Refactor config files for essex

The config files for glance have changed quite
a bit between the Diablo and Essex releases of
OpenStack.

This commit refactors the config files.

deployment/puppet/glance/manifests/api.pp

@@ -43,8 +43,8 @@
 #  $swift_store_create_container_on_put - 'False'
 #
 class glance::api(
-  $log_verbose = false,
-  $log_debug = false,
+  $log_verbose = 'False',
+  $log_debug = 'False',
   $default_store = 'file',
   $bind_host = '0.0.0.0',
   $bind_port = '9292',
@@ -56,16 +56,49 @@ class glance::api(
   $swift_store_user = 'jdoe',
   $swift_store_key = 'a86850deb2742ec3cb41518e26aa2d89',
   $swift_store_container = 'glance',
-  $swift_store_create_container_on_put = 'False'
+  $swift_store_create_container_on_put = 'False',
+  $auth_type = 'keystone',
+  $service_protocol = 'http',
+  $service_host = '127.0.0.1',
+  $service_port = '5000',
+  $auth_host = '127.0.0.1',
+  $auth_port = '35357',
+  $auth_protocol = 'http',
+  $auth_uri = "http://127.0.0.1:5000/",
+  $admin_token = '999888777666',
+  # TODO - I should update this to use a glance specific keystone user
+  $keystone_tenant = 'admin',
+  $keystone_user = 'admin',
+  $keystone_password = 'ChangeMe'
 ) inherits glance {
 
-  file { '/etc/glance/glance-api.conf':
+  # TODO I need to work with Chris to ensure that I understand
+  # his auth requirements
+  if($auth_type == 'keystone') {
+    $context_type = 'context'
+  } else {
+    $context_type = 'auth-context'
+  }
+
+  File {
     ensure  => present,
     owner   => 'glance',
     group   => 'root',
     mode    => '0640',
+    notify  => Service['glance-api'],
+    require => Class['glance'],
+  }
+
+  file { '/etc/glance/glance-api.conf':
     content => template('glance/glance-api.conf.erb'),
-    require => Class['glance']
+  }
+
+  file { '/etc/glance/glance-api-paste.ini':
+    content => template('glance/glance-api-paste.ini.erb'),
+  }
+
+  file { '/etc/glance/glance-cache.conf':
+    content => template('glance/glance-cache.conf.erb'),
   }
 
   service { 'glance-api':

deployment/puppet/glance/manifests/keystone/auth.pp

@@ -0,0 +1,31 @@
+class glance::keystone::auth(
+  $auth_name = 'glance',
+  $password  = 'glance_password',
+  $service   = 'image',
+  $address   = '127.0.0.1',
+  $port      = '9292'
+) {
+
+  Class['keystone::roles::admin'] -> Class['glance::keystone::auth']
+
+  keystone_user { $auth_name:
+    ensure   => present, 
+    password => $password,
+  }
+  keystone_user_role { "${auth_name}@service":
+    roles   => 'admin',
+    require => Keystone_user[$auth_name]
+  }
+  keystone_service { $auth_name:
+    type        => 'image',
+    description => "Openstack Image Service",
+  }
+  keystone_endpoint { $auth_name:
+    region       => 'RegionOne',
+    public_url   => "http://${address}:${port}/v1",
+    admin_url    => "http://${address}:${port}/v1",
+    internal_url => "http://${address}:${port}/v1",
+    require      => Keystone_service[$auth_name]
+  } 
+
+}

deployment/puppet/glance/manifests/registry.pp

@@ -1,22 +1,48 @@
 class glance::registry(
-  $log_verbose = false,
-  $log_debug = false,
+  $log_verbose = 'False',
+  $log_debug = 'False',
   $bind_host = '0.0.0.0',
   $bind_port = '9191',
   $log_file = '/var/log/glance/registry.log',
   $sql_connection = 'sqlite:///var/lib/glance/glance.sqlite',
-  $sql_idle_timeout = '3600'
+  $sql_idle_timeout = '3600',
+  $auth_type = 'keystone',
+  $service_protocol = 'http',
+  $service_host = '127.0.0.1',
+  $service_port = '5000',
+  $auth_host = '127.0.0.1',
+  $auth_port = '35357',
+  $auth_protocol = 'http',
+  $auth_uri = 'http://127.0.0.1:5000/',
+  $admin_token = '999888777666',
+  $keystone_tenant = 'admin',
+  $keystone_user = 'admin',
+  $keystone_password = 'ChangeMe'
 ) inherits glance {
 
-  file { '/etc/glance/glance-registry.conf':
+  if($auth_type == 'keystone') {
+    $context_type = 'context'
+  } else {
+    $context_type = 'auth-context'
+  }
+
+  File {
     ensure  => present,
     owner   => 'glance',
     group   => 'root',
     mode    => '0640',
-    content => template('glance/glance-registry.conf.erb'),
+    notify  => Service['glance-registry'],
     require => Class['glance']
   }
 
+  file { '/etc/glance/glance-registry.conf':
+    content => template('glance/glance-registry.conf.erb'),
+  }
+
+  file { '/etc/glance/glance-registry-paste.ini':
+    content => template('glance/glance-registry-paste.ini.erb'),
+  }
+
   service { 'glance-registry':
     name       => $::glance::params::registry_service_name,
     ensure     => running,

deployment/puppet/glance/manifests/scrubber.pp

@@ -0,0 +1,5 @@
+class glance::scrubber (
+
+) {
+  fail("glance::scrubber needs to be implemented")
+}

deployment/puppet/glance/templates/glance-api-paste.ini.erb

@@ -0,0 +1,87 @@
+# Default minimal pipeline
+[pipeline:glance-api]
+pipeline = versionnegotiation context apiv1app
+
+# Use the following pipeline for keystone auth
+# i.e. in glance-api.conf:
+#   [paste_deploy]
+#   flavor = keystone
+#
+[pipeline:glance-api-keystone]
+pipeline = versionnegotiation authtoken <%= context_type %> apiv1app
+
+# Use the following pipeline to enable transparent caching of image files
+# i.e. in glance-api.conf:
+#   [paste_deploy]
+#   flavor = caching
+#
+[pipeline:glance-api-caching]
+pipeline = versionnegotiation context cache apiv1app
+
+# Use the following pipeline for keystone auth with caching
+# i.e. in glance-api.conf:
+#   [paste_deploy]
+#   flavor = keystone+caching
+#
+[pipeline:glance-api-keystone+caching]
+pipeline = versionnegotiation authtoken <%= context_type %> cache apiv1app
+
+# Use the following pipeline to enable the Image Cache Management API
+# i.e. in glance-api.conf:
+#   [paste_deploy]
+#   flavor = cachemanagement
+#
+[pipeline:glance-api-cachemanagement]
+pipeline = versionnegotiation context cache cachemanage apiv1app
+
+# Use the following pipeline for keystone auth with cache management
+# i.e. in glance-api.conf:
+#   [paste_deploy]
+#   flavor = keystone+cachemanagement
+#
+[pipeline:glance-api-keystone+cachemanagement]
+pipeline = versionnegotiation authtoken <%= context_type %> cache cachemanage apiv1app
+
+[app:apiv1app]
+paste.app_factory = glance.common.wsgi:app_factory
+glance.app_factory = glance.api.v1.router:API
+
+[filter:versionnegotiation]
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter
+
+[filter:cache]
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = glance.api.middleware.cache:CacheFilter
+
+[filter:cachemanage]
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter
+
+[filter:context]
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = glance.common.context:ContextMiddleware
+
+[filter:authtoken]
+paste.filter_factory = keystone.middleware.auth_token:filter_factory
+service_protocol = <%= service_protocol %>
+service_host = <%= service_host %>
+service_port = <%= service_port %>
+auth_host = <%= auth_host %>
+auth_port = <%= auth_port %>
+auth_protocol = <%= auth_protocol %>
+auth_uri = <%= auth_uri %>
+<% if auth_type == 'keystone' -%>
+admin_tenant_name = <%= keystone_tenant %>
+admin_user = <%= keystone_user %>
+admin_password = <%= keystone_password %>
+<% else -%>
+admin_token = <%= admin_token %>
+<% end -%>
+
+<% if context_type == 'auth-context' -%>
+[filter:auth-context]
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = keystone.middleware.glance_auth_token:KeystoneContextMiddleware
+<% end -%>
+

deployment/puppet/glance/templates/glance-api.conf-sample

@@ -1,67 +0,0 @@
-[DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = True
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = False
-
-# Which backend store should Glance use by default is not specified
-# in a request to add a new image to Glance? Default: 'file'
-# Available choices are 'file', 'swift', and 's3'
-default_store = file
-
-# Address to bind the API server
-bind_host = 0.0.0.0
-
-# Port the bind the API server to
-bind_port = 9292
-
-# Address to find the registry server
-registry_host = 0.0.0.0
-
-# Port the registry server is listening on
-registry_port = 9191
-
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
-log_file = /var/log/glance/api.log
-
-# ============ Filesystem Store Options ========================
-
-# Directory that the Filesystem backend store
-# writes image data to
-filesystem_store_datadir = /var/lib/glance/images/
-
-# ============ Swift Store Options =============================
-
-# Address where the Swift authentication service lives
-swift_store_auth_address = 127.0.0.1:8080/v1.0/
-
-# User to authenticate against the Swift authentication service
-swift_store_user = jdoe
-
-# Auth key for the user authenticating against the
-# Swift authentication service
-swift_store_key = a86850deb2742ec3cb41518e26aa2d89
-
-# Container within the account that the account should use
-# for storing images in Swift
-swift_store_container = glance
-
-# Do we create the container if it does not exist?
-swift_store_create_container_on_put = False
-
-[pipeline:glance-api]
-pipeline = versionnegotiation apiv1app
-
-[pipeline:versions]
-pipeline = versionsapp
-
-[app:versionsapp]
-paste.app_factory = glance.api.versions:app_factory
-
-[app:apiv1app]
-paste.app_factory = glance.api.v1:app_factory
-
-[filter:versionnegotiation]
-paste.filter_factory = glance.api.middleware.version_negotiation:filter_factory

deployment/puppet/glance/templates/glance-api.conf.erb

@@ -16,15 +16,113 @@ bind_host = <%= bind_host %>
 # Port the bind the API server to
 bind_port = <%= bind_port %>
 
+# Log to this file. Make sure you do not set the same log
+# file for both the API and registry servers!
+log_file = <%= log_file %>
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# Number of Glance API worker processes to start.
+# On machines with more than one CPU increasing this value
+# may improve performance (especially if using SSL with
+# compression turned on). It is typically recommended to set
+# this value to the number of CPUs present on your machine.
+workers = 0
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL0
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting API server securely
+# cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+# key_file = /path/to/keyfile
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+# metadata_encryption_key = <16, 24 or 32 char registry metadata key>
+
+# ============ Registry Options ===============================
+
 # Address to find the registry server
 registry_host = <%= registry_host %>
 
 # Port the registry server is listening on
 registry_port = <%= registry_port %>
 
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
-log_file = <%= log_file %>
+# What protocol to use when connecting to the registry server?
+# Set to https for secure HTTP communication
+registry_client_protocol = http
+
+# The path to the key file to use in SSL connections to the
+# registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
+# registry_client_key_file = /path/to/key/file
+
+# The path to the cert file to use in SSL connections to the
+# registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
+# registry_client_cert_file = /path/to/cert/file
+
+# The path to the certifying authority cert file to use in SSL connections
+# to the registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
+# registry_client_ca_file = /path/to/ca/file
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when images are create, updated or deleted.
+# There are three methods of sending notifications, logging (via the
+# log_file directive), rabbit (via a rabbitmq queue), qpid (via a Qpid
+# message queue), or noop (no notifications sent, the default)
+notifier_strategy = noop
+
+# TODO add event queue support
+# Configuration options if sending notifications via rabbitmq (these are
+# the defaults)
+#rabbit_host = localhost
+#rabbit_port = 5672
+#rabbit_use_ssl = false
+#rabbit_userid = guest
+#rabbit_password = guest
+#rabbit_virtual_host = /
+#rabbit_notification_exchange = glance
+#rabbit_notification_topic = glance_notifications
+
+# Configuration options if sending notifications via Qpid (these are
+# the defaults)
+#qpid_notification_exchange = glance
+#qpid_notification_topic = glance_notifications
+#qpid_host = localhost
+#qpid_port = 5672
+#qpid_username =
+#qpid_password =
+#qpid_sasl_mechanisms =
+#qpid_reconnect_timeout = 0
+#qpid_reconnect_limit = 0
+#qpid_reconnect_interval_min = 0
+#qpid_reconnect_interval_max = 0
+#qpid_reconnect_interval = 0
+#qpid_heartbeat = 5
+# Set to 'ssl' to enable SSL
+#qpid_protocol = tcp
+#qpid_tcp_nodelay = True
+
 
 # ============ Filesystem Store Options ========================
 
@@ -51,20 +149,92 @@ swift_store_container = <%= swift_store_container %>
 # Do we create the container if it does not exist?
 swift_store_create_container_on_put = <%= swift_store_create_container_on_put %>
 
-[pipeline:glance-api]
-pipeline = versionnegotiation context apiv1app
 
-[pipeline:versions]
-pipeline = versionsapp
+# What size, in MB, should Glance start chunking image files
+# and do a large object manifest in Swift? By default, this is
+# the maximum object size in Swift, which is 5GB
+swift_store_large_object_size = 5120
 
-[app:versionsapp]
-paste.app_factory = glance.api.versions:app_factory
+# When doing a large object manifest, what size, in MB, should
+# Glance write chunks to Swift? This amount of data is written
+# to a temporary disk buffer during the process of chunking
+# the image file, and the default is 200MB
+swift_store_large_object_chunk_size = 200
 
-[app:apiv1app]
-paste.app_factory = glance.api.v1:app_factory
+# Whether to use ServiceNET to communicate with the Swift storage servers.
+# (If you aren't RACKSPACE, leave this False!)
+#
+# To use ServiceNET for authentication, prefix hostname of
+# `swift_store_auth_address` with 'snet-'.
+# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
+swift_enable_snet = False
 
-[filter:versionnegotiation]
-paste.filter_factory = glance.api.middleware.version_negotiation:filter_factory
+# ============ S3 Store Options =============================
 
-[filter:context]
-paste.filter_factory = glance.common.context:filter_factory
+# Address where the S3 authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified,  default to 'http://'
+s3_store_host = 127.0.0.1:8080/v1.0/
+
+# User to authenticate against the S3 authentication service
+s3_store_access_key = <20-char AWS access key>
+
+# Auth key for the user authenticating against the
+# S3 authentication service
+s3_store_secret_key = <40-char AWS secret key>
+
+# Container within the account that the account should use
+# for storing images in S3. Note that S3 has a flat namespace,
+# so you need a unique bucket name for your glance images. An
+# easy way to do this is append your AWS access key to "glance".
+# S3 buckets in AWS *must* be lowercased, so remember to lowercase
+# your AWS access key if you use it in your bucket name below!
+s3_store_bucket = <lowercased 20-char aws access key>glance
+
+# Do we create the bucket if it does not exist?
+s3_store_create_bucket_on_put = False
+
+# When sending images to S3, the data will first be written to a
+# temporary buffer on disk. By default the platform's temporary directory
+# will be used. If required, an alternative directory can be specified here.
+# s3_store_object_buffer_dir = /path/to/dir
+
+# ============ RBD Store Options =============================
+
+# Ceph configuration file path
+# If using cephx authentication, this file should
+# include a reference to the right keyring
+# in a client.<USER> section
+rbd_store_ceph_conf = /etc/ceph/ceph.conf
+
+# RADOS user to authenticate as (only applicable if using cephx)
+rbd_store_user = glance
+
+# RADOS pool in which images are stored
+rbd_store_pool = images
+
+# Images will be chunked into objects of this size (in megabytes).
+# For best performance, this should be a power of two
+rbd_store_chunk_size = 8
+
+# ============ Delayed Delete Options =============================
+
+# Turn on/off delayed delete
+delayed_delete = False
+
+# Delayed delete time in seconds
+scrub_time = 43200
+
+# Directory that the scrubber will use to remind itself of what to delete
+# Make sure this is also set in glance-scrubber.conf
+scrubber_datadir = /var/lib/glance/scrubber
+
+# =============== Image Cache Options =============================
+
+# Base directory that the Image Cache uses
+image_cache_dir = /var/lib/glance/image-cache/
+
+<% if auth_type == 'keystone' -%>
+[paste_deploy]
+flavor = keystone
+<% end -%>

deployment/puppet/glance/templates/glance-cache.conf.erb

@@ -0,0 +1,45 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+verbose = <%= log_verbose %>
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = <%= log_debug %>
+
+log_file = /var/log/glance/image-cache.log
+
+# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
+use_syslog = False
+
+# Directory that the Image Cache writes data to
+image_cache_dir = /var/lib/glance/image-cache/
+
+# Number of seconds after which we should consider an incomplete image to be
+# stalled and eligible for reaping
+image_cache_stall_time = 86400
+
+# image_cache_invalid_entry_grace_period - seconds
+#
+# If an exception is raised as we're writing to the cache, the cache-entry is
+# deemed invalid and moved to <image_cache_datadir>/invalid so that it can be
+# inspected for debugging purposes.
+#
+# This is number of seconds to leave these invalid images around before they
+# are elibible to be reaped.
+image_cache_invalid_entry_grace_period = 3600
+
+# Max cache size in bytes
+image_cache_max_size = 10737418240
+
+# Address to find the registry server
+registry_host = <%= registry_host %>
+
+# Port the registry server is listening on
+registry_port = <%= registry_port %>
+
+<% if auth_type == 'keystone' -%>
+# Auth settings if using Keystone
+auth_url = http://127.0.0.1:5000/v2.0/
+admin_tenant_name = <%= keystone_tenant %>
+admin_user = <%= keystone_user %>
+admin_password = <%= keystone_password %>
+<% end -%>

deployment/puppet/glance/templates/glance-registry-paste.ini.erb

@@ -0,0 +1,44 @@
+# Default minimal pipeline
+[pipeline:glance-registry]
+pipeline = context registryapp
+
+# Use the following pipeline for keystone auth
+# i.e. in glance-registry.conf:
+#   [paste_deploy]
+#   flavor = keystone
+
+[pipeline:glance-registry-keystone]
+pipeline = authtoken <%= context_type %> registryapp
+
+[app:registryapp]
+paste.app_factory = glance.common.wsgi:app_factory
+glance.app_factory = glance.registry.api.v1:API
+
+[filter:context]
+context_class = glance.registry.context.RequestContext
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = glance.common.context:ContextMiddleware
+
+[filter:authtoken]
+paste.filter_factory = keystone.middleware.auth_token:filter_factory
+service_protocol = <%= service_protocol %>
+service_host = <%= service_host %>
+service_port = <%= service_port %>
+auth_host = <%= auth_host %>
+auth_port = <%= auth_port %>
+auth_protocol = <%= auth_protocol %>
+auth_uri = <%= auth_uri %>
+<% if auth_type == 'keystone' -%>
+admin_tenant_name = <%= keystone_tenant %>
+admin_user = <%= keystone_user %>
+admin_password = <%= keystone_password %>
+<% else -%>
+admin_token = <%= admin_token %>
+<% end -%>
+
+<% if context_type == 'auth-context' -%>
+[filter:auth-context]
+context_class = glance.registry.context.RequestContext
+paste.filter_factory = glance.common.wsgi:filter_factory
+glance.filter_factory = keystone.middleware.glance_auth_token:KeystoneContextMiddleware
+<% end -%>

deployment/puppet/glance/templates/glance-registry.conf-sample

@@ -1,33 +0,0 @@
-[DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = True
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = False
-
-# Address to bind the registry server
-bind_host = 0.0.0.0
-
-# Port the bind the registry server to
-bind_port = 9191
-
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
-log_file = /var/log/glance/registry.log
-
-# SQLAlchemy connection string for the reference implementation
-# registry server. Any valid SQLAlchemy connection string is fine.
-# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
-sql_connection = sqlite:///glance.sqlite
-
-# Period in seconds after which SQLAlchemy should reestablish its connection
-# to the database.
-#
-# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
-# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
-# notice this, you can lower this value to ensure that SQLAlchemy reconnects
-# before MySQL can drop the connection.
-sql_idle_timeout = 3600
-
-[app:glance-registry]
-paste.app_factory = glance.registry.server:app_factory

deployment/puppet/glance/templates/glance-registry.conf.erb

@@ -15,6 +15,9 @@ bind_port = <%= bind_port %>
 # file for both the API and registry servers!
 log_file = <%= log_file %>
 
+# Backlog requests when creating socket
+backlog = 4096
+
 # SQLAlchemy connection string for the reference implementation
 # registry server. Any valid SQLAlchemy connection string is fine.
 # See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
@@ -29,12 +32,32 @@ sql_connection = <%= sql_connection %>
 # before MySQL can drop the connection.
 sql_idle_timeout = <%= sql_idle_timeout %>
 
-[pipeline:glance-registry]
-pipeline = context registryapp
+# Limit the api to return `param_limit_max` items in a call to a container. If
+# a larger `limit` query param is provided, it will be reduced to this value.
+api_limit_max = 1000
 
-[app:registryapp]
-paste.app_factory = glance.registry.server:app_factory
+# If a `limit` query param is not provided in an api request, it will
+# default to `limit_param_default`
+limit_param_default = 25
 
-[filter:context]
-context_class = glance.registry.context.RequestContext
-paste.filter_factory = glance.common.context:filter_factory
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL1
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting registry server securely
+# cert_file = /path/to/certfile
+
+# Private key file to use when starting registry server securely
+# key_file = /path/to/keyfile
+
+<% if auth_type == 'keystone' -%>
+[paste_deploy]
+flavor = keystone
+<% end -%>