Clean up config help text

These are suggestions to clean up the help text.

Change-Id: If22c6491b530da92ee1ce6411b57f0585817de38
Brant Knudson 2014-03-05 19:44:08 -06:00
parent 6c6046b79e
commit b5c5354f43
2 changed files with 173 additions and 177 deletions


@ -12,12 +12,12 @@
# paste.ini). (string value)
#admin_token=ADMIN
# The IP Address of the network interface to for the public
# The IP address of the network interface for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP Address of the network interface to for the admin
# The IP address of the network interface for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0
@ -34,44 +34,42 @@
# (integer value)
#public_port=5000
# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/
# The base public endpoint URL for Keystone that is advertised
# to clients (NOTE: this does NOT affect how Keystone listens
# for connections). Defaults to the base host URL of the
# request. E.g. a request to http://server:5000/v2.0/users
# will default to http://server:5000. You should only need to
# set this value if the base URL contains a path (e.g.
# /prefix/v2.0) or the endpoint should be found on a different
# server. (string value)
#public_endpoint=<None>
# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/
# The base admin endpoint URL for Keystone that is advertised
# to clients (NOTE: this does NOT affect how Keystone listens
# for connections). Defaults to the base host URL of the
# request. E.g. a request to http://server:35357/v2.0/users
# will default to http://server:35357. You should only need to
# set this value if the base URL contains a path (e.g.
# /prefix/v2.0) or the endpoint should be found on a different
# server. (string value)
#admin_endpoint=<None>
# onready allows you to send a notification when the process
# is ready to serve For example, to have it notify using
# is ready to serve. For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# Enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688
# limit the sizes of user & tenant ID/names. (integer value)
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size=64
# similar to max_param_size, but provides an exception for
# Similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192
@ -82,32 +80,32 @@
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# During a SQL upgrade member_role_name will be used to create
# a new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_
# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
# The value passed as the keyword "rounds" to passlib's
# encrypt method. (integer value)
#crypt_strength=40000
# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
# Set this to true if you want to enable TCP_KEEPALIVE on
# server sockets, i.e. sockets used by the Keystone wsgi
# server for client connections. (boolean value)
#tcp_keepalive=false
# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# socket. Only applies if tcp_keepalive is true. Not supported
# on OS X. (integer value)
#tcp_keepidle=600
# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
# collection, with no limit set by default. This global limit
# may be then overridden for a specific driver, by specifying
# a list_limit in the appropriate section (e.g. [assignment]).
# (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
@ -482,7 +480,7 @@
# Options defined in keystone
#
# Keystone Assignment backend driver. (string value)
# Assignment backend driver. (string value)
#driver=<None>
# Toggle for assignment caching. This has no effect unless
@ -545,7 +543,7 @@
# Use a key-mangling function (sha1) to ensure fixed length
# cache-keys. This is toggle-able for debugging purposes, it
# is highly recommended to always leave this set to True.
# is highly recommended to always leave this set to true.
# (boolean value)
#use_key_mangler=true
@ -554,11 +552,9 @@
# backend. Example format: "<argname>:<value>". (multi valued)
#backend_argument=
# Proxy Classes to import that will affect the way the
# Proxy classes to import that will affect the way the
# dogpile.cache backend functions. See the dogpile.cache
# documentation on changing-backend-behavior. Comma delimited
# list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2.
# (list value)
# documentation on changing-backend-behavior. (list value)
#proxies=
# Global toggle for all caching using the should_cache_fn
@ -566,10 +562,10 @@
#enabled=false
# Extra debugging from the cache backend (cache keys,
# get/set/delete/etc calls) This is only really useful if you
# get/set/delete/etc calls). This is only really useful if you
# need to see the specific cache-backend get/set/delete calls
# with the keys/values. Typically this should be left set to
# False. (boolean value)
# false. (boolean value)
#debug_cache_backend=false
@ -583,7 +579,7 @@
# backend. (string value)
#template_file=default_catalog.templates
# Keystone catalog backend driver. (string value)
# Catalog backend driver. (string value)
#driver=keystone.catalog.backends.sql.Catalog
# Maximum number of entities that will be returned in a
@ -597,7 +593,7 @@
# Options defined in keystone
#
# Keystone Credential backend driver. (string value)
# Credential backend driver. (string value)
#driver=keystone.credential.backends.sql.Credential
@ -709,7 +705,7 @@
# Options defined in keystone
#
# Keystone EC2Credential backend driver. (string value)
# EC2Credential backend driver. (string value)
#driver=keystone.contrib.ec2.backends.kvs.Ec2
@ -719,7 +715,7 @@
# Options defined in keystone
#
# Keystone Endpoint Filter backend driver (string value)
# Endpoint Filter backend driver (string value)
#driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# Toggle to return all active endpoints if no filter exists.
@ -733,7 +729,7 @@
# Options defined in keystone
#
# Keystone Federation backend driver. (string value)
# Federation backend driver. (string value)
#driver=keystone.contrib.federation.backends.sql.Federation
# Value to be used when filtering assertion parameters from
@ -750,10 +746,10 @@
# This references the domain to use for all Identity API v2
# requests (which are not aware of domains). A domain with
# this ID will be created for you by keystone-manage db_sync
# in migration 008. The domain referenced by this ID cannot
# be deleted on the v3 API, to prevent accidentally breaking
# the v2 API. There is nothing special about this domain,
# other than the fact that it must exist to order to maintain
# in migration 008. The domain referenced by this ID cannot be
# deleted on the v3 API, to prevent accidentally breaking the
# v2 API. There is nothing special about this domain, other
# than the fact that it must exist to order to maintain
# support for your v2 clients. (string value)
#default_domain_id=default
@ -762,15 +758,15 @@
# domain configuration directory. Only values specific to the
# domain need to be placed in the domain specific
# configuration file. This feature is disabled by default; set
# to True to enable. (boolean value)
# to true to enable. (boolean value)
#domain_specific_drivers_enabled=false
# Path for Keystone to locate the domain specificidentity
# Path for Keystone to locate the domain specific identity
# configuration files if domain_specific_drivers_enabled is
# set to true. (string value)
#domain_config_dir=/etc/keystone/domains
# Keystone Identity backend driver. (string value)
# Identity backend driver. (string value)
#driver=keystone.identity.backends.sql.Identity
# Maximum supported length for user passwords; decrease to
@ -801,7 +797,7 @@
# Toggle to disable using a key-mangling function to ensure
# fixed length keys. This is toggle-able for debugging
# purposes, it is highly recommended to always leave this set
# to True. (boolean value)
# to true. (boolean value)
#enable_key_mangler=true
# Default lock timeout for distributed locking. (integer
@ -837,7 +833,9 @@
# enabled. (string value)
#dumb_member=cn=dumb,dc=nonexistent
# allow deleting subtrees. (boolean value)
# Delete subtrees using the subtree delete control. Only
# enable this option if your LDAP server supports subtree
# deletion. (boolean value)
#allow_subtree_delete=false
# The LDAP scope for queries, this can be either "one"
@ -865,7 +863,7 @@
# LDAP search filter for users. (string value)
#user_filter=<None>
# LDAP objectClass for users. (string value)
# LDAP objectclass for users. (string value)
#user_objectclass=inetOrgPerson
# LDAP attribute mapped to user id. (string value)
@ -895,7 +893,7 @@
# Default value to enable users. This should match an
# appropriate int value if the LDAP server uses non-boolean
# (bitmask) values to indicate if a user is enabled or
# disabled. If this is not set to "True"the typical value is
# disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
#user_enabled_default=True
@ -917,7 +915,7 @@
# Allow user deletion in LDAP backend. (boolean value)
#user_allow_delete=true
# If True, Keystone uses an alternative method to determine if
# If true, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
#user_enabled_emulation=false
@ -927,7 +925,7 @@
#user_enabled_emulation_dn=<None>
# List of additional LDAP attributes used for mapping
# Additional attribute mappings for users. Attribute mapping
# additional attribute mappings for users. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
@ -939,7 +937,7 @@
# LDAP search filter for projects. (string value)
#tenant_filter=<None>
# LDAP objectClass for projects. (string value)
# LDAP objectclass for projects. (string value)
#tenant_objectclass=groupOfNames
# LDAP attribute mapped to project id. (string value)
@ -965,16 +963,16 @@
# value)
#tenant_attribute_ignore=
# Allow tenant creation in LDAP backend. (boolean value)
# Allow project creation in LDAP backend. (boolean value)
#tenant_allow_create=true
# Allow tenant update in LDAP backend. (boolean value)
# Allow project update in LDAP backend. (boolean value)
#tenant_allow_update=true
# Allow tenant deletion in LDAP backend. (boolean value)
# Allow project deletion in LDAP backend. (boolean value)
#tenant_allow_delete=true
# If True, Keystone uses an alternative method to determine if
# If true, Keystone uses an alternative method to determine if
# a project is enabled or not by checking if they are a member
# of the "tenant_enabled_emulation_dn" group. (boolean value)
#tenant_enabled_emulation=false
@ -995,7 +993,7 @@
# LDAP search filter for roles. (string value)
#role_filter=<None>
# LDAP objectClass for roles. (string value)
# LDAP objectclass for roles. (string value)
#role_objectclass=organizationalRole
# LDAP attribute mapped to role id. (string value)
@ -1032,7 +1030,7 @@
# LDAP search filter for groups. (string value)
#group_filter=<None>
# LDAP objectClass for groups. (string value)
# LDAP objectclass for groups. (string value)
#group_objectclass=groupOfNames
# LDAP attribute mapped to group id. (string value)
@ -1079,7 +1077,7 @@
# value)
#use_tls=false
# valid options for tls_req_cert are demand, never, and allow.
# Valid options for tls_req_cert are demand, never, and allow.
# (string value)
#tls_req_cert=demand
@ -1101,7 +1099,7 @@
# Options defined in keystone
#
# Memcache servers in the format of "host:port" (list value)
# Memcache servers in the format of "host:port". (list value)
#servers=localhost:11211
# Number of compare-and-set attempts to make when using
@ -1116,7 +1114,7 @@
# Options defined in keystone
#
# Keystone Credential backend driver. (string value)
# Credential backend driver. (string value)
#driver=keystone.contrib.oauth1.backends.sql.OAuth1
# Duration (in seconds) for the OAuth Request Token. (integer
@ -1156,7 +1154,7 @@
# Options defined in keystone
#
# Keystone Policy backend driver. (string value)
# Policy backend driver. (string value)
#driver=keystone.policy.backends.sql.Policy
# Maximum number of entities that will be returned in a policy
@ -1203,18 +1201,18 @@
# Path of the CA for token signing. (string value)
#ca_certs=/etc/keystone/ssl/certs/ca.pem
# Path of the CA Key for token signing. (string value)
# Path of the CA key for token signing. (string value)
#ca_key=/etc/keystone/ssl/private/cakey.pem
# Key Size (in bits) for token signing cert (auto generated
# Key size (in bits) for token signing cert (auto generated
# certificate). (integer value)
#key_size=2048
# Day the token signing cert is valid for (auto generated
# Days the token signing cert is valid for (auto generated
# certificate). (integer value)
#valid_days=3650
# Certificate Subject (auto generated certificate) for token
# Certificate subject (auto generated certificate) for token
# signing. (string value)
#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
@ -1225,7 +1223,7 @@
# Options defined in keystone
#
# Toggle for SSL support on the keystone eventlet servers.
# Toggle for SSL support on the Keystone eventlet servers.
# (boolean value)
#enable=false
@ -1244,7 +1242,7 @@
# Require client certificate. (boolean value)
#cert_required=false
# SSL Key Length (in bits) (auto generated certificate).
# SSL key length (in bits) (auto generated certificate).
# (integer value)
#key_size=1024
@ -1252,7 +1250,7 @@
# generated certificate). (integer value)
#valid_days=3650
# SSL Certificate Subject (auto generated certificate).
# SSL certificate subject (auto generated certificate).
# (string value)
#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
@ -1263,7 +1261,7 @@
# Options defined in keystone
#
# Keystone stats backend driver. (string value)
# Stats backend driver. (string value)
#driver=keystone.contrib.stats.backends.kvs.Stats
@ -1274,12 +1272,12 @@
#
# External auth mechanisms that should add bind information to
# token e.g. kerberos, x509. (list value)
# token, e.g., kerberos,x509. (list value)
#bind=
# Enforcement policy on tokens presented to keystone with bind
# Enforcement policy on tokens presented to Keystone with bind
# information. One of disabled, permissive, strict, required
# or a specifically required bind mode e.g. kerberos or x509
# or a specifically required bind mode, e.g., kerberos or x509
# to require binding to that authentication. (string value)
#enforce_token_bind=permissive
@ -1293,7 +1291,7 @@
# value)
#provider=<None>
# Keystone Token persistence backend driver. (string value)
# Token persistence backend driver. (string value)
#driver=keystone.token.backends.sql.Token
# Toggle for token system cacheing. This has no effect unless
@ -1310,13 +1308,13 @@
# global and token caching are enabled. (integer value)
#cache_time=<None>
# Revoke token by token identifier. Setting revoke_by_id to
# True enables various forms of enumerating tokens, e.g. `list
# tokens for user`. These enumerations are processed to
# determine the list of tokens to revoke. Only disable if
# you are switching to using the Revoke extension with a
# backend other than KVS, which stores events in memory.
# (boolean value)
# Revoke token by token identifier. Setting revoke_by_id to
# true enables various forms of enumerating tokens, e.g. `list
# tokens for user`. These enumerations are processed to
# determine the list of tokens to revoke. Only disable if you
# are switching to using the Revoke extension with a backend
# other than KVS, which stores events in memory. (boolean
# value)
#revoke_by_id=true
@ -1326,11 +1324,11 @@
# Options defined in keystone
#
# delegation and impersonation features can be optionally
# Delegation and impersonation features can be optionally
# disabled. (boolean value)
#enabled=true
# Keystone Trust backend driver. (string value)
# Trust backend driver. (string value)
#driver=keystone.trust.backends.sql.Trust
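Review bot: The re-wrapped default_domain_id help in the `@ -750,10 +746,10 @` hunk still reads "it must exist to order to maintain"; since this commit touches those lines anyway, the new line should be `# than the fact that it must exist in order to maintain`. Two smaller leftovers in the same file: `# Endpoint Filter backend driver (string value)` lacks the period that every other driver line carries, and after lowercasing, the user attribute-mapping help now reads "used for mapping additional attribute mappings for users", which repeats itself. This file looks generated from the option help strings, so the corrections probably belong in the corresponding `help=` text rather than only here.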


@ -32,13 +32,13 @@ FILE_OPTIONS = {
default='0.0.0.0',
deprecated_opts=[cfg.DeprecatedOpt('bind_host',
group='DEFAULT')],
help='The IP Address of the network interface to for the '
help='The IP address of the network interface for the '
'public service to listen on.'),
cfg.StrOpt('admin_bind_host',
default='0.0.0.0',
deprecated_opts=[cfg.DeprecatedOpt('bind_host',
group='DEFAULT')],
help='The IP Address of the network interface to for the '
help='The IP address of the network interface for the '
'admin service to listen on.'),
cfg.IntOpt('compute_port', default=8774,
help='The port which the OpenStack Compute service '
@ -50,41 +50,41 @@ FILE_OPTIONS = {
help='The port number which the public service listens '
'on.'),
cfg.StrOpt('public_endpoint',
help='The base public endpoint URL for keystone that are '
help='The base public endpoint URL for Keystone that is '
'advertised to clients (NOTE: this does NOT affect '
'how keystone listens for connections). '
'Defaults to the base host URL of the request. Eg a '
'how Keystone listens for connections). '
'Defaults to the base host URL of the request. E.g. a '
'request to http://server:5000/v2.0/users will '
'default to http://server:5000. You should only need '
'to set this value if the base URL contains a path '
'(eg /prefix/v2.0) or the endpoint should be found on '
'a different server.'),
'(e.g. /prefix/v2.0) or the endpoint should be found '
'on a different server.'),
cfg.StrOpt('admin_endpoint',
help='The base admin endpoint URL for keystone that are '
help='The base admin endpoint URL for Keystone that is '
'advertised to clients (NOTE: this does NOT affect '
'how keystone listens for connections). '
'Defaults to the base host URL of the request. Eg a '
'how Keystone listens for connections). '
'Defaults to the base host URL of the request. E.g. a '
'request to http://server:35357/v2.0/users will '
'default to http://server:35357. You should only need '
'to set this value if the base URL contains a path '
'(eg /prefix/v2.0) or the endpoint should be found on '
'a different server.'),
'(e.g. /prefix/v2.0) or the endpoint should be found '
'on a different server.'),
cfg.StrOpt('onready',
help='onready allows you to send a notification when the '
'process is ready to serve For example, to have it '
'process is ready to serve. For example, to have it '
'notify using systemd, one could set shell command: '
'"onready = systemd-notify --ready" or a module '
'with notify() method: '
'"onready = keystone.common.systemd".'),
# default max request size is 112k
cfg.IntOpt('max_request_body_size', default=114688,
help='enforced by optional sizelimit middleware '
help='Enforced by optional sizelimit middleware '
'(keystone.middleware:RequestBodySizeLimiter).'),
cfg.IntOpt('max_param_size', default=64,
help='limit the sizes of user & tenant ID/names.'),
help='Limit the sizes of user & project ID/names.'),
# we allow tokens to be a bit larger to accommodate PKI
cfg.IntOpt('max_token_size', default=8192,
help='similar to max_param_size, but provides an '
help='Similar to max_param_size, but provides an '
'exception for token values.'),
cfg.StrOpt('member_role_id',
default='9fe2ff9ee4384b1894a90878d3e92bab',
@ -94,31 +94,30 @@ FILE_OPTIONS = {
'role grants. After migration, the member_role_id '
'will be used in the API add_user_to_project.'),
cfg.StrOpt('member_role_name', default='_member_',
help='During a SQL upgrade member_role_id will be used '
help='During a SQL upgrade member_role_name will be used '
'to create a new role that will replace records in '
'the user_tenant_membership table with explicit '
'role grants. After migration, member_role_name will '
'be ignored.'),
cfg.IntOpt('crypt_strength', default=40000,
help='The value passed as the keyword "rounds" to passlib '
'encrypt method.'),
help='The value passed as the keyword "rounds" to '
'passlib\'s encrypt method.'),
cfg.BoolOpt('tcp_keepalive', default=False,
help='Set this to True if you want to enable '
'TCP_KEEPALIVE on server sockets i.e. sockets used '
'by the keystone wsgi server for client '
help='Set this to true if you want to enable '
'TCP_KEEPALIVE on server sockets, i.e. sockets used '
'by the Keystone wsgi server for client '
'connections.'),
cfg.IntOpt('tcp_keepidle',
default=600,
help='Sets the value of TCP_KEEPIDLE in seconds for each '
'server socket. Only applies if tcp_keepalive is '
'True. Not supported on OS X.'),
'true. Not supported on OS X.'),
cfg.IntOpt('list_limit', default=None,
help='The maximum number of entities that will be '
'returned in a collection can be set with '
'list_limit, with no limit set by default. This '
'global limit may be then overridden for a specific '
'driver, by specifying a list_limit in the '
'appropriate section (e.g. [assignment]).'),
'returned in a collection, with no limit set by '
'default. This global limit may be then overridden '
'for a specific driver, by specifying a list_limit '
'in the appropriate section (e.g. [assignment]).'),
cfg.BoolOpt('domain_id_immutable', default=True,
help='Set this to false if you want to enable the '
'ability for user, group and project entities '
@ -133,7 +132,7 @@ FILE_OPTIONS = {
'Identity API v2 requests (which are not aware of '
'domains). A domain with this ID will be created '
'for you by keystone-manage db_sync in migration '
'008. The domain referenced by this ID cannot be '
'008. The domain referenced by this ID cannot be '
'deleted on the v3 API, to prevent accidentally '
'breaking the v2 API. There is nothing special about '
'this domain, other than the fact that it must '
@ -147,16 +146,16 @@ FILE_OPTIONS = {
'directory. Only values specific to the domain '
'need to be placed in the domain specific '
'configuration file. This feature is disabled by '
'default; set to True to enable.'),
'default; set to true to enable.'),
cfg.StrOpt('domain_config_dir',
default='/etc/keystone/domains',
help='Path for Keystone to locate the domain specific'
help='Path for Keystone to locate the domain specific '
'identity configuration files if '
'domain_specific_drivers_enabled is set to true.'),
cfg.StrOpt('driver',
default=('keystone.identity.backends'
'.sql.Identity'),
help='Keystone Identity backend driver.'),
help='Identity backend driver.'),
cfg.IntOpt('max_password_length', default=4096,
help='Maximum supported length for user passwords; '
'decrease to improve performance.'),
@ -165,11 +164,11 @@ FILE_OPTIONS = {
'an identity collection.')],
'trust': [
cfg.BoolOpt('enabled', default=True,
help='delegation and impersonation features can be '
help='Delegation and impersonation features can be '
'optionally disabled.'),
cfg.StrOpt('driver',
default='keystone.trust.backends.sql.Trust',
help='Keystone Trust backend driver.')],
help='Trust backend driver.')],
'os_inherit': [
cfg.BoolOpt('enabled', default=False,
help='role-assignment inheritance to projects from '
@ -177,12 +176,12 @@ FILE_OPTIONS = {
'token': [
cfg.ListOpt('bind', default=[],
help='External auth mechanisms that should add bind '
'information to token e.g. kerberos, x509.'),
'information to token, e.g., kerberos,x509.'),
cfg.StrOpt('enforce_token_bind', default='permissive',
help='Enforcement policy on tokens presented to keystone '
help='Enforcement policy on tokens presented to Keystone '
'with bind information. One of disabled, permissive, '
'strict, required or a specifically required bind '
'mode e.g. kerberos or x509 to require binding to '
'mode, e.g., kerberos or x509 to require binding to '
'that authentication.'),
cfg.IntOpt('expiration', default=3600,
help='Amount of time a token should remain valid '
@ -193,7 +192,7 @@ FILE_OPTIONS = {
'"keystone.token.providers.[pki|uuid].Provider".'),
cfg.StrOpt('driver',
default='keystone.token.backends.sql.Token',
help='Keystone Token persistence backend driver.'),
help='Token persistence backend driver.'),
cfg.BoolOpt('caching', default=True,
help='Toggle for token system cacheing. This has no '
'effect unless global caching is enabled.'),
@ -207,11 +206,11 @@ FILE_OPTIONS = {
'effect unless global and token caching are '
'enabled.'),
cfg.BoolOpt('revoke_by_id', default=True,
help='Revoke token by token identifier. Setting '
'revoke_by_id to True enables various forms of '
'enumerating tokens, e.g. `list tokens for user`. '
help='Revoke token by token identifier. Setting '
'revoke_by_id to true enables various forms of '
'enumerating tokens, e.g. `list tokens for user`. '
'These enumerations are processed to determine the '
'list of tokens to revoke. Only disable if you are '
'list of tokens to revoke. Only disable if you are '
'switching to using the Revoke extension with a '
'backend other than KVS, which stores events in memory.')
],
@ -258,32 +257,30 @@ FILE_OPTIONS = {
help='Use a key-mangling function (sha1) to ensure '
'fixed length cache-keys. This is toggle-able for '
'debugging purposes, it is highly recommended to '
'always leave this set to True.'),
'always leave this set to true.'),
cfg.MultiStrOpt('backend_argument', default=[],
help='Arguments supplied to the backend module. '
'Specify this option once per argument to be '
'passed to the dogpile.cache backend. Example '
'format: "<argname>:<value>".'),
cfg.ListOpt('proxies', default=[],
help='Proxy Classes to import that will affect the way '
help='Proxy classes to import that will affect the way '
'the dogpile.cache backend functions. See the '
'dogpile.cache documentation on '
'changing-backend-behavior. Comma delimited '
'list e.g. '
'my.dogpile.proxy.Class, my.dogpile.proxyClass2.'),
'changing-backend-behavior.'),
cfg.BoolOpt('enabled', default=False,
help='Global toggle for all caching using the '
'should_cache_fn mechanism.'),
cfg.BoolOpt('debug_cache_backend', default=False,
help='Extra debugging from the cache backend (cache '
'keys, get/set/delete/etc calls) This is only '
'keys, get/set/delete/etc calls). This is only '
'really useful if you need to see the specific '
'cache-backend get/set/delete calls with the '
'keys/values. Typically this should be left set '
'to False.')],
'to false.')],
'ssl': [
cfg.BoolOpt('enable', default=False,
help='Toggle for SSL support on the keystone '
help='Toggle for SSL support on the Keystone '
'eventlet servers.'),
cfg.StrOpt('certfile',
default="/etc/keystone/ssl/certs/keystone.pem",
@ -300,14 +297,14 @@ FILE_OPTIONS = {
cfg.BoolOpt('cert_required', default=False,
help='Require client certificate.'),
cfg.IntOpt('key_size', default=1024,
help='SSL Key Length (in bits) (auto generated '
help='SSL key length (in bits) (auto generated '
'certificate).'),
cfg.IntOpt('valid_days', default=3650,
help='Days the certificate is valid for once signed '
'(auto generated certificate).'),
cfg.StrOpt('cert_subject',
default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost',
help='SSL Certificate Subject (auto generated '
help='SSL certificate subject (auto generated '
'certificate).')],
'signing': [
cfg.StrOpt('token_format', default=None,
@ -324,24 +321,24 @@ FILE_OPTIONS = {
help='Path of the CA for token signing.'),
cfg.StrOpt('ca_key',
default='/etc/keystone/ssl/private/cakey.pem',
help='Path of the CA Key for token signing.'),
help='Path of the CA key for token signing.'),
cfg.IntOpt('key_size', default=2048,
help='Key Size (in bits) for token signing cert '
help='Key size (in bits) for token signing cert '
'(auto generated certificate).'),
cfg.IntOpt('valid_days', default=3650,
help='Day the token signing cert is valid for '
help='Days the token signing cert is valid for '
'(auto generated certificate).'),
cfg.StrOpt('cert_subject',
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
'CN=www.example.com'),
help='Certificate Subject (auto generated certificate) for '
help='Certificate subject (auto generated certificate) for '
'token signing.')],
'assignment': [
# assignment has no default for backward compatibility reasons.
# If assignment driver is not specified, the identity driver chooses
# the backend
cfg.StrOpt('driver', default=None,
help='Keystone Assignment backend driver.'),
help='Assignment backend driver.'),
cfg.BoolOpt('caching', default=True,
help='Toggle for assignment caching. This has no effect '
'unless global caching is enabled.'),
@ -355,11 +352,11 @@ FILE_OPTIONS = {
cfg.StrOpt('driver',
default=('keystone.credential.backends'
'.sql.Credential'),
help='Keystone Credential backend driver.')],
help='Credential backend driver.')],
'oauth1': [
cfg.StrOpt('driver',
default='keystone.contrib.oauth1.backends.sql.OAuth1',
help='Keystone Credential backend driver.'),
help='Credential backend driver.'),
cfg.IntOpt('request_token_duration', default=28800,
help='Duration (in seconds) for the OAuth Request Token.'),
cfg.IntOpt('access_token_duration', default=86400,
@ -369,27 +366,26 @@ FILE_OPTIONS = {
cfg.StrOpt('driver',
default='keystone.contrib.federation.'
'backends.sql.Federation',
help='Keystone Federation backend driver.'),
help='Federation backend driver.'),
cfg.StrOpt('assertion_prefix', default='',
help='Value to be used when filtering assertion parameters '
'from the environment.')],
'policy': [
cfg.StrOpt('driver',
default='keystone.policy.backends.sql.Policy',
help='Keystone Policy backend driver.'),
help='Policy backend driver.'),
cfg.IntOpt('list_limit', default=None,
help='Maximum number of entities that will be returned '
'in a policy collection.')],
'ec2': [
cfg.StrOpt('driver',
default='keystone.contrib.ec2.backends.kvs.Ec2',
help='Keystone EC2Credential backend driver.')],
help='EC2Credential backend driver.')],
'endpoint_filter': [
cfg.StrOpt('driver',
default='keystone.contrib.endpoint_filter.backends'
'.sql.EndpointFilter',
help='Keystone Endpoint Filter backend driver'),
help='Endpoint Filter backend driver'),
cfg.BoolOpt('return_all_endpoints_if_no_filter', default=True,
help='Toggle to return all active endpoints if no filter '
'exists.')],
@ -397,7 +393,7 @@ FILE_OPTIONS = {
cfg.StrOpt('driver',
default=('keystone.contrib.stats.backends'
'.kvs.Stats'),
help='Keystone stats backend driver.')],
help='Stats backend driver.')],
'ldap': [
cfg.StrOpt('url', default='ldap://localhost',
help='URL for connecting to the LDAP server.'),
@ -415,7 +411,9 @@ FILE_OPTIONS = {
help='DN of the "dummy member" to use when '
'"use_dumb_member" is enabled.'),
cfg.BoolOpt('allow_subtree_delete', default=False,
help='allow deleting subtrees.'),
help='Delete subtrees using the subtree delete control. '
'Only enable this option if your LDAP server '
'supports subtree deletion.'),
cfg.StrOpt('query_scope', default='one',
help='The LDAP scope for queries, this can be either '
'"one" (onelevel/singleLevel) or "sub" '
@ -437,7 +435,7 @@ FILE_OPTIONS = {
cfg.StrOpt('user_filter', default=None,
help='LDAP search filter for users.'),
cfg.StrOpt('user_objectclass', default='inetOrgPerson',
help='LDAP objectClass for users.'),
help='LDAP objectclass for users.'),
cfg.StrOpt('user_id_attribute', default='cn',
help='LDAP attribute mapped to user id.'),
cfg.StrOpt('user_name_attribute', default='sn',
@ -460,7 +458,7 @@ FILE_OPTIONS = {
help='Default value to enable users. This should match an '
'appropriate int value if the LDAP server uses '
'non-boolean (bitmask) values to indicate if a user '
'is enabled or disabled. If this is not set to "True"'
'is enabled or disabled. If this is not set to "True" '
'the typical value is "512". This is typically used '
'when "user_enabled_attribute = userAccountControl".'),
cfg.ListOpt('user_attribute_ignore',
@ -477,7 +475,7 @@ FILE_OPTIONS = {
cfg.BoolOpt('user_allow_delete', default=True,
help='Allow user deletion in LDAP backend.'),
cfg.BoolOpt('user_enabled_emulation', default=False,
help='If True, Keystone uses an alternative method to '
help='If true, Keystone uses an alternative method to '
'determine if a user is enabled or not by checking '
'if they are a member of the '
'"user_enabled_emulation_dn" group.'),
@ -487,7 +485,7 @@ FILE_OPTIONS = {
cfg.ListOpt('user_additional_attribute_mapping',
default=[],
help='List of additional LDAP attributes used for mapping '
'Additional attribute mappings for users. Attribute '
'additional attribute mappings for users. Attribute '
'mapping format is <ldap_attr>:<user_attr>, where '
'ldap_attr is the attribute in the LDAP entry and '
'user_attr is the Identity API attribute.'),
@ -497,7 +495,7 @@ FILE_OPTIONS = {
cfg.StrOpt('tenant_filter', default=None,
help='LDAP search filter for projects.'),
cfg.StrOpt('tenant_objectclass', default='groupOfNames',
help='LDAP objectClass for projects.'),
help='LDAP objectclass for projects.'),
cfg.StrOpt('tenant_id_attribute', default='cn',
help='LDAP attribute mapped to project id.'),
cfg.StrOpt('tenant_member_attribute', default='member',
@ -516,13 +514,13 @@ FILE_OPTIONS = {
help='List of attributes stripped off the project on '
'update.'),
cfg.BoolOpt('tenant_allow_create', default=True,
help='Allow tenant creation in LDAP backend.'),
help='Allow project creation in LDAP backend.'),
cfg.BoolOpt('tenant_allow_update', default=True,
help='Allow tenant update in LDAP backend.'),
help='Allow project update in LDAP backend.'),
cfg.BoolOpt('tenant_allow_delete', default=True,
help='Allow tenant deletion in LDAP backend.'),
help='Allow project deletion in LDAP backend.'),
cfg.BoolOpt('tenant_enabled_emulation', default=False,
help='If True, Keystone uses an alternative method to '
help='If true, Keystone uses an alternative method to '
'determine if a project is enabled or not by '
'checking if they are a member of the '
'"tenant_enabled_emulation_dn" group.'),
@ -542,7 +540,7 @@ FILE_OPTIONS = {
cfg.StrOpt('role_filter', default=None,
help='LDAP search filter for roles.'),
cfg.StrOpt('role_objectclass', default='organizationalRole',
help='LDAP objectClass for roles.'),
help='LDAP objectclass for roles.'),
cfg.StrOpt('role_id_attribute', default='cn',
help='LDAP attribute mapped to role id.'),
cfg.StrOpt('role_name_attribute', default='ou',
@ -570,7 +568,7 @@ FILE_OPTIONS = {
cfg.StrOpt('group_filter', default=None,
help='LDAP search filter for groups.'),
cfg.StrOpt('group_objectclass', default='groupOfNames',
help='LDAP objectClass for groups.'),
help='LDAP objectclass for groups.'),
cfg.StrOpt('group_id_attribute', default='cn',
help='LDAP attribute mapped to group id.'),
cfg.StrOpt('group_name_attribute', default='ou',
@ -604,7 +602,7 @@ FILE_OPTIONS = {
cfg.BoolOpt('use_tls', default=False,
help='Enable TLS for communicating with LDAP servers.'),
cfg.StrOpt('tls_req_cert', default='demand',
help='valid options for tls_req_cert are demand, never, '
help='Valid options for tls_req_cert are demand, never, '
'and allow.')],
'auth': [
cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS,
@ -625,7 +623,7 @@ FILE_OPTIONS = {
'the available pipelines.')],
'memcache': [
cfg.ListOpt('servers', default=['localhost:11211'],
help='Memcache servers in the format of "host:port"'),
help='Memcache servers in the format of "host:port".'),
cfg.IntOpt('max_compare_and_set_retry', default=16,
help='Number of compare-and-set attempts to make when '
'using compare-and-set in the token memcache back '
@ -637,7 +635,7 @@ FILE_OPTIONS = {
'template catalog backend.'),
cfg.StrOpt('driver',
default='keystone.catalog.backends.sql.Catalog',
help='Keystone catalog backend driver.'),
help='Catalog backend driver.'),
cfg.IntOpt('list_limit', default=None,
help='Maximum number of entities that will be returned '
'in a catalog collection.')],
@ -654,7 +652,7 @@ FILE_OPTIONS = {
help='Toggle to disable using a key-mangling function '
'to ensure fixed length keys. This is toggle-able '
'for debugging purposes, it is highly recommended '
'to always leave this set to True.'),
'to always leave this set to true.'),
cfg.IntOpt('default_lock_timeout', default=5,
help='Default lock timeout for distributed locking.')]}