b7bb76eb20
This commit allows horizon to handle deprecated policy rules. The approach is explained in the document updated by this change. oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen just because it is the first release in Victoria cycle. requirements.txt and lower-constraints.txt are updated accordingly including oslo.policy dependencies. Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
174 lines
7.0 KiB
Python
174 lines
7.0 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# NOTE: The following are from Django settings.
|
|
# LOGIN_URL
|
|
# LOGIN_REDIRECT_URL
|
|
# SESSION_ENGINE
|
|
# USE_TZ
|
|
|
|
# WEBROOT is the location relative to Webserver root
|
|
# should end with a slash in openstack_dashboard.settings..
|
|
WEBROOT = '/'
|
|
|
|
# TODO(amotoki): What is the right default value in openstack_auth?
|
|
LOGIN_ERROR = 'error/'
|
|
|
|
OPENSTACK_KEYSTONE_URL = "http://localhost/identity/v3"
|
|
|
|
# TODO(amotoki): The default value in openstack_dashboard is different:
|
|
# publicURL. It should be consistent.
|
|
OPENSTACK_ENDPOINT_TYPE = 'public'
|
|
OPENSTACK_SSL_NO_VERIFY = False
|
|
# TODO(amotoki): Is it correct?
|
|
OPENSTACK_SSL_CACERT = True
|
|
OPENSTACK_API_VERSIONS = {
|
|
'identity': 3,
|
|
}
|
|
|
|
AUTHENTICATION_PLUGINS = ['openstack_auth.plugin.password.PasswordPlugin',
|
|
'openstack_auth.plugin.token.TokenPlugin']
|
|
|
|
# This SESSION_TIMEOUT is a method to supercede the token timeout with a
|
|
# shorter horizon session timeout (in seconds). If SESSION_REFRESH is True (the
|
|
# default) SESSION_TIMEOUT acts like an idle timeout rather than being a hard
|
|
# limit, but will never exceed the token expiry. If your token expires in 60
|
|
# minutes, a value of 1800 will log users out after 30 minutes of inactivity,
|
|
# or 60 minutes with activity. Setting SESSION_REFRESH to False will make
|
|
# SESSION_TIMEOUT act like a hard limit on session times.
|
|
SESSION_TIMEOUT = 3600
|
|
|
|
TOKEN_TIMEOUT_MARGIN = 0
|
|
AVAILABLE_REGIONS = []
|
|
|
|
# For setting the default service region on a per-endpoint basis. Note that the
|
|
# default value for this setting is {}, and below is just an example of how it
|
|
# should be specified.
|
|
# A key of '*' is an optional global default if no other key matches.
|
|
# Example:
|
|
# DEFAULT_SERVICE_REGIONS = {
|
|
# '*': 'RegionOne'
|
|
# OPENSTACK_KEYSTONE_URL: 'RegionTwo'
|
|
# }
|
|
DEFAULT_SERVICE_REGIONS = {}
|
|
|
|
SECURE_PROXY_ADDR_HEADER = False
|
|
|
|
# Password will have an expiration date when using keystone v3 and enabling
|
|
# the feature.
|
|
# This setting allows you to set the number of days that the user will be
|
|
# alerted prior to the password expiration.
|
|
# Once the password expires keystone will deny the access and users must
|
|
# contact an admin to change their password.
|
|
PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = -1
|
|
|
|
# Horizon can prompt the user to change their password when it is expired
|
|
# or required to be changed on first use. This is enabled by default, but
|
|
# can be disabled if not desired.
|
|
ALLOW_USERS_CHANGE_EXPIRED_PASSWORD = True
|
|
|
|
OPENSTACK_KEYSTONE_ADMIN_ROLES = ['admin']
|
|
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
|
|
# Set this to True if you want available domains displayed as a dropdown menu
|
|
# on the login screen. It is strongly advised NOT to enable this for public
|
|
# clouds, as advertising enabled domains to unauthenticated customers
|
|
# irresponsibly exposes private information. This should only be used for
|
|
# private clouds where the dashboard sits behind a corporate firewall.
|
|
OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False
|
|
|
|
# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to
|
|
# set the available domains to choose from. This is a list of pairs whose first
|
|
# value is the domain name and the second is the display name.
|
|
# Example:
|
|
# OPENSTACK_KEYSTONE_DOMAIN_CHOICES = (
|
|
# ('Default', 'Default'),
|
|
# )
|
|
OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ()
|
|
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
|
|
|
|
# Enables keystone web single-sign-on if set to True.
|
|
WEBSSO_ENABLED = False
|
|
|
|
# Authentication mechanism to be selected as default.
|
|
# The value must be a key from WEBSSO_CHOICES.
|
|
WEBSSO_INITIAL_CHOICE = 'credentials'
|
|
|
|
# The list of authentication mechanisms which include keystone
|
|
# federation protocols and identity provider/federation protocol
|
|
# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol
|
|
# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID
|
|
# Connect respectively.
|
|
# Do not remove the mandatory credentials mechanism.
|
|
# Note: The last two tuples are sample mapping keys to a identity provider
|
|
# and federation protocol combination (WEBSSO_IDP_MAPPING).
|
|
# Example:
|
|
# WEBSSO_CHOICES = (
|
|
# ("credentials", _("Keystone Credentials")),
|
|
# ("oidc", _("OpenID Connect")),
|
|
# ("saml2", _("Security Assertion Markup Language")),
|
|
# ("acme_oidc", "ACME - OpenID Connect"),
|
|
# ("acme_saml2", "ACME - SAML2"),
|
|
# )
|
|
WEBSSO_CHOICES = ()
|
|
|
|
# A dictionary of specific identity provider and federation protocol
|
|
# combinations. From the selected authentication mechanism, the value
|
|
# will be looked up as keys in the dictionary. If a match is found,
|
|
# it will redirect the user to a identity provider and federation protocol
|
|
# specific WebSSO endpoint in keystone, otherwise it will use the value
|
|
# as the protocol_id when redirecting to the WebSSO by protocol endpoint.
|
|
# NOTE: The value is expected to be a tuple formatted as:
|
|
# (<idp_id>, <protocol_id>).
|
|
# Example:
|
|
# WEBSSO_IDP_MAPPING = {
|
|
# "acme_oidc": ("acme", "oidc"),
|
|
# "acme_saml2": ("acme", "saml2"),
|
|
# }
|
|
WEBSSO_IDP_MAPPING = {}
|
|
|
|
# Enables redirection on login to the identity provider defined on
|
|
# WEBSSO_DEFAULT_REDIRECT_PROTOCOL and WEBSSO_DEFAULT_REDIRECT_REGION
|
|
WEBSSO_DEFAULT_REDIRECT = False
|
|
|
|
# Specifies the protocol to use for default redirection on login
|
|
WEBSSO_DEFAULT_REDIRECT_PROTOCOL = None
|
|
|
|
# Specifies the region to which the connection will be established on login
|
|
WEBSSO_DEFAULT_REDIRECT_REGION = OPENSTACK_KEYSTONE_URL
|
|
|
|
# Enables redirection on logout to the method specified on the identity
|
|
# provider. Once logout the client will be redirected to the address specified
|
|
# in this variable.
|
|
WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
|
|
|
|
# If set this URL will be used for web single-sign-on authentication
|
|
# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
|
|
# scenarios where network segmentation is used per security requirement.
|
|
# In this case, the controllers are not reachable from public network.
|
|
# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
|
|
# if it is set to the internal endpoint.
|
|
# Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
|
|
WEBSSO_KEYSTONE_URL = None
|
|
|
|
# The Keystone Provider drop down uses Keystone to Keystone federation
|
|
# to switch between Keystone service providers.
|
|
# Set display name for Identity Provider (dropdown display name)
|
|
KEYSTONE_PROVIDER_IDP_NAME = 'Local Keystone'
|
|
# This id is used for only for comparison with the service provider IDs.
|
|
# This ID should not match any service provider IDs.
|
|
KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
|
|
|
|
POLICY_FILES_PATH = ''
|
|
POLICY_FILES = {}
|
|
POLICY_DIRS = {}
|
|
DEFAULT_POLICY_FILES = {}
|