keystone/etc/keystone.conf.sample

434 lines
15 KiB
Plaintext
Raw Normal View History

2011-11-09 11:57:59 -08:00
[DEFAULT]
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN
# The IP address of the network interface to listen on
# public_bind_host = 0.0.0.0
# admin_bind_host = 0.0.0.0
# The port number which the public service listens on
# public_port = 5000
# The port number which the public admin listens on
# admin_port = 35357
# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)s/
# admin_endpoint = http://localhost:%(admin_port)s/
# The port number which the OpenStack Compute service listens on
# compute_port = 8774
# Path to your policy definition containing identity actions
# policy_file = policy.json
# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required
# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_
# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
# max_request_body_size = 114688
# limit the sizes of user & tenant ID/names
# max_param_size = 64
# similar to max_param_size, but provides an exception for token values
# max_token_size = 8192
# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
# debug = False
# Print more verbose output
# verbose = False
# Name of log file to output to. If not set, logging will go to stdout.
# log_file = keystone.log
# The directory to keep log files in (will be prepended to --logfile)
# log_dir = /var/log/keystone
# Use syslog for logging.
# use_syslog = False
# syslog facility to receive log lines
# syslog_log_facility = LOG_USER
# list of logger=LEVEL pairs (list value)
#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,keystone=INFO,qpid=WARN,sqlalchemy=WARN,suds=INFO
# The name of logging configuration file. It does not disable
# existing loggers, but just appends specified logging
# configuration to any other existing logging options. Please
# see the Python logging module documentation for details on
# logging configuration files. (string value)
#log_config_append=<None>
# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S
2012-01-09 14:32:02 -08:00
# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd
# === Notification Options ===
# Notifications can be sent when users or projects are created, updated or
# deleted. There are three methods of sending notifications: logging (via the
# log_file directive), rpc (via a message queue) and no_op (no notifications
# sent, the default)
# notification_driver can be defined multiple times
# Do nothing driver (the default)
# notification_driver = keystone.openstack.common.notifier.no_op_notifier
# Logging driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.log_notifier
# RPC driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.rpc_notifier
# Default notification level for outgoing notifications
# default_notification_level = INFO
# Default publisher_id for outgoing notifications; included in the payload.
# default_publisher_id =
# AMQP topics to publish to when using the RPC notification driver.
# Multiple values can be specified by separating with commas.
# The actual topic names will be %s.%(default_notification_level)s
# notification_topics = notifications
# === RPC Options ===
# For Keystone, these options apply only when the RPC notification driver is
# used.
# The messaging module to use, defaults to kombu.
# rpc_backend = keystone.openstack.common.rpc.impl_kombu
# Size of RPC thread pool
# rpc_thread_pool_size = 64
# Size of RPC connection pool
# rpc_conn_pool_size = 30
# Seconds to wait for a response from call or multicall
# rpc_response_timeout = 60
# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
# rpc_cast_timeout = 30
# Modules of exceptions that are permitted to be recreated upon receiving
# exception data from an rpc call.
# allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions
# If True, use a fake RabbitMQ provider
# fake_rabbit = False
# AMQP exchange to connect to if using RabbitMQ or Qpid
# control_exchange = openstack
2012-01-09 14:32:02 -08:00
[sql]
# The SQLAlchemy connection string used to connect to the database
# connection = sqlite:///keystone.db
2012-01-09 14:32:02 -08:00
# the timeout before idle sql connections are reaped
# idle_timeout = 200
2012-01-09 14:32:02 -08:00
[identity]
# driver = keystone.identity.backends.sql.Identity
2012-01-09 14:32:02 -08:00
# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
# default_domain_id = default
#
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration file in a domain configuration directory.
# Only values specific to the domain need to be placed in the domain specific
# configuration file. This feature is disabled by default; set
# domain_specific_drivers_enabled to True to enable.
# domain_specific_drivers_enabled = False
# domain_config_dir = /etc/keystone/domains
# Maximum supported length for user passwords; decrease to improve performance.
# max_password_length = 4096
[credential]
# driver = keystone.credential.backends.sql.Credential
[trust]
# driver = keystone.trust.backends.sql.Trust
# delegation and impersonation features can be optionally disabled
# enabled = True
Implement role assignment inheritance (OS-INHERIT extension) This extension allows for project roles to be optionally inherited from the owning domain. The v3 grant APIs are extended to take an inherited_to_projects flag. The GET role_assignments API will also include these roles in its response, either showing them as inherited roles assigned to the domain or, if the 'effective' query parameter is set, will interpret the inheritance and reflect those role assignments on the projects. The inherited_to_projects flag is encoded in the role list in the metadata of the relevant entries in the grant tables. The 'roles' key in the metadata is now a list of dicts, as opposed to a simple list, where each dict is either {'id': role_id} for a regular role, or {'id': role_id, 'inherited_to': 'projects'} for an inherited role Remember that a previous patch had rationalized the way metadata is handled so that its structure is entirely hidden within the driver layer. The extension can be enabled/disabled via a config setting. Limitations: - The extension is not yet discoverable via url, this will be added as a separate patch when the v3/extensions work is complete. A separate issue has been discovered with the fact that the v2 calls of 'get_projects_for_user()' and 'list_user_projects()' should be rationalized and also honor both group (and inherited) role assignments. This is being raised as a separate bug. DocImpact Implements bp inherited-domain-roles Change-Id: I35b57ce0df668f12462e96b3467cef0239594e97
2013-07-05 06:04:25 +01:00
[os_inherit]
# role-assignment inheritance to projects from owning domain can be
# optionally enabled
# enabled = False
2012-01-09 14:32:02 -08:00
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog
# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
# template_file = default_catalog.templates
2012-01-09 14:32:02 -08:00
[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
# driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True
2012-01-09 14:32:02 -08:00
[token]
# Provides token persistence.
# driver = keystone.token.backends.sql.Token
2012-01-09 14:32:02 -08:00
# Controls the token construction, validation, and revocation operations.
# Core providers are keystone.token.providers.[pki|uuid].Provider
# provider =
# Amount of time a token should remain valid (in seconds)
# expiration = 86400
# External auth mechanisms that should add bind information to token.
# eg kerberos, x509
# bind =
# Enforcement policy on tokens presented to keystone with bind information.
# One of disabled, permissive, strict, required or a specifically required bind
# mode e.g. kerberos or x509 to require binding to that authentication.
# enforce_token_bind = permissive
# Token specific caching toggle. This has no effect unless the global caching
# option is set to True
# caching = True
# Token specific cache time-to-live (TTL) in seconds.
# cache_time =
# Revocation-List specific cache time-to-live (TTL) in seconds.
# revocation_cache_time = 3600
[cache]
# Global cache functionality toggle.
# enabled = False
# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name
# config_prefix = cache.keystone
# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it.
# expiration_time = 600
# Dogpile.cache backend module. It is recommended that Memcache
# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
# deployments. Small workloads (single process) like devstack can use the
# dogpile.cache.memory backend.
# backend = keystone.common.cache.noop
# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend.
# Example format: <argname>:<value>
# backend_argument =
# Proxy Classes to import that will affect the way the dogpile.cache backend
# functions. See the dogpile.cache documentation on changing-backend-behavior.
# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
# proxies =
# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
# is toggle-able for debugging purposes, it is highly recommended to always
# leave this set to True.
# use_key_mangler = True
# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
# This is only really useful if you need to see the specific cache-backend
# get/set/delete calls with the keys/values. Typically this should be left
# set to False.
# debug_cache_backend = False
2012-01-09 14:32:02 -08:00
[policy]
# driver = keystone.policy.backends.sql.Policy
2012-01-09 14:32:02 -08:00
2012-01-16 16:31:44 -08:00
[ec2]
# driver = keystone.contrib.ec2.backends.kvs.Ec2
[assignment]
# driver =
# Assignment specific caching toggle. This has no effect unless the global
# caching option is set to True
# caching = True
# Assignment specific cache time-to-live (TTL) in seconds.
# cache_time =
[oauth1]
# driver = keystone.contrib.oauth1.backends.sql.OAuth1
# The Identity service may include expire attributes.
# If no such attribute is included, then the token lasts indefinitely.
# Specify how quickly the request token will expire (in seconds)
# request_token_duration = 28800
# Specify how quickly the access token will expire (in seconds)
# access_token_duration = 86400
[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com
# Maximum results per page; a value of zero ('0') disables paging (default)
# page_size = 0
# The LDAP dereferencing option for queries. This can be either 'never',
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
# back to using default dereferencing configured by your ldap.conf.
# alias_dereferencing = default
# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
# query_scope = one
# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = default_project_id,tenants
# user_default_project_id_attribute =
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# user_enabled_emulation = False
# user_enabled_emulation_dn =
# tenant_tree_dn = ou=Projects,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_domain_id_attribute = businessCategory
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =
# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True
2011-11-09 11:57:59 -08:00
# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True
# ldap TLS options
# if both tls_cacertfile and tls_cacertdir are set then
# tls_cacertfile will be used and tls_cacertdir is ignored
# valid options for tls_req_cert are demand, never, and allow
# use_tls = False
# tls_cacertfile =
# tls_cacertdir =
# tls_req_cert = demand
# Additional attribute mappings can be used to map ldap attributes to internal
# keystone attributes. This allows keystone to fulfill ldap objectclass
# requirements. An example to map the description and gecos attributes to a
# user's name would be:
# user_additional_attribute_mapping = description:name, gecos:name
#
# domain_additional_attribute_mapping =
# group_additional_attribute_mapping =
# role_additional_attribute_mapping =
# project_additional_attribute_mapping =
# user_additional_attribute_mapping =
[auth]
methods = external,password,token,oauth1
#external = keystone.auth.plugins.external.ExternalDefault
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth
[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = keystone-paste.ini