Clean up config help text
These are suggestions to clean up the help text. Change-Id: If22c6491b530da92ee1ce6411b57f0585817de38
parent
6c6046b79e
commit
b5c5354f43
@ -12,12 +12,12 @@
|
||||
# paste.ini). (string value)
|
||||
#admin_token=ADMIN
|
||||
|
||||
# The IP Address of the network interface to for the public
|
||||
# The IP address of the network interface for the public
|
||||
# service to listen on. (string value)
|
||||
# Deprecated group/name - [DEFAULT]/bind_host
|
||||
#public_bind_host=0.0.0.0
|
||||
|
||||
# The IP Address of the network interface to for the admin
|
||||
# The IP address of the network interface for the admin
|
||||
# service to listen on. (string value)
|
||||
# Deprecated group/name - [DEFAULT]/bind_host
|
||||
#admin_bind_host=0.0.0.0
|
||||
@ -34,44 +34,42 @@
|
||||
# (integer value)
|
||||
#public_port=5000
|
||||
|
||||
# The base public endpoint URL for keystone that are
|
||||
# advertised to clients (NOTE: this does NOT affect how
|
||||
# keystone listens for connections) (string value).
|
||||
# Defaults to the base host URL of the request. Eg a
|
||||
# request to http://server:5000/v2.0/users will
|
||||
# default to http://server:5000. You should only need
|
||||
# to set this value if the base URL contains a path
|
||||
# (eg /prefix/v2.0) or the endpoint should be found on
|
||||
# a different server.
|
||||
#public_endpoint=http://localhost:%(public_port)s/
|
||||
# The base public endpoint URL for Keystone that is advertised
|
||||
# to clients (NOTE: this does NOT affect how Keystone listens
|
||||
# for connections). Defaults to the base host URL of the
|
||||
# request. E.g. a request to http://server:5000/v2.0/users
|
||||
# will default to http://server:5000. You should only need to
|
||||
# set this value if the base URL contains a path (e.g.
|
||||
# /prefix/v2.0) or the endpoint should be found on a different
|
||||
# server. (string value)
|
||||
#public_endpoint=<None>
|
||||
|
||||
# The base admin endpoint URL for keystone that are advertised
|
||||
# to clients (NOTE: this does NOT affect how keystone listens
|
||||
# for connections) (string value).
|
||||
# Defaults to the base host URL of the request. Eg a
|
||||
# request to http://server:35357/v2.0/users will
|
||||
# default to http://server:35357. You should only need
|
||||
# to set this value if the base URL contains a path
|
||||
# (eg /prefix/v2.0) or the endpoint should be found on
|
||||
# a different server.
|
||||
#admin_endpoint=http://localhost:%(admin_port)s/
|
||||
# The base admin endpoint URL for Keystone that is advertised
|
||||
# to clients (NOTE: this does NOT affect how Keystone listens
|
||||
# for connections). Defaults to the base host URL of the
|
||||
# request. E.g. a request to http://server:35357/v2.0/users
|
||||
# will default to http://server:35357. You should only need to
|
||||
# set this value if the base URL contains a path (e.g.
|
||||
# /prefix/v2.0) or the endpoint should be found on a different
|
||||
# server. (string value)
|
||||
#admin_endpoint=<None>
|
||||
|
||||
# onready allows you to send a notification when the process
|
||||
# is ready to serve For example, to have it notify using
|
||||
# is ready to serve. For example, to have it notify using
|
||||
# systemd, one could set shell command: "onready = systemd-
|
||||
# notify --ready" or a module with notify() method: "onready =
|
||||
# keystone.common.systemd". (string value)
|
||||
#onready=<None>
|
||||
|
||||
# enforced by optional sizelimit middleware
|
||||
# Enforced by optional sizelimit middleware
|
||||
# (keystone.middleware:RequestBodySizeLimiter). (integer
|
||||
# value)
|
||||
#max_request_body_size=114688
|
||||
|
||||
# limit the sizes of user & tenant ID/names. (integer value)
|
||||
# Limit the sizes of user & project ID/names. (integer value)
|
||||
#max_param_size=64
|
||||
|
||||
# similar to max_param_size, but provides an exception for
|
||||
# Similar to max_param_size, but provides an exception for
|
||||
# token values. (integer value)
|
||||
#max_token_size=8192
|
||||
|
||||
@ -82,32 +80,32 @@
|
||||
# add_user_to_project. (string value)
|
||||
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
|
||||
|
||||
# During a SQL upgrade member_role_id will be used to create a
|
||||
# new role that will replace records in the
|
||||
# During a SQL upgrade member_role_name will be used to create
|
||||
# a new role that will replace records in the
|
||||
# user_tenant_membership table with explicit role grants.
|
||||
# After migration, member_role_name will be ignored. (string
|
||||
# value)
|
||||
#member_role_name=_member_
|
||||
|
||||
# The value passed as the keyword "rounds" to passlib encrypt
|
||||
# method. (integer value)
|
||||
# The value passed as the keyword "rounds" to passlib's
|
||||
# encrypt method. (integer value)
|
||||
#crypt_strength=40000
|
||||
|
||||
# Set this to True if you want to enable TCP_KEEPALIVE on
|
||||
# server sockets i.e. sockets used by the keystone wsgi server
|
||||
# for client connections. (boolean value)
|
||||
# Set this to true if you want to enable TCP_KEEPALIVE on
|
||||
# server sockets, i.e. sockets used by the Keystone wsgi
|
||||
# server for client connections. (boolean value)
|
||||
#tcp_keepalive=false
|
||||
|
||||
# Sets the value of TCP_KEEPIDLE in seconds for each server
|
||||
# socket. Only applies if tcp_keepalive is True. Not supported
|
||||
# socket. Only applies if tcp_keepalive is true. Not supported
|
||||
# on OS X. (integer value)
|
||||
#tcp_keepidle=600
|
||||
|
||||
# The maximum number of entities that will be returned in a
|
||||
# collection can be set with list_limit, with no limit set by
|
||||
# default. This global limit may be then overridden for a
|
||||
# specific driver, by specifying a list_limit in the
|
||||
# appropriate section (e.g. [assignment]). (integer value)
|
||||
# collection, with no limit set by default. This global limit
|
||||
# may be then overridden for a specific driver, by specifying
|
||||
# a list_limit in the appropriate section (e.g. [assignment]).
|
||||
# (integer value)
|
||||
#list_limit=<None>
|
||||
|
||||
# Set this to false if you want to enable the ability for
|
||||
@ -482,7 +480,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone Assignment backend driver. (string value)
|
||||
# Assignment backend driver. (string value)
|
||||
#driver=<None>
|
||||
|
||||
# Toggle for assignment caching. This has no effect unless
|
||||
@ -545,7 +543,7 @@
|
||||
|
||||
# Use a key-mangling function (sha1) to ensure fixed length
|
||||
# cache-keys. This is toggle-able for debugging purposes, it
|
||||
# is highly recommended to always leave this set to True.
|
||||
# is highly recommended to always leave this set to true.
|
||||
# (boolean value)
|
||||
#use_key_mangler=true
|
||||
|
||||
@ -554,11 +552,9 @@
|
||||
# backend. Example format: "<argname>:<value>". (multi valued)
|
||||
#backend_argument=
|
||||
|
||||
# Proxy Classes to import that will affect the way the
|
||||
# Proxy classes to import that will affect the way the
|
||||
# dogpile.cache backend functions. See the dogpile.cache
|
||||
# documentation on changing-backend-behavior. Comma delimited
|
||||
# list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2.
|
||||
# (list value)
|
||||
# documentation on changing-backend-behavior. (list value)
|
||||
#proxies=
|
||||
|
||||
# Global toggle for all caching using the should_cache_fn
|
||||
@ -566,10 +562,10 @@
|
||||
#enabled=false
|
||||
|
||||
# Extra debugging from the cache backend (cache keys,
|
||||
# get/set/delete/etc calls) This is only really useful if you
|
||||
# get/set/delete/etc calls). This is only really useful if you
|
||||
# need to see the specific cache-backend get/set/delete calls
|
||||
# with the keys/values. Typically this should be left set to
|
||||
# False. (boolean value)
|
||||
# false. (boolean value)
|
||||
#debug_cache_backend=false
|
||||
|
||||
|
||||
@ -583,7 +579,7 @@
|
||||
# backend. (string value)
|
||||
#template_file=default_catalog.templates
|
||||
|
||||
# Keystone catalog backend driver. (string value)
|
||||
# Catalog backend driver. (string value)
|
||||
#driver=keystone.catalog.backends.sql.Catalog
|
||||
|
||||
# Maximum number of entities that will be returned in a
|
||||
@ -597,7 +593,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone Credential backend driver. (string value)
|
||||
# Credential backend driver. (string value)
|
||||
#driver=keystone.credential.backends.sql.Credential
|
||||
|
||||
|
||||
@ -709,7 +705,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone EC2Credential backend driver. (string value)
|
||||
# EC2Credential backend driver. (string value)
|
||||
#driver=keystone.contrib.ec2.backends.kvs.Ec2
|
||||
|
||||
|
||||
@ -719,7 +715,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone Endpoint Filter backend driver (string value)
|
||||
# Endpoint Filter backend driver (string value)
|
||||
#driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
|
||||
|
||||
# Toggle to return all active endpoints if no filter exists.
|
||||
@ -733,7 +729,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone Federation backend driver. (string value)
|
||||
# Federation backend driver. (string value)
|
||||
#driver=keystone.contrib.federation.backends.sql.Federation
|
||||
|
||||
# Value to be used when filtering assertion parameters from
|
||||
@ -750,10 +746,10 @@
|
||||
# This references the domain to use for all Identity API v2
|
||||
# requests (which are not aware of domains). A domain with
|
||||
# this ID will be created for you by keystone-manage db_sync
|
||||
# in migration 008. The domain referenced by this ID cannot
|
||||
# be deleted on the v3 API, to prevent accidentally breaking
|
||||
# the v2 API. There is nothing special about this domain,
|
||||
# other than the fact that it must exist to order to maintain
|
||||
# in migration 008. The domain referenced by this ID cannot be
|
||||
# deleted on the v3 API, to prevent accidentally breaking the
|
||||
# v2 API. There is nothing special about this domain, other
|
||||
# than the fact that it must exist to order to maintain
|
||||
# support for your v2 clients. (string value)
|
||||
#default_domain_id=default
|
||||
|
||||
@ -762,15 +758,15 @@
|
||||
# domain configuration directory. Only values specific to the
|
||||
# domain need to be placed in the domain specific
|
||||
# configuration file. This feature is disabled by default; set
|
||||
# to True to enable. (boolean value)
|
||||
# to true to enable. (boolean value)
|
||||
#domain_specific_drivers_enabled=false
|
||||
|
||||
# Path for Keystone to locate the domain specificidentity
|
||||
# Path for Keystone to locate the domain specific identity
|
||||
# configuration files if domain_specific_drivers_enabled is
|
||||
# set to true. (string value)
|
||||
#domain_config_dir=/etc/keystone/domains
|
||||
|
||||
# Keystone Identity backend driver. (string value)
|
||||
# Identity backend driver. (string value)
|
||||
#driver=keystone.identity.backends.sql.Identity
|
||||
|
||||
# Maximum supported length for user passwords; decrease to
|
||||
@ -801,7 +797,7 @@
|
||||
# Toggle to disable using a key-mangling function to ensure
|
||||
# fixed length keys. This is toggle-able for debugging
|
||||
# purposes, it is highly recommended to always leave this set
|
||||
# to True. (boolean value)
|
||||
# to true. (boolean value)
|
||||
#enable_key_mangler=true
|
||||
|
||||
# Default lock timeout for distributed locking. (integer
|
||||
@ -837,7 +833,9 @@
|
||||
# enabled. (string value)
|
||||
#dumb_member=cn=dumb,dc=nonexistent
|
||||
|
||||
# allow deleting subtrees. (boolean value)
|
||||
# Delete subtrees using the subtree delete control. Only
|
||||
# enable this option if your LDAP server supports subtree
|
||||
# deletion. (boolean value)
|
||||
#allow_subtree_delete=false
|
||||
|
||||
# The LDAP scope for queries, this can be either "one"
|
||||
@ -865,7 +863,7 @@
|
||||
# LDAP search filter for users. (string value)
|
||||
#user_filter=<None>
|
||||
|
||||
# LDAP objectClass for users. (string value)
|
||||
# LDAP objectclass for users. (string value)
|
||||
#user_objectclass=inetOrgPerson
|
||||
|
||||
# LDAP attribute mapped to user id. (string value)
|
||||
@ -895,7 +893,7 @@
|
||||
# Default value to enable users. This should match an
|
||||
# appropriate int value if the LDAP server uses non-boolean
|
||||
# (bitmask) values to indicate if a user is enabled or
|
||||
# disabled. If this is not set to "True"the typical value is
|
||||
# disabled. If this is not set to "True" the typical value is
|
||||
# "512". This is typically used when "user_enabled_attribute =
|
||||
# userAccountControl". (string value)
|
||||
#user_enabled_default=True
|
||||
@ -917,7 +915,7 @@
|
||||
# Allow user deletion in LDAP backend. (boolean value)
|
||||
#user_allow_delete=true
|
||||
|
||||
# If True, Keystone uses an alternative method to determine if
|
||||
# If true, Keystone uses an alternative method to determine if
|
||||
# a user is enabled or not by checking if they are a member of
|
||||
# the "user_enabled_emulation_dn" group. (boolean value)
|
||||
#user_enabled_emulation=false
|
||||
@ -927,7 +925,7 @@
|
||||
#user_enabled_emulation_dn=<None>
|
||||
|
||||
# List of additional LDAP attributes used for mapping
|
||||
# Additional attribute mappings for users. Attribute mapping
|
||||
# additional attribute mappings for users. Attribute mapping
|
||||
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
|
||||
# attribute in the LDAP entry and user_attr is the Identity
|
||||
# API attribute. (list value)
|
||||
@ -939,7 +937,7 @@
|
||||
# LDAP search filter for projects. (string value)
|
||||
#tenant_filter=<None>
|
||||
|
||||
# LDAP objectClass for projects. (string value)
|
||||
# LDAP objectclass for projects. (string value)
|
||||
#tenant_objectclass=groupOfNames
|
||||
|
||||
# LDAP attribute mapped to project id. (string value)
|
||||
@ -965,16 +963,16 @@
|
||||
# value)
|
||||
#tenant_attribute_ignore=
|
||||
|
||||
# Allow tenant creation in LDAP backend. (boolean value)
|
||||
# Allow project creation in LDAP backend. (boolean value)
|
||||
#tenant_allow_create=true
|
||||
|
||||
# Allow tenant update in LDAP backend. (boolean value)
|
||||
# Allow project update in LDAP backend. (boolean value)
|
||||
#tenant_allow_update=true
|
||||
|
||||
# Allow tenant deletion in LDAP backend. (boolean value)
|
||||
# Allow project deletion in LDAP backend. (boolean value)
|
||||
#tenant_allow_delete=true
|
||||
|
||||
# If True, Keystone uses an alternative method to determine if
|
||||
# If true, Keystone uses an alternative method to determine if
|
||||
# a project is enabled or not by checking if they are a member
|
||||
# of the "tenant_enabled_emulation_dn" group. (boolean value)
|
||||
#tenant_enabled_emulation=false
|
||||
@ -995,7 +993,7 @@
|
||||
# LDAP search filter for roles. (string value)
|
||||
#role_filter=<None>
|
||||
|
||||
# LDAP objectClass for roles. (string value)
|
||||
# LDAP objectclass for roles. (string value)
|
||||
#role_objectclass=organizationalRole
|
||||
|
||||
# LDAP attribute mapped to role id. (string value)
|
||||
@ -1032,7 +1030,7 @@
|
||||
# LDAP search filter for groups. (string value)
|
||||
#group_filter=<None>
|
||||
|
||||
# LDAP objectClass for groups. (string value)
|
||||
# LDAP objectclass for groups. (string value)
|
||||
#group_objectclass=groupOfNames
|
||||
|
||||
# LDAP attribute mapped to group id. (string value)
|
||||
@ -1079,7 +1077,7 @@
|
||||
# value)
|
||||
#use_tls=false
|
||||
|
||||
# valid options for tls_req_cert are demand, never, and allow.
|
||||
# Valid options for tls_req_cert are demand, never, and allow.
|
||||
# (string value)
|
||||
#tls_req_cert=demand
|
||||
|
||||
@ -1101,7 +1099,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Memcache servers in the format of "host:port" (list value)
|
||||
# Memcache servers in the format of "host:port". (list value)
|
||||
#servers=localhost:11211
|
||||
|
||||
# Number of compare-and-set attempts to make when using
|
||||
@ -1116,7 +1114,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone Credential backend driver. (string value)
|
||||
# Credential backend driver. (string value)
|
||||
#driver=keystone.contrib.oauth1.backends.sql.OAuth1
|
||||
|
||||
# Duration (in seconds) for the OAuth Request Token. (integer
|
||||
@ -1156,7 +1154,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone Policy backend driver. (string value)
|
||||
# Policy backend driver. (string value)
|
||||
#driver=keystone.policy.backends.sql.Policy
|
||||
|
||||
# Maximum number of entities that will be returned in a policy
|
||||
@ -1203,18 +1201,18 @@
|
||||
# Path of the CA for token signing. (string value)
|
||||
#ca_certs=/etc/keystone/ssl/certs/ca.pem
|
||||
|
||||
# Path of the CA Key for token signing. (string value)
|
||||
# Path of the CA key for token signing. (string value)
|
||||
#ca_key=/etc/keystone/ssl/private/cakey.pem
|
||||
|
||||
# Key Size (in bits) for token signing cert (auto generated
|
||||
# Key size (in bits) for token signing cert (auto generated
|
||||
# certificate). (integer value)
|
||||
#key_size=2048
|
||||
|
||||
# Day the token signing cert is valid for (auto generated
|
||||
# Days the token signing cert is valid for (auto generated
|
||||
# certificate). (integer value)
|
||||
#valid_days=3650
|
||||
|
||||
# Certificate Subject (auto generated certificate) for token
|
||||
# Certificate subject (auto generated certificate) for token
|
||||
# signing. (string value)
|
||||
#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
|
||||
|
||||
@ -1225,7 +1223,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Toggle for SSL support on the keystone eventlet servers.
|
||||
# Toggle for SSL support on the Keystone eventlet servers.
|
||||
# (boolean value)
|
||||
#enable=false
|
||||
|
||||
@ -1244,7 +1242,7 @@
|
||||
# Require client certificate. (boolean value)
|
||||
#cert_required=false
|
||||
|
||||
# SSL Key Length (in bits) (auto generated certificate).
|
||||
# SSL key length (in bits) (auto generated certificate).
|
||||
# (integer value)
|
||||
#key_size=1024
|
||||
|
||||
@ -1252,7 +1250,7 @@
|
||||
# generated certificate). (integer value)
|
||||
#valid_days=3650
|
||||
|
||||
# SSL Certificate Subject (auto generated certificate).
|
||||
# SSL certificate subject (auto generated certificate).
|
||||
# (string value)
|
||||
#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
|
||||
|
||||
@ -1263,7 +1261,7 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# Keystone stats backend driver. (string value)
|
||||
# Stats backend driver. (string value)
|
||||
#driver=keystone.contrib.stats.backends.kvs.Stats
|
||||
|
||||
|
||||
@ -1274,12 +1272,12 @@
|
||||
#
|
||||
|
||||
# External auth mechanisms that should add bind information to
|
||||
# token e.g. kerberos, x509. (list value)
|
||||
# token, e.g., kerberos,x509. (list value)
|
||||
#bind=
|
||||
|
||||
# Enforcement policy on tokens presented to keystone with bind
|
||||
# Enforcement policy on tokens presented to Keystone with bind
|
||||
# information. One of disabled, permissive, strict, required
|
||||
# or a specifically required bind mode e.g. kerberos or x509
|
||||
# or a specifically required bind mode, e.g., kerberos or x509
|
||||
# to require binding to that authentication. (string value)
|
||||
#enforce_token_bind=permissive
|
||||
|
||||
@ -1293,7 +1291,7 @@
|
||||
# value)
|
||||
#provider=<None>
|
||||
|
||||
# Keystone Token persistence backend driver. (string value)
|
||||
# Token persistence backend driver. (string value)
|
||||
#driver=keystone.token.backends.sql.Token
|
||||
|
||||
# Toggle for token system cacheing. This has no effect unless
|
||||
@ -1310,13 +1308,13 @@
|
||||
# global and token caching are enabled. (integer value)
|
||||
#cache_time=<None>
|
||||
|
||||
# Revoke token by token identifier. Setting revoke_by_id to
|
||||
# True enables various forms of enumerating tokens, e.g. `list
|
||||
# tokens for user`. These enumerations are processed to
|
||||
# determine the list of tokens to revoke. Only disable if
|
||||
# you are switching to using the Revoke extension with a
|
||||
# backend other than KVS, which stores events in memory.
|
||||
# (boolean value)
|
||||
# Revoke token by token identifier. Setting revoke_by_id to
|
||||
# true enables various forms of enumerating tokens, e.g. `list
|
||||
# tokens for user`. These enumerations are processed to
|
||||
# determine the list of tokens to revoke. Only disable if you
|
||||
# are switching to using the Revoke extension with a backend
|
||||
# other than KVS, which stores events in memory. (boolean
|
||||
# value)
|
||||
#revoke_by_id=true
|
||||
|
||||
|
||||
@ -1326,11 +1324,11 @@
|
||||
# Options defined in keystone
|
||||
#
|
||||
|
||||
# delegation and impersonation features can be optionally
|
||||
# Delegation and impersonation features can be optionally
|
||||
# disabled. (boolean value)
|
||||
#enabled=true
|
||||
|
||||
# Keystone Trust backend driver. (string value)
|
||||
# Trust backend driver. (string value)
|
||||
#driver=keystone.trust.backends.sql.Trust
|
||||
|
||||
|
||||
|
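Review bot: The reworded help for the SSL `key_size` option (hunk `@ -1244,7 +1242,7`) still sits above `#key_size=1024` with no guidance, while the token-signing `key_size` earlier in this file defaults to 2048, so an operator reading the sample gets no hint that the auto-generated SSL certificate uses the shorter key. Since the commit is already editing this text, the help could say so, e.g. `# SSL key length (in bits) (auto generated certificate). Values below 2048 are not recommended. (integer value)`. If this sample is generated from the option definitions, the sentence belongs in that option's `help=` string rather than in this file; the option's definition is not visible in the part of the page shown here.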
@ -32,13 +32,13 @@ FILE_OPTIONS = {
|
||||
default='0.0.0.0',
|
||||
deprecated_opts=[cfg.DeprecatedOpt('bind_host',
|
||||
group='DEFAULT')],
|
||||
help='The IP Address of the network interface to for the '
|
||||
help='The IP address of the network interface for the '
|
||||
'public service to listen on.'),
|
||||
cfg.StrOpt('admin_bind_host',
|
||||
default='0.0.0.0',
|
||||
deprecated_opts=[cfg.DeprecatedOpt('bind_host',
|
||||
group='DEFAULT')],
|
||||
help='The IP Address of the network interface to for the '
|
||||
help='The IP address of the network interface for the '
|
||||
'admin service to listen on.'),
|
||||
cfg.IntOpt('compute_port', default=8774,
|
||||
help='The port which the OpenStack Compute service '
|
||||
@ -50,41 +50,41 @@ FILE_OPTIONS = {
|
||||
help='The port number which the public service listens '
|
||||
'on.'),
|
||||
cfg.StrOpt('public_endpoint',
|
||||
help='The base public endpoint URL for keystone that are '
|
||||
help='The base public endpoint URL for Keystone that is '
|
||||
'advertised to clients (NOTE: this does NOT affect '
|
||||
'how keystone listens for connections). '
|
||||
'Defaults to the base host URL of the request. Eg a '
|
||||
'how Keystone listens for connections). '
|
||||
'Defaults to the base host URL of the request. E.g. a '
|
||||
'request to http://server:5000/v2.0/users will '
|
||||
'default to http://server:5000. You should only need '
|
||||
'to set this value if the base URL contains a path '
|
||||
'(eg /prefix/v2.0) or the endpoint should be found on '
|
||||
'a different server.'),
|
||||
'(e.g. /prefix/v2.0) or the endpoint should be found '
|
||||
'on a different server.'),
|
||||
cfg.StrOpt('admin_endpoint',
|
||||
help='The base admin endpoint URL for keystone that are '
|
||||
help='The base admin endpoint URL for Keystone that is '
|
||||
'advertised to clients (NOTE: this does NOT affect '
|
||||
'how keystone listens for connections). '
|
||||
'Defaults to the base host URL of the request. Eg a '
|
||||
'how Keystone listens for connections). '
|
||||
'Defaults to the base host URL of the request. E.g. a '
|
||||
'request to http://server:35357/v2.0/users will '
|
||||
'default to http://server:35357. You should only need '
|
||||
'to set this value if the base URL contains a path '
|
||||
'(eg /prefix/v2.0) or the endpoint should be found on '
|
||||
'a different server.'),
|
||||
'(e.g. /prefix/v2.0) or the endpoint should be found '
|
||||
'on a different server.'),
|
||||
cfg.StrOpt('onready',
|
||||
help='onready allows you to send a notification when the '
|
||||
'process is ready to serve For example, to have it '
|
||||
'process is ready to serve. For example, to have it '
|
||||
'notify using systemd, one could set shell command: '
|
||||
'"onready = systemd-notify --ready" or a module '
|
||||
'with notify() method: '
|
||||
'"onready = keystone.common.systemd".'),
|
||||
# default max request size is 112k
|
||||
cfg.IntOpt('max_request_body_size', default=114688,
|
||||
help='enforced by optional sizelimit middleware '
|
||||
help='Enforced by optional sizelimit middleware '
|
||||
'(keystone.middleware:RequestBodySizeLimiter).'),
|
||||
cfg.IntOpt('max_param_size', default=64,
|
||||
help='limit the sizes of user & tenant ID/names.'),
|
||||
help='Limit the sizes of user & project ID/names.'),
|
||||
# we allow tokens to be a bit larger to accommodate PKI
|
||||
cfg.IntOpt('max_token_size', default=8192,
|
||||
help='similar to max_param_size, but provides an '
|
||||
help='Similar to max_param_size, but provides an '
|
||||
'exception for token values.'),
|
||||
cfg.StrOpt('member_role_id',
|
||||
default='9fe2ff9ee4384b1894a90878d3e92bab',
|
||||
@ -94,31 +94,30 @@ FILE_OPTIONS = {
|
||||
'role grants. After migration, the member_role_id '
|
||||
'will be used in the API add_user_to_project.'),
|
||||
cfg.StrOpt('member_role_name', default='_member_',
|
||||
help='During a SQL upgrade member_role_id will be used '
|
||||
help='During a SQL upgrade member_role_name will be used '
|
||||
'to create a new role that will replace records in '
|
||||
'the user_tenant_membership table with explicit '
|
||||
'role grants. After migration, member_role_name will '
|
||||
'be ignored.'),
|
||||
cfg.IntOpt('crypt_strength', default=40000,
|
||||
help='The value passed as the keyword "rounds" to passlib '
|
||||
'encrypt method.'),
|
||||
help='The value passed as the keyword "rounds" to '
|
||||
'passlib\'s encrypt method.'),
|
||||
cfg.BoolOpt('tcp_keepalive', default=False,
|
||||
help='Set this to True if you want to enable '
|
||||
'TCP_KEEPALIVE on server sockets i.e. sockets used '
|
||||
'by the keystone wsgi server for client '
|
||||
help='Set this to true if you want to enable '
|
||||
'TCP_KEEPALIVE on server sockets, i.e. sockets used '
|
||||
'by the Keystone wsgi server for client '
|
||||
'connections.'),
|
||||
cfg.IntOpt('tcp_keepidle',
|
||||
default=600,
|
||||
help='Sets the value of TCP_KEEPIDLE in seconds for each '
|
||||
'server socket. Only applies if tcp_keepalive is '
|
||||
'True. Not supported on OS X.'),
|
||||
'true. Not supported on OS X.'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help='The maximum number of entities that will be '
|
||||
'returned in a collection can be set with '
|
||||
'list_limit, with no limit set by default. This '
|
||||
'global limit may be then overridden for a specific '
|
||||
'driver, by specifying a list_limit in the '
|
||||
'appropriate section (e.g. [assignment]).'),
|
||||
'returned in a collection, with no limit set by '
|
||||
'default. This global limit may be then overridden '
|
||||
'for a specific driver, by specifying a list_limit '
|
||||
'in the appropriate section (e.g. [assignment]).'),
|
||||
cfg.BoolOpt('domain_id_immutable', default=True,
|
||||
help='Set this to false if you want to enable the '
|
||||
'ability for user, group and project entities '
|
||||
@ -133,7 +132,7 @@ FILE_OPTIONS = {
|
||||
'Identity API v2 requests (which are not aware of '
|
||||
'domains). A domain with this ID will be created '
|
||||
'for you by keystone-manage db_sync in migration '
|
||||
'008. The domain referenced by this ID cannot be '
|
||||
'008. The domain referenced by this ID cannot be '
|
||||
'deleted on the v3 API, to prevent accidentally '
|
||||
'breaking the v2 API. There is nothing special about '
|
||||
'this domain, other than the fact that it must '
|
||||
@ -147,16 +146,16 @@ FILE_OPTIONS = {
|
||||
'directory. Only values specific to the domain '
|
||||
'need to be placed in the domain specific '
|
||||
'configuration file. This feature is disabled by '
|
||||
'default; set to True to enable.'),
|
||||
'default; set to true to enable.'),
|
||||
cfg.StrOpt('domain_config_dir',
|
||||
default='/etc/keystone/domains',
|
||||
help='Path for Keystone to locate the domain specific'
|
||||
help='Path for Keystone to locate the domain specific '
|
||||
'identity configuration files if '
|
||||
'domain_specific_drivers_enabled is set to true.'),
|
||||
cfg.StrOpt('driver',
|
||||
default=('keystone.identity.backends'
|
||||
'.sql.Identity'),
|
||||
help='Keystone Identity backend driver.'),
|
||||
help='Identity backend driver.'),
|
||||
cfg.IntOpt('max_password_length', default=4096,
|
||||
help='Maximum supported length for user passwords; '
|
||||
'decrease to improve performance.'),
|
||||
@ -165,11 +164,11 @@ FILE_OPTIONS = {
|
||||
'an identity collection.')],
|
||||
'trust': [
|
||||
cfg.BoolOpt('enabled', default=True,
|
||||
help='delegation and impersonation features can be '
|
||||
help='Delegation and impersonation features can be '
|
||||
'optionally disabled.'),
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.trust.backends.sql.Trust',
|
||||
help='Keystone Trust backend driver.')],
|
||||
help='Trust backend driver.')],
|
||||
'os_inherit': [
|
||||
cfg.BoolOpt('enabled', default=False,
|
||||
help='role-assignment inheritance to projects from '
|
||||
@ -177,12 +176,12 @@ FILE_OPTIONS = {
|
||||
'token': [
|
||||
cfg.ListOpt('bind', default=[],
|
||||
help='External auth mechanisms that should add bind '
|
||||
'information to token e.g. kerberos, x509.'),
|
||||
'information to token, e.g., kerberos,x509.'),
|
||||
cfg.StrOpt('enforce_token_bind', default='permissive',
|
||||
help='Enforcement policy on tokens presented to keystone '
|
||||
help='Enforcement policy on tokens presented to Keystone '
|
||||
'with bind information. One of disabled, permissive, '
|
||||
'strict, required or a specifically required bind '
|
||||
'mode e.g. kerberos or x509 to require binding to '
|
||||
'mode, e.g., kerberos or x509 to require binding to '
|
||||
'that authentication.'),
|
||||
cfg.IntOpt('expiration', default=3600,
|
||||
help='Amount of time a token should remain valid '
|
||||
@ -193,7 +192,7 @@ FILE_OPTIONS = {
|
||||
'"keystone.token.providers.[pki|uuid].Provider".'),
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.token.backends.sql.Token',
|
||||
help='Keystone Token persistence backend driver.'),
|
||||
help='Token persistence backend driver.'),
|
||||
cfg.BoolOpt('caching', default=True,
|
||||
help='Toggle for token system cacheing. This has no '
|
||||
'effect unless global caching is enabled.'),
|
||||
@ -207,11 +206,11 @@ FILE_OPTIONS = {
|
||||
'effect unless global and token caching are '
|
||||
'enabled.'),
|
||||
cfg.BoolOpt('revoke_by_id', default=True,
|
||||
help='Revoke token by token identifier. Setting '
|
||||
'revoke_by_id to True enables various forms of '
|
||||
'enumerating tokens, e.g. `list tokens for user`. '
|
||||
help='Revoke token by token identifier. Setting '
|
||||
'revoke_by_id to true enables various forms of '
|
||||
'enumerating tokens, e.g. `list tokens for user`. '
|
||||
'These enumerations are processed to determine the '
|
||||
'list of tokens to revoke. Only disable if you are '
|
||||
'list of tokens to revoke. Only disable if you are '
|
||||
'switching to using the Revoke extension with a '
|
||||
'backend other than KVS, which stores events in memory.')
|
||||
],
|
||||
@ -258,32 +257,30 @@ FILE_OPTIONS = {
|
||||
help='Use a key-mangling function (sha1) to ensure '
|
||||
'fixed length cache-keys. This is toggle-able for '
|
||||
'debugging purposes, it is highly recommended to '
|
||||
'always leave this set to True.'),
|
||||
'always leave this set to true.'),
|
||||
cfg.MultiStrOpt('backend_argument', default=[],
|
||||
help='Arguments supplied to the backend module. '
|
||||
'Specify this option once per argument to be '
|
||||
'passed to the dogpile.cache backend. Example '
|
||||
'format: "<argname>:<value>".'),
|
||||
cfg.ListOpt('proxies', default=[],
|
||||
help='Proxy Classes to import that will affect the way '
|
||||
help='Proxy classes to import that will affect the way '
|
||||
'the dogpile.cache backend functions. See the '
|
||||
'dogpile.cache documentation on '
|
||||
'changing-backend-behavior. Comma delimited '
|
||||
'list e.g. '
|
||||
'my.dogpile.proxy.Class, my.dogpile.proxyClass2.'),
|
||||
'changing-backend-behavior.'),
|
||||
cfg.BoolOpt('enabled', default=False,
|
||||
help='Global toggle for all caching using the '
|
||||
'should_cache_fn mechanism.'),
|
||||
cfg.BoolOpt('debug_cache_backend', default=False,
|
||||
help='Extra debugging from the cache backend (cache '
|
||||
'keys, get/set/delete/etc calls) This is only '
|
||||
'keys, get/set/delete/etc calls). This is only '
|
||||
'really useful if you need to see the specific '
|
||||
'cache-backend get/set/delete calls with the '
|
||||
'keys/values. Typically this should be left set '
|
||||
'to False.')],
|
||||
'to false.')],
|
||||
'ssl': [
|
||||
cfg.BoolOpt('enable', default=False,
|
||||
help='Toggle for SSL support on the keystone '
|
||||
help='Toggle for SSL support on the Keystone '
|
||||
'eventlet servers.'),
|
||||
cfg.StrOpt('certfile',
|
||||
default="/etc/keystone/ssl/certs/keystone.pem",
|
||||
@ -300,14 +297,14 @@ FILE_OPTIONS = {
|
||||
cfg.BoolOpt('cert_required', default=False,
|
||||
help='Require client certificate.'),
|
||||
cfg.IntOpt('key_size', default=1024,
|
||||
help='SSL Key Length (in bits) (auto generated '
|
||||
help='SSL key length (in bits) (auto generated '
|
||||
'certificate).'),
|
||||
cfg.IntOpt('valid_days', default=3650,
|
||||
help='Days the certificate is valid for once signed '
|
||||
'(auto generated certificate).'),
|
||||
cfg.StrOpt('cert_subject',
|
||||
default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
|
||||
help='SSL Certificate Subject (auto generated '
|
||||
help='SSL certificate subject (auto generated '
|
||||
'certificate).')],
|
||||
'signing': [
|
||||
cfg.StrOpt('token_format', default=None,
|
||||
@ -324,24 +321,24 @@ FILE_OPTIONS = {
|
||||
help='Path of the CA for token signing.'),
|
||||
cfg.StrOpt('ca_key',
|
||||
default='/etc/keystone/ssl/private/cakey.pem',
|
||||
help='Path of the CA Key for token signing.'),
|
||||
help='Path of the CA key for token signing.'),
|
||||
cfg.IntOpt('key_size', default=2048,
|
||||
help='Key Size (in bits) for token signing cert '
|
||||
help='Key size (in bits) for token signing cert '
|
||||
'(auto generated certificate).'),
|
||||
cfg.IntOpt('valid_days', default=3650,
|
||||
help='Day the token signing cert is valid for '
|
||||
help='Days the token signing cert is valid for '
|
||||
'(auto generated certificate).'),
|
||||
cfg.StrOpt('cert_subject',
|
||||
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
|
||||
'CN=www.example.com'),
|
||||
help='Certificate Subject (auto generated certificate) for '
|
||||
help='Certificate subject (auto generated certificate) for '
|
||||
'token signing.')],
|
||||
'assignment': [
|
||||
# assignment has no default for backward compatibility reasons.
|
||||
# If assignment driver is not specified, the identity driver chooses
|
||||
# the backend
|
||||
cfg.StrOpt('driver', default=None,
|
||||
help='Keystone Assignment backend driver.'),
|
||||
help='Assignment backend driver.'),
|
||||
cfg.BoolOpt('caching', default=True,
|
||||
help='Toggle for assignment caching. This has no effect '
|
||||
'unless global caching is enabled.'),
|
||||
@ -355,11 +352,11 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('driver',
|
||||
default=('keystone.credential.backends'
|
||||
'.sql.Credential'),
|
||||
help='Keystone Credential backend driver.')],
|
||||
help='Credential backend driver.')],
|
||||
'oauth1': [
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.contrib.oauth1.backends.sql.OAuth1',
|
||||
help='Keystone Credential backend driver.'),
|
||||
help='Credential backend driver.'),
|
||||
cfg.IntOpt('request_token_duration', default=28800,
|
||||
help='Duration (in seconds) for the OAuth Request Token.'),
|
||||
cfg.IntOpt('access_token_duration', default=86400,
|
||||
@ -369,27 +366,26 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.contrib.federation.'
|
||||
'backends.sql.Federation',
|
||||
help='Keystone Federation backend driver.'),
|
||||
help='Federation backend driver.'),
|
||||
cfg.StrOpt('assertion_prefix', default='',
|
||||
help='Value to be used when filtering assertion parameters '
|
||||
'from the environment.')],
|
||||
|
||||
'policy': [
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.policy.backends.sql.Policy',
|
||||
help='Keystone Policy backend driver.'),
|
||||
help='Policy backend driver.'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help='Maximum number of entities that will be returned '
|
||||
'in a policy collection.')],
|
||||
'ec2': [
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.contrib.ec2.backends.kvs.Ec2',
|
||||
help='Keystone EC2Credential backend driver.')],
|
||||
help='EC2Credential backend driver.')],
|
||||
'endpoint_filter': [
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.contrib.endpoint_filter.backends'
|
||||
'.sql.EndpointFilter',
|
||||
help='Keystone Endpoint Filter backend driver'),
|
||||
help='Endpoint Filter backend driver'),
|
||||
cfg.BoolOpt('return_all_endpoints_if_no_filter', default=True,
|
||||
help='Toggle to return all active endpoints if no filter '
|
||||
'exists.')],
|
||||
@ -397,7 +393,7 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('driver',
|
||||
default=('keystone.contrib.stats.backends'
|
||||
'.kvs.Stats'),
|
||||
help='Keystone stats backend driver.')],
|
||||
help='Stats backend driver.')],
|
||||
'ldap': [
|
||||
cfg.StrOpt('url', default='ldap://localhost',
|
||||
help='URL for connecting to the LDAP server.'),
|
||||
@ -415,7 +411,9 @@ FILE_OPTIONS = {
|
||||
help='DN of the "dummy member" to use when '
|
||||
'"use_dumb_member" is enabled.'),
|
||||
cfg.BoolOpt('allow_subtree_delete', default=False,
|
||||
help='allow deleting subtrees.'),
|
||||
help='Delete subtrees using the subtree delete control. '
|
||||
'Only enable this option if your LDAP server '
|
||||
'supports subtree deletion.'),
|
||||
cfg.StrOpt('query_scope', default='one',
|
||||
help='The LDAP scope for queries, this can be either '
|
||||
'"one" (onelevel/singleLevel) or "sub" '
|
||||
@ -437,7 +435,7 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('user_filter', default=None,
|
||||
help='LDAP search filter for users.'),
|
||||
cfg.StrOpt('user_objectclass', default='inetOrgPerson',
|
||||
help='LDAP objectClass for users.'),
|
||||
help='LDAP objectclass for users.'),
|
||||
cfg.StrOpt('user_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to user id.'),
|
||||
cfg.StrOpt('user_name_attribute', default='sn',
|
||||
@ -460,7 +458,7 @@ FILE_OPTIONS = {
|
||||
help='Default value to enable users. This should match an '
|
||||
'appropriate int value if the LDAP server uses '
|
||||
'non-boolean (bitmask) values to indicate if a user '
|
||||
'is enabled or disabled. If this is not set to "True"'
|
||||
'is enabled or disabled. If this is not set to "True" '
|
||||
'the typical value is "512". This is typically used '
|
||||
'when "user_enabled_attribute = userAccountControl".'),
|
||||
cfg.ListOpt('user_attribute_ignore',
|
||||
@ -477,7 +475,7 @@ FILE_OPTIONS = {
|
||||
cfg.BoolOpt('user_allow_delete', default=True,
|
||||
help='Allow user deletion in LDAP backend.'),
|
||||
cfg.BoolOpt('user_enabled_emulation', default=False,
|
||||
help='If True, Keystone uses an alternative method to '
|
||||
help='If true, Keystone uses an alternative method to '
|
||||
'determine if a user is enabled or not by checking '
|
||||
'if they are a member of the '
|
||||
'"user_enabled_emulation_dn" group.'),
|
||||
@ -487,7 +485,7 @@ FILE_OPTIONS = {
|
||||
cfg.ListOpt('user_additional_attribute_mapping',
|
||||
default=[],
|
||||
help='List of additional LDAP attributes used for mapping '
|
||||
'Additional attribute mappings for users. Attribute '
|
||||
'additional attribute mappings for users. Attribute '
|
||||
'mapping format is <ldap_attr>:<user_attr>, where '
|
||||
'ldap_attr is the attribute in the LDAP entry and '
|
||||
'user_attr is the Identity API attribute.'),
|
||||
@ -497,7 +495,7 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('tenant_filter', default=None,
|
||||
help='LDAP search filter for projects.'),
|
||||
cfg.StrOpt('tenant_objectclass', default='groupOfNames',
|
||||
help='LDAP objectClass for projects.'),
|
||||
help='LDAP objectclass for projects.'),
|
||||
cfg.StrOpt('tenant_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to project id.'),
|
||||
cfg.StrOpt('tenant_member_attribute', default='member',
|
||||
@ -516,13 +514,13 @@ FILE_OPTIONS = {
|
||||
help='List of attributes stripped off the project on '
|
||||
'update.'),
|
||||
cfg.BoolOpt('tenant_allow_create', default=True,
|
||||
help='Allow tenant creation in LDAP backend.'),
|
||||
help='Allow project creation in LDAP backend.'),
|
||||
cfg.BoolOpt('tenant_allow_update', default=True,
|
||||
help='Allow tenant update in LDAP backend.'),
|
||||
help='Allow project update in LDAP backend.'),
|
||||
cfg.BoolOpt('tenant_allow_delete', default=True,
|
||||
help='Allow tenant deletion in LDAP backend.'),
|
||||
help='Allow project deletion in LDAP backend.'),
|
||||
cfg.BoolOpt('tenant_enabled_emulation', default=False,
|
||||
help='If True, Keystone uses an alternative method to '
|
||||
help='If true, Keystone uses an alternative method to '
|
||||
'determine if a project is enabled or not by '
|
||||
'checking if they are a member of the '
|
||||
'"tenant_enabled_emulation_dn" group.'),
|
||||
@ -542,7 +540,7 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('role_filter', default=None,
|
||||
help='LDAP search filter for roles.'),
|
||||
cfg.StrOpt('role_objectclass', default='organizationalRole',
|
||||
help='LDAP objectClass for roles.'),
|
||||
help='LDAP objectclass for roles.'),
|
||||
cfg.StrOpt('role_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to role id.'),
|
||||
cfg.StrOpt('role_name_attribute', default='ou',
|
||||
@ -570,7 +568,7 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('group_filter', default=None,
|
||||
help='LDAP search filter for groups.'),
|
||||
cfg.StrOpt('group_objectclass', default='groupOfNames',
|
||||
help='LDAP objectClass for groups.'),
|
||||
help='LDAP objectclass for groups.'),
|
||||
cfg.StrOpt('group_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to group id.'),
|
||||
cfg.StrOpt('group_name_attribute', default='ou',
|
||||
@ -604,7 +602,7 @@ FILE_OPTIONS = {
|
||||
cfg.BoolOpt('use_tls', default=False,
|
||||
help='Enable TLS for communicating with LDAP servers.'),
|
||||
cfg.StrOpt('tls_req_cert', default='demand',
|
||||
help='valid options for tls_req_cert are demand, never, '
|
||||
help='Valid options for tls_req_cert are demand, never, '
|
||||
'and allow.')],
|
||||
'auth': [
|
||||
cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS,
|
||||
@ -625,7 +623,7 @@ FILE_OPTIONS = {
|
||||
'the available pipelines.')],
|
||||
'memcache': [
|
||||
cfg.ListOpt('servers', default=['localhost:11211'],
|
||||
help='Memcache servers in the format of "host:port"'),
|
||||
help='Memcache servers in the format of "host:port".'),
|
||||
cfg.IntOpt('max_compare_and_set_retry', default=16,
|
||||
help='Number of compare-and-set attempts to make when '
|
||||
'using compare-and-set in the token memcache back '
|
||||
@ -637,7 +635,7 @@ FILE_OPTIONS = {
|
||||
'template catalog backend.'),
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.catalog.backends.sql.Catalog',
|
||||
help='Keystone catalog backend driver.'),
|
||||
help='Catalog backend driver.'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help='Maximum number of entities that will be returned '
|
||||
'in a catalog collection.')],
|
||||
@ -654,7 +652,7 @@ FILE_OPTIONS = {
|
||||
help='Toggle to disable using a key-mangling function '
|
||||
'to ensure fixed length keys. This is toggle-able '
|
||||
'for debugging purposes, it is highly recommended '
|
||||
'to always leave this set to True.'),
|
||||
'to always leave this set to true.'),
|
||||
cfg.IntOpt('default_lock_timeout', default=5,
|
||||
help='Default lock timeout for distributed locking.')]}
|
||||
|
||||
|