Define default settings explicitly (openstack_auth)

This commit also moves descriptions of settings defined in openstack_auth from openstack_dashboard/settings.py and local_settings.py(.example) to openstack_auth/settings.py. Note that if openstack_dashboard has different default settings from openstack_auth defaults, they are now moved to openstack_dashboard/defaults.py. Part of blueprint ini-based-configuration Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
2019-04-14 07:55:38 +09:00 · 2019-04-14 07:55:38 +09:00 · e56e076ea8
commit e56e076ea8
parent a629d100be
12 changed files with 265 additions and 250 deletions
--- a/horizon/test/settings.py
+++ b/horizon/test/settings.py
@ -19,6 +19,7 @@
 import os
 import socket
 from openstack_auth.defaults import *  # noqa: F403,H303
 from openstack_dashboard.utils import settings as settings_utils
 socket.setdefaulttimeout(1)
--- a/openstack_auth/backend.py
+++ b/openstack_auth/backend.py
@ -44,14 +44,8 @@ class KeystoneBackend(object):
    @property
    def auth_plugins(self):
        if self._auth_plugins is None:
-            plugins = getattr(
+            plugins = settings.AUTHENTICATION_PLUGINS
                settings,
                'AUTHENTICATION_PLUGINS',
                ['openstack_auth.plugin.password.PasswordPlugin',
                 'openstack_auth.plugin.token.TokenPlugin'])
            self._auth_plugins = [import_string(p)() for p in plugins]
        return self._auth_plugins
    def get_user(self, user_id):
@ -174,7 +168,7 @@ class KeystoneBackend(object):
                region_name = id_endpoint['region']
                break
-        interface = getattr(settings, 'OPENSTACK_ENDPOINT_TYPE', 'public')
+        interface = settings.OPENSTACK_ENDPOINT_TYPE
        endpoint, url_fixed = utils.fix_auth_url_version_prefix(
            scoped_auth_ref.service_catalog.url_for(
@ -215,7 +209,7 @@ class KeystoneBackend(object):
                    request.session['domain_token'] = domain_auth_ref
            request.user = user
-            timeout = getattr(settings, "SESSION_TIMEOUT", 3600)
+            timeout = settings.SESSION_TIMEOUT
            token_life = user.token.expires - datetime.datetime.now(pytz.utc)
            session_time = min(timeout, int(token_life.total_seconds()))
            request.session.set_expiry(session_time)
--- a/openstack_auth/defaults.py
+++ b/openstack_auth/defaults.py
@ -0,0 +1,168 @@
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 # NOTE: The following are from Django settings.
 # LOGIN_URL
 # LOGIN_REDIRECT_URL
 # SESSION_ENGINE
 # USE_TZ
 # WEBROOT is the location relative to Webserver root
 # should end with a slash in openstack_dashboard.settings..
 WEBROOT = '/'
 # TODO(amotoki): What is the right default value in openstack_auth?
 LOGIN_ERROR = 'error/'
 OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3"
 # OPENSTACK_KEYSTONE_URL = 'http://localhost/identity/v3'
 # TODO(amotoki): The default value in openstack_dashboard is different:
 # publicURL. It should be consistent.
 OPENSTACK_ENDPOINT_TYPE = 'public'
 OPENSTACK_SSL_NO_VERIFY = False
 # TODO(amotoki): Is it correct?
 OPENSTACK_SSL_CACERT = True
 OPENSTACK_API_VERSIONS = {
    'identity': 3,
 }
 AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.password.PasswordPlugin',
                          'openstack_auth.plugin.token.TokenPlugin']
 # This SESSION_TIMEOUT is a method to supercede the token timeout with a
 # shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
 # default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
 # limit, but will never exceed the token expiry. If your token expires in 60
 # minutes, a value of 1800 will log users out after 30 minutes of inactivity,
 # or 60 minutes with activity. Setting SESSION_REFRESH to False will make
 # SESSION_TIMEOUT act like a hard limit on session times.
 SESSION_TIMEOUT = 3600
 TOKEN_TIMEOUT_MARGIN = 0
 AVAILABLE_REGIONS = []
 # For setting the default service region on a per-endpoint basis. Note that the
 # default value for this setting is {}, and below is just an example of how it
 # should be specified.
 # A key of '*' is an optional global default if no other key matches.
 # Example:
 # DEFAULT_SERVICE_REGIONS = {
 #     '*': 'RegionOne'
 #     OPENSTACK_KEYSTONE_URL: 'RegionTwo'
 # }
 DEFAULT_SERVICE_REGIONS = {}
 SECURE_PROXY_ADDR_HEADER = False
 # Password will have an expiration date when using keystone v3 and enabling
 # the feature.
 # This setting allows you to set the number of days that the user will be
 # alerted prior to the password expiration.
 # Once the password expires keystone will deny the access and users must
 # contact an admin to change their password.
 PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1
 OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin']
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
 # Set this to True if you want available domains displayed as a dropdown menu
 # on the login screen. It is strongly advised NOT to enable this for public
 # clouds, as advertising enabled domains to unauthenticated customers
 # irresponsibly exposes private information. This should only be used for
 # private clouds where the dashboard sits behind a corporate firewall.
 OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
 # If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
 # set the available domains to choose from. This is a list of pairs whose first
 # value is the domain name and the second is the display name.
 # Example:
 # OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
 #   ('Default', 'Default'),
 # )
 OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ()
 OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
 # Enables keystone web single-sign-on if set to True.
 WEBSSO_ENABLED = False
 # Authentication mechanism to be selected as default.
 # The value must be a key from WEBSSO_CHOICES.
 WEBSSO_INITIAL_CHOICE = 'credentials'
 # The list of authentication mechanisms which include keystone
 # federation protocols and identity provider/federation protocol
 # mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
 # IDs are 'saml2' and 'oidc'  which represent SAML 2.0, OpenID
 # Connect respectively.
 # Do not remove the mandatory credentials mechanism.
 # Note: The last two tuples are sample mapping keys to a identity provider
 # and federation protocol combination (WEBSSO_IDP_MAPPING).
 # Example:
 # WEBSSO_CHOICES = (
 #     ("credentials", _("Keystone Credentials")),
 #     ("oidc", _("OpenID Connect")),
 #     ("saml2", _("Security Assertion Markup Language")),
 #     ("acme_oidc", "ACME - OpenID Connect"),
 #     ("acme_saml2", "ACME - SAML2"),
 # )
 WEBSSO_CHOICES = ()
 # A dictionary of specific identity provider and federation protocol
 # combinations. From the selected authentication mechanism, the value
 # will be looked up as keys in the dictionary. If a match is found,
 # it will redirect the user to a identity provider and federation protocol
 # specific WebSSO endpoint in keystone, otherwise it will use the value
 # as the protocol_id when redirecting to the WebSSO by protocol endpoint.
 # NOTE: The value is expected to be a tuple formatted as:
 # (<idp_id>, <protocol_id>).
 # Example:
 # WEBSSO_IDP_MAPPING = {
 #     "acme_oidc": ("acme", "oidc"),
 #     "acme_saml2": ("acme", "saml2"),
 # }
 WEBSSO_IDP_MAPPING = {}
 # Enables redirection on login to the identity provider defined on
 # WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
 WEBSSO_DEFAULT_REDIRECT = False
 # Specifies the protocol to use for default redirection on login
 WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
 # Specifies the region to which the connection will be established on login
 WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
 # Enables redirection on logout to the method specified on the identity
 # provider. Once logout the client will be redirected to the address specified
 # in this variable.
 WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
 # If set this URL will be used for web single-sign-on authentication
 # instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
 # scenarios where network segmentation is used per security requirement.
 # In this case, the controllers are not reachable from public network.
 # Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
 # if it is set to the internal endpoint.
 # Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
 WEBSSO_KEYSTONE_URL = None
 # The Keystone Provider drop down uses Keystone to Keystone federation
 # to switch between Keystone service providers.
 # Set display name for Identity Provider (dropdown display name)
 KEYSTONE_PROVIDER_IDP_NAME = 'Local Keystone'
 # This id is used for only for comparison with the service provider IDs.
 # This ID should not match any service provider IDs.
 KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
 POLICY_FILES_PATH = ''
 POLICY_FILES = {}
 POLICY_DIRS = {}
--- a/openstack_auth/forms.py
+++ b/openstack_auth/forms.py
@ -31,7 +31,7 @@ LOG = logging.getLogger(__name__)
 def get_region_endpoint(region_id):
    if region_id == "default":
        return settings.OPENSTACK_KEYSTONE_URL
-    all_regions = getattr(settings, 'AVAILABLE_REGIONS', [])
+    all_regions = settings.AVAILABLE_REGIONS
    return all_regions[int(region_id)][0]
@ -65,19 +65,13 @@ class Login(django_auth_forms.AuthenticationForm):
    def __init__(self, *args, **kwargs):
        super(Login, self).__init__(*args, **kwargs)
        fields_ordering = ['username', 'password', 'region']
-        if getattr(settings,
+        if settings.OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT:
                   'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT',
                   False):
            last_domain = self.request.COOKIES.get('login_domain', None)
-            if getattr(settings,
+            if settings.OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN:
                       'OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN',
                       False):
                self.fields['domain'] = forms.ChoiceField(
                    label=_("Domain"),
                    initial=last_domain,
-                    choices=getattr(settings,
+                    choices=settings.OPENSTACK_KEYSTONE_DOMAIN_CHOICES)
                                    'OPENSTACK_KEYSTONE_DOMAIN_CHOICES',
                                    ()))
            else:
                self.fields['domain'] = forms.CharField(
                    initial=last_domain,
@ -96,17 +90,17 @@ class Login(django_auth_forms.AuthenticationForm):
        # if websso is enabled and keystone version supported
        # prepend the websso_choices select input to the form
        if utils.is_websso_enabled():
-            initial = getattr(settings, 'WEBSSO_INITIAL_CHOICE', 'credentials')
+            initial = settings.WEBSSO_INITIAL_CHOICE
            self.fields['auth_type'] = forms.ChoiceField(
                label=_("Authenticate using"),
-                choices=getattr(settings, 'WEBSSO_CHOICES', ()),
+                choices=settings.WEBSSO_CHOICES,
                required=False,
                initial=initial)
            # add auth_type to the top of the list
            fields_ordering.insert(0, 'auth_type')
        # websso is enabled, but keystone version is not supported
-        elif getattr(settings, 'WEBSSO_ENABLED', False):
+        elif settings.WEBSSO_ENABLED:
            msg = ("Websso is enabled but horizon is not configured to work " +
                   "with keystone version 3 or above.")
            LOG.warning(msg)
@ -115,7 +109,7 @@ class Login(django_auth_forms.AuthenticationForm):
    @staticmethod
    def get_region_choices():
-        all_regions = getattr(settings, 'AVAILABLE_REGIONS', [])
+        all_regions = settings.AVAILABLE_REGIONS
        if all_regions:
            regions = [("%d" % i, name) for i, (url, name) in
                       enumerate(all_regions)]
@ -125,9 +119,7 @@ class Login(django_auth_forms.AuthenticationForm):
    @sensitive_variables()
    def clean(self):
-        default_domain = getattr(settings,
+        default_domain = settings.OPENSTACK_KEYSTONE_DEFAULT_DOMAIN
                                 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN',
                                 'Default')
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')
        domain = self.cleaned_data.get('domain', default_domain)
--- a/openstack_auth/plugin/k2k.py
+++ b/openstack_auth/plugin/k2k.py
@ -49,8 +49,7 @@ class K2KAuthPlugin(base.BasePlugin):
        if utils.get_keystone_version() < 3 or not service_provider:
            return None
-        keystone_idp_id = getattr(settings, 'KEYSTONE_PROVIDER_IDP_ID',
+        keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
                                  'localkeystone')
        if service_provider == keystone_idp_id:
            return None
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@ -27,7 +27,7 @@ from openstack_auth import utils as auth_utils
 LOG = logging.getLogger(__name__)
 _ENFORCER = None
-_BASE_PATH = getattr(settings, 'POLICY_FILES_PATH', '')
+_BASE_PATH = settings.POLICY_FILES_PATH
 def _get_policy_conf(policy_file, policy_dirs=None):
@ -47,9 +47,9 @@ def _get_policy_conf(policy_file, policy_dirs=None):
 def _get_policy_file_with_full_path(service):
-    policy_files = getattr(settings, 'POLICY_FILES', {})
+    policy_files = settings.POLICY_FILES
    policy_file = os.path.join(_BASE_PATH, policy_files[service])
-    policy_dirs = getattr(settings, 'POLICY_DIRS', {}).get(service, [])
+    policy_dirs = settings.POLICY_DIRS.get(service, [])
    policy_dirs = [os.path.join(_BASE_PATH, policy_dir)
                   for policy_dir in policy_dirs]
    return policy_file, policy_dirs
@ -59,7 +59,7 @@ def _get_enforcer():
    global _ENFORCER
    if not _ENFORCER:
        _ENFORCER = {}
-        policy_files = getattr(settings, 'POLICY_FILES', {})
+        policy_files = settings.POLICY_FILES
        for service in policy_files.keys():
            policy_file, policy_dirs = _get_policy_file_with_full_path(service)
            conf = _get_policy_conf(policy_file, policy_dirs)
--- a/openstack_auth/tests/settings.py
+++ b/openstack_auth/tests/settings.py
@ -13,6 +13,8 @@
 import os
 from openstack_auth.defaults import *  # noqa: F403,H303
 ALLOWED_HOSTS = ['*']
 DATABASES = {'default': {'ENGINE': 'django.db.backends.sqlite3'}}
@ -38,22 +40,14 @@ MIDDLEWARE = [
 AUTHENTICATION_BACKENDS = ['openstack_auth.backend.KeystoneBackend']
 OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3"
 ROOT_URLCONF = 'openstack_auth.tests.urls'
-LOGIN_REDIRECT_URL = '/'
+LOGIN_REDIRECT_URL = WEBROOT
 SECRET_KEY = 'badcafe'
 OPENSTACK_API_VERSIONS = {
    "identity": 3
 }
 USE_TZ = True
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
 OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'domain'
 # NOTE(saschpe): The openstack_auth.user.Token object isn't
@ -74,27 +68,6 @@ TEMPLATES = [
    },
 ]
 LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'null': {
            'level': 'DEBUG',
            'class': 'logging.NullHandler',
        },
        'test': {
            'level': 'ERROR',
            'class': 'logging.StreamHandler',
        }
    },
    'loggers': {
        'openstack_auth': {
            'handlers': ['test'],
            'propagate': False,
        },
    }
 }
 AUTH_USER_MODEL = 'openstack_auth.User'
 LOGGING = {
--- a/openstack_auth/utils.py
+++ b/openstack_auth/utils.py
@ -91,7 +91,7 @@ def is_token_valid(token, margin=None):
    if expiration is None:
        return False
    if margin is None:
-        margin = getattr(settings, 'TOKEN_TIMEOUT_MARGIN', 0)
+        margin = settings.TOKEN_TIMEOUT_MARGIN
    expiration = expiration - datetime.timedelta(seconds=margin)
    if settings.USE_TZ and timezone.is_naive(expiration):
        # Presumes that the Keystone is using UTC.
@ -102,12 +102,12 @@ def is_token_valid(token, margin=None):
 # Helper for figuring out keystone version
 # Implementation will change when API version discovery is available
 def get_keystone_version():
-    return getattr(settings, 'OPENSTACK_API_VERSIONS', {}).get('identity', 3)
+    return settings.OPENSTACK_API_VERSIONS['identity']
 def get_session():
-    insecure = getattr(settings, 'OPENSTACK_SSL_NO_VERIFY', False)
+    insecure = settings.OPENSTACK_SSL_NO_VERIFY
-    verify = getattr(settings, 'OPENSTACK_SSL_CACERT', True)
+    verify = settings.OPENSTACK_SSL_CACERT
    if insecure:
        verify = False
@ -124,7 +124,7 @@ def get_keystone_client():
 def is_websso_enabled():
    """Websso is supported in Keystone version 3."""
-    websso_enabled = getattr(settings, 'WEBSSO_ENABLED', False)
+    websso_enabled = settings.WEBSSO_ENABLED
    keystonev3_plus = (get_keystone_version() >= 3)
    return websso_enabled and keystonev3_plus
@ -134,28 +134,26 @@ def is_websso_default_redirect():
    As with websso, this is only supported in Keystone version 3.
    """
-    websso_default_redirect = getattr(settings,
+    websso_default_redirect = settings.WEBSSO_DEFAULT_REDIRECT
                                      'WEBSSO_DEFAULT_REDIRECT', False)
    keystonev3_plus = (get_keystone_version() >= 3)
    return websso_default_redirect and keystonev3_plus
 def get_websso_default_redirect_protocol():
-    return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_PROTOCOL', None)
+    return settings.WEBSSO_DEFAULT_REDIRECT_PROTOCOL
 def get_websso_default_redirect_region():
-    return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_REGION',
+    return settings.WEBSSO_DEFAULT_REDIRECT_REGION
                   settings.OPENSTACK_KEYSTONE_URL)
 def get_websso_default_redirect_logout():
-    return getattr(settings, 'WEBSSO_DEFAULT_REDIRECT_LOGOUT', None)
+    return settings.WEBSSO_DEFAULT_REDIRECT_LOGOUT
 def build_absolute_uri(request, relative_url):
    """Ensure absolute_uri are relative to WEBROOT."""
-    webroot = getattr(settings, 'WEBROOT', '')
+    webroot = settings.WEBROOT
    if webroot.endswith("/") and relative_url.startswith("/"):
        webroot = webroot[:-1]
@ -222,7 +220,7 @@ def get_websso_url(request, auth_url, websso_auth):
    """
    origin = build_absolute_uri(request, '/auth/websso/')
-    idp_mapping = getattr(settings, 'WEBSSO_IDP_MAPPING', {})
+    idp_mapping = settings.WEBSSO_IDP_MAPPING
    idp_id, protocol_id = idp_mapping.get(websso_auth,
                                          (None, websso_auth))
@ -386,11 +384,9 @@ def default_services_region(service_catalog, request=None,
        if request:
            region_options.append(request.COOKIES.get('services_region'))
        if ks_endpoint:
-            default_service_regions = getattr(
+            default_service_regions = settings.DEFAULT_SERVICE_REGIONS
                settings, 'DEFAULT_SERVICE_REGIONS', {})
            region_options.append(default_service_regions.get(ks_endpoint))
-        region_options.append(
+        region_options.append(settings.DEFAULT_SERVICE_REGIONS.get('*'))
            getattr(settings, 'DEFAULT_SERVICE_REGIONS', {}).get('*'))
        for region in region_options:
            if region in available_regions:
@ -425,7 +421,7 @@ def get_endpoint_region(endpoint):
 def using_cookie_backed_sessions():
-    engine = getattr(settings, 'SESSION_ENGINE', '')
+    engine = settings.SESSION_ENGINE
    return "signed_cookies" in engine
@ -442,8 +438,7 @@ def get_admin_roles():
    """
    admin_roles = {role.lower() for role
-                   in getattr(settings, 'OPENSTACK_KEYSTONE_ADMIN_ROLES',
+                   in settings.OPENSTACK_KEYSTONE_ADMIN_ROLES}
                              ['admin'])}
    return admin_roles
@ -490,9 +485,7 @@ def get_client_ip(request):
    :returns: Possible client ip address
    :rtype: string
    """
-    _SECURE_PROXY_ADDR_HEADER = getattr(
+    _SECURE_PROXY_ADDR_HEADER = settings.SECURE_PROXY_ADDR_HEADER
        settings, 'SECURE_PROXY_ADDR_HEADER', False
    )
    if _SECURE_PROXY_ADDR_HEADER:
        return request.META.get(
            _SECURE_PROXY_ADDR_HEADER,
@ -530,10 +523,8 @@ def store_initial_k2k_session(auth_url, request, scoped_auth_ref,
        providers = getattr(providers, '_service_providers', None)
    if providers:
-        keystone_idp_name = getattr(settings, 'KEYSTONE_PROVIDER_IDP_NAME',
+        keystone_idp_name = settings.KEYSTONE_PROVIDER_IDP_NAME
-                                    'Local Keystone')
+        keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
        keystone_idp_id = getattr(
            settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone')
        keystone_identity_provider = {'name': keystone_idp_name,
                                      'id': keystone_idp_id}
        # (edtubill) We will use the IDs as the display names
--- a/openstack_auth/views.py
+++ b/openstack_auth/views.py
@ -69,8 +69,9 @@ def login(request):
        auth_type = request.POST.get('auth_type', 'credentials')
        if utils.is_websso_enabled() and auth_type != 'credentials':
            region_id = request.POST.get('region')
-            auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL',
+            auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', None)
-                               forms.get_region_endpoint(region_id))
+            if auth_url is None:
                auth_url = forms.get_region_endpoint(region_id)
            url = utils.get_websso_url(request, auth_url, auth_type)
            return shortcuts.redirect(url)
@ -88,7 +89,7 @@ def login(request):
    initial = {}
    current_region = request.session.get('region_endpoint', None)
    requested_region = request.GET.get('region', None)
-    regions = dict(getattr(settings, "AVAILABLE_REGIONS", []))
+    regions = dict(settings.AVAILABLE_REGIONS)
    if requested_region in regions and requested_region != current_region:
        initial.update({'region': requested_region})
@ -97,7 +98,7 @@ def login(request):
    else:
        form = functional.curry(forms.Login, initial=initial)
-    choices = getattr(settings, 'WEBSSO_CHOICES', ())
+    choices = settings.WEBSSO_CHOICES
    extra_context = {
        'redirect_field_name': auth.REDIRECT_FIELD_NAME,
        'csrf_failure': request.GET.get('csrf_failure'),
@ -136,8 +137,7 @@ def login(request):
        request.session['region_endpoint'] = region
        request.session['region_name'] = region_name
        expiration_time = request.user.time_until_expiration()
-        threshold_days = getattr(
+        threshold_days = settings.PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS
            settings, 'PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS', -1)
        if expiration_time is not None and \
                expiration_time.days <= threshold_days:
            expiration_time = str(expiration_time).rsplit(':', 1)[0]
@ -307,8 +307,7 @@ def switch_keystone_provider(request, keystone_provider=None,
        redirect_to = settings.LOGIN_REDIRECT_URL
    unscoped_auth_ref = None
-    keystone_idp_id = getattr(
+    keystone_idp_id = settings.KEYSTONE_PROVIDER_IDP_ID
        settings, 'KEYSTONE_PROVIDER_IDP_ID', 'localkeystone')
    if keystone_provider == keystone_idp_id:
        current_plugin = plugin.TokenPlugin()
--- a/openstack_dashboard/defaults.py
+++ b/openstack_dashboard/defaults.py
@ -12,14 +12,23 @@
 """Default settings for openstack_dashboard"""
 import os
 from django.utils.translation import ugettext_lazy as _
-# This must be configured
+from openstack_auth.defaults import *  # noqa: F403,H303
-# OPENSTACK_KEYSTONE_URL = 'http://localhost/identity/v3'
+
 def _get_root_path():
    return os.path.dirname(os.path.abspath(__file__))
 # -------------------------------------------
 # Override openstack_auth and Django settings
 # -------------------------------------------
 WEBROOT = '/'  # from openstack_auth
 # WEBROOT is the location relative to Webserver root
 # should end with a slash.
 WEBROOT = '/'
 # NOTE: The following are calculated baed on WEBROOT
 # after loading local_settings
 # LOGIN_URL = WEBROOT + 'auth/login/'
@ -27,7 +36,7 @@ WEBROOT = '/'
 # LOGIN_ERROR = WEBROOT + 'auth/error/'
 LOGIN_URL = None
 LOGOUT_URL = None
-LOGIN_ERROR = None
+LOGIN_ERROR = None  # from openstack_auth
 # NOTE: The following are calculated baed on WEBROOT
 # after loading local_settings
 # LOGIN_REDIRECT_URL can be used as an alternative for
@ -43,6 +52,42 @@ MEDIA_URL = None
 STATIC_ROOT = None
 STATIC_URL = None
 # The Horizon Policy Enforcement engine uses these values to load per service
 # policy rule files. The content of these files should match the files the
 # OpenStack services are using to determine role based access control in the
 # target installation.
 # Path to directory containing policy.json files
 POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf")
 # Map of local copy of service policy files.
 # Please insure that your identity policy file matches the one being used on
 # your keystone servers. There is an alternate policy file that may be used
 # in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
 # This file is not included in the Horizon repository by default but can be
 # found at
 # http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \
 # policy.v3cloudsample.json
 # Having matching policy files on the Horizon and Keystone servers is essential
 # for normal operation. This holds true for all services and their policy files.
 POLICY_FILES = {
    'identity': 'keystone_policy.json',
    'compute': 'nova_policy.json',
    'volume': 'cinder_policy.json',
    'image': 'glance_policy.json',
    'network': 'neutron_policy.json',
 }
 # Services for which horizon has extra policies are defined
 # in POLICY_DIRS by default.
 POLICY_DIRS = {
    'compute': ['nova_policy.d'],
    'volume': ['cinder_policy.d'],
 }
 # ----------------------------------------
 # openstack_dashboard settings
 # ----------------------------------------
 # Dict used to restrict user private subnet cidr range.
 # An empty list means that user input will not be restricted
 # for a corresponding IP version. By default, there is
--- a/openstack_dashboard/local/local_settings.py.example
+++ b/openstack_dashboard/local/local_settings.py.example
@ -39,20 +39,6 @@ DEBUG = True
 #CSRF_COOKIE_SECURE = True
 #SESSION_COOKIE_SECURE = True
 # Set this to True if you want available domains displayed as a dropdown menu
 # on the login screen. It is strongly advised NOT to enable this for public
 # clouds, as advertising enabled domains to unauthenticated customers
 # irresponsibly exposes private information. This should only be used for
 # private clouds where the dashboard sits behind a corporate firewall.
 #OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
 # If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
 # set the available domains to choose from. This is a list of pairs whose first
 # value is the domain name and the second is the display name.
 #OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
 #  ('Default', 'Default'),
 #)
 # If provided, a "Report Bug" link will be displayed in the site header
 # which links to the value of this setting (ideally a URL containing
 # information on how to report issues).
@ -122,81 +108,6 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 OPENSTACK_HOST = "127.0.0.1"
 OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
 # For setting the default service region on a per-endpoint basis. Note that the
 # default value for this setting is {}, and below is just an example of how it
 # should be specified.
 # A key of '*' is an optional global default if no other key matches.
 #DEFAULT_SERVICE_REGIONS = {
 #    '*': 'RegionOne'
 #    OPENSTACK_KEYSTONE_URL: 'RegionTwo'
 #}
 # Enables keystone web single-sign-on if set to True.
 #WEBSSO_ENABLED = False
 # Authentication mechanism to be selected as default.
 # The value must be a key from WEBSSO_CHOICES.
 #WEBSSO_INITIAL_CHOICE = "credentials"
 # The list of authentication mechanisms which include keystone
 # federation protocols and identity provider/federation protocol
 # mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
 # IDs are 'saml2' and 'oidc'  which represent SAML 2.0, OpenID
 # Connect respectively.
 # Do not remove the mandatory credentials mechanism.
 # Note: The last two tuples are sample mapping keys to a identity provider
 # and federation protocol combination (WEBSSO_IDP_MAPPING).
 #WEBSSO_CHOICES = (
 #    ("credentials", _("Keystone Credentials")),
 #    ("oidc", _("OpenID Connect")),
 #    ("saml2", _("Security Assertion Markup Language")),
 #    ("acme_oidc", "ACME - OpenID Connect"),
 #    ("acme_saml2", "ACME - SAML2"),
 #)
 # A dictionary of specific identity provider and federation protocol
 # combinations. From the selected authentication mechanism, the value
 # will be looked up as keys in the dictionary. If a match is found,
 # it will redirect the user to a identity provider and federation protocol
 # specific WebSSO endpoint in keystone, otherwise it will use the value
 # as the protocol_id when redirecting to the WebSSO by protocol endpoint.
 # NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
 #WEBSSO_IDP_MAPPING = {
 #    "acme_oidc": ("acme", "oidc"),
 #    "acme_saml2": ("acme", "saml2"),
 #}
 # Enables redirection on login to the identity provider defined on
 # WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
 #WEBSSO_DEFAULT_REDIRECT = False
 # Specifies the protocol to use for default redirection on login
 #WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
 # Specifies the region to which the connection will be established on login
 #WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
 # Enables redirection on logout to the method specified on the identity provider.
 # Once logout the client will be redirected to the address specified in this
 # variable.
 #WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
 # If set this URL will be used for web single-sign-on authentication
 # instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
 # scenarios where network segmentation is used per security requirement.
 # In this case, the controllers are not reachable from public network.
 # Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
 # if it is set to the internal endpoint.
 #WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
 # The Keystone Provider drop down uses Keystone to Keystone federation
 # to switch between Keystone service providers.
 # Set display name for Identity Provider (dropdown display name)
 #KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone"
 # This id is used for only for comparison with the service provider IDs. This ID
 # should not match any service provider IDs.
 #KEYSTONE_PROVIDER_IDP_ID = "localkeystone"
 # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
 # services provided by neutron. Options currently available are load
 # balancer service, security groups, quotas, VPN service.
@ -244,32 +155,6 @@ INSTANCE_LOG_LENGTH = 35
 # of your entire OpenStack installation, and hopefully be in UTC.
 TIME_ZONE = "UTC"
 # The Horizon Policy Enforcement engine uses these values to load per service
 # policy rule files. The content of these files should match the files the
 # OpenStack services are using to determine role based access control in the
 # target installation.
 # Path to directory containing policy.json files
 #POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
 # Map of local copy of service policy files.
 # Please insure that your identity policy file matches the one being used on
 # your keystone servers. There is an alternate policy file that may be used
 # in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
 # This file is not included in the Horizon repository by default but can be
 # found at
 # https://opendev.org/openstack/keystone/src/branch/master/etc/ \
 # policy.v3cloudsample.json
 # Having matching policy files on the Horizon and Keystone servers is essential
 # for normal operation. This holds true for all services and their policy files.
 #POLICY_FILES = {
 #    'identity': 'keystone_policy.json',
 #    'compute': 'nova_policy.json',
 #    'volume': 'cinder_policy.json',
 #    'image': 'glance_policy.json',
 #    'network': 'neutron_policy.json',
 #}
 # Change this patch to the appropriate list of tuples containing
 # a key, label and static directory containing two files:
 # _variables.scss and _styles.scss
@ -555,11 +440,3 @@ SECURITY_GROUP_RULES = {
 #        " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]"
 #        " [%(http_status)s] [%(param)s]"),
 #}
 # Password will have an expiration date when using keystone v3 and enabling the
 # feature.
 # This setting allows you to set the number of days that the user will be alerted
 # prior to the password expiration.
 # Once the password expires keystone will deny the access and users must
 # contact an admin to change their password.
 #PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0
--- a/openstack_dashboard/settings.py
+++ b/openstack_dashboard/settings.py
@ -187,15 +187,6 @@ SESSION_COOKIE_SECURE = False
 # False, SESSION_TIMEOUT acts as a hard limit.
 SESSION_REFRESH = True
 # This SESSION_TIMEOUT is a method to supercede the token timeout with a
 # shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
 # default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
 # limit, but will never exceed the token expiry. If your token expires in 60
 # minutes, a value of 1800 will log users out after 30 minutes of inactivity,
 # or 60 minutes with activity. Setting SESSION_REFRESH to False will make
 # SESSION_TIMEOUT act like a hard limit on session times.
 SESSION_TIMEOUT = 3600
 # When using cookie-based sessions, log error when the session cookie exceeds
 # the following size (common browsers drop cookies above a certain size):
 SESSION_COOKIE_MAX_SIZE = 4093
@ -240,21 +231,6 @@ USE_TZ = True
 DEFAULT_EXCEPTION_REPORTER_FILTER = 'horizon.exceptions.HorizonReporterFilter'
 POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
 # Map of local copy of service policy files
 POLICY_FILES = {
    'identity': 'keystone_policy.json',
    'compute': 'nova_policy.json',
    'volume': 'cinder_policy.json',
    'image': 'glance_policy.json',
    'network': 'neutron_policy.json',
 }
 # Services for which horizon has extra policies are defined
 # in POLICY_DIRS by default.
 POLICY_DIRS = {
    'compute': ['nova_policy.d'],
 }
 SECRET_KEY = None
 LOCAL_PATH = None