Update sample configuration file for Pike

The last time we updated the sample configuration file was for the Ocata release candidate. Let's generate a fresh version so that it is somewhat relevant. This change was generated using: $ tox -e genconfig; git commit -a Change-Id: I8c4fbce02946b87534da61a4e3e81fc375615d7d
2017-05-16 17:05:28 +00:00
parent d01c7f1b96
commit a40c2f4917
1 changed files with 128 additions and 227 deletions
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -140,12 +140,6 @@
 # Note: This option can be changed without restarting.
 #debug = false
 # DEPRECATED: If set to false, the logging level will be set to WARNING instead
 # of the default INFO level. (boolean value)
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 #verbose = true
 # The name of a logging configuration file. This file is appended to any
 # existing logging configuration files. For details about logging configuration
 # files, see the Python logging module documentation. Note that when logging
@@ -184,6 +178,12 @@
 # is set. (boolean value)
 #use_syslog = false
 # Enable journald for logging. If running in a systemd environment you may wish
 # to enable journal support. Doing so will use the journal native protocol
 # which includes structured metadata in addition to log messages.This option is
 # ignored if log_config_append is set. (boolean value)
 #use_journal = false
 # Syslog facility to receive log lines. This option is ignored if
 # log_config_append is set. (string value)
 #syslog_log_facility = LOG_USER
@@ -212,7 +212,7 @@
 # List of package logging levels in logger=LEVEL pairs. This option is ignored
 # if log_config_append is set. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
 # Enables or disables publication of error events. (boolean value)
 #publish_errors = false
@@ -245,7 +245,6 @@
 #
 # Size of RPC connection pool. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
 #rpc_conn_pool_size = 30
 # The pool size limit for connections expiration policy (integer value)
@@ -256,30 +255,24 @@
 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
 # The "host" option should point or resolve to this address. (string value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_bind_address
 #rpc_zmq_bind_address = *
 # MatchMaker driver. (string value)
 # Allowed values: redis, sentinel, dummy
 # Deprecated group/name - [DEFAULT]/rpc_zmq_matchmaker
 #rpc_zmq_matchmaker = redis
 # Number of ZeroMQ contexts, defaults to 1. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_contexts
 #rpc_zmq_contexts = 1
 # Maximum number of ingress messages to locally buffer per topic. Default is
 # unlimited. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_topic_backlog
 #rpc_zmq_topic_backlog = <None>
 # Directory for holding IPC sockets. (string value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_ipc_dir
 #rpc_zmq_ipc_dir = /var/run/openstack
 # Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
 # "host" option, if running Nova. (string value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_host
 #rpc_zmq_host = localhost
 # Number of seconds to wait before all pending messages will be sent after
@@ -292,26 +285,21 @@
 # The default number of seconds that poll should wait. Poll raises timeout
 # exception when timeout expired. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_poll_timeout
 #rpc_poll_timeout = 1
 # Expiration timeout in seconds of a name service record about existing target
 # ( < 0 means no timeout). (integer value)
 # Deprecated group/name - [DEFAULT]/zmq_target_expire
 #zmq_target_expire = 300
 # Update period in seconds of a name service record about existing target.
 # (integer value)
 # Deprecated group/name - [DEFAULT]/zmq_target_update
 #zmq_target_update = 180
 # Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
 # value)
 # Deprecated group/name - [DEFAULT]/use_pub_sub
 #use_pub_sub = false
 # Use ROUTER remote proxy. (boolean value)
 # Deprecated group/name - [DEFAULT]/use_router_proxy
 #use_router_proxy = false
 # This option makes direct connections dynamic or static. It makes sense only
@@ -326,24 +314,20 @@
 # Minimal port number for random ports range. (port value)
 # Minimum value: 0
 # Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/rpc_zmq_min_port
 #rpc_zmq_min_port = 49153
 # Maximal port number for random ports range. (integer value)
 # Minimum value: 1
 # Maximum value: 65536
 # Deprecated group/name - [DEFAULT]/rpc_zmq_max_port
 #rpc_zmq_max_port = 65536
 # Number of retries to find free port number before fail with ZMQBindError.
 # (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_bind_port_retries
 #rpc_zmq_bind_port_retries = 100
 # Default serialization mechanism for serializing/deserializing
 # outgoing/incoming messages (string value)
 # Allowed values: json, msgpack
 # Deprecated group/name - [DEFAULT]/rpc_zmq_serialization
 #rpc_zmq_serialization = json
 # This option configures round-robin mode in zmq socket. True means not keeping
@@ -408,7 +392,8 @@
 # value)
 #subscribe_on =
-# Size of executor thread pool. (integer value)
+# Size of executor thread pool when executor is threading or eventlet. (integer
 # value)
 # Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
 #executor_thread_pool_size = 64
@@ -689,16 +674,7 @@
 # From oslo.db
 #
 # DEPRECATED: The file name to use with SQLite. (string value)
 # Deprecated group/name - [DEFAULT]/sqlite_db
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Should use config option connection or slave_connection to connect
 # the database.
 #sqlite_db = oslo.sqlite
 # If True, SQLite uses synchronous mode. (boolean value)
 # Deprecated group/name - [DEFAULT]/sqlite_synchronous
 #sqlite_synchronous = true
 # The back end to use for the database. (string value)
@@ -851,7 +827,7 @@
 #
 # DEPRECATED: The IP address of the network interface for the public service to
-# listen on. (string value)
+# listen on. (unknown value)
 # Deprecated group/name - [DEFAULT]/bind_host
 # Deprecated group/name - [DEFAULT]/public_bind_host
 # This option is deprecated for removal since K.
@@ -873,7 +849,7 @@
 #public_port = 5000
 # DEPRECATED: The IP address of the network interface for the admin service to
-# listen on. (string value)
+# listen on. (unknown value)
 # Deprecated group/name - [DEFAULT]/bind_host
 # Deprecated group/name - [DEFAULT]/admin_bind_host
 # This option is deprecated for removal since K.
@@ -1114,57 +1090,6 @@
 #backward_compatible_ids = true
 [kvs]
 #
 # From keystone
 #
 # DEPRECATED: Extra `dogpile.cache` backend modules to register with the
 # `dogpile.cache` library. It is not necessary to set this value unless you are
 # providing a custom KVS backend beyond what `dogpile.cache` already supports.
 # (list value)
 # This option is deprecated for removal since O.
 # Its value may be silently ignored in the future.
 # Reason: This option has been deprecated in the O release and will be removed
 # in the P release. Use SQL backends instead.
 #backends =
 # DEPRECATED: Prefix for building the configuration dictionary for the KVS
 # region. This should not need to be changed unless there is another
 # `dogpile.cache` region with the same configuration name. (string value)
 # This option is deprecated for removal since O.
 # Its value may be silently ignored in the future.
 # Reason: This option has been deprecated in the O release and will be removed
 # in the P release. Use SQL backends instead.
 #config_prefix = keystone.kvs
 # DEPRECATED: Set to false to disable using a key-mangling function, which
 # ensures fixed-length keys are used in the KVS store. This is configurable for
 # debugging purposes, and it is therefore highly recommended to always leave
 # this set to true. (boolean value)
 # This option is deprecated for removal since O.
 # Its value may be silently ignored in the future.
 # Reason: This option has been deprecated in the O release and will be removed
 # in the P release. Use SQL backends instead.
 #enable_key_mangler = true
 # DEPRECATED: Number of seconds after acquiring a distributed lock that the
 # backend should consider the lock to be expired. This option should be tuned
 # relative to the longest amount of time that it takes to perform a successful
 # operation. If this value is set too low, then a cluster will end up
 # performing work redundantly. If this value is set too high, then a cluster
 # will not be able to efficiently recover and retry after a failed operation. A
 # non-zero value is recommended if the backend supports lock timeouts, as zero
 # prevents locks from expiring altogether. (integer value)
 # Minimum value: 0
 # This option is deprecated for removal since O.
 # Its value may be silently ignored in the future.
 # Reason: This option has been deprecated in the O release and will be removed
 # in the P release. Use SQL backends instead.
 #default_lock_timeout = 5
 [ldap]
 #
@@ -1496,20 +1421,6 @@
 # From keystone
 #
 # DEPRECATED: Comma-separated list of memcached servers in the format of
 # `host:port,host:port` that keystone should use for the `memcache` token
 # persistence provider and other memcache-backed KVS drivers. This
 # configuration value is NOT used for intermediary caching between keystone and
 # other backends, such as SQL and LDAP (for that, see the `[cache]` section).
 # Multiple keystone servers in the same deployment should use the same set of
 # memcached servers to ensure that data (such as UUID tokens) created by one
 # node is available to the others. (list value)
 # This option is deprecated for removal since O.
 # Its value may be silently ignored in the future.
 # Reason: This option has been deprecated in the O release and will be removed
 # in the P release. Use oslo.cache instead.
 #servers = localhost:11211
 # Number of seconds memcached server is considered dead before it is tried
 # again. This is used by the key value store system. (integer value)
 #dead_retry = 300
@@ -1565,61 +1476,64 @@
 # Name for the AMQP container. must be globally unique. Defaults to a generated
 # UUID (string value)
 # Deprecated group/name - [amqp1]/container_name
 #container_name = <None>
 # Timeout for inactive connections (in seconds) (integer value)
 # Deprecated group/name - [amqp1]/idle_timeout
 #idle_timeout = 0
 # Debug: dump AMQP frames to stdout (boolean value)
 # Deprecated group/name - [amqp1]/trace
 #trace = false
 # Attempt to connect via SSL. If no other ssl-related parameters are given, it
 # will use the system's CA-bundle to verify the server's certificate. (boolean
 # value)
 #ssl = false
 # CA certificate PEM file used to verify the server's certificate (string
 # value)
 # Deprecated group/name - [amqp1]/ssl_ca_file
 #ssl_ca_file =
 # Self-identifying certificate PEM file for client authentication (string
 # value)
 # Deprecated group/name - [amqp1]/ssl_cert_file
 #ssl_cert_file =
 # Private key PEM file used to sign ssl_cert_file certificate (optional)
 # (string value)
 # Deprecated group/name - [amqp1]/ssl_key_file
 #ssl_key_file =
 # Password for decrypting ssl_key_file (if encrypted) (string value)
 # Deprecated group/name - [amqp1]/ssl_key_password
 #ssl_key_password = <None>
 # DEPRECATED: Accept clients using either SSL or plain TCP (boolean value)
 # Deprecated group/name - [amqp1]/allow_insecure_clients
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Not applicable - not a SSL server
 #allow_insecure_clients = false
 # Space separated list of acceptable SASL mechanisms (string value)
 # Deprecated group/name - [amqp1]/sasl_mechanisms
 #sasl_mechanisms =
 # Path to directory that contains the SASL configuration (string value)
 # Deprecated group/name - [amqp1]/sasl_config_dir
 #sasl_config_dir =
 # Name of configuration file (without .conf suffix) (string value)
 # Deprecated group/name - [amqp1]/sasl_config_name
 #sasl_config_name =
-# User name for message broker authentication (string value)
+# SASL realm to use if no realm present in username (string value)
-# Deprecated group/name - [amqp1]/username
+#sasl_default_realm =
 # DEPRECATED: User name for message broker authentication (string value)
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Should use configuration option transport_url to provide the
 # username.
 #username =
-# Password for message broker authentication (string value)
+# DEPRECATED: Password for message broker authentication (string value)
-# Deprecated group/name - [amqp1]/password
+# This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Should use configuration option transport_url to provide the
 # password.
 #password =
 # Seconds to pause before attempting to re-connect. (integer value)
@@ -1674,15 +1588,12 @@
 #addressing_mode = dynamic
 # address prefix used when sending to a specific server (string value)
 # Deprecated group/name - [amqp1]/server_request_prefix
 #server_request_prefix = exclusive
 # address prefix used when broadcasting to all servers (string value)
 # Deprecated group/name - [amqp1]/broadcast_prefix
 #broadcast_prefix = broadcast
 # address prefix when sending to any server in group (string value)
 # Deprecated group/name - [amqp1]/group_request_prefix
 #group_request_prefix = unicast
 # Address prefix for all generated RPC addresses (string value)
@@ -1770,7 +1681,7 @@
 # Max fetch bytes of Kafka consumer (integer value)
 #kafka_max_fetch_bytes = 1048576
-# Default timeout(s) for Kafka consumers (integer value)
+# Default timeout(s) for Kafka consumers (floating point value)
 #kafka_consumer_timeout = 1.0
 # Pool Size for Kafka Consumers (integer value)
@@ -1815,6 +1726,11 @@
 # Deprecated group/name - [DEFAULT]/notification_topics
 #topics = notifications
 # The maximum number of attempts to re-send a notification message which failed
 # to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
 # (integer value)
 #retry = -1
 [oslo_messaging_rabbit]
@@ -1828,30 +1744,31 @@
 #amqp_durable_queues = false
 # Auto-delete queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_auto_delete
 #amqp_auto_delete = false
 # Enable SSL (boolean value)
 #ssl = <None>
 # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
 # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
 # distributions. (string value)
-# Deprecated group/name - [DEFAULT]/kombu_ssl_version
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version
-#kombu_ssl_version =
+#ssl_version =
 # SSL key file (valid only if SSL enabled). (string value)
-# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile
-#kombu_ssl_keyfile =
+#ssl_key_file =
 # SSL cert file (valid only if SSL enabled). (string value)
-# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile
-#kombu_ssl_certfile =
+#ssl_cert_file =
 # SSL certification authority file (valid only if SSL enabled). (string value)
-# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs
-#kombu_ssl_ca_certs =
+#ssl_ca_file =
 # How long to wait before reconnecting in response to an AMQP consumer cancel
 # notification. (floating point value)
 # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
 #kombu_reconnect_delay = 1.0
 # EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
@@ -1871,7 +1788,6 @@
 # DEPRECATED: The RabbitMQ broker address where a single node is used. (string
 # value)
 # Deprecated group/name - [DEFAULT]/rabbit_host
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
@@ -1881,32 +1797,24 @@
 # value)
 # Minimum value: 0
 # Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/rabbit_port
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_port = 5672
 # DEPRECATED: RabbitMQ HA cluster host:port pairs. (list value)
 # Deprecated group/name - [DEFAULT]/rabbit_hosts
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_hosts = $rabbit_host:$rabbit_port
 # Connect over SSL for RabbitMQ. (boolean value)
 # Deprecated group/name - [DEFAULT]/rabbit_use_ssl
 #rabbit_use_ssl = false
 # DEPRECATED: The RabbitMQ userid. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_userid
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_userid = guest
 # DEPRECATED: The RabbitMQ password. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_password
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
@@ -1914,11 +1822,9 @@
 # The RabbitMQ login method. (string value)
 # Allowed values: PLAIN, AMQPLAIN, RABBIT-CR-DEMO
 # Deprecated group/name - [DEFAULT]/rabbit_login_method
 #rabbit_login_method = AMQPLAIN
 # DEPRECATED: The RabbitMQ virtual host. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_virtual_host
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 # Reason: Replaced by [DEFAULT]/transport_url
@@ -1929,7 +1835,6 @@
 # How long to backoff for between retries when connecting to RabbitMQ. (integer
 # value)
 # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
 #rabbit_retry_backoff = 2
 # Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
@@ -1938,7 +1843,6 @@
 # DEPRECATED: Maximum number of RabbitMQ connection retries. Default is 0
 # (infinite retry count). (integer value)
 # Deprecated group/name - [DEFAULT]/rabbit_max_retries
 # This option is deprecated for removal.
 # Its value may be silently ignored in the future.
 #rabbit_max_retries = 0
@@ -1949,7 +1853,6 @@
 # If you just want to make sure that all queues (except those with auto-
 # generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
 # HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
 # Deprecated group/name - [DEFAULT]/rabbit_ha_queues
 #rabbit_ha_queues = false
 # Positive integer representing duration in seconds for queue TTL (x-expires).
@@ -1972,7 +1875,6 @@
 #heartbeat_rate = 2
 # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
 # Deprecated group/name - [DEFAULT]/fake_rabbit
 #fake_rabbit = false
 # Maximum number of channels to allow (integer value)
@@ -1984,9 +1886,6 @@
 # How often to send heartbeats for consumer's connections (integer value)
 #heartbeat_interval = 3
 # Enable SSL (boolean value)
 #ssl = <None>
 # Arguments passed to ssl.wrap_socket (dict value)
 #ssl_options = <None>
@@ -2091,30 +1990,24 @@
 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
 # The "host" option should point or resolve to this address. (string value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_bind_address
 #rpc_zmq_bind_address = *
 # MatchMaker driver. (string value)
 # Allowed values: redis, sentinel, dummy
 # Deprecated group/name - [DEFAULT]/rpc_zmq_matchmaker
 #rpc_zmq_matchmaker = redis
 # Number of ZeroMQ contexts, defaults to 1. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_contexts
 #rpc_zmq_contexts = 1
 # Maximum number of ingress messages to locally buffer per topic. Default is
 # unlimited. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_topic_backlog
 #rpc_zmq_topic_backlog = <None>
 # Directory for holding IPC sockets. (string value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_ipc_dir
 #rpc_zmq_ipc_dir = /var/run/openstack
 # Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
 # "host" option, if running Nova. (string value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_host
 #rpc_zmq_host = localhost
 # Number of seconds to wait before all pending messages will be sent after
@@ -2127,26 +2020,21 @@
 # The default number of seconds that poll should wait. Poll raises timeout
 # exception when timeout expired. (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_poll_timeout
 #rpc_poll_timeout = 1
 # Expiration timeout in seconds of a name service record about existing target
 # ( < 0 means no timeout). (integer value)
 # Deprecated group/name - [DEFAULT]/zmq_target_expire
 #zmq_target_expire = 300
 # Update period in seconds of a name service record about existing target.
 # (integer value)
 # Deprecated group/name - [DEFAULT]/zmq_target_update
 #zmq_target_update = 180
 # Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
 # value)
 # Deprecated group/name - [DEFAULT]/use_pub_sub
 #use_pub_sub = false
 # Use ROUTER remote proxy. (boolean value)
 # Deprecated group/name - [DEFAULT]/use_router_proxy
 #use_router_proxy = false
 # This option makes direct connections dynamic or static. It makes sense only
@@ -2161,24 +2049,20 @@
 # Minimal port number for random ports range. (port value)
 # Minimum value: 0
 # Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/rpc_zmq_min_port
 #rpc_zmq_min_port = 49153
 # Maximal port number for random ports range. (integer value)
 # Minimum value: 1
 # Maximum value: 65536
 # Deprecated group/name - [DEFAULT]/rpc_zmq_max_port
 #rpc_zmq_max_port = 65536
 # Number of retries to find free port number before fail with ZMQBindError.
 # (integer value)
 # Deprecated group/name - [DEFAULT]/rpc_zmq_bind_port_retries
 #rpc_zmq_bind_port_retries = 100
 # Default serialization mechanism for serializing/deserializing
 # outgoing/incoming messages (string value)
 # Allowed values: json, msgpack
 # Deprecated group/name - [DEFAULT]/rpc_zmq_serialization
 #rpc_zmq_serialization = json
 # This option configures round-robin mode in zmq socket. True means not keeping
@@ -2274,11 +2158,9 @@
 #
 # The file that defines policies. (string value)
 # Deprecated group/name - [DEFAULT]/policy_file
 #policy_file = policy.json
 # Default rule. Enforced when a requested rule is not found. (string value)
 # Deprecated group/name - [DEFAULT]/policy_default_rule
 #policy_default_rule = default
 # Directories where policy configuration files are stored. They can be relative
@@ -2286,7 +2168,6 @@
 # absolute paths. The file defined by policy_file must exist for these
 # directories to be searched.  Missing or empty directories are ignored. (multi
 # valued)
 # Deprecated group/name - [DEFAULT]/policy_dirs
 #policy_dirs = policy.d
@@ -2661,20 +2542,6 @@
 # Minimum value: 1
 #password_expires_days = <None>
 # DEPRECATED: Comma separated list of user IDs to be ignored when checking if a
 # password is expired. Passwords for users in this list will not expire. This
 # feature will only be enabled if `[security_compliance] password_expires_days`
 # is set. (list value)
 # This option is deprecated for removal since O.
 # Its value may be silently ignored in the future.
 # Reason: Functionality added as a per-user option "ignore_password_expiry" in
 # Ocata. Each user that should ignore password expiry should have the value set
 # to "true" in the user's `options` attribute (e.g.
 # `user['options']['ignore_password_expiry'] = True`) with an "update_user"
 # call. This avoids the need to restart keystone to adjust the users that
 # ignore password expiry. This option will be removed in the Pike release.
 #password_expires_ignore_user_ids =
 # This controls the number of previous user password iterations to keep in
 # history, in order to enforce that newly created passwords are unique. Setting
 # the value to one (the default) disables this feature. Thus, to enable this
@@ -2739,51 +2606,82 @@
 # From keystone
 #
-# Absolute path to the public certificate file to use for signing responses to
+# DEPRECATED: Absolute path to the public certificate file to use for signing
-# revocation lists requests. Set this together with `[signing] keyfile`. For
+# responses to revocation lists requests. Set this together with `[signing]
-# non-production environments, you may be interested in using `keystone-manage
+# keyfile`. For non-production environments, you may be interested in using
-# pki_setup` to generate self-signed certificates. (string value)
+# `keystone-manage pki_setup` to generate self-signed certificates. (string
 # value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #certfile = /etc/keystone/ssl/certs/signing_cert.pem
-# Absolute path to the private key file to use for signing responses to
+# DEPRECATED: Absolute path to the private key file to use for signing
-# revocation lists requests. Set this together with `[signing] certfile`.
+# responses to revocation lists requests. Set this together with `[signing]
-# (string value)
+# certfile`. (string value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #keyfile = /etc/keystone/ssl/private/signing_key.pem
-# Absolute path to the public certificate authority (CA) file to use when
+# DEPRECATED: Absolute path to the public certificate authority (CA) file to
-# creating self-signed certificates with `keystone-manage pki_setup`. Set this
+# use when creating self-signed certificates with `keystone-manage pki_setup`.
-# together with `[signing] ca_key`. There is no reason to set this option
+# Set this together with `[signing] ca_key`. There is no reason to set this
-# unless you are requesting revocation lists in a non-production environment.
+# option unless you are requesting revocation lists in a non-production
-# Use a `[signing] certfile` issued from a trusted certificate authority
+# environment. Use a `[signing] certfile` issued from a trusted certificate
-# instead. (string value)
+# authority instead. (string value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #ca_certs = /etc/keystone/ssl/certs/ca.pem
-# Absolute path to the private certificate authority (CA) key file to use when
+# DEPRECATED: Absolute path to the private certificate authority (CA) key file
-# creating self-signed certificates with `keystone-manage pki_setup`. Set this
+# to use when creating self-signed certificates with `keystone-manage
-# together with `[signing] ca_certs`. There is no reason to set this option
+# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason
-# unless you are requesting revocation lists in a non-production environment.
+# to set this option unless you are requesting revocation lists in a non-
-# Use a `[signing] certfile` issued from a trusted certificate authority
+# production environment. Use a `[signing] certfile` issued from a trusted
-# instead. (string value)
+# certificate authority instead. (string value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #ca_key = /etc/keystone/ssl/private/cakey.pem
-# Key size (in bits) to use when generating a self-signed token signing
+# DEPRECATED: Key size (in bits) to use when generating a self-signed token
 # certificate. There is no reason to set this option unless you are requesting
 # revocation lists in a non-production environment. Use a `[signing] certfile`
 # issued from a trusted certificate authority instead. (integer value)
 # Minimum value: 1024
 #key_size = 2048
 # The validity period (in days) to use when generating a self-signed token
 # signing certificate. There is no reason to set this option unless you are
 # requesting revocation lists in a non-production environment. Use a `[signing]
 # certfile` issued from a trusted certificate authority instead. (integer
 # value)
 # Minimum value: 1024
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #key_size = 2048
 # DEPRECATED: The validity period (in days) to use when generating a self-
 # signed token signing certificate. There is no reason to set this option
 # unless you are requesting revocation lists in a non-production environment.
 # Use a `[signing] certfile` issued from a trusted certificate authority
 # instead. (integer value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #valid_days = 3650
-# The certificate subject to use when generating a self-signed token signing
+# DEPRECATED: The certificate subject to use when generating a self-signed
-# certificate. There is no reason to set this option unless you are requesting
+# token signing certificate. There is no reason to set this option unless you
-# revocation lists in a non-production environment. Use a `[signing] certfile`
+# are requesting revocation lists in a non-production environment. Use a
-# issued from a trusted certificate authority instead. (string value)
+# `[signing] certfile` issued from a trusted certificate authority instead.
 # (string value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 # Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in
 # Pike. These options remain for backwards compatibility.
 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
@@ -2798,16 +2696,18 @@
 # enforced according to the `[token] enforce_token_bind` option. (list value)
 #bind =
-# This controls the token binding enforcement policy on tokens presented to
+# DEPRECATED: This controls the token binding enforcement policy on tokens
-# keystone with token binding metadata (as specified by the `[token] bind`
+# presented to keystone with token binding metadata (as specified by the
-# option). `disabled` completely bypasses token binding validation.
+# `[token] bind` option). `disabled` completely bypasses token binding
-# `permissive` and `strict` do not require tokens to have binding metadata (but
+# validation. `permissive` and `strict` do not require tokens to have binding
-# will validate it if present), whereas `required` will always demand tokens to
+# metadata (but will validate it if present), whereas `required` will always
-# having binding metadata. `permissive` will allow unsupported binding metadata
+# demand tokens to having binding metadata. `permissive` will allow unsupported
-# to pass through without validation (usually to be validated at another time
+# binding metadata to pass through without validation (usually to be validated
-# by another component), whereas `strict` and `required` will demand that the
+# at another time by another component), whereas `strict` and `required` will
-# included binding metadata be supported by keystone. (string value)
+# demand that the included binding metadata be supported by keystone. (string
-# Allowed values: disabled, permissive, strict, required
+# value)
 # This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 #enforce_token_bind = permissive
 # The amount of time that a token should remain valid (in seconds). Drastically
@@ -2831,12 +2731,13 @@
 # fernet_rotate` command). (string value)
 #provider = fernet
-# Entry point for the token persistence backend driver in the
+# DEPRECATED: Entry point for the token persistence backend driver in the
-# `keystone.token.persistence` namespace. Keystone provides `kvs` and `sql`
+# `keystone.token.persistence` namespace. Keystone provides the `sql` driver.
-# drivers. The `kvs` backend depends on the configuration in the `[kvs]`
+# The `sql` option (default) depends on the options in your `[database]`
-# section. The `sql` option (default) depends on the options in your
+# section. If you're using the `fernet` `[token] provider`, this backend will
-# `[database]` section. If you're using the `fernet` `[token] provider`, this
+# not be utilized to persist tokens at all. (string value)
-# backend will not be utilized to persist tokens at all. (string value)
+# This option is deprecated for removal since P.
 # Its value may be silently ignored in the future.
 #driver = sql
 # Toggle for caching token creation and validation data. This has no effect
@@ -2857,7 +2758,7 @@
 # `kvs` `[revoke] driver`. (boolean value)
 #revoke_by_id = true
-# This toggles whether scoped tokens may be be re-scoped to a new project or
+# This toggles whether scoped tokens may be re-scoped to a new project or
 # domain, thereby preventing users from exchanging a scoped token (including
 # those with a default project scope) for any other token. This forces users to
 # either authenticate for unscoped tokens (and later exchange that unscoped