Update conf file with icehouse release changes

Sync api-paste.ini with ssl support
Sync heat.conf with comment changes and additional sections.

Change-Id: Icff75c6737f37df8466cf2b9d591483d8f917509
Closes-Bug: 1300320

templates/default/api-paste.ini.erb

@@ -2,7 +2,7 @@
 
 # heat-api pipeline
 [pipeline:heat-api]
-pipeline = faultwrap versionnegotiation authurl authtoken context apiv1app
+pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app
 
 # heat-api pipeline for standalone heat
 # ie. uses alternative auth backend that authenticates users against keystone
@@ -13,7 +13,7 @@ pipeline = faultwrap versionnegotiation authurl authtoken context apiv1app
 #   flavor = standalone
 #
 [pipeline:heat-api-standalone]
-pipeline = faultwrap versionnegotiation authpassword context apiv1app
+pipeline = faultwrap ssl versionnegotiation authurl authpassword context apiv1app
 
 # heat-api pipeline for custom cloud backends
 # i.e. in heat.conf:
@@ -75,6 +75,10 @@ paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
 [filter:ec2authtoken]
 paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
 
+[filter:ssl]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.openstack:sslmiddleware_filter
+
 # Middleware to set auth_url header appropriately
 [filter:authurl]
 paste.filter_factory = heat.common.auth_url:filter_factory

templates/default/heat.conf.erb

@@ -1,16 +1,30 @@
 <%= node["openstack"]["orchestration"]["custom_template_banner"] %>
 
 [DEFAULT]
+
+#
+# Options defined in heat.api.middleware.ssl
+#
+
+# The HTTP Header that will be used to determine which the
+# original request protocol scheme was, even if it was removed
+# by an SSL terminator proxy. (string value)
+#secure_proxy_ssl_header=X-Forwarded-Proto
+
 #
 # Options defined in heat.common.config
 #
 
 sql_connection=<%= @sql_connection %>
 
-# The default user for new instances (string value)
+# The default user for new instances. This option is
+# deprecated and will be removed in the Juno release. If it's
+# empty, Heat will use the default user set up with your cloud
+# image (for OS::Nova::Server) or 'ec2-user' (for
+# AWS::EC2::Instance). (string value)
 #instance_user=ec2-user
 
-# Driver to use for controlling instances (string value)
+# Driver to use for controlling instances. (string value)
 #instance_driver=heat.engine.nova
 
 # Engine identifier for multi-engine distributed lock.  If
@@ -18,17 +32,19 @@ sql_connection=<%= @sql_connection %>
 # (string value)
 #engine_id=generate_uuid
 
-# List of directories to search for Plugins (list value)
+# List of directories to search for plug-ins. (list value)
 #plugin_dirs=/usr/lib64/heat,/usr/lib/heat
 
-# The directory to search for environment files (string value)
+# The directory to search for environment files. (string
+# value)
 #environment_dir=/etc/heat/environment.d
 
-# Select deferred auth method, stored password or trusts
+# Select deferred auth method, stored password or trusts.
 # (string value)
 #deferred_auth_method=password
 
-# Subset of trustor roles to be delegated to heat (list value)
+# Subset of trustor roles to be delegated to heat. (list
+# value)
 #trusts_delegated_roles=heat_stack_owner
 
 # Maximum resources allowed per top-level stack. (integer
@@ -50,33 +66,62 @@ sql_connection=<%= @sql_connection %>
 # unlimited events per stack. (integer value)
 #max_events_per_stack=1000
 
-# Name of the engine node. This can be an opaque identifier.It
-# is not necessarily a hostname, FQDN, or IP address. (string
-# value)
+# RPC timeout for the engine liveness check that is used for
+# stack locking. (integer value)
+#engine_life_check_timeout=2
+
+# onready allows you to send a notification when the heat
+# processes are ready to serve.  This is either a module with
+# the notify() method or a shell command.  To enable
+# notifications with systemd, one may use the 'systemd-notify
+# --ready' shell command or the 'heat.common.systemd'
+# notification module. (string value)
+#onready=<None>
+
+# Name of the engine node. This can be an opaque identifier.
+# It is not necessarily a hostname, FQDN, or IP address.
+# (string value)
 #host=heat
 
-# seconds between running periodic tasks (integer value)
+# Seconds between running periodic tasks. (integer value)
 #periodic_interval=60
 
-# URL of the Heat metadata server (string value)
+# URL of the Heat metadata server. (string value)
 heat_metadata_server_url=http://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %>
 
-# URL of the Heat waitcondition server (string value)
+# URL of the Heat waitcondition server. (string value)
 heat_waitcondition_server_url=http://<%= @heat_api_cfn_endpoint.host %>:<%= @heat_api_cfn_endpoint.port %><%= @heat_api_cfn_endpoint.path %>/waitcondition
 
-# URL of the Heat cloudwatch server (string value)
+# URL of the Heat CloudWatch server. (string value)
 heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat_api_cloudwatch_endpoint.port %>
 
-# Instance connection to cfn/cw API via https (string value)
+# Instance connection to CFN/CW API via https. (string value)
 #instance_connection_is_secure=0
 
-# Instance connection to cfn/cw API validate certs if ssl
-# (string value)
+# Instance connection to CFN/CW API validate certs if SSL is
+# used. (string value)
 #instance_connection_https_validate_certificates=1
 
-# Keystone role for heat template-defined users (string value)
+# Default region name used to get services endpoints. (string
+# value)
+#region_name_for_services=<None>
+
+# Keystone role for heat template-defined users. (string
+# value)
 #heat_stack_user_role=heat_stack_user
 
+# Keystone domain ID which contains heat template-defined
+# users. (string value)
+#stack_user_domain=<None>
+
+# Keystone username, a user with roles sufficient to manage
+# users and projects in the stack_user_domain. (string value)
+#stack_domain_admin=<None>
+
+# Keystone password for stack_domain_admin user. (string
+# value)
+#stack_domain_admin_password=<None>
+
 # Maximum raw byte size of any template. (integer value)
 #max_template_size=524288
 
@@ -89,11 +134,20 @@ heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat
 # Options defined in heat.common.crypt
 #
 
-# Encryption key used for authentication info in database
+# Encryption key used for authentication info in database.
 # (string value)
 #auth_encryption_key=notgood but just long enough i think
 
 
+#
+# Options defined in heat.common.heat_keystoneclient
+#
+
+# Fully qualified class name to use as a keystone backend.
+# (string value)
+#keystone_backend=heat.common.heat_keystoneclient.KeystoneClientV3
+
+
 #
 # Options defined in heat.common.wsgi
 #
@@ -107,7 +161,7 @@ heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat
 # Options defined in heat.db.api
 #
 
-# The backend to use for db (string value)
+# The backend to use for db. (string value)
 #db_backend=sqlalchemy
 
 
@@ -120,6 +174,15 @@ heat_watch_server_url=http://<%= @heat_api_cloudwatch_endpoint.host %>:<%= @heat
 #cloud_backend=heat.engine.clients.OpenStackClients
 
 
+#
+# Options defined in heat.engine.resources.loadbalancer
+#
+
+# Custom template for the built-in loadbalancer nested stack.
+# (string value)
+#loadbalancer_template=<None>
+
+
 #
 # Options defined in heat.openstack.common.db.sqlalchemy.session
 #
@@ -189,7 +252,7 @@ verbose=<%= node["openstack"]["orchestration"]["verbose"] %>
 #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
 
 # list of logger=LEVEL pairs (list value)
-#default_log_levels=amqplib=WARN,sqlalchemy=WARN,boto=WARN,suds=INFO,keystone=INFO,eventlet.wsgi.server=WARN
+#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN
 
 # publish error events (boolean value)
 #publish_errors=false
@@ -205,20 +268,12 @@ verbose=<%= node["openstack"]["orchestration"]["verbose"] %>
 # it like this (string value)
 #instance_uuid_format="[instance: %(uuid)s] "
 
-# (Optional) In addition to the system's default language log,
-# creates an additional log in the given language if such
-# language is present in the operating system. This option is
-# only enabled if the 'log-file' option is used, and the
-# additional log will be created in the same directory of the
-# main log, inside a directory named after the locale. This is
-# an OSEE-only property. (string value)
-#log_additional_locale=<None>
-
-# If this option is specified, the logging configuration file
-# specified is used and overrides any other logging options
-# specified. Please see the Python logging module
-# documentation for details on logging configuration files.
-# (string value)
+# The name of logging configuration file. It does not disable
+# existing loggers, but just appends specified logging
+# configuration to any other existing logging options. Please
+# see the Python logging module documentation for details on
+# logging configuration files. (string value)
+# Deprecated group/name - [DEFAULT]/log_config
 <% if node["openstack"]["orchestration"]["syslog"]["use"] %>
 log_config = /etc/openstack/logging.conf
 <% end %>
@@ -236,10 +291,12 @@ log_config = /etc/openstack/logging.conf
 
 # (Optional) Name of log file to output to. If no default is
 # set, logging will go to stdout. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
 #log_file=<None>
 
 # (Optional) The base directory used for relative --log-file
 # paths (string value)
+# Deprecated group/name - [DEFAULT]/logdir
 #log_dir=<None>
 
 # Use syslog for logging. (boolean value)
@@ -278,7 +335,7 @@ log_config = /etc/openstack/logging.conf
 # Options defined in heat.openstack.common.notifier.rpc_notifier
 #
 
-# AMQP topic used for openstack notifications (list value)
+# AMQP topic used for OpenStack notifications (list value)
 #notification_topics=notifications
 
 
@@ -300,7 +357,7 @@ log_config = /etc/openstack/logging.conf
 
 # The messaging module to use, defaults to kombu. (string
 # value)
-#rpc_backend=
+#rpc_backend=heat.openstack.common.rpc.impl_kombu
 
 # Size of RPC thread pool (integer value)
 rpc_thread_pool_size=<%= node["openstack"]["orchestration"]["rpc_thread_pool_size"] %>
@@ -316,16 +373,16 @@ rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeou
 # by impl_zmq. (integer value)
 #rpc_cast_timeout=30
 
-# Modules of exceptions that are permitted to be recreatedupon
-# receiving exception data from an rpc call. (list value)
-#allowed_rpc_exception_modules=heat.openstack.common.exception,heat.common.exception,nova.exception,cinder.exception,exceptions
+# Modules of exceptions that are permitted to be recreated
+# upon receiving exception data from an rpc call. (list value)
+#allowed_rpc_exception_modules=nova.exception,cinder.exception,exceptions
 
 # If passed, use a fake RabbitMQ provider (boolean value)
 #fake_rabbit=false
 
 # AMQP exchange to connect to if using RabbitMQ or Qpid
 # (string value)
-#control_exchange=openstack
+#control_exchange=heat
 
 
 #
@@ -333,6 +390,7 @@ rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeou
 #
 
 # Use durable queues in amqp. (boolean value)
+# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
 #amqp_durable_queues=false
 
 # Auto-delete queues in amqp. (boolean value)
@@ -357,36 +415,33 @@ rpc_response_timeout=<%= node["openstack"]["orchestration"]["rpc_response_timeou
 # SSL certification authority file (valid only if SSL enabled)
 # (string value)
 #kombu_ssl_ca_certs=
+
 <% if @mq_service_type == "rabbitmq"  %>
+# RabbitMQ HA cluster host:port pairs (list value)
 <% if node["openstack"]["mq"]["orchestration"]["rabbit"]["ha"] -%>
 rabbit_hosts=<%= @rabbit_hosts %>
-#### (ListOpt) RabbitMQ HA cluster host:port pairs
-
-# rabbit_durable_queues=false
-#### (BoolOpt) use durable queues in RabbitMQ
-
-rabbit_ha_queues=True
-#### (BoolOpt) use H/A queues in RabbitMQ (x-ha-policy: all).You need to
-####           wipe RabbitMQ database when changing this option.
 <% else -%>
+# The RabbitMQ broker address where a single node is used
+# (string value)
 rabbit_host=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["host"] %>
-#### (StrOpt) The RabbitMQ broker address where a single node is used
 
+# The RabbitMQ broker port where a single node is used
+# (integer value)
 rabbit_port=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["port"] %>
-#### (IntOpt) The RabbitMQ broker port where a single node is used
 <% end -%>
 
+
 # connect over SSL for RabbitMQ (boolean value)
 rabbit_use_ssl=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["use_ssl"] %>
 
+# the RabbitMQ userid (string value)
 rabbit_userid=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["userid"] %>
-#### (StrOpt) the RabbitMQ userid
 
+# the RabbitMQ password (string value)
 rabbit_password=<%= @mq_password %>
-#### (StrOpt) the RabbitMQ password
 
+# the RabbitMQ virtual host (string value)
 rabbit_virtual_host=<%= node["openstack"]["mq"]["orchestration"]["rabbit"]["vhost"] %>
-#### (StrOpt) the RabbitMQ virtual host
 
 # how frequently to retry connecting with RabbitMQ (integer
 # value)
@@ -500,24 +555,267 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re
 #matchmaker_heartbeat_ttl=600
 
 
-[ssl]
+[auth_password]
 
 #
-# Options defined in heat.openstack.common.sslutils
+# Options defined in heat.common.config
 #
 
-# CA certificate file to use to verify connecting clients
-# (string value)
+# Allow orchestration of multiple clouds. (boolean value)
+#multi_cloud=false
+
+# Allowed keystone endpoints for auth_uri when multi_cloud is
+# enabled. At least one endpoint needs to be specified. (list
+# value)
+#allowed_auth_uris=
+
+
+[clients]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
 #ca_file=<None>
 
-# Certificate file to use when starting the server securely
-# (string value)
+# Optional PEM-formatted certificate chain file. (string
+# value)
 #cert_file=<None>
 
-# Private key file to use when starting the server securely
+# Optional PEM-formatted file that contains the private key.
 # (string value)
 #key_file=<None>
 
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_ceilometer]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_cinder]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_heat]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+# Optional heat url in format like
+# http://0.0.0.0:8004/v1/%(tenant_id)s. (string value)
+#url=<None>
+
+
+[clients_keystone]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_neutron]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_nova]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_swift]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
+
+[clients_trove]
+
+#
+# Options defined in heat.common.config
+#
+
+# Type of endpoint in Identity service catalog to use for
+# communication with the OpenStack service. (string value)
+#endpoint_type=publicURL
+
+# Optional CA cert file to use in SSL connections. (string
+# value)
+#ca_file=<None>
+
+# Optional PEM-formatted certificate chain file. (string
+# value)
+#cert_file=<None>
+
+# Optional PEM-formatted file that contains the private key.
+# (string value)
+#key_file=<None>
+
+# If set, then the server's certificate will not be verified.
+# (boolean value)
+#insecure=false
+
 
 [database]
 
@@ -526,12 +824,9 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re
 #
 
 # The backend to use for db (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
 #backend=sqlalchemy
 
-# Enable the experimental use of thread pooling for all DB API
-# calls (boolean value)
-#use_tpool=false
-
 
 #
 # Options defined in heat.openstack.common.db.sqlalchemy.session
@@ -539,6 +834,9 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re
 
 # The SQLAlchemy connection string used to connect to the
 # database (string value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
 #connection=sqlite:////heat/openstack/common/db/$sqlite_db
 
 # The SQLAlchemy connection string used to connect to the
@@ -547,74 +845,67 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re
 
 # timeout before idle sql connections are reaped (integer
 # value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
 #idle_timeout=3600
 
 # Minimum number of SQL connections to keep open in a pool
 # (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
 #min_pool_size=1
 
 # Maximum number of SQL connections to keep open in a pool
 # (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
 #max_pool_size=<None>
 
 # maximum db connection retries during startup. (setting -1
 # implies an infinite retry count) (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
 #max_retries=10
 
 # interval between retries of opening a sql connection
 # (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
 #retry_interval=10
 
 # If set, use this value for max_overflow with sqlalchemy
 # (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
 #max_overflow=<None>
 
 # Verbosity of SQL debugging information. 0=None,
 # 100=Everything (integer value)
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
 #connection_debug=0
 
 # Add python stack traces to SQL as comment strings (boolean
 # value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
 #connection_trace=false
 
 # If set, use this value for pool_timeout with sqlalchemy
 # (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
 #pool_timeout=<None>
 
 
-[paste_deploy]
-
-#
-# Options defined in heat.common.config
-#
-
-# The flavor to use (string value)
-#flavor=<None>
-
-# The API paste config file to use (string value)
-#api_paste_config=api-paste.ini
-
-
-[rpc_notifier2]
-
-#
-# Options defined in heat.openstack.common.notifier.rpc_notifier2
-#
-
-# AMQP topic(s) used for openstack notifications (list value)
-#topics=notifications
-
-
 [ec2authtoken]
 
 #
 # Options defined in heat.api.aws.ec2token
 #
 
-# Authentication Endpoint URI (string value)
+# Authentication Endpoint URI. (string value)
 #auth_uri=<None>
 
-# Allow orchestration of multiple clouds (boolean value)
+# Allow orchestration of multiple clouds. (boolean value)
 #multi_cloud=false
 
 # Allowed keystone endpoints for auth_uri when multi_cloud is
@@ -623,35 +914,8 @@ qpid_reconnect_interval=<%= node["openstack"]["mq"]["orchestration"]["qpid"]["re
 #allowed_auth_uris=
 
 
-[heat_api_cloudwatch]
-#
-# Options defined in heat.common.wsgi
-#
-
-# Address to bind the server.  Useful when selecting a
-# particular network interface. (string value)
-bind_host=<%= @heat_api_cloudwatch_endpoint.host %>
-
-# The port on which the server will listen. (integer value)
-bind_port=<%= @heat_api_cloudwatch_endpoint.port %>
-
-# Number of backlog requests to configure the socket with
-# (integer value)
-#backlog=4096
-
-# Location of the SSL Certificate File to use for SSL mode
-# (string value)
-#cert_file=<None>
-
-# Location of the SSL Key File to use for enabling SSL mode
-# (string value)
-#key_file=<None>
-
-# Number of workers for Heat service (integer value)
-#workers=0
-
-
 [heat_api]
+
 #
 # Options defined in heat.common.wsgi
 #
@@ -663,23 +927,30 @@ bind_host=<%= @heat_api_endpoint.host %>
 # The port on which the server will listen. (integer value)
 bind_port=<%= @heat_api_endpoint.port %>
 
-# Number of backlog requests to configure the socket with
+# Number of backlog requests to configure the socket with.
 # (integer value)
 #backlog=4096
 
-# Location of the SSL Certificate File to use for SSL mode
+# Location of the SSL certificate file to use for SSL mode.
 # (string value)
 #cert_file=<None>
 
-# Location of the SSL Key File to use for enabling SSL mode
+# Location of the SSL key file to use for enabling SSL mode.
 # (string value)
 #key_file=<None>
 
-# Number of workers for Heat service (integer value)
+# Number of workers for Heat service. (integer value)
 #workers=0
 
+# Maximum line size of message headers to be accepted.
+# max_header_line may need to be increased when using large
+# tokens (typically those generated by the Keystone v3 API
+# with big service catalogs). (integer value)
+#max_header_line=16384
+
 
 [heat_api_cfn]
+
 #
 # Options defined in heat.common.wsgi
 #
@@ -691,23 +962,65 @@ bind_host=<%= @heat_api_cfn_endpoint.host %>
 # The port on which the server will listen. (integer value)
 bind_port=<%= @heat_api_cfn_endpoint.port %>
 
-# Number of backlog requests to configure the socket with
+# Number of backlog requests to configure the socket with.
 # (integer value)
 #backlog=4096
 
-# Location of the SSL Certificate File to use for SSL mode
+# Location of the SSL certificate file to use for SSL mode.
 # (string value)
 #cert_file=<None>
 
-# Location of the SSL Key File to use for enabling SSL mode
+# Location of the SSL key file to use for enabling SSL mode.
 # (string value)
 #key_file=<None>
 
-# Number of workers for Heat service (integer value)
+# Number of workers for Heat service. (integer value)
 #workers=0
 
+# Maximum line size of message headers to be accepted.
+# max_header_line may need to be increased when using large
+# tokens (typically those generated by the Keystone v3 API
+# with big service catalogs). (integer value)
+#max_header_line=16384
+
+
+[heat_api_cloudwatch]
+
+#
+# Options defined in heat.common.wsgi
+#
+
+# Address to bind the server. Useful when selecting a
+# particular network interface. (string value)
+bind_host=<%= @heat_api_cloudwatch_endpoint.host %>
+
+# The port on which the server will listen. (integer value)
+bind_port=<%= @heat_api_cloudwatch_endpoint.port %>
+
+# Number of backlog requests to configure the socket with.
+# (integer value)
+#backlog=4096
+
+# Location of the SSL certificate file to use for SSL mode.
+# (string value)
+#cert_file=<None>
+
+# Location of the SSL key file to use for enabling SSL mode.
+# (string value)
+#key_file=<None>
+
+# Number of workers for Heat service. (integer value)
+#workers=0
+
+# Maximum line size of message headers to be accepted.
+# max_header_line may need to be increased when using large
+# tokens (typically those generated by the Keystone v3 API
+# with big service catalogs.) (integer value)
+#max_header_line=16384
+
 
 [keystone_authtoken]
+
 #
 # Options defined in keystoneclient.middleware.auth_token
 #
@@ -747,12 +1060,6 @@ auth_version=<%= node["openstack"]["orchestration"]["api"]["auth"]["version"] %>
 # with Identity API Server. (integer value)
 #http_request_max_retries=3
 
-# Allows to pass in the name of a fake http_handler callback
-# function used instead of httplib.HTTPConnection or
-# httplib.HTTPSConnection. Useful for unit testing where
-# network is not available. (string value)
-#http_handler=<None>
-
 # Single shared secret with the Keystone configuration used
 # for bootstrapping a Keystone installation, or otherwise
 # bypassing the normal authentication process. (string value)
@@ -788,21 +1095,26 @@ admin_tenant_name=<%= node["openstack"]["orchestration"]["service_tenant_name"]
 
 # Directory used to cache files related to PKI tokens (string
 # value)
-signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] %>
+#signing_dir=<None>
 
-# If defined, the memcache server(s) to use for caching (list
-# value)
+# Optionally specify a list of memcached server(s) to use for
+# caching. If left undefined, tokens will instead be cached
+# in-process. (list value)
+# Deprecated group/name - [DEFAULT]/memcache_servers
 #memcached_servers=<None>
 
-# In order to prevent excessive requests and validations, the
-# middleware uses an in-memory cache for the tokens the
-# Keystone API returns. This is only valid if memcache_servers
-# is defined. Set to -1 to disable caching completely.
-# (integer value)
+# In order to prevent excessive effort spent validating
+# tokens, the middleware caches previously-seen tokens for a
+# configurable duration (in seconds). Set to -1 to disable
+# caching completely. (integer value)
 #token_cache_time=300
 
-# Value only used for unit testing (integer value)
-#revocation_cache_time=1
+# Determines the frequency at which the list of revoked tokens
+# is retrieved from the Identity service (in seconds). A high
+# number of revocation events combined with a low cache
+# duration may significantly reduce performance. (integer
+# value)
+#revocation_cache_time=300
 
 # (optional) if defined, indicate whether token data should be
 # authenticated or authenticated and encrypted. Acceptable
@@ -818,30 +1130,22 @@ signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] %
 # value)
 #memcache_secret_key=<None>
 
+# (optional) indicate whether to set the X-Service-Catalog
+# header. If False, middleware will not ask for service
+# catalog on token validation and will not set the X-Service-
+# Catalog header. (boolean value)
+#include_service_catalog=true
 
-[auth_password]
-
-#
-# Options defined in heat.common.config
-#
-
-# Allow orchestration of multiple clouds (boolean value)
-#multi_cloud=false
-
-# Allowed keystone endpoints for auth_uri when multi_cloud is
-# enabled. At least one endpoint needs to be specified. (list
+# Used to control the use and type of token binding. Can be
+# set to: "disabled" to not check token binding. "permissive"
+# (default) to validate binding information if the bind type
+# is of a form known to the server and ignore it if not.
+# "strict" like "permissive" but if the bind type is unknown
+# the token will be rejected. "required" any form of token
+# binding is needed to be allowed. Finally the name of a
+# binding method that must be present in tokens. (string
 # value)
-#allowed_auth_uris=
-
-
-[matchmaker_ring]
-
-#
-# Options defined in heat.openstack.common.rpc.matchmaker_ring
-#
-
-# Matchmaker ring file (JSON) (string value)
-#ringfile=/etc/oslo/matchmaker_ring.json
+#enforce_token_bind=permissive
 
 
 [matchmaker_redis]
@@ -860,3 +1164,67 @@ signing_dir=<%= node["openstack"]["orchestration"]["api"]["auth"]["cache_dir"] %
 #password=<None>
 
 
+[matchmaker_ring]
+
+#
+# Options defined in heat.openstack.common.rpc.matchmaker_ring
+#
+
+# Matchmaker ring file (JSON) (string value)
+# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
+#ringfile=/etc/oslo/matchmaker_ring.json
+
+
+[paste_deploy]
+
+#
+# Options defined in heat.common.config
+#
+
+# The flavor to use. (string value)
+#flavor=<None>
+
+# The API paste config file to use. (string value)
+#api_paste_config=api-paste.ini
+
+
+[revision]
+
+#
+# Options defined in heat.common.config
+#
+
+# Heat build revision. If you would prefer to manage your
+# build revision separately, you can move this section to a
+# different file and add it as another config option. (string
+# value)
+#heat_revision=unknown
+
+
+[rpc_notifier2]
+
+#
+# Options defined in heat.openstack.common.notifier.rpc_notifier2
+#
+
+# AMQP topic(s) used for OpenStack notifications (list value)
+#topics=notifications
+
+
+[ssl]
+
+#
+# Options defined in heat.openstack.common.sslutils
+#
+
+# CA certificate file to use to verify connecting clients
+# (string value)
+#ca_file=<None>
+
+# Certificate file to use when starting the server securely
+# (string value)
+#cert_file=<None>
+
+# Private key file to use when starting the server securely
+# (string value)
+#key_file=<None>