Improve keystone.conf [signing] documentation

Change-Id: Iad8e5869b20c76f631131115a6358bf14ae56787
This commit is contained in:
Dolph Mathews 2016-07-13 20:12:38 +00:00
parent 77a2283ef0
commit 84aec993b8
1 changed files with 32 additions and 9 deletions


@ -22,9 +22,11 @@ certfile = cfg.StrOpt(
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Path of the certfile for token signing. For non-production environments, you
may be interested in using `keystone-manage pki_setup` to generate self-signed
certificates.
Absolute path to the public certificate file to use for signing PKI and PKIZ
tokens. Set this together with `[signing] keyfile`. For non-production
environments, you may be interested in using `keystone-manage pki_setup` to
generate self-signed certificates. There is no reason to set this option unless
you are using either a `pki` or `pkiz` `[token] provider`.
"""))
keyfile = cfg.StrOpt(
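Review bot: The new `certfile` help still points readers to `keystone-manage pki_setup` but omits the production guidance that the `ca_certs`, `ca_key`, `key_size`, `valid_days` and `cert_subject` strings in this same change all carry; for consistency add it here too, e.g. "In production, use a certificate issued from a trusted certificate authority." As written, the only option an operator is actually expected to set (`certfile`) is the one that does not say where the certificate should come from.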
@ -33,7 +35,9 @@ keyfile = cfg.StrOpt(
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Path of the keyfile for token signing.
Absolute path to the private key file to use for signing PKI and PKIZ tokens.
Set this together with `[signing] certfile`. There is no reason to set this
option unless you are using either a `pki` or `pkiz` `[token] provider`.
"""))
ca_certs = cfg.StrOpt(
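Review bot: This option names the private key used to sign tokens, and the help says nothing about protecting it. Add one sentence noting that the file holds private key material and must be readable only by the keystone service user, since whoever can read it can produce tokens that validate as keystone's. The cross-reference to `[signing] certfile` is a good addition; the same pairing sentence should probably also mention that both paths must be updated together when the certificate is rotated.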
@ -42,7 +46,12 @@ ca_certs = cfg.StrOpt(
deprecated_reason=constants._DEPRECATE_PKI_MSG,
default='/etc/keystone/ssl/certs/ca.pem',
help=utils.fmt("""
Path of the CA for token signing.
Absolute path to the public certificate authority (CA) file to use when
creating self-signed certificates with `keystone-manage pki_setup`. Set this
together with `[signing] ca_key`. There is no reason to set this option unless
you are using a `pki` or `pkiz` `[token] provider` value in a non-production
environment. Use a `[signing] certfile` issued from a trusted certificate
authority instead.
"""))
ca_key = cfg.StrOpt(
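Review bot: "self-signed certificates" is imprecise for the `ca_certs` / `ca_key` pair: a certificate signed with a separate CA key is CA-signed, not self-signed, even when that CA is generated locally. Suggest "certificates signed by a locally generated CA" in this help string and the matching `ca_key` one. Also, because `default='/etc/keystone/ssl/certs/ca.pem'` is present, the option is always set; "There is no reason to set this option" reads oddly and "There is no reason to change this option" would match the visible default.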
@ -51,7 +60,12 @@ ca_key = cfg.StrOpt(
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Path of the CA key for token signing.
Absolute path to the private certificate authority (CA) key file to use when
creating self-signed certificates with `keystone-manage pki_setup`. Set this
together with `[signing] ca_certs`. There is no reason to set this option
unless you are using a `pki` or `pkiz` `[token] provider` value in a
non-production environment. Use a `[signing] certfile` issued from a trusted
certificate authority instead.
"""))
key_size = cfg.IntOpt(
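Review bot: The condition "unless you are using a `pki` or `pkiz` `[token] provider`" does not match what the first sentence says the option does: `ca_key` is consumed by `keystone-manage pki_setup` when generating certificates, not by the token provider at runtime, so the help should say it is only read by that command. As with `keyfile`, it should also state that the file holds private key material and must be kept with restrictive permissions; a readable CA key lets anyone issue certificates that chain to the CA in `ca_certs`.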
@ -61,7 +75,10 @@ key_size = cfg.IntOpt(
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Key size (in bits) for token signing cert (auto generated certificate).
Key size (in bits) to use when generating a self-signed token signing
certificate. There is no reason to set this option unless you are using a `pki`
or `pkiz` `[token] provider` value in a non-production environment. Use a
`[signing] certfile` issued from a trusted certificate authority instead.
"""))
valid_days = cfg.IntOpt(
@ -70,7 +87,10 @@ valid_days = cfg.IntOpt(
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Days the token signing cert is valid for (auto generated certificate).
The validity period (in days) to use when generating a self-signed token
signing certificate. There is no reason to set this option unless you are using
a `pki` or `pkiz` `[token] provider` value in a non-production environment. Use
a `[signing] certfile` issued from a trusted certificate authority instead.
"""))
cert_subject = cfg.StrOpt(
@ -79,7 +99,10 @@ cert_subject = cfg.StrOpt(
deprecated_reason=constants._DEPRECATE_PKI_MSG,
default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
help=utils.fmt("""
Certificate subject (auto generated certificate) for token signing.
The certificate subject to use when generating a self-signed token signing
certificate. There is no reason to set this option unless you are using a `pki`
or `pkiz` `[token] provider` value in a non-production environment. Use a
`[signing] certfile` issued from a trusted certificate authority instead.
"""))