Update sample configuration file for Queens

This patch was generated using the tox environment for generating
sample configuration files:

  tox -e genconfig

Change-Id: I225432d54b28ed5e83de7f33adee38b07e0fa6e3
Lance Bragstad 2018-02-06 21:19:35 +00:00
parent 7fec65fa9a
commit ae7c7a0f07


@ -10,10 +10,7 @@
# represent a user (it has no identity), and carries no explicit authorization # represent a user (it has no identity), and carries no explicit authorization
# (it effectively bypasses most authorization checks). If set to `None`, the # (it effectively bypasses most authorization checks). If set to `None`, the
# value is ignored and the `admin_token` middleware is effectively disabled. # value is ignored and the `admin_token` middleware is effectively disabled.
# However, to completely disable `admin_token` in production (highly # (string value)
# recommended, as it presents a security risk), remove
# `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste
# application pipelines (for example, in `keystone-paste.ini`). (string value)
#admin_token = <None> #admin_token = <None>
# The base public endpoint URL for Keystone that is advertised to clients # The base public endpoint URL for Keystone that is advertised to clients
@ -49,19 +46,33 @@
# this should be set to 32). (integer value) # this should be set to 32). (integer value)
#max_token_size = 255 #max_token_size = 255
# Similar to the `[DEFAULT] member_role_name` option, this represents the # DEPRECATED: Similar to the `[DEFAULT] member_role_name` option, this
# default role ID used to associate users with their default projects in the v2 # represents the default role ID used to associate users with their default
# API. This will be used as the explicit role where one is not specified by the # projects in the v2 API. This will be used as the explicit role where one is
# v2 API. You do not need to set this value unless you want keystone to use an # not specified by the v2 API. You do not need to set this value unless you
# existing role with a different ID, other than the arbitrarily defined # want keystone to use an existing role with a different ID, other than the
# `_member_` role (in which case, you should set `[DEFAULT] member_role_name` # arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT]
# as well). (string value) # member_role_name` as well). (string value)
# This option is deprecated for removal since Q.
# Its value may be silently ignored in the future.
# Reason: This option was used to create a default member role for keystone v2
# role assignments, but with the removal of the v2 API it is no longer
# necessary to create this default role. This option is deprecated and will be
# removed in the S release. If you are depending on having a predictable role
# name and ID for this member role you will need to update your tooling.
#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab #member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# This is the role name used in combination with the `[DEFAULT] member_role_id` # DEPRECATED: This is the role name used in combination with the `[DEFAULT]
# option; see that option for more detail. You do not need to set this option # member_role_id` option; see that option for more detail. You do not need to
# unless you want keystone to use an existing role (in which case, you should # set this option unless you want keystone to use an existing role (in which
# set `[DEFAULT] member_role_id` as well). (string value) # case, you should set `[DEFAULT] member_role_id` as well). (string value)
# This option is deprecated for removal since Q.
# Its value may be silently ignored in the future.
# Reason: This option was used to create a default member role for keystone v2
# role assignments, but with the removal of the v2 API it is no longer
# necessary to create this default role. This option is deprecated and will be
# removed in the S release. If you are depending on having a predictable role
# name and ID for this member role you will need to update your tooling.
#member_role_name = _member_ #member_role_name = _member_
# The value passed as the keyword "rounds" to passlib's encrypt method. This # The value passed as the keyword "rounds" to passlib's encrypt method. This
@ -416,6 +427,33 @@
#control_exchange = keystone #control_exchange = keystone
[application_credential]
#
# From keystone
#
# Entry point for the application credential backend driver in the
# `keystone.application_credential` namespace. Keystone only provides a `sql`
# driver, so there is no reason to change this unless you are providing a
# custom entry point. (string value)
#driver = sql
# Toggle for application credential caching. This has no effect unless global
# caching is enabled. (boolean value)
#caching = true
# Time to cache application credential data in seconds. This has no effect
# unless global caching is enabled. (integer value)
#cache_time = <None>
# Maximum number of application credentials a user is permitted to create. A
# value of -1 means unlimited. If a limit is not set, users are permitted to
# create application credentials at will, which could lead to bloat in the
# keystone database or open keystone to a DoS attack. (integer value)
#user_limit = -1
[assignment] [assignment]
# #
@ -444,7 +482,7 @@
# both use the REMOTE_USER variable. Since both the mapped and external plugin # both use the REMOTE_USER variable. Since both the mapped and external plugin
# are being invoked to validate attributes in the request environment, it can # are being invoked to validate attributes in the request environment, it can
# cause conflicts. (list value) # cause conflicts. (list value)
#methods = external,password,token,oauth1,mapped #methods = external,password,token,oauth1,mapped,application_credential
# Entry point for the password auth plugin module in the # Entry point for the password auth plugin module in the
# `keystone.auth.password` namespace. You do not need to set this unless you # `keystone.auth.password` namespace. You do not need to set this unless you
@ -479,6 +517,12 @@
# own `mapped` authentication plugin. (string value) # own `mapped` authentication plugin. (string value)
#mapped = <None> #mapped = <None>
# Entry point for the application_credential auth plugin module in the
# `keystone.auth.application_credential` namespace. You do not need to set this
# unless you are overriding keystone's own `application_credential`
# authentication plugin. (string value)
#application_credential = <None>
[cache] [cache]
@ -613,35 +657,6 @@
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name #allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
[cors.subdomain]
#
# From oslo.middleware
#
# Indicate whether this resource may be shared with the domain received in the
# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
# slash. Example: https://horizon.example.com (list value)
#allowed_origin = <None>
# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true
# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
[credential] [credential]
# #
@ -698,6 +713,10 @@
# (string value) # (string value)
#mysql_sql_mode = TRADITIONAL #mysql_sql_mode = TRADITIONAL
# If True, transparently enables support for handling MySQL Cluster (NDB).
# (boolean value)
#mysql_enable_ndb = false
# Timeout before idle SQL connections are reaped. (integer value) # Timeout before idle SQL connections are reaped. (integer value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout # Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout # Deprecated group/name - [DATABASE]/sql_idle_timeout
@ -888,7 +907,7 @@
#assertion_prefix = #assertion_prefix =
# Value to be used to obtain the entity ID of the Identity Provider from the # Value to be used to obtain the entity ID of the Identity Provider from the
# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For For # environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For
# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, # `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
# this could be `MELLON_IDP`. (string value) # this could be `MELLON_IDP`. (string value)
#remote_id_attribute = <None> #remote_id_attribute = <None>
@ -1051,6 +1070,41 @@
# (integer value) # (integer value)
#list_limit = <None> #list_limit = <None>
# The password hashing algorithm to use for passwords stored within keystone.
# (string value)
# Allowed values: bcrypt, scrypt, pbkdf2_sha512
#password_hash_algorithm = bcrypt
# This option represents a trade off between security and performance. Higher
# values lead to slower performance, but higher security. Changing this option
# will only affect newly created passwords as existing password hashes already
# have a fixed number of rounds applied, so it is safe to tune this option in a
# running cluster. The default for bcrypt is 12, must be between 4 and 31,
# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The
# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING:
# If using scrypt, increasing this value increases BOTH time AND memory
# requirements to hash a password. (integer value)
#password_hash_rounds = <None>
# Optional block size to pass to scrypt hash function (the `r` parameter).
# Useful for tuning scrypt to optimal performance for your CPU architecture.
# This option is only used when the `password_hash_algorithm` option is set to
# `scrypt`. Defaults to 8. (integer value)
#scrypt_block_size = <None>
# Optional parallelism to pass to scrypt hash function (the `p` parameter).
# This option is only used when the `password_hash_algorithm` option is set to
# `scrypt`. Defaults to 1. (integer value)
#scrypt_parallelism = <None>
# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for
# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a
# maximum of 96 bytes due to the size of the column used to store password
# hashes. (integer value)
# Minimum value: 0
# Maximum value: 96
#salt_bytesize = <None>
[identity_mapping] [identity_mapping]
@ -2305,10 +2359,15 @@
# From keystone # From keystone
# #
# Entry point for the resource driver in the `keystone.resource` namespace. # DEPRECATED: Entry point for the resource driver in the `keystone.resource`
# Only a `sql` driver is supplied by keystone. Unless you are writing # namespace. Only a `sql` driver is supplied by keystone. Unless you are
# proprietary drivers for keystone, you do not need to set this option. (string # writing proprietary drivers for keystone, you do not need to set this option.
# value) # (string value)
# This option is deprecated for removal since P.
# Its value may be silently ignored in the future.
# Reason: Non-SQL resource cannot be used with SQL Identity and has been unable
# to be used since Ocata. SQL Resource backend is a requirement as of Pike.
# Setting this option no longer has an effect on how Keystone operates.
#driver = sql #driver = sql
# Toggle for resource caching. This has no effect unless global caching is # Toggle for resource caching. This has no effect unless global caching is
@ -2543,10 +2602,11 @@
#password_expires_days = <None> #password_expires_days = <None>
# This controls the number of previous user password iterations to keep in # This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique. Setting # history, in order to enforce that newly created passwords are unique. The
# the value to one (the default) disables this feature. Thus, to enable this # total number which includes the new password should not be greater or equal
# feature, values must be greater than 1. This feature depends on the `sql` # to this value. Setting the value to one (the default) disables this feature.
# backend for the `[identity] driver`. (integer value) # Thus, to enable this feature, values must be greater than 1. This feature
# depends on the `sql` backend for the `[identity] driver`. (integer value)
# Minimum value: 1 # Minimum value: 1
#unique_last_password_count = 1 #unique_last_password_count = 1
@ -2821,8 +2881,12 @@
# From keystone # From keystone
# #
# Delegation and impersonation features using trusts can be optionally # DEPRECATED: Delegation and impersonation features using trusts can be
# disabled. (boolean value) # optionally disabled. (boolean value)
# This option is deprecated for removal since Q.
# Its value may be silently ignored in the future.
# Reason: Disabling the trusts API is deprecated. This option will be removed
# in the next release and trusts will always be enabled.
#enabled = true #enabled = true
# Allows authorization to be redelegated from one user to another, effectively # Allows authorization to be redelegated from one user to another, effectively
@ -2839,3 +2903,30 @@
# Keystone only provides a `sql` driver, so there is no reason to change this # Keystone only provides a `sql` driver, so there is no reason to change this
# unless you are providing a custom entry point. (string value) # unless you are providing a custom entry point. (string value)
#driver = sql #driver = sql
[unified_limit]
#
# From keystone
#
# Entry point for the unified limit backend driver in the
# `keystone.unified_limit` namespace. Keystone only provides a `sql` driver, so
# there's no reason to change this unless you are providing a custom entry
# point. (string value)
#driver = sql
# Toggle for unified limit caching. This has no effect unless global caching is
# enabled. In a typical deployment, there is no reason to disable this.
# (boolean value)
#caching = true
# Time to cache unified limit data, in seconds. This has no effect unless both
# global caching and `[unified_limit] caching` are enabled. (integer value)
#cache_time = <None>
# Maximum number of entities that will be returned in a role collection. This
# may be useful to tune if you have a large number of unified limits in your
# deployment. (integer value)
#list_limit = <None>
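Review bot: In the new `[application_credential]` section, `user_limit` defaults to `-1` (unlimited), although its own help text says that without a limit users can create credentials at will, which could bloat the keystone database or open keystone to a DoS attack. An operator who copies the sample unchanged therefore gets the setting the text warns about. The help text could end with a sentence such as `Production deployments should set a finite value.`, and deployers can set one explicitly, e.g. `user_limit = 50` (a constructed example value, not a project recommendation). Since the commit message says this file is produced by `tox -e genconfig`, the wording or default would presumably have to change in the option's definition rather than in this sample.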