Cleanup and add more config help strings
Clean up and add expanded help strings for the auto-generated sample config. Change-Id: I2106d8efee9934e6a48e5d0184c5a63754816a74
parent
0b5685962c
commit
d53945c779
@ -784,28 +784,28 @@
|
||||
# dereferencing configured by your ldap.conf. (string value)
|
||||
#alias_dereferencing=default
|
||||
|
||||
# (string value)
|
||||
# Search base for users (string value)
|
||||
#user_tree_dn=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP search filter for users (string value)
|
||||
#user_filter=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP objectClass for users (string value)
|
||||
#user_objectclass=inetOrgPerson
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to user id (string value)
|
||||
#user_id_attribute=cn
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to user name (string value)
|
||||
#user_name_attribute=sn
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to user email (string value)
|
||||
#user_mail_attribute=email
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to password (string value)
|
||||
#user_pass_attribute=userPassword
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to user enabled flag (string value)
|
||||
#user_enabled_attribute=enabled
|
||||
|
||||
# (integer value)
|
||||
@ -814,19 +814,21 @@
|
||||
# (string value)
|
||||
#user_enabled_default=True
|
||||
|
||||
# (list value)
|
||||
# List of attributes stripped off the user on update (list
|
||||
# value)
|
||||
#user_attribute_ignore=default_project_id,tenants
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to default_project_id for users
|
||||
# (string value)
|
||||
#user_default_project_id_attribute=<None>
|
||||
|
||||
# (boolean value)
|
||||
# Allow user creation in LDAP backend (boolean value)
|
||||
#user_allow_create=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow user updates in LDAP backend (boolean value)
|
||||
#user_allow_update=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow user deletion in LDAP backend (boolean value)
|
||||
#user_allow_delete=true
|
||||
|
||||
# (boolean value)
|
||||
@ -835,46 +837,52 @@
|
||||
# (string value)
|
||||
#user_enabled_emulation_dn=<None>
|
||||
|
||||
# (list value)
|
||||
# List of additional LDAP attributes used for mapping
|
||||
# Additional attribute mappings for users. Attribute mapping
|
||||
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
|
||||
# attribute in the LDAP entry and user_attr is the Identity
|
||||
# API attribute. (list value)
|
||||
#user_additional_attribute_mapping=
|
||||
|
||||
# (string value)
|
||||
# Search base for projects (string value)
|
||||
#tenant_tree_dn=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP search filter for projects (string value)
|
||||
#tenant_filter=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP objectClass for projects (string value)
|
||||
#tenant_objectclass=groupOfNames
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to project id (string value)
|
||||
#tenant_id_attribute=cn
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to project membership for user (string
|
||||
# value)
|
||||
#tenant_member_attribute=member
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to project name (string value)
|
||||
#tenant_name_attribute=ou
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to project description (string value)
|
||||
#tenant_desc_attribute=description
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to project enabled (string value)
|
||||
#tenant_enabled_attribute=enabled
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to project domain_id (string value)
|
||||
#tenant_domain_id_attribute=businessCategory
|
||||
|
||||
# (list value)
|
||||
# List of attributes stripped off the project on update (list
|
||||
# value)
|
||||
#tenant_attribute_ignore=
|
||||
|
||||
# (boolean value)
|
||||
# Allow tenant creation in LDAP backend (boolean value)
|
||||
#tenant_allow_create=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow tenant update in LDAP backend (boolean value)
|
||||
#tenant_allow_update=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow tenant deletion in LDAP backend (boolean value)
|
||||
#tenant_allow_delete=true
|
||||
|
||||
# (boolean value)
|
||||
@ -883,85 +891,100 @@
|
||||
# (string value)
|
||||
#tenant_enabled_emulation_dn=<None>
|
||||
|
||||
# (list value)
|
||||
# Additional attribute mappings for projects. Attribute
|
||||
# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
|
||||
# is the attribute in the LDAP entry and user_attr is the
|
||||
# Identity API attribute. (list value)
|
||||
#tenant_additional_attribute_mapping=
|
||||
|
||||
# (string value)
|
||||
# Search base for roles (string value)
|
||||
#role_tree_dn=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP search filter for roles (string value)
|
||||
#role_filter=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP objectClass for roles (string value)
|
||||
#role_objectclass=organizationalRole
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to role id (string value)
|
||||
#role_id_attribute=cn
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to role name (string value)
|
||||
#role_name_attribute=ou
|
||||
|
||||
# (string value)
|
||||
#role_member_attribute=roleOccupant
|
||||
|
||||
# (list value)
|
||||
# List of attributes stripped off the role on update (list
|
||||
# value)
|
||||
#role_attribute_ignore=
|
||||
|
||||
# (boolean value)
|
||||
# Allow role creation in LDAP backend (boolean value)
|
||||
#role_allow_create=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow role update in LDAP backend (boolean value)
|
||||
#role_allow_update=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow role deletion in LDAP backend (boolean value)
|
||||
#role_allow_delete=true
|
||||
|
||||
# (list value)
|
||||
# Additional attribute mappings for roles. Attribute mapping
|
||||
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
|
||||
# attribute in the LDAP entry and user_attr is the Identity
|
||||
# API attribute. (list value)
|
||||
#role_additional_attribute_mapping=
|
||||
|
||||
# (string value)
|
||||
# Search base for groups (string value)
|
||||
#group_tree_dn=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP search filter for groups (string value)
|
||||
#group_filter=<None>
|
||||
|
||||
# (string value)
|
||||
# LDAP objectClass for groups (string value)
|
||||
#group_objectclass=groupOfNames
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to group id (string value)
|
||||
#group_id_attribute=cn
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to group name (string value)
|
||||
#group_name_attribute=ou
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to show group membership (string
|
||||
# value)
|
||||
#group_member_attribute=member
|
||||
|
||||
# (string value)
|
||||
# LDAP attribute mapped to group description (string value)
|
||||
#group_desc_attribute=description
|
||||
|
||||
# (list value)
|
||||
# List of attributes stripped off the group on update (list
|
||||
# value)
|
||||
#group_attribute_ignore=
|
||||
|
||||
# (boolean value)
|
||||
# Allow group creation in LDAP backend (boolean value)
|
||||
#group_allow_create=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow group update in LDAP backend (boolean value)
|
||||
#group_allow_update=true
|
||||
|
||||
# (boolean value)
|
||||
# Allow group deletion in LDAP backend (boolean value)
|
||||
#group_allow_delete=true
|
||||
|
||||
# (list value)
|
||||
# Additional attribute mappings for groups. Attribute mapping
|
||||
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
|
||||
# attribute in the LDAP entry and user_attr is the Identity
|
||||
# API attribute. (list value)
|
||||
#group_additional_attribute_mapping=
|
||||
|
||||
# (string value)
|
||||
# CA certificate file path for communicating with LDAP servers
|
||||
# (string value)
|
||||
#tls_cacertfile=<None>
|
||||
|
||||
# (string value)
|
||||
# CA certificate directory path for communicating with LDAP
|
||||
# servers (string value)
|
||||
#tls_cacertdir=<None>
|
||||
|
||||
# (boolean value)
|
||||
# Enable TLS for communicating with LDAP servers (boolean
|
||||
# value)
|
||||
#use_tls=false
|
||||
|
||||
# valid options for tls_req_cert are demand, never, and allow
|
||||
|
@ -21,183 +21,183 @@ _DEFAULT_AUTH_METHODS = ['external', 'password', 'token']
|
||||
FILE_OPTIONS = {
|
||||
None: [
|
||||
cfg.StrOpt('admin_token', secret=True, default='ADMIN',
|
||||
help=('A "shared secret" that can be used to bootstrap '
|
||||
'Keystone. This "token" does not represent a user, '
|
||||
'and carries no explicit authorization. To disable '
|
||||
'in production (highly recommended), remove '
|
||||
'AdminTokenAuthMiddleware from your paste '
|
||||
'application pipelines (for example, in '
|
||||
'keystone-paste.ini).')),
|
||||
help='A "shared secret" that can be used to bootstrap '
|
||||
'Keystone. This "token" does not represent a user, '
|
||||
'and carries no explicit authorization. To disable '
|
||||
'in production (highly recommended), remove '
|
||||
'AdminTokenAuthMiddleware from your paste '
|
||||
'application pipelines (for example, in '
|
||||
'keystone-paste.ini).'),
|
||||
cfg.StrOpt('public_bind_host',
|
||||
default='0.0.0.0',
|
||||
deprecated_opts=[cfg.DeprecatedOpt('bind_host',
|
||||
group='DEFAULT')],
|
||||
help=('The IP Address of the network interface to for the '
|
||||
'public service to listen on.')),
|
||||
help='The IP Address of the network interface to for the '
|
||||
'public service to listen on.'),
|
||||
cfg.StrOpt('admin_bind_host',
|
||||
default='0.0.0.0',
|
||||
deprecated_opts=[cfg.DeprecatedOpt('bind_host',
|
||||
group='DEFAULT')],
|
||||
help=('The IP Address of the network interface to for the '
|
||||
'admin service to listen on.')),
|
||||
help='The IP Address of the network interface to for the '
|
||||
'admin service to listen on.'),
|
||||
cfg.IntOpt('compute_port', default=8774,
|
||||
help=('The port which the OpenStack Compute service '
|
||||
'listens on.')),
|
||||
help='The port which the OpenStack Compute service '
|
||||
'listens on.'),
|
||||
cfg.IntOpt('admin_port', default=35357,
|
||||
help=('The port number which the admin service listens '
|
||||
'on.')),
|
||||
help='The port number which the admin service listens '
|
||||
'on.'),
|
||||
cfg.IntOpt('public_port', default=5000,
|
||||
help=('The port number which the public service listens '
|
||||
'on.')),
|
||||
help='The port number which the public service listens '
|
||||
'on.'),
|
||||
cfg.StrOpt('public_endpoint',
|
||||
default='http://localhost:%(public_port)s/',
|
||||
help=('The base public endpoint URL for keystone that are '
|
||||
'advertised to clients (NOTE: this does NOT affect '
|
||||
'how keystone listens for connections)')),
|
||||
help='The base public endpoint URL for keystone that are '
|
||||
'advertised to clients (NOTE: this does NOT affect '
|
||||
'how keystone listens for connections)'),
|
||||
cfg.StrOpt('admin_endpoint',
|
||||
default='http://localhost:%(admin_port)s/',
|
||||
help=('The base admin endpoint URL for keystone that are '
|
||||
'advertised to clients (NOTE: this does NOT affect '
|
||||
'how keystone listens for connections)')),
|
||||
help='The base admin endpoint URL for keystone that are '
|
||||
'advertised to clients (NOTE: this does NOT affect '
|
||||
'how keystone listens for connections)'),
|
||||
cfg.StrOpt('onready',
|
||||
help=('onready allows you to send a notification when the '
|
||||
'process is ready to serve For example, to have it '
|
||||
'notify using systemd, one could set shell command: '
|
||||
'"onready = systemd-notify --ready" or a module '
|
||||
'with notify() method: '
|
||||
'"onready = keystone.common.systemd"')),
|
||||
help='onready allows you to send a notification when the '
|
||||
'process is ready to serve For example, to have it '
|
||||
'notify using systemd, one could set shell command: '
|
||||
'"onready = systemd-notify --ready" or a module '
|
||||
'with notify() method: '
|
||||
'"onready = keystone.common.systemd"'),
|
||||
# default max request size is 112k
|
||||
cfg.IntOpt('max_request_body_size', default=114688,
|
||||
help=('enforced by optional sizelimit middleware '
|
||||
'(keystone.middleware:RequestBodySizeLimiter)')),
|
||||
help='enforced by optional sizelimit middleware '
|
||||
'(keystone.middleware:RequestBodySizeLimiter)'),
|
||||
cfg.IntOpt('max_param_size', default=64,
|
||||
help='limit the sizes of user & tenant ID/names'),
|
||||
# we allow tokens to be a bit larger to accommodate PKI
|
||||
cfg.IntOpt('max_token_size', default=8192,
|
||||
help=('similar to max_param_size, but provides an '
|
||||
'exception for token values')),
|
||||
help='similar to max_param_size, but provides an '
|
||||
'exception for token values'),
|
||||
cfg.StrOpt('member_role_id',
|
||||
default='9fe2ff9ee4384b1894a90878d3e92bab',
|
||||
help=('During a SQL upgrade member_role_id will be used '
|
||||
'to create a new role that will replace records in '
|
||||
'the user_tenant_membership table with explicit '
|
||||
'role grants. After migration, the member_role_id '
|
||||
'will be used in the API add_user_to_project.')),
|
||||
help='During a SQL upgrade member_role_id will be used '
|
||||
'to create a new role that will replace records in '
|
||||
'the user_tenant_membership table with explicit '
|
||||
'role grants. After migration, the member_role_id '
|
||||
'will be used in the API add_user_to_project.'),
|
||||
cfg.StrOpt('member_role_name', default='_member_',
|
||||
help=('During a SQL upgrade member_role_id will be used '
|
||||
'to create a new role that will replace records in '
|
||||
'the user_tenant_membership table with explicit '
|
||||
'role grants. After migration, member_role_name will '
|
||||
'be ignored.')),
|
||||
help='During a SQL upgrade member_role_id will be used '
|
||||
'to create a new role that will replace records in '
|
||||
'the user_tenant_membership table with explicit '
|
||||
'role grants. After migration, member_role_name will '
|
||||
'be ignored.'),
|
||||
cfg.IntOpt('crypt_strength', default=40000,
|
||||
help=('The value passed as the keyword "rounds" to passlib '
|
||||
'encrypt method.')),
|
||||
help='The value passed as the keyword "rounds" to passlib '
|
||||
'encrypt method.'),
|
||||
cfg.BoolOpt('tcp_keepalive', default=False,
|
||||
help=("Set this to True if you want to enable "
|
||||
"TCP_KEEPALIVE on server sockets i.e. sockets used "
|
||||
"by the keystone wsgi server for client "
|
||||
"connections")),
|
||||
help='Set this to True if you want to enable '
|
||||
'TCP_KEEPALIVE on server sockets i.e. sockets used '
|
||||
'by the keystone wsgi server for client '
|
||||
'connections'),
|
||||
cfg.IntOpt('tcp_keepidle',
|
||||
default=600,
|
||||
help=("Sets the value of TCP_KEEPIDLE in seconds for each "
|
||||
"server socket. Only applies if tcp_keepalive is "
|
||||
"True. Not supported on OS X.")),
|
||||
help='Sets the value of TCP_KEEPIDLE in seconds for each '
|
||||
'server socket. Only applies if tcp_keepalive is '
|
||||
'True. Not supported on OS X.'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help=('The maximum number of entities that will be '
|
||||
'returned in a collection can be set with '
|
||||
'list_limit, with no limit set by default. This '
|
||||
'global limit may be then overridden for a specific '
|
||||
'driver, by specifying a list_limit in the '
|
||||
'appropriate section (e.g. [assignment]'))],
|
||||
help='The maximum number of entities that will be '
|
||||
'returned in a collection can be set with '
|
||||
'list_limit, with no limit set by default. This '
|
||||
'global limit may be then overridden for a specific '
|
||||
'driver, by specifying a list_limit in the '
|
||||
'appropriate section (e.g. [assignment]')],
|
||||
'identity': [
|
||||
cfg.StrOpt('default_domain_id', default='default',
|
||||
help=('This references the domain to use for all '
|
||||
'Identity API v2 requests (which are not aware of '
|
||||
'domains). A domain with this ID will be created '
|
||||
'for you by keystone-manage db_sync in migration '
|
||||
'008. The domain referenced by this ID cannot be '
|
||||
'deleted on the v3 API, to prevent accidentally '
|
||||
'breaking the v2 API. There is nothing special about '
|
||||
'this domain, other than the fact that it must '
|
||||
'exist to order to maintain support for your v2 '
|
||||
'clients.')),
|
||||
help='This references the domain to use for all '
|
||||
'Identity API v2 requests (which are not aware of '
|
||||
'domains). A domain with this ID will be created '
|
||||
'for you by keystone-manage db_sync in migration '
|
||||
'008. The domain referenced by this ID cannot be '
|
||||
'deleted on the v3 API, to prevent accidentally '
|
||||
'breaking the v2 API. There is nothing special about '
|
||||
'this domain, other than the fact that it must '
|
||||
'exist to order to maintain support for your v2 '
|
||||
'clients.'),
|
||||
cfg.BoolOpt('domain_specific_drivers_enabled',
|
||||
default=False,
|
||||
help=('A subset (or all) of domains can have their own '
|
||||
'identity driver, each with their own partial '
|
||||
'configuration file in a domain configuration '
|
||||
'directory. Only values specific to the domain '
|
||||
'need to be placed in the domain specific '
|
||||
'configuration file. This feature is disabled by '
|
||||
'default; set to True to enable.')),
|
||||
help='A subset (or all) of domains can have their own '
|
||||
'identity driver, each with their own partial '
|
||||
'configuration file in a domain configuration '
|
||||
'directory. Only values specific to the domain '
|
||||
'need to be placed in the domain specific '
|
||||
'configuration file. This feature is disabled by '
|
||||
'default; set to True to enable.'),
|
||||
cfg.StrOpt('domain_config_dir',
|
||||
default='/etc/keystone/domains',
|
||||
help=('Path for Keystone to locate the domain specific'
|
||||
'identity configuration files if '
|
||||
'domain_specific_drivers_enabled is set to true.')),
|
||||
help='Path for Keystone to locate the domain specific'
|
||||
'identity configuration files if '
|
||||
'domain_specific_drivers_enabled is set to true.'),
|
||||
cfg.StrOpt('driver',
|
||||
default=('keystone.identity.backends'
|
||||
'.sql.Identity'),
|
||||
help='Keystone Identity backend driver'),
|
||||
cfg.IntOpt('max_password_length', default=4096,
|
||||
help=('Maximum supported length for user passwords; '
|
||||
'decrease to improve performance.')),
|
||||
help='Maximum supported length for user passwords; '
|
||||
'decrease to improve performance.'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help=('Maximum number of entities that will be returned in '
|
||||
'an identity collection'))],
|
||||
help='Maximum number of entities that will be returned in '
|
||||
'an identity collection')],
|
||||
'trust': [
|
||||
cfg.BoolOpt('enabled', default=True,
|
||||
help=('delegation and impersonation features can be '
|
||||
'optionally disabled')),
|
||||
help='delegation and impersonation features can be '
|
||||
'optionally disabled'),
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.trust.backends.sql.Trust',
|
||||
help='Keystone Trust backend driver')],
|
||||
'os_inherit': [
|
||||
cfg.BoolOpt('enabled', default=False,
|
||||
help=('role-assignment inheritance to projects from '
|
||||
'owning domain can be optionally enabled'))],
|
||||
help='role-assignment inheritance to projects from '
|
||||
'owning domain can be optionally enabled')],
|
||||
'token': [
|
||||
cfg.ListOpt('bind', default=[],
|
||||
help=('External auth mechanisms that should add bind '
|
||||
'information to token e.g. kerberos, x509')),
|
||||
help='External auth mechanisms that should add bind '
|
||||
'information to token e.g. kerberos, x509'),
|
||||
cfg.StrOpt('enforce_token_bind', default='permissive',
|
||||
help=('Enforcement policy on tokens presented to keystone '
|
||||
'with bind information. One of disabled, permissive, '
|
||||
'strict, required or a specifically required bind '
|
||||
'mode e.g. kerberos or x509 to require binding to '
|
||||
'that authentication.')),
|
||||
help='Enforcement policy on tokens presented to keystone '
|
||||
'with bind information. One of disabled, permissive, '
|
||||
'strict, required or a specifically required bind '
|
||||
'mode e.g. kerberos or x509 to require binding to '
|
||||
'that authentication.'),
|
||||
cfg.IntOpt('expiration', default=3600,
|
||||
help=('Amount of time a token should remain valid '
|
||||
'(in seconds)')),
|
||||
help='Amount of time a token should remain valid '
|
||||
'(in seconds)'),
|
||||
cfg.StrOpt('provider', default=None,
|
||||
help=('Controls the token construction, validation, and '
|
||||
'revocation operations. Core providers are '
|
||||
'keystone.token.providers.[pki|uuid].Provider')),
|
||||
help='Controls the token construction, validation, and '
|
||||
'revocation operations. Core providers are '
|
||||
'keystone.token.providers.[pki|uuid].Provider'),
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.token.backends.sql.Token',
|
||||
help='Keystone Token persistence backend driver'),
|
||||
cfg.BoolOpt('caching', default=True,
|
||||
help=('Toggle for token system cacheing. This has no '
|
||||
'effect unless global caching is enabled.')),
|
||||
help='Toggle for token system cacheing. This has no '
|
||||
'effect unless global caching is enabled.'),
|
||||
cfg.IntOpt('revocation_cache_time', default=3600,
|
||||
help=('Time to cache the revocation list (in seconds). '
|
||||
'This has no effect unless global and token '
|
||||
'caching are enabled.')),
|
||||
help='Time to cache the revocation list (in seconds). '
|
||||
'This has no effect unless global and token '
|
||||
'caching are enabled.'),
|
||||
cfg.IntOpt('cache_time', default=None,
|
||||
help=('Time to cache tokens (in seconds). This has no '
|
||||
'effect unless global and token caching are '
|
||||
'enabled.'))],
|
||||
help='Time to cache tokens (in seconds). This has no '
|
||||
'effect unless global and token caching are '
|
||||
'enabled.')],
|
||||
'cache': [
|
||||
cfg.StrOpt('config_prefix', default='cache.keystone',
|
||||
help=('Prefix for building the configuration dictionary '
|
||||
'for the cache region. This should not need to be '
|
||||
'changed unless there is another dogpile.cache '
|
||||
'region with the same configuration name')),
|
||||
help='Prefix for building the configuration dictionary '
|
||||
'for the cache region. This should not need to be '
|
||||
'changed unless there is another dogpile.cache '
|
||||
'region with the same configuration name'),
|
||||
cfg.IntOpt('expiration_time', default=600,
|
||||
help=('Default TTL, in seconds, for any cached item in '
|
||||
'the dogpile.cache region. This applies to any '
|
||||
'cached method that doesn\'t have an explicit '
|
||||
'cache expiration time defined for it.')),
|
||||
help='Default TTL, in seconds, for any cached item in '
|
||||
'the dogpile.cache region. This applies to any '
|
||||
'cached method that doesn\'t have an explicit '
|
||||
'cache expiration time defined for it.'),
|
||||
# NOTE(morganfainberg): the dogpile.cache.memory acceptable in devstack
|
||||
# and other such single-process/thread deployments. Running
|
||||
# dogpile.cache.memory in any other configuration has the same pitfalls
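Review bot: The `admin_token` help near the top of this hunk explains how to remove AdminTokenAuthMiddleware but never says that the shipped default `'ADMIN'` is a publicly known value, so a deployment that keeps the middleware and the default is left with a guessable bootstrap secret; I would append a sentence such as `'If the middleware stays enabled, replace the default with a long random value.'`. Separately, the `domain_config_dir` help joins `'Path for Keystone to locate the domain specific'` and `'identity configuration files if '` without a space, so the text concatenates to "specificidentity"; the first literal should end `'the domain specific '`. The top-level `list_limit` help also ends with `'appropriate section (e.g. [assignment]'` and is missing its closing `)`. FILE_OPTIONS continues past the end of this hunk.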
|
||||
@ -207,43 +207,43 @@ FILE_OPTIONS = {
|
||||
# unintentionally, we register a no-op as the keystone default caching
|
||||
# backend.
|
||||
cfg.StrOpt('backend', default='keystone.common.cache.noop',
|
||||
help=('Dogpile.cache backend module. It is recommended '
|
||||
'that Memcache (dogpile.cache.memcache) or Redis '
|
||||
'(dogpile.cache.redis) be used in production '
|
||||
'deployments. Small workloads (single process) '
|
||||
'like devstack can use the dogpile.cache.memory '
|
||||
'backend.')),
|
||||
help='Dogpile.cache backend module. It is recommended '
|
||||
'that Memcache (dogpile.cache.memcache) or Redis '
|
||||
'(dogpile.cache.redis) be used in production '
|
||||
'deployments. Small workloads (single process) '
|
||||
'like devstack can use the dogpile.cache.memory '
|
||||
'backend.'),
|
||||
cfg.BoolOpt('use_key_mangler', default=True,
|
||||
help=('Use a key-mangling function (sha1) to ensure '
|
||||
'fixed length cache-keys. This is toggle-able for '
|
||||
'debugging purposes, it is highly recommended to '
|
||||
'always leave this set to True.')),
|
||||
help='Use a key-mangling function (sha1) to ensure '
|
||||
'fixed length cache-keys. This is toggle-able for '
|
||||
'debugging purposes, it is highly recommended to '
|
||||
'always leave this set to True.'),
|
||||
cfg.MultiStrOpt('backend_argument', default=[],
|
||||
help=('Arguments supplied to the backend module. '
|
||||
'Specify this option once per argument to be '
|
||||
'passed to the dogpile.cache backend. Example '
|
||||
'format: <argname>:<value>')),
|
||||
help='Arguments supplied to the backend module. '
|
||||
'Specify this option once per argument to be '
|
||||
'passed to the dogpile.cache backend. Example '
|
||||
'format: <argname>:<value>'),
|
||||
cfg.ListOpt('proxies', default=[],
|
||||
help=('Proxy Classes to import that will affect the way '
|
||||
'the dogpile.cache backend functions. See the '
|
||||
'dogpile.cache documentation on '
|
||||
'changing-backend-behavior. Comma delimited '
|
||||
'list e.g. '
|
||||
'my.dogpile.proxy.Class, my.dogpile.proxyClass2')),
|
||||
help='Proxy Classes to import that will affect the way '
|
||||
'the dogpile.cache backend functions. See the '
|
||||
'dogpile.cache documentation on '
|
||||
'changing-backend-behavior. Comma delimited '
|
||||
'list e.g. '
|
||||
'my.dogpile.proxy.Class, my.dogpile.proxyClass2'),
|
||||
cfg.BoolOpt('enabled', default=False,
|
||||
help=('Global toggle for all caching using the '
|
||||
'should_cache_fn mechanism')),
|
||||
help='Global toggle for all caching using the '
|
||||
'should_cache_fn mechanism'),
|
||||
cfg.BoolOpt('debug_cache_backend', default=False,
|
||||
help=('Extra debugging from the cache backend (cache '
|
||||
'keys, get/set/delete/etc calls) This is only '
|
||||
'really useful if you need to see the specific '
|
||||
'cache-backend get/set/delete calls with the '
|
||||
'keys/values. Typically this should be left set '
|
||||
'to False.'))],
|
||||
help='Extra debugging from the cache backend (cache '
|
||||
'keys, get/set/delete/etc calls) This is only '
|
||||
'really useful if you need to see the specific '
|
||||
'cache-backend get/set/delete calls with the '
|
||||
'keys/values. Typically this should be left set '
|
||||
'to False.')],
|
||||
'ssl': [
|
||||
cfg.BoolOpt('enable', default=False,
|
||||
help=('Toggle for SSL support on the keystone '
|
||||
'eventlet servers.')),
|
||||
help='Toggle for SSL support on the keystone '
|
||||
'eventlet servers.'),
|
||||
cfg.StrOpt('certfile',
|
||||
default="/etc/keystone/ssl/certs/keystone.pem",
|
||||
help='Path of the certfile for SSL.'),
|
||||
@ -256,7 +256,7 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('ca_key',
|
||||
default='/etc/keystone/ssl/private/cakey.pem',
|
||||
help='Path of the CA key file for SSL'),
|
||||
cfg.BoolOpt('cert_required', default=False),
|
||||
cfg.BoolOpt('cert_required', default=False,),
|
||||
cfg.IntOpt('key_size', default=1024,
|
||||
help='SSL Key Length (in bits) (auto generated '
|
||||
'certificate)'),
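Review bot: `cert_required` still has no help string: the new line only adds a trailing comma (`default=False,)`), so the generated sample keeps a bare "(boolean value)" for an option that looks security-relevant. If, as the name suggests, it makes the SSL listener demand a peer certificate, something like `help='Require client certificate.'` would do; confirm the semantics against the server setup code, which is not in this hunk. In the same hunk the context line `cfg.IntOpt('key_size', default=1024,` keeps a 1024-bit default for auto-generated certificates, which, assuming these are RSA keys, is below the commonly recommended 2048-bit minimum; consider `default=2048` in a follow-up. The enclosing FILE_OPTIONS dict starts and ends outside this hunk.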
|
||||
@ -269,8 +269,8 @@ FILE_OPTIONS = {
|
||||
'certificate)')],
|
||||
'signing': [
|
||||
cfg.StrOpt('token_format', default=None,
|
||||
help=('Deprecated in favor of provider in the '
|
||||
'[token] section')),
|
||||
help='Deprecated in favor of provider in the '
|
||||
'[token] section'),
|
||||
cfg.StrOpt('certfile',
|
||||
default='/etc/keystone/ssl/certs/signing_cert.pem',
|
||||
help='Path of the certfile for token signing.'),
|
||||
@ -301,14 +301,14 @@ FILE_OPTIONS = {
|
||||
cfg.StrOpt('driver', default=None,
|
||||
help='Keystone Assignment backend driver'),
|
||||
cfg.BoolOpt('caching', default=True,
|
||||
help=('Toggle for assignment caching. This has no effect '
|
||||
'unless global caching is enabled.')),
|
||||
help='Toggle for assignment caching. This has no effect '
|
||||
'unless global caching is enabled.'),
|
||||
cfg.IntOpt('cache_time', default=None,
|
||||
help='TTL (in seconds) to cache assignment data. This has '
|
||||
'no effect unless global caching is enabled.'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help=('Maximum number of entities that will be returned '
|
||||
'in an assignment collection'))],
|
||||
help='Maximum number of entities that will be returned '
|
||||
'in an assignment collection')],
|
||||
'credential': [
|
||||
cfg.StrOpt('driver',
|
||||
default=('keystone.credential.backends'
|
||||
@ -334,8 +334,8 @@ FILE_OPTIONS = {
|
||||
default='keystone.policy.backends.sql.Policy',
|
||||
help='Keystone Policy backend driver'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help=('Maximum number of entities that will be returned '
|
||||
'in a policy collection'))],
|
||||
help='Maximum number of entities that will be returned '
|
||||
'in a policy collection')],
|
||||
'ec2': [
|
||||
cfg.StrOpt('driver',
|
||||
default='keystone.contrib.ec2.backends.kvs.Ec2',
|
||||
@ -367,92 +367,164 @@ FILE_OPTIONS = {
|
||||
cfg.BoolOpt('allow_subtree_delete', default=False,
|
||||
help='allow deleting subtrees'),
|
||||
cfg.StrOpt('query_scope', default='one',
|
||||
help=('The LDAP scope for queries, this can be either '
|
||||
'"one" (onelevel/singleLevel) or "sub" '
|
||||
'(subtree/wholeSubtree)')),
|
||||
help='The LDAP scope for queries, this can be either '
|
||||
'"one" (onelevel/singleLevel) or "sub" '
|
||||
'(subtree/wholeSubtree)'),
|
||||
cfg.IntOpt('page_size', default=0,
|
||||
help=('Maximum results per page; a value of zero ("0") '
|
||||
'disables paging')),
|
||||
help='Maximum results per page; a value of zero ("0") '
|
||||
'disables paging'),
|
||||
cfg.StrOpt('alias_dereferencing', default='default',
|
||||
help=('The LDAP dereferencing option for queries. This '
|
||||
'can be either "never", "searching", "always", '
|
||||
'"finding" or "default". The "default" option falls '
|
||||
'back to using default dereferencing configured by '
|
||||
'your ldap.conf.')),
|
||||
|
||||
cfg.StrOpt('user_tree_dn', default=None),
|
||||
cfg.StrOpt('user_filter', default=None),
|
||||
cfg.StrOpt('user_objectclass', default='inetOrgPerson'),
|
||||
cfg.StrOpt('user_id_attribute', default='cn'),
|
||||
cfg.StrOpt('user_name_attribute', default='sn'),
|
||||
cfg.StrOpt('user_mail_attribute', default='email'),
|
||||
cfg.StrOpt('user_pass_attribute', default='userPassword'),
|
||||
cfg.StrOpt('user_enabled_attribute', default='enabled'),
|
||||
help='The LDAP dereferencing option for queries. This '
|
||||
'can be either "never", "searching", "always", '
|
||||
'"finding" or "default". The "default" option falls '
|
||||
'back to using default dereferencing configured by '
|
||||
'your ldap.conf.'),
|
||||
cfg.StrOpt('user_tree_dn', default=None,
|
||||
help='Search base for users'),
|
||||
cfg.StrOpt('user_filter', default=None,
|
||||
help='LDAP search filter for users'),
|
||||
cfg.StrOpt('user_objectclass', default='inetOrgPerson',
|
||||
help='LDAP objectClass for users'),
|
||||
cfg.StrOpt('user_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to user id'),
|
||||
cfg.StrOpt('user_name_attribute', default='sn',
|
||||
help='LDAP attribute mapped to user name'),
|
||||
cfg.StrOpt('user_mail_attribute', default='email',
|
||||
help='LDAP attribute mapped to user email'),
|
||||
cfg.StrOpt('user_pass_attribute', default='userPassword',
|
||||
help='LDAP attribute mapped to password'),
|
||||
cfg.StrOpt('user_enabled_attribute', default='enabled',
|
||||
help='LDAP attribute mapped to user enabled flag'),
|
||||
cfg.IntOpt('user_enabled_mask', default=0),
|
||||
cfg.StrOpt('user_enabled_default', default='True'),
|
||||
cfg.ListOpt('user_attribute_ignore',
|
||||
default=['default_project_id', 'tenants']),
|
||||
cfg.StrOpt('user_default_project_id_attribute', default=None),
|
||||
cfg.BoolOpt('user_allow_create', default=True),
|
||||
cfg.BoolOpt('user_allow_update', default=True),
|
||||
cfg.BoolOpt('user_allow_delete', default=True),
|
||||
default=['default_project_id', 'tenants'],
|
||||
help='List of attributes stripped off the user on update'),
|
||||
cfg.StrOpt('user_default_project_id_attribute', default=None,
|
||||
help='LDAP attribute mapped to default_project_id for '
|
||||
'users'),
|
||||
cfg.BoolOpt('user_allow_create', default=True,
|
||||
help='Allow user creation in LDAP backend'),
|
||||
cfg.BoolOpt('user_allow_update', default=True,
|
||||
help='Allow user updates in LDAP backend'),
|
||||
cfg.BoolOpt('user_allow_delete', default=True,
|
||||
help='Allow user deletion in LDAP backend'),
|
||||
cfg.BoolOpt('user_enabled_emulation', default=False),
|
||||
cfg.StrOpt('user_enabled_emulation_dn', default=None),
|
||||
cfg.ListOpt('user_additional_attribute_mapping',
|
||||
default=[]),
|
||||
default=[],
|
||||
help='List of additional LDAP attributes used for mapping '
|
||||
'Additional attribute mappings for users. Attribute '
|
||||
'mapping format is <ldap_attr>:<user_attr>, where '
|
||||
'ldap_attr is the attribute in the LDAP entry and '
|
||||
'user_attr is the Identity API attribute.'),
|
||||
|
||||
cfg.StrOpt('tenant_tree_dn', default=None),
|
||||
cfg.StrOpt('tenant_filter', default=None),
|
||||
cfg.StrOpt('tenant_objectclass', default='groupOfNames'),
|
||||
cfg.StrOpt('tenant_id_attribute', default='cn'),
|
||||
cfg.StrOpt('tenant_member_attribute', default='member'),
|
||||
cfg.StrOpt('tenant_name_attribute', default='ou'),
|
||||
cfg.StrOpt('tenant_desc_attribute', default='description'),
|
||||
cfg.StrOpt('tenant_enabled_attribute', default='enabled'),
|
||||
cfg.StrOpt('tenant_tree_dn', default=None,
|
||||
help='Search base for projects'),
|
||||
cfg.StrOpt('tenant_filter', default=None,
|
||||
help='LDAP search filter for projects'),
|
||||
cfg.StrOpt('tenant_objectclass', default='groupOfNames',
|
||||
help='LDAP objectClass for projects'),
|
||||
cfg.StrOpt('tenant_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to project id'),
|
||||
cfg.StrOpt('tenant_member_attribute', default='member',
|
||||
help='LDAP attribute mapped to project membership for '
|
||||
'user'),
|
||||
cfg.StrOpt('tenant_name_attribute', default='ou',
|
||||
help='LDAP attribute mapped to project name'),
|
||||
cfg.StrOpt('tenant_desc_attribute', default='description',
|
||||
help='LDAP attribute mapped to project description'),
|
||||
cfg.StrOpt('tenant_enabled_attribute', default='enabled',
|
||||
help='LDAP attribute mapped to project enabled'),
|
||||
cfg.StrOpt('tenant_domain_id_attribute',
|
||||
default='businessCategory'),
|
||||
cfg.ListOpt('tenant_attribute_ignore', default=[]),
|
||||
cfg.BoolOpt('tenant_allow_create', default=True),
|
||||
cfg.BoolOpt('tenant_allow_update', default=True),
|
||||
cfg.BoolOpt('tenant_allow_delete', default=True),
|
||||
default='businessCategory',
|
||||
help='LDAP attribute mapped to project domain_id'),
|
||||
cfg.ListOpt('tenant_attribute_ignore', default=[],
|
||||
help='List of attributes stripped off the project on '
|
||||
'update'),
|
||||
cfg.BoolOpt('tenant_allow_create', default=True,
|
||||
help='Allow tenant creation in LDAP backend'),
|
||||
cfg.BoolOpt('tenant_allow_update', default=True,
|
||||
help='Allow tenant update in LDAP backend'),
|
||||
cfg.BoolOpt('tenant_allow_delete', default=True,
|
||||
help='Allow tenant deletion in LDAP backend'),
|
||||
cfg.BoolOpt('tenant_enabled_emulation', default=False),
|
||||
cfg.StrOpt('tenant_enabled_emulation_dn', default=None),
|
||||
cfg.ListOpt('tenant_additional_attribute_mapping',
|
||||
default=[]),
|
||||
default=[],
|
||||
help='Additional attribute mappings for projects. '
|
||||
'Attribute mapping format is '
|
||||
'<ldap_attr>:<user_attr>, where ldap_attr is the '
|
||||
'attribute in the LDAP entry and user_attr is the '
|
||||
'Identity API attribute.'),
|
||||
|
||||
cfg.StrOpt('role_tree_dn', default=None),
|
||||
cfg.StrOpt('role_filter', default=None),
|
||||
cfg.StrOpt('role_objectclass', default='organizationalRole'),
|
||||
cfg.StrOpt('role_id_attribute', default='cn'),
|
||||
cfg.StrOpt('role_name_attribute', default='ou'),
|
||||
cfg.StrOpt('role_tree_dn', default=None,
|
||||
help='Search base for roles'),
|
||||
cfg.StrOpt('role_filter', default=None,
|
||||
help='LDAP search filter for roles'),
|
||||
cfg.StrOpt('role_objectclass', default='organizationalRole',
|
||||
help='LDAP objectClass for roles'),
|
||||
cfg.StrOpt('role_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to role id'),
|
||||
cfg.StrOpt('role_name_attribute', default='ou',
|
||||
help='LDAP attribute mapped to role name'),
|
||||
cfg.StrOpt('role_member_attribute', default='roleOccupant'),
|
||||
cfg.ListOpt('role_attribute_ignore', default=[]),
|
||||
cfg.BoolOpt('role_allow_create', default=True),
|
||||
cfg.BoolOpt('role_allow_update', default=True),
|
||||
cfg.BoolOpt('role_allow_delete', default=True),
|
||||
cfg.ListOpt('role_attribute_ignore', default=[],
|
||||
help='List of attributes stripped off the role on update'),
|
||||
cfg.BoolOpt('role_allow_create', default=True,
|
||||
help='Allow role creation in LDAP backend'),
|
||||
cfg.BoolOpt('role_allow_update', default=True,
|
||||
help='Allow role update in LDAP backend'),
|
||||
cfg.BoolOpt('role_allow_delete', default=True,
|
||||
help='Allow role deletion in LDAP backend'),
|
||||
cfg.ListOpt('role_additional_attribute_mapping',
|
||||
default=[]),
|
||||
default=[],
|
||||
help='Additional attribute mappings for roles. Attribute '
|
||||
'mapping format is <ldap_attr>:<user_attr>, where '
|
||||
'ldap_attr is the attribute in the LDAP entry and '
|
||||
'user_attr is the Identity API attribute.'),
|
||||
|
||||
cfg.StrOpt('group_tree_dn', default=None),
|
||||
cfg.StrOpt('group_filter', default=None),
|
||||
cfg.StrOpt('group_objectclass', default='groupOfNames'),
|
||||
cfg.StrOpt('group_id_attribute', default='cn'),
|
||||
cfg.StrOpt('group_name_attribute', default='ou'),
|
||||
cfg.StrOpt('group_member_attribute', default='member'),
|
||||
cfg.StrOpt('group_desc_attribute', default='description'),
|
||||
cfg.ListOpt('group_attribute_ignore', default=[]),
|
||||
cfg.BoolOpt('group_allow_create', default=True),
|
||||
cfg.BoolOpt('group_allow_update', default=True),
|
||||
cfg.BoolOpt('group_allow_delete', default=True),
|
||||
cfg.StrOpt('group_tree_dn', default=None,
|
||||
help='Search base for groups'),
|
||||
cfg.StrOpt('group_filter', default=None,
|
||||
help='LDAP search filter for groups'),
|
||||
cfg.StrOpt('group_objectclass', default='groupOfNames',
|
||||
help='LDAP objectClass for groups'),
|
||||
cfg.StrOpt('group_id_attribute', default='cn',
|
||||
help='LDAP attribute mapped to group id'),
|
||||
cfg.StrOpt('group_name_attribute', default='ou',
|
||||
help='LDAP attribute mapped to group name'),
|
||||
cfg.StrOpt('group_member_attribute', default='member',
|
||||
help='LDAP attribute mapped to show group membership'),
|
||||
cfg.StrOpt('group_desc_attribute', default='description',
|
||||
help='LDAP attribute mapped to group description'),
|
||||
cfg.ListOpt('group_attribute_ignore', default=[],
|
||||
help='List of attributes stripped off the group on '
|
||||
'update'),
|
||||
cfg.BoolOpt('group_allow_create', default=True,
|
||||
help='Allow group creation in LDAP backend'),
|
||||
cfg.BoolOpt('group_allow_update', default=True,
|
||||
help='Allow group update in LDAP backend'),
|
||||
cfg.BoolOpt('group_allow_delete', default=True,
|
||||
help='Allow group deletion in LDAP backend'),
|
||||
cfg.ListOpt('group_additional_attribute_mapping',
|
||||
default=[]),
|
||||
default=[],
|
||||
help='Additional attribute mappings for groups. Attribute '
|
||||
'mapping format is <ldap_attr>:<user_attr>, where '
|
||||
'ldap_attr is the attribute in the LDAP entry and '
|
||||
'user_attr is the Identity API attribute.'),
|
||||
|
||||
cfg.StrOpt('tls_cacertfile', default=None),
|
||||
cfg.StrOpt('tls_cacertdir', default=None),
|
||||
cfg.BoolOpt('use_tls', default=False),
|
||||
cfg.StrOpt('tls_cacertfile', default=None,
|
||||
help='CA certificate file path for communicating with '
|
||||
'LDAP servers'),
|
||||
cfg.StrOpt('tls_cacertdir', default=None,
|
||||
help='CA certificate directory path for communicating with '
|
||||
'LDAP servers'),
|
||||
cfg.BoolOpt('use_tls', default=False,
|
||||
help='Enable TLS for communicating with LDAP servers'),
|
||||
cfg.StrOpt('tls_req_cert', default='demand',
|
||||
help=('valid options for tls_req_cert are demand, never, '
|
||||
'and allow'))],
|
||||
help='valid options for tls_req_cert are demand, never, '
|
||||
'and allow')],
|
||||
'pam': [
|
||||
cfg.StrOpt('userid', default=None),
|
||||
cfg.StrOpt('password', default=None)],
|
||||
@ -471,15 +543,15 @@ FILE_OPTIONS = {
|
||||
help='The external (REMOTE_USER) auth plugin module.')],
|
||||
'paste_deploy': [
|
||||
cfg.StrOpt('config_file', default='keystone-paste.ini',
|
||||
help=('Name of the paste configuration file that defines '
|
||||
'the available pipelines'))],
|
||||
help='Name of the paste configuration file that defines '
|
||||
'the available pipelines')],
|
||||
'memcache': [
|
||||
cfg.ListOpt('servers', default=['localhost:11211'],
|
||||
help='Memcache servers in the format of "host:port"'),
|
||||
cfg.IntOpt('max_compare_and_set_retry', default=16,
|
||||
help=('Number of compare-and-set attempts to make when '
|
||||
'using compare-and-set in the token memcache back '
|
||||
'end'))],
|
||||
help='Number of compare-and-set attempts to make when '
|
||||
'using compare-and-set in the token memcache back '
|
||||
'end')],
|
||||
'catalog': [
|
||||
cfg.StrOpt('template_file',
|
||||
default='default_catalog.templates',
|
||||
@ -489,22 +561,22 @@ FILE_OPTIONS = {
|
||||
default='keystone.catalog.backends.sql.Catalog',
|
||||
help='Keystone catalog backend driver'),
|
||||
cfg.IntOpt('list_limit', default=None,
|
||||
help=('Maximum number of entities that will be returned '
|
||||
'in a catalog collection'))],
|
||||
help='Maximum number of entities that will be returned '
|
||||
'in a catalog collection')],
|
||||
'kvs': [
|
||||
cfg.ListOpt('backends', default=[],
|
||||
help='Extra dogpile.cache backend modules to register '
|
||||
'with the dogpile.cache library'),
|
||||
cfg.StrOpt('config_prefix', default='keystone.kvs',
|
||||
help=('Prefix for building the configuration dictionary '
|
||||
'for the KVS region. This should not need to be '
|
||||
'changed unless there is another dogpile.cache '
|
||||
'region with the same configuration name')),
|
||||
help='Prefix for building the configuration dictionary '
|
||||
'for the KVS region. This should not need to be '
|
||||
'changed unless there is another dogpile.cache '
|
||||
'region with the same configuration name'),
|
||||
cfg.BoolOpt('enable_key_mangler', default=True,
|
||||
help=('Toggle to disable using a key-mangling function '
|
||||
'to ensure fixed length keys. This is toggle-able '
|
||||
'for debugging purposes, it is highly recommended '
|
||||
'to always leave this set to True.')),
|
||||
help='Toggle to disable using a key-mangling function '
|
||||
'to ensure fixed length keys. This is toggle-able '
|
||||
'for debugging purposes, it is highly recommended '
|
||||
'to always leave this set to True.'),
|
||||
cfg.IntOpt('default_lock_timeout', default=5,
|
||||
help='Default lock timeout for distributed locking.')]}
|
||||
|
||||
|