for enabling SSL mode. +# (string value) +#key_file= + +# Number of workers for Heat service. (integer value) +#workers=0 + +# Maximum line size of message headers to be accepted. 
+# max_header_line may need to be increased when using large +# tokens (typically those generated by the Keystone v3 API +# with big service catalogs.) (integer value) +#max_header_line=16384 + [keystone_authtoken] + # # Options defined in keystoneclient.middleware.auth_token # @@ -747,12 +1060,6 @@ auth_version=<%= node["openstack"]["orchestration"]["api"]["auth"]["version"] %> # with Identity API Server. (integer value) #http_request_max_retries=3 -# Allows to pass in the name of a fake http_handler callback -# function used instead of httplib.HTTPConnection or -# httplib.HTTPSConnection. Useful for unit testing where -# network is not available. (string value) -#http_handler= - # Single shared secret with the Keystone configuration used # for bootstrapping a Keystone installation, or otherwise # bypassing the normal authentication process. (string value) 
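Review bot: All three API sections keep `#cert_file=` and `#key_file=` commented, so heat-api, heat-api-cfn and heat-api-cloudwatch still listen in plain HTTP on `bind_host`/`bind_port`; combined with the `ssl` middleware added to api-paste.ini.erb this means the design relies on an external TLS terminator, which the template never states. If that is the intent, add above `[heat_api]` a comment like `# TLS is expected to be terminated by a proxy in front of these listeners; set secure_proxy_ssl_header in [DEFAULT] accordingly.`; if native TLS is wanted, render `cert_file`/`key_file` from attributes. The `#max_header_line=16384` entries are also the right place to note that raising the limit increases the per-request buffer an unauthenticated client can make the server allocate.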
@@ -788,21 +1095,26 @@ admin_tenant_name=<%= node["openstack"]["orchestration"]["service_tenant_name"] # Directory used to cache files related to PKI tokens (string # value) -signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] %> +#signing_dir= -# If defined, the memcache server(s) to use for caching (list -# value) +# Optionally specify a list of memcached server(s) to use for +# caching. If left undefined, tokens will instead be cached +# in-process. (list value) +# Deprecated group/name - [DEFAULT]/memcache_servers #memcached_servers= -# In order to prevent excessive requests and validations, the -# middleware uses an in-memory cache for the tokens the -# Keystone API returns. This is only valid if memcache_servers -# is defined. Set to -1 to disable caching completely. -# (integer value) +# In order to prevent excessive effort spent validating +# tokens, the middleware caches previously-seen tokens for a +# configurable duration (in seconds). Set to -1 to disable +# caching completely. (integer value) #token_cache_time=300 -# Value only used for unit testing (integer value) -#revocation_cache_time=1 +# Determines the frequency at which the list of revoked tokens +# is retrieved from the Identity service (in seconds). A high +# number of revocation events combined with a low cache +# duration may significantly reduce performance. (integer +# value) +#revocation_cache_time=300 # (optional) if defined, indicate whether token data should be # authenticated or authenticated and encrypted. Acceptable 
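Review bot: `signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] %>` is replaced by `#signing_dir=`, so the cookbook no longer controls where auth_token stores PKI signing certificates and revocation lists; the middleware presumably falls back to a directory under the service user's home, which must exist, be writable by the heat user and not be writable by others, and the cookbook's `cache_dir` attribute is now dead. Either keep the rendered line or state in the commit why it was dropped. The new `#revocation_cache_time=300` default means a revoked token can keep being accepted for up to five minutes; that trade-off deserves a comment, e.g. `# Revoked tokens stay accepted for up to this many seconds; lower it if prompt revocation matters more than Keystone load.`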
@@ -818,30 +1130,22 @@ signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] % # value) #memcache_secret_key= +# (optional) indicate whether to set the X-Service-Catalog +# header. If False, middleware will not ask for service +# catalog on token validation and will not set the X-Service- +# Catalog header. (boolean value) +#include_service_catalog=true -[auth_password] - -# -# Options defined in heat.common.config -# - -# Allow orchestration of multiple clouds (boolean value) -#multi_cloud=false - -# Allowed keystone endpoints for auth_uri when multi_cloud is -# enabled. At least one endpoint needs to be specified. (list +# Used to control the use and type of token binding. Can be +# set to: "disabled" to not check token binding. "permissive" +# (default) to validate binding information if the bind type +# is of a form known to the server and ignore it if not. +# "strict" like "permissive" but if the bind type is unknown +# the token will be rejected. "required" any form of token +# binding is needed to be allowed. Finally the name of a +# binding method that must be present in tokens. (string # value) -#allowed_auth_uris= - - -[matchmaker_ring] - -# -# Options defined in heat.openstack.common.rpc.matchmaker_ring -# - -# Matchmaker ring file (JSON) (string value) -#ringfile=/etc/oslo/matchmaker_ring.json +#enforce_token_bind=permissive [matchmaker_redis] 
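Review bot: `#memcache_secret_key=` in the context lines just above the new `include_service_catalog` and `enforce_token_bind` entries stays commented while `#memcached_servers=` is documented as a supported option; if an operator sets `memcached_servers` without also setting `memcache_security_strategy` and `memcache_secret_key`, validated token data is presumably cached in memcached unauthenticated and unencrypted, readable by anything that can reach the cache. Add beside `#memcache_secret_key=` a comment such as `# Required together with memcache_security_strategy whenever memcached_servers is set; otherwise cached tokens are stored in the clear.` The `#enforce_token_bind=permissive` default is reasonable, but the comment should say that `strict` or `required` only add protection once tokens actually carry binding data.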
@@ -860,3 +1164,67 @@ signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] % #password= +[matchmaker_ring] + +# +# Options defined in heat.openstack.common.rpc.matchmaker_ring +# + +# Matchmaker ring file (JSON) (string value) +# Deprecated group/name - [DEFAULT]/matchmaker_ringfile +#ringfile=/etc/oslo/matchmaker_ring.json + + +[paste_deploy] + +# +# Options defined in heat.common.config +# + +# The flavor to use. (string value) +#flavor= + +# The API paste config file to use. (string value) +#api_paste_config=api-paste.ini + + +[revision] + +# +# Options defined in heat.common.config +# + +# Heat build revision. If you would prefer to manage your +# build revision separately, you can move this section to a +# different file and add it as another config option. (string +# value) +#heat_revision=unknown + + +[rpc_notifier2] + +# +# Options defined in heat.openstack.common.notifier.rpc_notifier2 +# + +# AMQP topic(s) used for OpenStack notifications (list value) +#topics=notifications + + +[ssl] + +# +# Options defined in heat.openstack.common.sslutils +# + +# CA certificate file to use to verify connecting clients +# (string value) +#ca_file= + +# Certificate file to use when starting the server securely +# (string value) +#cert_file= + +# Private key file to use when starting the server securely +# (string value) +#key_file=
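Review bot: The `[ssl]` section moved here overlaps in purpose with the per-listener `cert_file`/`key_file` keys in `[heat_api]`, `[heat_api_cfn]` and `[heat_api_cloudwatch]`, and nothing in the template says which pair heat's WSGI server actually reads; an operator who fills in the `[ssl]` pair expecting TLS may still get a plaintext listener. Add under `[ssl]` a comment such as `# NOTE: the API listeners take cert_file/key_file from their own [heat_api*] sections; confirm which applies before relying on this section.` — I cannot see heat.common.wsgi here, so this is a hedge. Also confirm the rendered template ends with a newline after `#key_file=`, since that is now the last line of the file.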