From b3ff5046dd636a8b008be229053841021b8e9988 Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Mon, 10 Aug 2015 08:51:58 +0300
Subject: [PATCH] cleanup configs

Change-Id: I1eebc28d5965a7ce4ad817bdec280ef9f17be1fd
---
 devstack/plugin.sh | 14 +-
 etc/ec2api/api-paste.ini | 10 -
 etc/ec2api/ec2api.conf.sample | 478 ----------------------------------
 3 files changed, 1 insertion(+), 501 deletions(-)
 delete mode 100644 etc/ec2api/ec2api.conf.sample

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 107d99a5..711e8e59 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -161,8 +161,7 @@ function configure_ec2api {
 mkdir_chown_stack "$EC2API_CONF_DIR"
 
 # Generate ec2api configuration file and configure common parameters.
- oslo-config-generator --namespace keystonemiddleware.auth_token \
- --namespace ec2api \
+ oslo-config-generator --namespace ec2api \
 --namespace oslo.db \
 --namespace oslo.messaging \
 > $EC2API_CONF_FILE
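Review bot: The redirect `> $EC2API_CONF_FILE` that closes this generator call creates the config file with whatever umask the script inherits, and the same function then writes a credential into it (`iniset $EC2API_CONF_FILE DEFAULT admin_password $SERVICE_PASSWORD`, visible as context in the next hunk). Nothing in the visible lines narrows the file mode, so unless that happens elsewhere in `configure_ec2api`, add `chmod 0600 "$EC2API_CONF_FILE"` right after the generator call, or `0640` if the service needs group read. The redirect target is also unquoted, unlike `"$EC2API_CONF_DIR"` at the top of the hunk; `> "$EC2API_CONF_FILE"` keeps the two consistent. The body of `configure_ec2api` starts and ends outside this hunk.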
@@ -178,17 +177,6 @@ function configure_ec2api { # ec2api Api Configuration #------------------------- - # Setup keystone_authtoken section - iniset $EC2API_CONF_FILE keystone_authtoken auth_uri "http://${KEYSTONE_AUTH_HOST}:5000/v2.0" - iniset $EC2API_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST - iniset $EC2API_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT - iniset $EC2API_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL - iniset $EC2API_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA - iniset $EC2API_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME - iniset $EC2API_CONF_FILE keystone_authtoken admin_user $EC2API_ADMIN_USER - iniset $EC2API_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD - iniset $EC2API_CONF_FILE keystone_authtoken signing_dir $EC2API_KEYSTONE_SIGNING_DIR - iniset $EC2API_CONF_FILE DEFAULT admin_tenant_name $SERVICE_TENANT_NAME iniset $EC2API_CONF_FILE DEFAULT admin_user $EC2API_ADMIN_USER iniset $EC2API_CONF_FILE DEFAULT admin_password $SERVICE_PASSWORD diff --git a/etc/ec2api/api-paste.ini b/etc/ec2api/api-paste.ini index 42a97321..010c94b9 100644 --- a/etc/ec2api/api-paste.ini +++ b/etc/ec2api/api-paste.ini @@ -37,13 +37,3 @@ pipeline = ec2apifaultwrap logrequest metaapp [app:metaapp] paste.app_factory = ec2api.metadata:MetadataRequestHandler.factory - -########## -# Shared # -########## - -[filter:keystonecontext] -paste.filter_factory = ec2api.api.auth:EC2KeystoneContext.factory - -[filter:authtoken] -paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory diff --git a/etc/ec2api/ec2api.conf.sample b/etc/ec2api/ec2api.conf.sample deleted file mode 100644 index 5093fed0..00000000 --- a/etc/ec2api/ec2api.conf.sample +++ /dev/null 
@@ -1,478 +0,0 @@ -[DEFAULT] - -# -# Options defined in ec2api.context -# - -# Admin user (string value) -#admin_user= - -# Admin password (string value) -#admin_password= - -# Admin tenant name (string value) -#admin_tenant_name= - - -# -# Options defined in ec2api.exception -# - -# Make exception message format errors fatal (boolean value) -#fatal_exception_format_errors=false - - -# -# Options defined in ec2api.paths -# - -# Directory where the ec2api python module is installed -# (string value) -#pybasedir=/home/apavlov/stackforge/ec2-api - -# Directory where ec2api binaries are installed (string value) -#bindir=/usr/local/bin - -# Top-level directory for maintaining ec2api's state (string -# value) -#state_path=$pybasedir - - -# -# Options defined in ec2api.service -# - -# The IP address on which the EC2 API will listen. (string -# value) -#ec2api_listen=0.0.0.0 - -# The port on which the EC2 API will listen. (integer value) -#ec2api_listen_port=8788 - -# Enable ssl connections or not for EC2 API (boolean value) -#ec2api_use_ssl=false - -# Number of workers for EC2 API service. The default will be -# equal to the number of CPUs available. (integer value) -#ec2api_workers= - -# The IP address on which the metadata API will listen. -# (string value) -#metadata_listen=0.0.0.0 - -# The port on which the metadata API will listen. (integer -# value) -#metadata_listen_port=8789 - -# Enable ssl connections or not for EC2 API Metadata (boolean -# value) -#metadata_use_ssl=false - -# Number of workers for metadata service. The default will be -# the number of CPUs available. 
(integer value) -#metadata_workers= - -# Maximum time since last check-in for up service (integer -# value) -#service_down_time=60 - - -# -# Options defined in ec2api.utils -# - -# Explicitly specify the temporary working directory (string -# value) -#tempdir= - - -# -# Options defined in ec2api.wsgi -# - -# File name for the paste.deploy config for ec2api (string -# value) -#api_paste_config=api-paste.ini - -# A python format string that is used as the template to -# generate log lines. The following values can be formatted -# into it: client_ip, date_time, request_line, status_code, -# body_length, wall_seconds. (string value) -#wsgi_log_format=%(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f - -# CA certificate file to use to verify connecting clients -# (string value) -#ssl_ca_file= - -# SSL certificate of API server (string value) -#ssl_cert_file= - -# SSL private key of API server (string value) -#ssl_key_file= - -# Sets the value of TCP_KEEPIDLE in seconds for each server -# socket. Not supported on OS X. (integer value) -#tcp_keepidle=600 - -# Size of the pool of greenthreads used by wsgi (integer -# value) -#wsgi_default_pool_size=1000 - -# Maximum line size of message headers to be accepted. -# max_header_line may need to be increased when using large -# tokens (typically those generated by the Keystone v3 API -# with big service catalogs). (integer value) -#max_header_line=16384 - - -# -# Options defined in ec2api.api -# - -# URL to get token from ec2 request. (string value) -#keystone_url=http://localhost:5000/v2.0 - -# URL to get token from ec2 request. (string value) -#keystone_ec2_tokens_url=$keystone_url/ec2tokens - -# Time in seconds before ec2 timestamp expires (integer value) -#ec2_timestamp_expiry=300 - - -# -# Options defined in ec2api.api.auth -# - -# whether to use per-user rate limiting for the api. 
(boolean -# value) -#api_rate_limit=false - -# Treat X-Forwarded-For as the canonical remote address. Only -# enable this if you have a sanitizing proxy. (boolean value) -#use_forwarded_for=false - - -# -# Options defined in ec2api.api.availability_zone -# - -# The availability_zone to show internal services under -# (string value) -#internal_service_availability_zone=internal - -# IP address of this host (string value) -#my_ip=10.0.0.1 - -# The IP address of the EC2 API server (string value) -#ec2_host=$my_ip - -# The port of the EC2 API server (integer value) -#ec2_port=8788 - -# The protocol to use when connecting to the EC2 API server -# (http, https) (string value) -#ec2_scheme=http - -# The path prefix used to call the ec2 API server (string -# value) -#ec2_path=/ - -# List of region=fqdn pairs separated by commas (list value) -#region_list= - - -# -# Options defined in ec2api.api.common -# - -# True if server supports Neutron for full VPC access (boolean -# value) -#full_vpc_support=true - - -# -# Options defined in ec2api.api.dhcp_options -# - -# MTU size to set by DHCP for instances. Corresponds with the -# network_device_mtu in ec2api.conf. 
(integer value) -#network_device_mtu=1500 - - -# -# Options defined in ec2api.api.image -# - -# The topic cert nodes listen on (string value) -#cert_topic=cert - -# Parent directory for tempdir used for image decryption -# (string value) -#image_decryption_dir=/tmp - -# Hostname or IP for OpenStack to use when accessing the S3 -# api (string value) -#s3_host=$my_ip - -# Port used when accessing the S3 api (integer value) -#s3_port=3334 - -# Whether to use SSL when talking to S3 (boolean value) -#s3_use_ssl=false - -# Whether to affix the tenant id to the access key when -# downloading from S3 (boolean value) -#s3_affix_tenant=false - - -# -# Options defined in ec2api.api.instance -# - -# Return the IP address as private dns hostname in describe -# instances (boolean value) -#ec2_private_dns_show_ip=false - - -# -# Options defined in ec2api.api.internet_gateway -# - -# Name of the external network, which is used to connectVPCs -# to Internet and to allocate Elastic IPs (string value) -#external_network= - - -# -# Options defined in ec2api.s3.s3server -# - -# Path to S3 buckets (string value) -#buckets_path=$state_path/buckets - -# IP address for S3 API to listen (string value) -#s3_listen=0.0.0.0 - -# Port for S3 API to listen (integer value) -#s3_listen_port=3334 - - -[None] - -# -# Options defined in ec2api.openstack.common.eventlet_backdoor -# - -# Enable eventlet backdoor. Acceptable values are 0, , -# and :, where 0 results in listening on a random -# tcp port number; results in listening on the -# specified port number (and not enabling backdoor if that -# port is in use); and : results in listening on -# the smallest unused port number within the specified range -# of port numbers. The chosen port is displayed in the -# service's log file. 
(string value) -#backdoor_port= - - -[database] - -# -# Options defined in ec2api.db.api -# - -# Enable the experimental use of thread pooling for all DB API -# calls (boolean value) -# Deprecated group/name - [DEFAULT]/dbapi_use_tpool -#use_tpool=false - - -[keystone_authtoken] - -# -# Options defined in keystoneclient.middleware.auth_token -# - -# Prefix to prepend at the beginning of the path. Deprecated, -# use identity_uri. (string value) -#auth_admin_prefix= - -# Host providing the admin Identity API endpoint. Deprecated, -# use identity_uri. (string value) -#auth_host=127.0.0.1 - -# Port of the admin Identity API endpoint. Deprecated, use -# identity_uri. (integer value) -#auth_port=35357 - -# Protocol of the admin Identity API endpoint (http or https). -# Deprecated, use identity_uri. (string value) -#auth_protocol=https - -# Complete public Identity API endpoint (string value) -#auth_uri= - -# Complete admin Identity API endpoint. This should specify -# the unversioned root endpoint e.g. https://localhost:35357/ -# (string value) -#identity_uri= - -# API version of the admin Identity API endpoint (string -# value) -#auth_version= - -# Do not handle authorization requests within the middleware, -# but delegate the authorization decision to downstream WSGI -# components (boolean value) -#delay_auth_decision=false - -# Request timeout value for communicating with Identity API -# server. (boolean value) -#http_connect_timeout= - -# How many times are we trying to reconnect when communicating -# with Identity API Server. (integer value) -#http_request_max_retries=3 - -# This option is deprecated and may be removed in a future -# release. Single shared secret with the Keystone -# configuration used for bootstrapping a Keystone -# installation, or otherwise bypassing the normal -# authentication process. This option should not be used, use -# `admin_user` and `admin_password` instead. 
(string value) -#admin_token= - -# Keystone account username (string value) -#admin_user= - -# Keystone account password (string value) -#admin_password= - -# Keystone service account tenant name to validate user tokens -# (string value) -#admin_tenant_name=admin - -# Env key for the swift cache (string value) -#cache= - -# Required if Keystone server requires client certificate -# (string value) -#certfile= - -# Required if Keystone server requires client certificate -# (string value) -#keyfile= - -# A PEM encoded Certificate Authority to use when verifying -# HTTPs connections. Defaults to system CAs. (string value) -#cafile= - -# Verify HTTPS connections. (boolean value) -#insecure=false - -# Directory used to cache files related to PKI tokens (string -# value) -#signing_dir= - -# Optionally specify a list of memcached server(s) to use for -# caching. If left undefined, tokens will instead be cached -# in-process. (list value) -# Deprecated group/name - [DEFAULT]/memcache_servers -#memcached_servers= - -# In order to prevent excessive effort spent validating -# tokens, the middleware caches previously-seen tokens for a -# configurable duration (in seconds). Set to -1 to disable -# caching completely. (integer value) -#token_cache_time=300 - -# Determines the frequency at which the list of revoked tokens -# is retrieved from the Identity service (in seconds). A high -# number of revocation events combined with a low cache -# duration may significantly reduce performance. (integer -# value) -#revocation_cache_time=10 - -# (optional) if defined, indicate whether token data should be -# authenticated or authenticated and encrypted. Acceptable -# values are MAC or ENCRYPT. If MAC, token data is -# authenticated (with HMAC) in the cache. If ENCRYPT, token -# data is encrypted and authenticated in the cache. If the -# value is not one of these options or empty, auth_token will -# raise an exception on initialization. 
(string value) -#memcache_security_strategy= - -# (optional, mandatory if memcache_security_strategy is -# defined) this string is used for key derivation. (string -# value) -#memcache_secret_key= - -# (optional) indicate whether to set the X-Service-Catalog -# header. If False, middleware will not ask for service -# catalog on token validation and will not set the X-Service- -# Catalog header. (boolean value) -#include_service_catalog=true - -# Used to control the use and type of token binding. Can be -# set to: "disabled" to not check token binding. "permissive" -# (default) to validate binding information if the bind type -# is of a form known to the server and ignore it if not. -# "strict" like "permissive" but if the bind type is unknown -# the token will be rejected. "required" any form of token -# binding is needed to be allowed. Finally the name of a -# binding method that must be present in tokens. (string -# value) -#enforce_token_bind=permissive - -# If true, the revocation list will be checked for cached -# tokens. This requires that PKI tokens are configured on the -# Keystone server. (boolean value) -#check_revocations_for_cached=false - -# Hash algorithms to use for hashing PKI tokens. This may be a -# single algorithm or multiple. The algorithms are those -# supported by Python standard hashlib.new(). The hashes will -# be tried in the order given, so put the preferred one first -# for performance. The result of the first hash will be stored -# in the cache. This will typically be set to multiple values -# only while migrating from a less secure algorithm to a more -# secure one. Once all the old tokens are expired this option -# should be set to a single value for better performance. -# (list value) -#hash_algorithms=md5 - - -[metadata] - -# -# Options defined in ec2api.metadata -# - -# IP address used by Nova metadata server. (string value) -#nova_metadata_ip=127.0.0.1 - -# TCP Port used by Nova metadata server. 
(integer value) -#nova_metadata_port=8775 - -# Protocol to access nova metadata, http or https (string -# value) -#nova_metadata_protocol=http - -# Allow to perform insecure SSL (https) requests to nova -# metadata (boolean value) -#nova_metadata_insecure=false - -# Certificate Authority public key (CA cert) file for ssl -# (string value) -#auth_ca_cert= - -# Client certificate for nova metadata api server. (string -# value) -#nova_client_cert= - -# Private key of client certificate. (string value) -#nova_client_priv_key= - -# Shared secret to sign instance-id request (string value) -#metadata_proxy_shared_secret= - -