Replace keystone.common.config with keystone.conf package
keystone.common.config is 1200+ lines of super dense, merge-conflict-prone, difficult to navigate, and finicky to maintain code. Let's follow nova's lead and break it down into more manageable modules. This patch creates a new Python package, keystone.conf, and moves all of our configuration options into it, mirroring nova's nova.conf package. There are a couple of special modules in keystone.conf introduced here as well: - keystone.conf.__init__: This causes all of Keystone's options to be registered on import, so consumers of keystone.conf don't have races with config initialization code while trying to use oslo_config.cfg.CONF directly (keystone.conf replaces all uses of oslo_config.cfg.CONF in keystone). - keystone.conf.base: Keystone's [DEFAULT] group options. I'd prefer this to be called 'default.py', but I'm just following nova's lead here. - keystone.conf.opts: The entry point for oslo.config itself. - keystone.conf.constants: There are a few constants (deprecation messages, default paths, etc.) that are used by multiple configuration modules, so they need to live in a common place. Change-Id: Ia3daffe3fef111b42de203762e966cd14d8927e2
parent
f6f4eb2df1
commit
d9c6b50a3a
|
@ -12,17 +12,17 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import sqlalchemy
|
import sqlalchemy
|
||||||
from sqlalchemy.sql.expression import false
|
from sqlalchemy.sql.expression import false
|
||||||
|
|
||||||
from keystone.assignment.backends import base
|
from keystone.assignment.backends import base
|
||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
class AssignmentType(object):
|
class AssignmentType(object):
|
||||||
|
|
|
@ -14,16 +14,16 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _LW
|
from keystone.i18n import _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,6 @@
|
||||||
import functools
|
import functools
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from six.moves import urllib
|
from six.moves import urllib
|
||||||
|
|
||||||
|
@ -28,12 +27,13 @@ from keystone.common import dependency
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
from keystone.common import validation
|
from keystone.common import validation
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
import copy
|
import copy
|
||||||
|
|
||||||
from oslo_cache import core as oslo_cache
|
from oslo_cache import core as oslo_cache
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
|
@ -27,13 +26,14 @@ from keystone.common import cache
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.i18n import _LI, _LE
|
from keystone.i18n import _LI, _LE
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
# This is a general cache region for assignment administration (CRUD
|
# This is a general cache region for assignment administration (CRUD
|
||||||
|
|
|
@ -14,16 +14,16 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -17,15 +17,15 @@
|
||||||
|
|
||||||
import functools
|
import functools
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
|
|
||||||
from keystone.assignment import controllers
|
from keystone.assignment import controllers
|
||||||
|
|
||||||
from keystone.common import json_home
|
from keystone.common import json_home
|
||||||
from keystone.common import router
|
from keystone.common import router
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
build_os_inherit_relation = functools.partial(
|
build_os_inherit_relation = functools.partial(
|
||||||
json_home.build_v3_extension_resource_relation,
|
json_home.build_v3_extension_resource_relation,
|
||||||
|
|
|
@ -15,7 +15,6 @@
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
from keystoneclient.common import cms
|
from keystoneclient.common import cms
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
|
@ -23,11 +22,11 @@ from oslo_utils import importutils
|
||||||
import six
|
import six
|
||||||
import stevedore
|
import stevedore
|
||||||
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.common import controller
|
from keystone.common import controller
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import constants
|
from keystone.federation import constants
|
||||||
from keystone.i18n import _, _LI, _LW
|
from keystone.i18n import _, _LI, _LW
|
||||||
|
@ -36,7 +35,7 @@ from keystone.resource import controllers as resource_controllers
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
# registry of authentication methods
|
# registry of authentication methods
|
||||||
AUTH_METHODS = {}
|
AUTH_METHODS = {}
|
||||||
|
@ -75,7 +74,7 @@ def load_auth_methods():
|
||||||
return
|
return
|
||||||
# config.setup_authentication should be idempotent, call it to ensure we
|
# config.setup_authentication should be idempotent, call it to ensure we
|
||||||
# have setup all the appropriate configuration options we may need.
|
# have setup all the appropriate configuration options we may need.
|
||||||
config.setup_authentication()
|
keystone.conf.auth.setup_authentication()
|
||||||
for plugin in set(CONF.auth.methods):
|
for plugin in set(CONF.auth.methods):
|
||||||
AUTH_METHODS[plugin] = load_auth_method(plugin)
|
AUTH_METHODS[plugin] = load_auth_method(plugin)
|
||||||
AUTH_PLUGINS_LOADED = True
|
AUTH_PLUGINS_LOADED = True
|
||||||
|
@ -389,7 +388,7 @@ class Auth(controller.V3Controller):
|
||||||
|
|
||||||
def __init__(self, *args, **kw):
|
def __init__(self, *args, **kw):
|
||||||
super(Auth, self).__init__(*args, **kw)
|
super(Auth, self).__init__(*args, **kw)
|
||||||
config.setup_authentication()
|
keystone.conf.auth.setup_authentication()
|
||||||
|
|
||||||
def authenticate_for_token(self, request, auth=None):
|
def authenticate_for_token(self, request, auth=None):
|
||||||
"""Authenticate user and issue a token."""
|
"""Authenticate user and issue a token."""
|
||||||
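Review bot: The comment above the call in load_auth_methods() still reads `# config.setup_authentication should be idempotent, call it to ensure we`, but the call beneath it is now `keystone.conf.auth.setup_authentication()` and this file no longer imports `keystone.common.config`, so the comment names a module the file does not reference. I would change it to `# keystone.conf.auth.setup_authentication should be idempotent, call it to ensure we`. The same function is also called from Auth.__init__, so every controller instantiation depends on that idempotency; keystone.conf.auth is not shown in this section, so the property should be confirmed against the moved implementation. load_auth_methods() begins above the hunk.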
|
|
|
@ -14,15 +14,15 @@
|
||||||
|
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -16,16 +16,16 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone import auth
|
from keystone import auth
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@six.add_metaclass(abc.ABCMeta)
|
@six.add_metaclass(abc.ABCMeta)
|
||||||
|
|
|
@ -12,7 +12,6 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
@ -20,6 +19,7 @@ from keystone import auth
|
||||||
from keystone.auth.plugins import mapped
|
from keystone.auth.plugins import mapped
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
|
@ -27,7 +27,7 @@ from keystone.models import token_model
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
|
@dependency.requires('federation_api', 'identity_api', 'token_provider_api')
|
||||||
|
|
|
@ -14,14 +14,14 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,6 @@
|
||||||
|
|
||||||
import itertools
|
import itertools
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import sqlalchemy
|
import sqlalchemy
|
||||||
from sqlalchemy.sql import true
|
from sqlalchemy.sql import true
|
||||||
|
|
||||||
|
@ -23,11 +22,12 @@ from keystone.catalog.backends import base
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
class Region(sql.ModelBase, sql.DictBase):
|
class Region(sql.ModelBase, sql.DictBase):
|
||||||
|
|
|
@ -15,19 +15,19 @@
|
||||||
import itertools
|
import itertools
|
||||||
import os.path
|
import os.path
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.catalog.backends import base
|
from keystone.catalog.backends import base
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _LC
|
from keystone.i18n import _LC
|
||||||
|
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def parse_templates(template_lines):
|
def parse_templates(template_lines):
|
||||||
|
|
|
@ -16,7 +16,6 @@
|
||||||
"""Main entry point into the Catalog service."""
|
"""Main entry point into the Catalog service."""
|
||||||
|
|
||||||
from oslo_cache import core as oslo_cache
|
from oslo_cache import core as oslo_cache
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
|
@ -25,12 +24,13 @@ from keystone.common import cache
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -25,12 +25,12 @@ from oslo_log import versionutils
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
import pbr.version
|
import pbr.version
|
||||||
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import openssl
|
from keystone.common import openssl
|
||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
from keystone.common.sql import migration_helpers
|
from keystone.common.sql import migration_helpers
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import idp
|
from keystone.federation import idp
|
||||||
from keystone.federation import utils as mapping_engine
|
from keystone.federation import utils as mapping_engine
|
||||||
|
@ -39,7 +39,7 @@ from keystone.server import backends
|
||||||
from keystone import token
|
from keystone import token
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
@ -955,9 +955,9 @@ command_opt = cfg.SubCommandOpt('command',
|
||||||
def main(argv=None, config_files=None):
|
def main(argv=None, config_files=None):
|
||||||
CONF.register_cli_opt(command_opt)
|
CONF.register_cli_opt(command_opt)
|
||||||
|
|
||||||
config.configure()
|
keystone.conf.configure()
|
||||||
sql.initialize()
|
sql.initialize()
|
||||||
config.set_default_for_default_log_levels()
|
keystone.conf.set_default_for_default_log_levels()
|
||||||
|
|
||||||
CONF(args=argv[1:],
|
CONF(args=argv[1:],
|
||||||
project='keystone',
|
project='keystone',
|
||||||
|
@ -966,5 +966,5 @@ def main(argv=None, config_files=None):
|
||||||
default_config_files=config_files)
|
default_config_files=config_files)
|
||||||
if not CONF.default_config_files:
|
if not CONF.default_config_files:
|
||||||
LOG.warning(_LW('Config file not found, using default configs.'))
|
LOG.warning(_LW('Config file not found, using default configs.'))
|
||||||
config.setup_logging()
|
keystone.conf.setup_logging()
|
||||||
CONF.command.cmd_class.main()
|
CONF.command.cmd_class.main()
|
||||||
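Review bot: main() declares `argv=None` but the visible body slices `argv[1:]` unconditionally in the `CONF(args=argv[1:], ...)` call, so calling it with the default raises TypeError after the CLI option is registered and before any configuration is parsed. This predates the commit, but since the surrounding lines are being touched it would be worth either dropping the default or guarding it, e.g. `argv = sys.argv if argv is None else argv` (assuming `sys` is imported in this module, which the visible hunks do not show). main() continues past the hunk boundary, so callers and any later handling are not visible here.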
|
|
|
@ -16,12 +16,12 @@
|
||||||
import dogpile.cache
|
import dogpile.cache
|
||||||
from dogpile.cache import api
|
from dogpile.cache import api
|
||||||
from oslo_cache import core as cache
|
from oslo_cache import core as cache
|
||||||
from oslo_config import cfg
|
|
||||||
|
|
||||||
from keystone.common.cache import _context_cache
|
from keystone.common.cache import _context_cache
|
||||||
|
import keystone.conf
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
CACHE_REGION = cache.create_region()
|
CACHE_REGION = cache.create_region()
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,6 @@
|
||||||
import functools
|
import functools
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
from oslo_utils import strutils
|
from oslo_utils import strutils
|
||||||
|
@ -26,13 +25,14 @@ from keystone.common import dependency
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LW
|
from keystone.i18n import _, _LW
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
|
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def v2_deprecated(f):
|
def v2_deprecated(f):
|
||||||
|
|
|
@ -20,14 +20,14 @@ import time
|
||||||
from dogpile.cache import api
|
from dogpile.cache import api
|
||||||
from dogpile.cache.backends import memcached
|
from dogpile.cache.backends import memcached
|
||||||
from oslo_cache.backends import memcache_pool
|
from oslo_cache.backends import memcache_pool
|
||||||
from oslo_config import cfg
|
|
||||||
from six.moves import range
|
from six.moves import range
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
NO_VALUE = api.NO_VALUE
|
NO_VALUE = api.NO_VALUE
|
||||||
random = _random.SystemRandom()
|
random = _random.SystemRandom()
|
||||||
|
|
||||||
|
|
|
@ -22,12 +22,12 @@ from dogpile.cache import proxy
|
||||||
from dogpile.cache import region
|
from dogpile.cache import region
|
||||||
from dogpile.cache import util as dogpile_util
|
from dogpile.cache import util as dogpile_util
|
||||||
from dogpile.core import nameregistry
|
from dogpile.core import nameregistry
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
from oslo_utils import importutils
|
from oslo_utils import importutils
|
||||||
from oslo_utils import reflection
|
from oslo_utils import reflection
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.i18n import _LI
|
from keystone.i18n import _LI
|
||||||
|
@ -39,7 +39,7 @@ __all__ = ('KeyValueStore', 'KeyValueStoreLock', 'LockTimeout',
|
||||||
|
|
||||||
|
|
||||||
BACKENDS_REGISTERED = False
|
BACKENDS_REGISTERED = False
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
KEY_VALUE_STORE_REGISTRY = weakref.WeakValueDictionary()
|
KEY_VALUE_STORE_REGISTRY = weakref.WeakValueDictionary()
|
||||||
LOCK_WINDOW = 1
|
LOCK_WINDOW = 1
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
|
@ -16,14 +16,14 @@
|
||||||
import os
|
import os
|
||||||
import subprocess # nosec : see comments in the code below
|
import subprocess # nosec : see comments in the code below
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone.i18n import _LI, _LE, _LW
|
from keystone.i18n import _LI, _LE, _LW
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
PUBLIC_DIR_PERMS = 0o755 # -rwxr-xr-x
|
PUBLIC_DIR_PERMS = 0o755 # -rwxr-xr-x
|
||||||
PRIVATE_DIR_PERMS = 0o750 # -rwxr-x---
|
PRIVATE_DIR_PERMS = 0o750 # -rwxr-x---
|
||||||
|
|
|
@ -15,11 +15,11 @@ import oslo_messaging
|
||||||
import osprofiler.notifier
|
import osprofiler.notifier
|
||||||
import osprofiler.web
|
import osprofiler.web
|
||||||
|
|
||||||
from keystone.common import config
|
import keystone.conf
|
||||||
from keystone.i18n import _LI
|
from keystone.i18n import _LI
|
||||||
|
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -10,10 +10,10 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import webob
|
import webob
|
||||||
from webob.descriptors import environ_getter
|
from webob.descriptors import environ_getter
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@ from keystone.i18n import _
|
||||||
# Environment variable used to pass the request context
|
# Environment variable used to pass the request context
|
||||||
CONTEXT_ENV = 'openstack.context'
|
CONTEXT_ENV = 'openstack.context'
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
class Request(webob.Request):
|
class Request(webob.Request):
|
||||||
|
|
|
@ -20,7 +20,6 @@ CONF() because it sets up configuration options.
|
||||||
"""
|
"""
|
||||||
import functools
|
import functools
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_db import exception as db_exception
|
from oslo_db import exception as db_exception
|
||||||
from oslo_db import options as db_options
|
from oslo_db import options as db_options
|
||||||
from oslo_db.sqlalchemy import enginefacade
|
from oslo_db.sqlalchemy import enginefacade
|
||||||
|
@ -35,11 +34,12 @@ from sqlalchemy import types as sql_types
|
||||||
|
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
ModelBase = declarative.declarative_base()
|
ModelBase = declarative.declarative_base()
|
||||||
|
|
|
@ -12,12 +12,12 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import sqlalchemy as sql
|
import sqlalchemy as sql
|
||||||
|
|
||||||
from keystone.common.sql import migration_helpers
|
from keystone.common.sql import migration_helpers
|
||||||
|
import keystone.conf
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
_RELAY_STATE_PREFIX = 'relay_state_prefix'
|
_RELAY_STATE_PREFIX = 'relay_state_prefix'
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -19,19 +19,19 @@ import sys
|
||||||
|
|
||||||
import migrate
|
import migrate
|
||||||
from migrate import exceptions
|
from migrate import exceptions
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_db.sqlalchemy import migration
|
from oslo_db.sqlalchemy import migration
|
||||||
from oslo_utils import importutils
|
from oslo_utils import importutils
|
||||||
import six
|
import six
|
||||||
import sqlalchemy
|
import sqlalchemy
|
||||||
|
|
||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
|
import keystone.conf
|
||||||
from keystone import contrib
|
from keystone import contrib
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
DEFAULT_EXTENSIONS = []
|
DEFAULT_EXTENSIONS = []
|
||||||
|
|
||||||
MIGRATED_EXTENSIONS = ['endpoint_policy',
|
MIGRATED_EXTENSIONS = ['endpoint_policy',
|
||||||
|
|
|
@ -15,18 +15,18 @@
|
||||||
|
|
||||||
import hashlib
|
import hashlib
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
|
||||||
from keystone.auth import controllers
|
from keystone.auth import controllers
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import constants as federation_constants
|
from keystone.federation import constants as federation_constants
|
||||||
from keystone.federation import utils
|
from keystone.federation import utils
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -25,7 +25,6 @@ import os
|
||||||
import pwd
|
import pwd
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
from oslo_utils import reflection
|
from oslo_utils import reflection
|
||||||
|
@ -36,11 +35,12 @@ import six
|
||||||
from six import moves
|
from six import moves
|
||||||
|
|
||||||
from keystone.common import authorization
|
from keystone.common import authorization
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LE, _LW
|
from keystone.i18n import _, _LE, _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
WHITELISTED_PROPERTIES = [
|
WHITELISTED_PROPERTIES = [
|
||||||
'tenant_id', 'project_id', 'user_id',
|
'tenant_id', 'project_id', 'user_id',
|
||||||
|
|
|
@ -24,7 +24,6 @@ import itertools
|
||||||
import re
|
import re
|
||||||
import wsgiref.util
|
import wsgiref.util
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import oslo_i18n
|
import oslo_i18n
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
|
@ -39,6 +38,7 @@ from keystone.common import dependency
|
||||||
from keystone.common import json_home
|
from keystone.common import json_home
|
||||||
from keystone.common import request as request_mod
|
from keystone.common import request as request_mod
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.i18n import _LI
|
from keystone.i18n import _LI
|
||||||
|
@ -46,7 +46,7 @@ from keystone.i18n import _LW
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
# Environment variable used to pass the request context
|
# Environment variable used to pass the request context
|
||||||
|
|
|
@ -0,0 +1,189 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import logging
|
||||||
|
|
||||||
|
from oslo_cache import core as cache
|
||||||
|
from oslo_config import cfg
|
||||||
|
from oslo_log import log
|
||||||
|
import oslo_messaging
|
||||||
|
from oslo_middleware import cors
|
||||||
|
from osprofiler import opts as profiler
|
||||||
|
|
||||||
|
from keystone.conf import assignment
|
||||||
|
from keystone.conf import auth
|
||||||
|
from keystone.conf import base
|
||||||
|
from keystone.conf import catalog
|
||||||
|
from keystone.conf import credential
|
||||||
|
from keystone.conf import domain_config
|
||||||
|
from keystone.conf import endpoint_filter
|
||||||
|
from keystone.conf import endpoint_policy
|
||||||
|
from keystone.conf import eventlet_server
|
||||||
|
from keystone.conf import federation
|
||||||
|
from keystone.conf import fernet_tokens
|
||||||
|
from keystone.conf import identity
|
||||||
|
from keystone.conf import identity_mapping
|
||||||
|
from keystone.conf import kvs
|
||||||
|
from keystone.conf import ldap
|
||||||
|
from keystone.conf import memcache
|
||||||
|
from keystone.conf import oauth1
|
||||||
|
from keystone.conf import os_inherit
|
||||||
|
from keystone.conf import paste_deploy
|
||||||
|
from keystone.conf import policy
|
||||||
|
from keystone.conf import resource
|
||||||
|
from keystone.conf import revoke
|
||||||
|
from keystone.conf import role
|
||||||
|
from keystone.conf import saml
|
||||||
|
from keystone.conf import shadow_users
|
||||||
|
from keystone.conf import signing
|
||||||
|
from keystone.conf import token
|
||||||
|
from keystone.conf import tokenless_auth
|
||||||
|
from keystone.conf import trust
|
||||||
|
|
||||||
|
|
||||||
|
CONF = cfg.CONF
|
||||||
|
|
||||||
|
|
||||||
|
conf_modules = [
|
||||||
|
assignment,
|
||||||
|
auth,
|
||||||
|
base,
|
||||||
|
catalog,
|
||||||
|
credential,
|
||||||
|
domain_config,
|
||||||
|
endpoint_filter,
|
||||||
|
endpoint_policy,
|
||||||
|
eventlet_server,
|
||||||
|
federation,
|
||||||
|
fernet_tokens,
|
||||||
|
identity,
|
||||||
|
identity_mapping,
|
||||||
|
kvs,
|
||||||
|
ldap,
|
||||||
|
memcache,
|
||||||
|
oauth1,
|
||||||
|
os_inherit,
|
||||||
|
paste_deploy,
|
||||||
|
policy,
|
||||||
|
resource,
|
||||||
|
revoke,
|
||||||
|
role,
|
||||||
|
saml,
|
||||||
|
shadow_users,
|
||||||
|
signing,
|
||||||
|
token,
|
||||||
|
tokenless_auth,
|
||||||
|
trust,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
# Options are registered when keystone.conf is first imported.
|
||||||
|
for module in conf_modules:
|
||||||
|
module.register_opts(CONF)
|
||||||
|
|
||||||
|
|
||||||
|
oslo_messaging.set_transport_defaults(control_exchange='keystone')
|
||||||
|
|
||||||
|
|
||||||
|
def set_default_for_default_log_levels():
|
||||||
|
"""Set the default for the default_log_levels option for keystone.
|
||||||
|
|
||||||
|
Keystone uses some packages that other OpenStack services don't use that do
|
||||||
|
logging. This will set the default_log_levels default level for those
|
||||||
|
packages.
|
||||||
|
|
||||||
|
This function needs to be called before CONF().
|
||||||
|
|
||||||
|
"""
|
||||||
|
extra_log_level_defaults = [
|
||||||
|
'dogpile=INFO',
|
||||||
|
'routes=INFO',
|
||||||
|
]
|
||||||
|
|
||||||
|
log.register_options(CONF)
|
||||||
|
log.set_defaults(default_log_levels=log.get_default_log_levels() +
|
||||||
|
extra_log_level_defaults)
|
||||||
|
|
||||||
|
|
||||||
|
def setup_logging():
|
||||||
|
"""Set up logging for the keystone package."""
|
||||||
|
log.setup(CONF, 'keystone')
|
||||||
|
logging.captureWarnings(True)
|
||||||
|
|
||||||
|
|
||||||
|
def configure(conf=None):
|
||||||
|
if conf is None:
|
||||||
|
conf = CONF
|
||||||
|
|
||||||
|
conf.register_cli_opt(
|
||||||
|
cfg.BoolOpt('standard-threads', default=False,
|
||||||
|
help='Do not monkey-patch threading system modules.'))
|
||||||
|
conf.register_cli_opt(
|
||||||
|
cfg.StrOpt('pydev-debug-host',
|
||||||
|
help='Host to connect to for remote debugger.'))
|
||||||
|
conf.register_cli_opt(
|
||||||
|
cfg.PortOpt('pydev-debug-port',
|
||||||
|
help='Port to connect to for remote debugger.'))
|
||||||
|
|
||||||
|
for module in conf_modules:
|
||||||
|
module.register_opts(conf)
|
||||||
|
|
||||||
|
# register any non-default auth methods here (used by extensions, etc)
|
||||||
|
auth.setup_authentication()
|
||||||
|
|
||||||
|
# add oslo.cache related config options
|
||||||
|
cache.configure(conf)
|
||||||
|
|
||||||
|
|
||||||
|
def set_external_opts_defaults():
|
||||||
|
"""Update default configuration options for oslo.middleware."""
|
||||||
|
# CORS Defaults
|
||||||
|
# TODO(krotscheck): Update with https://review.openstack.org/#/c/285368/
|
||||||
|
cfg.set_defaults(cors.CORS_OPTS,
|
||||||
|
allow_headers=['X-Auth-Token',
|
||||||
|
'X-Openstack-Request-Id',
|
||||||
|
'X-Subject-Token',
|
||||||
|
'X-Project-Id',
|
||||||
|
'X-Project-Name',
|
||||||
|
'X-Project-Domain-Id',
|
||||||
|
'X-Project-Domain-Name',
|
||||||
|
'X-Domain-Id',
|
||||||
|
'X-Domain-Name'],
|
||||||
|
expose_headers=['X-Auth-Token',
|
||||||
|
'X-Openstack-Request-Id',
|
||||||
|
'X-Subject-Token'],
|
||||||
|
allow_methods=['GET',
|
||||||
|
'PUT',
|
||||||
|
'POST',
|
||||||
|
'DELETE',
|
||||||
|
'PATCH']
|
||||||
|
)
|
||||||
|
|
||||||
|
# configure OSprofiler options
|
||||||
|
profiler.set_defaults(CONF, enabled=False, trace_sqlalchemy=False)
|
||||||
|
|
||||||
|
# Oslo.cache is always enabled by default for request-local caching
|
||||||
|
# TODO(morganfainberg): Fix this to not use internal interface when
|
||||||
|
# oslo.cache has proper interface to set defaults added. This is is
|
||||||
|
# just a bad way to do this.
|
||||||
|
opts = cache._opts.list_opts()
|
||||||
|
for opt_list in opts:
|
||||||
|
if opt_list[0] == 'cache':
|
||||||
|
for o in opt_list[1]:
|
||||||
|
if o.name == 'enabled':
|
||||||
|
o.default = True
|
||||||
|
|
||||||
|
|
||||||
|
def set_config_defaults():
|
||||||
|
"""Override all configuration default values for keystone."""
|
||||||
|
set_default_for_default_log_levels()
|
||||||
|
set_external_opts_defaults()
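Review bot: In `configure(conf=None)` the call `auth.setup_authentication()` passes no argument, so the non-default auth method options are registered on `cfg.CONF` rather than on the `conf` object the caller supplied, unlike every other registration in that function. Pass it through: `auth.setup_authentication(conf)`. The loop just above already reaches the same function through `auth.register_opts(conf)`, so the explicit call looks redundant; if it is kept on purpose, a comment saying why would help. `configure()` is also the only function in this file without a docstring.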
|
|
@ -0,0 +1,48 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the assignment backend driver in the keystone.assignment
|
||||||
|
namespace. Only an SQL driver is supplied. If an assignment driver is not
|
||||||
|
specified, the identity driver will choose the assignment driver (driver
|
||||||
|
selection based on `[identity]/driver` option is deprecated and will be removed
|
||||||
|
in the "O" release).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
prohibited_implied_role = cfg.ListOpt(
|
||||||
|
'prohibited_implied_role',
|
||||||
|
default=['admin'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
A list of role names which are prohibited from being an implied role.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
prohibited_implied_role
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
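Review bot: The help text for `prohibited_implied_role` says what the list is but not why `admin` is in it by default, and this is the one option in the module an operator could weaken by accident. As I read the option, a sentence such as `Removing 'admin' from this list allows another role to be configured to imply admin.` would make the consequence visible in the generated sample configuration. Separately, `ALL_OPTS` here ends without a trailing comma after `prohibited_implied_role`, unlike the same list in the other new modules.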
|
|
@ -0,0 +1,88 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import constants
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
methods = cfg.ListOpt(
|
||||||
|
'methods',
|
||||||
|
default=constants._DEFAULT_AUTH_METHODS,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allowed authentication methods.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
password = cfg.StrOpt( # nosec : This is the name of the plugin, not
|
||||||
|
'password', # a password that needs to be protected.
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the password auth plugin module in the keystone.auth.password
|
||||||
|
namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
token = cfg.StrOpt(
|
||||||
|
'token',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the token auth plugin module in the keystone.auth.token
|
||||||
|
namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
# deals with REMOTE_USER authentication
|
||||||
|
external = cfg.StrOpt(
|
||||||
|
'external',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the external (REMOTE_USER) auth plugin module in the
|
||||||
|
keystone.auth.external namespace. Supplied drivers are DefaultDomain and
|
||||||
|
Domain. The default driver is DefaultDomain.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
oauth1 = cfg.StrOpt(
|
||||||
|
'oauth1',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
|
||||||
|
namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
methods,
|
||||||
|
password,
|
||||||
|
token,
|
||||||
|
external,
|
||||||
|
oauth1,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def _register_auth_plugin_opt(conf, option):
|
||||||
|
conf.register_opt(option, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def setup_authentication(conf=None):
|
||||||
|
"""Register non-default auth methods (used by extensions, etc)."""
|
||||||
|
# register any non-default auth methods here (used by extensions, etc)
|
||||||
|
if conf is None:
|
||||||
|
conf = cfg.CONF
|
||||||
|
for method_name in conf.auth.methods:
|
||||||
|
if method_name not in constants._DEFAULT_AUTH_METHODS:
|
||||||
|
option = cfg.StrOpt(method_name)
|
||||||
|
_register_auth_plugin_opt(conf, option)
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
setup_authentication(conf)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
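Review bot: `register_opts()` calls `setup_authentication(conf)`, and the package `__init__` registers every module at import time, so the loop over `conf.auth.methods` first runs before any configuration file has been read. At that point it presumably sees only the default list and registers nothing, so an operator-configured extra method gets its option only if `setup_authentication` is called again after parsing. That ordering dependency deserves a comment on the call, for example `# No-op at import time; must be re-run once [auth] methods has been loaded.` The comment directly under the `setup_authentication` docstring repeats the docstring and can be dropped.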
|
|
@ -0,0 +1,224 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
_DEPRECATE_DII_MSG = utils.fmt("""
|
||||||
|
The option to set domain_id_immutable to false has been deprecated in the M
|
||||||
|
release and will be removed in the O release.
|
||||||
|
""")
|
||||||
|
|
||||||
|
|
||||||
|
admin_token = cfg.StrOpt(
|
||||||
|
'admin_token',
|
||||||
|
secret=True,
|
||||||
|
default=None,
|
||||||
|
help=utils.fmt("""
|
||||||
|
A "shared secret" that can be used to bootstrap Keystone. This "token" does not
|
||||||
|
represent a user, and carries no explicit authorization. If set to `None`, the
|
||||||
|
value is ignored and the `admin_token` log in mechanism is effectively
|
||||||
|
disabled. To completely disable `admin_token` in production (highly
|
||||||
|
recommended), remove AdminTokenAuthMiddleware from your paste application
|
||||||
|
pipelines (for example, in keystone-paste.ini).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
public_endpoint = cfg.StrOpt(
|
||||||
|
'public_endpoint',
|
||||||
|
help=utils.fmt("""
|
||||||
|
The base public endpoint URL for Keystone that is advertised to clients (NOTE:
|
||||||
|
this does NOT affect how Keystone listens for connections). Defaults to the
|
||||||
|
base host URL of the request. E.g. a request to http://server:5000/v3/users
|
||||||
|
will default to http://server:5000. You should only need to set this value if
|
||||||
|
the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found
|
||||||
|
on a different server.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
admin_endpoint = cfg.StrOpt(
|
||||||
|
'admin_endpoint',
|
||||||
|
help=utils.fmt("""
|
||||||
|
The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
|
||||||
|
this does NOT affect how Keystone listens for connections). Defaults to the
|
||||||
|
base host URL of the request. E.g. a request to http://server:35357/v3/users
|
||||||
|
will default to http://server:35357. You should only need to set this value if
|
||||||
|
the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found
|
||||||
|
on a different server.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
max_project_tree_depth = cfg.IntOpt(
|
||||||
|
'max_project_tree_depth',
|
||||||
|
default=5,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum depth of the project hierarchy, excluding the project acting as a
|
||||||
|
domain at the top of the hierarchy. WARNING: setting it to a large value may
|
||||||
|
adversely impact performance.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
max_param_size = cfg.IntOpt(
|
||||||
|
'max_param_size',
|
||||||
|
default=64,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Limit the sizes of user & project ID/names.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
# we allow tokens to be a bit larger to accommodate PKI
|
||||||
|
max_token_size = cfg.IntOpt(
|
||||||
|
'max_token_size',
|
||||||
|
default=8192,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Similar to max_param_size, but provides an exception for token values.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
member_role_id = cfg.StrOpt(
|
||||||
|
'member_role_id',
|
||||||
|
default='9fe2ff9ee4384b1894a90878d3e92bab',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Similar to the member_role_name option, this represents the default role ID
|
||||||
|
used to associate users with their default projects in the v2 API. This will be
|
||||||
|
used as the explicit role where one is not specified by the v2 API.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
member_role_name = cfg.StrOpt(
|
||||||
|
'member_role_name',
|
||||||
|
default='_member_',
|
||||||
|
help=utils.fmt("""
|
||||||
|
This is the role name used in combination with the member_role_id option; see
|
||||||
|
that option for more detail.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
# NOTE(lbragstad/morganfainberg): This value of 10k was measured as having an
|
||||||
|
# approximate 30% clock-time savings over the old default of 40k. The passlib
|
||||||
|
# default is not static and grows over time to constantly approximate ~300ms of
|
||||||
|
# CPU time to hash; this was considered too high. This value still exceeds the
|
||||||
|
# glibc default of 5k.
|
||||||
|
crypt_strength = cfg.IntOpt(
|
||||||
|
'crypt_strength',
|
||||||
|
default=10000,
|
||||||
|
min=1000,
|
||||||
|
max=100000,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The value passed as the keyword "rounds" to passlib\'s encrypt method.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
list_limit = cfg.IntOpt(
|
||||||
|
'list_limit',
|
||||||
|
help=utils.fmt("""
|
||||||
|
The maximum number of entities that will be returned in a collection, with no
|
||||||
|
limit set by default. This global limit may be then overridden for a specific
|
||||||
|
driver, by specifying a list_limit in the appropriate section (e.g.
|
||||||
|
[assignment]).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
domain_id_immutable = cfg.BoolOpt(
|
||||||
|
'domain_id_immutable',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATE_DII_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Set this to false if you want to enable the ability for user, group and project
|
||||||
|
entities to be moved between domains by updating their domain_id. Allowing such
|
||||||
|
movement is not recommended if the scope of a domain admin is being restricted
|
||||||
|
by use of an appropriate policy file (see policy.v3cloudsample as an example).
|
||||||
|
This ability is deprecated and will be removed in a future release.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
strict_password_check = cfg.BoolOpt(
|
||||||
|
'strict_password_check',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
If set to true, strict password length checking is performed for password
|
||||||
|
manipulation. If a password exceeds the maximum length, the operation will fail
|
||||||
|
with an HTTP 403 Forbidden error. If set to false, passwords are automatically
|
||||||
|
truncated to the maximum length.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
secure_proxy_ssl_header = cfg.StrOpt(
|
||||||
|
'secure_proxy_ssl_header',
|
||||||
|
default='HTTP_X_FORWARDED_PROTO',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=utils.fmt("""
|
||||||
|
Use http_proxy_to_wsgi middleware configuration instead.
|
||||||
|
"""),
|
||||||
|
help=utils.fmt("""
|
||||||
|
The HTTP header used to determine the scheme for the original request, even if
|
||||||
|
it was removed by an SSL terminating proxy.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
insecure_debug = cfg.BoolOpt(
|
||||||
|
'insecure_debug',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
If set to true the server will return information in the response that may
|
||||||
|
allow an unauthenticated or authenticated user to get more information than
|
||||||
|
normal, such as why authentication failed. This may be useful for debugging but
|
||||||
|
is insecure.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
default_publisher_id = cfg.StrOpt(
|
||||||
|
'default_publisher_id',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Default publisher_id for outgoing notifications
|
||||||
|
"""))
|
||||||
|
|
||||||
|
notification_format = cfg.StrOpt(
|
||||||
|
'notification_format',
|
||||||
|
default='basic',
|
||||||
|
choices=['basic', 'cadf'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Define the notification format for Identity Service events. A "basic"
|
||||||
|
notification has information about the resource being operated on. A "cadf"
|
||||||
|
notification has the same information, as well as information about the
|
||||||
|
initiator of the event.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
notification_opt_out = cfg.MultiStrOpt(
|
||||||
|
'notification_opt_out',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Define the notification options to opt-out from. The value expected is:
|
||||||
|
identity.<resource_type>.<operation>. This field can be set multiple times in
|
||||||
|
order to add more notifications to opt-out from. For example:
|
||||||
|
notification_opt_out=identity.user.create
|
||||||
|
notification_opt_out=identity.authenticate.success
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = 'DEFAULT'
|
||||||
|
ALL_OPTS = [
|
||||||
|
admin_token,
|
||||||
|
public_endpoint,
|
||||||
|
admin_endpoint,
|
||||||
|
max_project_tree_depth,
|
||||||
|
max_param_size,
|
||||||
|
max_token_size,
|
||||||
|
member_role_id,
|
||||||
|
member_role_name,
|
||||||
|
crypt_strength,
|
||||||
|
list_limit,
|
||||||
|
domain_id_immutable,
|
||||||
|
strict_password_check,
|
||||||
|
secure_proxy_ssl_header,
|
||||||
|
insecure_debug,
|
||||||
|
default_publisher_id,
|
||||||
|
notification_format,
|
||||||
|
notification_opt_out,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
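Review bot: `strict_password_check` keeps `default=False`, and its help text describes truncation to "the maximum length" without saying which option sets that length. With truncation, two long passwords that share the same leading characters are accepted as the same password, so operators need to know where the limit is configured. The help should name that option (presumably `[identity] max_password_size`, to be confirmed against the identity module). In the same file, the `\'` in the `crypt_strength` help is an unnecessary escape inside a triple-quoted string; plain `passlib's` reads the same.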
|
|
@ -0,0 +1,70 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
template_file = cfg.StrOpt(
|
||||||
|
'template_file',
|
||||||
|
default='default_catalog.templates',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Catalog template file name for use with the template catalog backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the catalog backend driver in the keystone.catalog namespace.
|
||||||
|
Supplied drivers are kvs, sql, templated, and endpoint_filter.sql
|
||||||
|
"""))
|
||||||
|
|
||||||
|
aching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for catalog caching. This has no effect unless global caching is
|
||||||
|
enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Time to cache catalog data (in seconds). This has no effect unless global and
|
||||||
|
catalog caching are enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
list_limit = cfg.IntOpt(
|
||||||
|
'list_limit',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum number of entities that will be returned in a catalog collection.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
template_file,
|
||||||
|
driver,
|
||||||
|
aching,
|
||||||
|
cache_time,
|
||||||
|
list_limit,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
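Review bot: The module-level name `aching` (assigned from `cfg.BoolOpt('caching', ...)` and listed again in `ALL_OPTS`) looks like a typo for `caching`, which is what the domain_config module in this commit calls the equivalent option. The registered option name is still `'caching'`, so behaviour is unaffected, but the variable should be renamed in both places: `caching = cfg.BoolOpt(` and `caching,`. The `driver` help text is also missing its final full stop.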
|
|
@ -0,0 +1,30 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
"""Constants for use in the keystone.conf package.
|
||||||
|
|
||||||
|
These constants are shared by more than one module in the keystone.conf
|
||||||
|
package.
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
_DEFAULT_AUTH_METHODS = ['external', 'password', 'token', 'oauth1']
|
||||||
|
|
||||||
|
_CERTFILE = '/etc/keystone/ssl/certs/signing_cert.pem'
|
||||||
|
_KEYFILE = '/etc/keystone/ssl/private/signing_key.pem'
|
||||||
|
|
||||||
|
_DEPRECATE_PKI_MSG = utils.fmt("""
|
||||||
|
PKI token support has been deprecated in the M release and will be removed in
|
||||||
|
the O release. Fernet or UUID tokens are recommended.
|
||||||
|
""")
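Review bot: Every name in this module carries a leading underscore (`_DEFAULT_AUTH_METHODS`, `_CERTFILE`, `_KEYFILE`, `_DEPRECATE_PKI_MSG`) although the module docstring says the constants exist to be shared, and the auth module already reads `constants._DEFAULT_AUTH_METHODS`. Either drop the underscores or add a comment such as `# Private to the keystone.conf package; not part of keystone's public API.` `_DEFAULT_AUTH_METHODS` is a mutable list used both as an option default and for membership tests in the auth module, so a note that it must not be modified in place would also be worthwhile.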
|
|
@ -0,0 +1,38 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the credential backend driver in the keystone.credential
|
||||||
|
namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,56 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the domain config backend driver in the
|
||||||
|
keystone.resource.domain_config namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for domain config caching. This has no effect unless global caching is
|
||||||
|
enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
default=300,
|
||||||
|
help=utils.fmt("""
|
||||||
|
TTL (in seconds) to cache domain config data. This has no effect unless domain
|
||||||
|
config caching is enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
caching,
|
||||||
|
cache_time,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,46 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the endpoint filter backend driver in the
|
||||||
|
keystone.endpoint_filter namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
return_all_endpoints_if_no_filter = cfg.BoolOpt(
|
||||||
|
'return_all_endpoints_if_no_filter',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle to return all active endpoints if no filter exists.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
return_all_endpoints_if_no_filter,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,52 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
enabled = cfg.BoolOpt(
|
||||||
|
'enabled',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=utils.fmt("""
|
||||||
|
The option to enable the OS-ENDPOINT-POLICY extension has been deprecated in
|
||||||
|
the M release and will be removed in the O release. The OS-ENDPOINT-POLICY
|
||||||
|
extension will be enabled by default.
|
||||||
|
"""),
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enable endpoint_policy functionality.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the endpoint policy backend driver in the
|
||||||
|
keystone.endpoint_policy namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
enabled,
|
||||||
|
driver,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,90 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
_DEPRECATE_EVENTLET_MSG = utils.fmt("""
|
||||||
|
Support for running keystone under eventlet has been removed in the N release.
|
||||||
|
These options remain for backwards compatibility because they are used for URL
|
||||||
|
substitutions.
|
||||||
|
""")
|
||||||
|
|
||||||
|
|
||||||
|
public_bind_host = cfg.StrOpt(
|
||||||
|
'public_bind_host',
|
||||||
|
default='0.0.0.0', # nosec : Bind to all interfaces by default for
|
||||||
|
# backwards compatibility.
|
||||||
|
deprecated_opts=[
|
||||||
|
cfg.DeprecatedOpt('bind_host', group='DEFAULT'),
|
||||||
|
cfg.DeprecatedOpt('public_bind_host', group='DEFAULT'),
|
||||||
|
],
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATE_EVENTLET_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The IP address of the network interface for the public service to listen on.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
public_port = cfg.PortOpt(
|
||||||
|
'public_port',
|
||||||
|
default=5000,
|
||||||
|
deprecated_name='public_port',
|
||||||
|
deprecated_group='DEFAULT',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATE_EVENTLET_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The port number which the public service listens on.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
admin_bind_host = cfg.StrOpt(
|
||||||
|
'admin_bind_host',
|
||||||
|
default='0.0.0.0', # nosec : Bind to all interfaces by default for
|
||||||
|
# backwards compatibility.
|
||||||
|
deprecated_opts=[
|
||||||
|
cfg.DeprecatedOpt('bind_host', group='DEFAULT'),
|
||||||
|
cfg.DeprecatedOpt('admin_bind_host', group='DEFAULT'),
|
||||||
|
],
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATE_EVENTLET_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The IP address of the network interface for the admin service to listen on.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
admin_port = cfg.PortOpt(
|
||||||
|
'admin_port',
|
||||||
|
default=35357,
|
||||||
|
deprecated_name='admin_port',
|
||||||
|
deprecated_group='DEFAULT',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATE_EVENTLET_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The port number which the admin service listens on.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
public_bind_host,
|
||||||
|
public_port,
|
||||||
|
admin_bind_host,
|
||||||
|
admin_port,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
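Review bot: The help strings for `public_bind_host` and `admin_bind_host` still say the service listens on this address, while `_DEPRECATE_EVENTLET_MSG` in the same file says eventlet support has been removed and the options remain only for URL substitution. An operator reading the generated sample config could change `0.0.0.0` here and assume the listener is now restricted, when the bind address is presumably decided by whatever server fronts keystone (inferred from the deprecation text; the consumer code is not in this section). I would reword the help, e.g. `Used only for URL substitution; does not control which interface keystone listens on.`, and do the same for the two port options. If the value is never passed to a socket bind, the `# nosec` comments could say so instead of citing backwards compatibility.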
|
|
@ -0,0 +1,97 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the federation backend driver in the keystone.federation
|
||||||
|
namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
assertion_prefix = cfg.StrOpt(
|
||||||
|
'assertion_prefix',
|
||||||
|
default='',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Value to be used when filtering assertion parameters from the environment.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
remote_id_attribute = cfg.StrOpt(
|
||||||
|
'remote_id_attribute',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Value to be used to obtain the entity ID of the Identity Provider from the
|
||||||
|
environment (e.g. if using the mod_shib plugin this value is
|
||||||
|
`Shib-Identity-Provider`).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
federated_domain_name = cfg.StrOpt(
|
||||||
|
'federated_domain_name',
|
||||||
|
default='Federated',
|
||||||
|
help=utils.fmt("""
|
||||||
|
A domain name that is reserved to allow federated ephemeral users to have a
|
||||||
|
domain concept. Note that an admin will not be able to create a domain with
|
||||||
|
this name or update an existing domain to this name. You are not advised to
|
||||||
|
change this value unless you really have to.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
trusted_dashboard = cfg.MultiStrOpt(
|
||||||
|
'trusted_dashboard',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
A list of trusted dashboard hosts. Before accepting a Single Sign-On request to
|
||||||
|
return a token, the origin host must be a member of the trusted_dashboard list.
|
||||||
|
This configuration option may be repeated for multiple values. For example:
|
||||||
|
trusted_dashboard=http://acme.com/auth/websso
|
||||||
|
trusted_dashboard=http://beta.com/auth/websso
|
||||||
|
"""))
|
||||||
|
|
||||||
|
sso_callback_template = cfg.StrOpt(
|
||||||
|
'sso_callback_template',
|
||||||
|
default='/etc/keystone/sso_callback_template.html',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Location of Single Sign-On callback handler, will return a token to a trusted
|
||||||
|
dashboard host.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for federation caching. This has no effect unless global caching is
|
||||||
|
enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
assertion_prefix,
|
||||||
|
remote_id_attribute,
|
||||||
|
federated_domain_name,
|
||||||
|
trusted_dashboard,
|
||||||
|
sso_callback_template,
|
||||||
|
caching,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
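Review bot: The `trusted_dashboard` help calls the values "hosts", but both examples are full URLs and both use plain `http://`. This list decides which origin may receive a token after a Single Sign-On request, so the example operators will copy should use `https://`, e.g. `trusted_dashboard=https://acme.com/auth/websso`. The text should also say that the whole origin URL is compared; the comparison is outside this section, so confirm whether it is an exact string match. Separately, `assertion_prefix` defaults to `''`, and the help could state what an empty prefix means for the filtering it describes.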
|
|
@ -0,0 +1,49 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
key_repository = cfg.StrOpt(
|
||||||
|
'key_repository',
|
||||||
|
default='/etc/keystone/fernet-keys/',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Directory containing Fernet token keys.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
max_active_keys = cfg.IntOpt(
|
||||||
|
'max_active_keys',
|
||||||
|
default=3,
|
||||||
|
help=utils.fmt("""
|
||||||
|
This controls how many keys are held in rotation by keystone-manage
|
||||||
|
fernet_rotate before they are discarded. The default value of 3 means that
|
||||||
|
keystone will maintain one staged key, one primary key, and one secondary key.
|
||||||
|
Increasing this value means that additional secondary keys will be kept in the
|
||||||
|
rotation.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
key_repository,
|
||||||
|
max_active_keys,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
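Review bot: `max_active_keys` has no lower bound, although its help describes a rotation made of a staged, a primary and a secondary key. `cfg.IntOpt` accepts bounds (this commit already uses `max=` on `max_password_length`), so adding `min=1,` after `default=3,` would reject zero or negative values at config load instead of leaving that to the rotation code, which is not visible here. The `key_repository` help could also say that the directory holds the token encryption keys and should be readable only by the keystone service user.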
|
|
@ -0,0 +1,120 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
import passlib.utils
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
default_domain_id = cfg.StrOpt(
|
||||||
|
'default_domain_id',
|
||||||
|
default='default',
|
||||||
|
help=utils.fmt("""
|
||||||
|
This references the domain to use for all Identity API v2 requests (which are
|
||||||
|
not aware of domains). A domain with this ID will be created for you by
|
||||||
|
keystone-manage db_sync in migration 008. The domain referenced by this ID
|
||||||
|
cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
|
||||||
|
There is nothing special about this domain, other than the fact that it must
|
||||||
|
exist to order to maintain support for your v2 clients.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
domain_specific_drivers_enabled = cfg.BoolOpt(
|
||||||
|
'domain_specific_drivers_enabled',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
A subset (or all) of domains can have their own identity driver, each with
|
||||||
|
their own partial configuration options, stored in either the resource backend
|
||||||
|
or in a file in a domain configuration directory (depending on the setting of
|
||||||
|
domain_configurations_from_database). Only values specific to the domain need
|
||||||
|
to be specified in this manner. This feature is disabled by default; set to
|
||||||
|
true to enable.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
domain_configurations_from_database = cfg.BoolOpt(
|
||||||
|
'domain_configurations_from_database',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Extract the domain specific configuration options from the resource backend
|
||||||
|
where they have been stored with the domain data. This feature is disabled by
|
||||||
|
default (in which case the domain specific options will be loaded from files in
|
||||||
|
the domain configuration directory); set to true to enable.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
domain_config_dir = cfg.StrOpt(
|
||||||
|
'domain_config_dir',
|
||||||
|
default='/etc/keystone/domains',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path for Keystone to locate the domain specific identity configuration files if
|
||||||
|
domain_specific_drivers_enabled is set to true.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the identity backend driver in the keystone.identity namespace.
|
||||||
|
Supplied drivers are ldap and sql.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for identity caching. This has no effect unless global caching is
|
||||||
|
enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
default=600,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Time to cache identity data (in seconds). This has no effect unless global and
|
||||||
|
identity caching are enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
max_password_length = cfg.IntOpt(
|
||||||
|
'max_password_length',
|
||||||
|
default=4096,
|
||||||
|
max=passlib.utils.MAX_PASSWORD_SIZE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum supported length for user passwords; decrease to improve
|
||||||
|
performance.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
list_limit = cfg.IntOpt(
|
||||||
|
'list_limit',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum number of entities that will be returned in an identity collection.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
default_domain_id,
|
||||||
|
domain_specific_drivers_enabled,
|
||||||
|
domain_configurations_from_database,
|
||||||
|
domain_config_dir,
|
||||||
|
driver,
|
||||||
|
caching,
|
||||||
|
cache_time,
|
||||||
|
max_password_length,
|
||||||
|
list_limit,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
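Review bot: `max_password_length` is bounded above with `max=passlib.utils.MAX_PASSWORD_SIZE` but has no lower bound, and `cache_time` and `list_limit` have no bounds at all, so zero or negative values pass option validation. Adding `min=1,` to `max_password_length`, and a `min=` to the other two if their consumers do not treat 0 specially, would make a typo fail at startup rather than in the password or listing path. The help should also say whether a password longer than the limit is truncated or rejected; it does not say, and the handling code is outside this section. Minor: "exist to order to maintain" in the `default_domain_id` help should read "exist in order to maintain".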
|
|
@ -0,0 +1,67 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the identity mapping backend driver in the
|
||||||
|
keystone.identity.id_mapping namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
generator = cfg.StrOpt(
|
||||||
|
'generator',
|
||||||
|
default='sha256',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the public ID generator for user and group entities in the
|
||||||
|
keystone.identity.id_generator namespace. The Keystone identity mapper only
|
||||||
|
supports generators that produce no more than 64 characters.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
backward_compatible_ids = cfg.BoolOpt(
|
||||||
|
'backward_compatible_ids',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The format of user and group IDs changed in Juno for backends that do not
|
||||||
|
generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
|
||||||
|
underlying attribute in LDAP. By default this mapping is disabled, which
|
||||||
|
ensures that existing IDs will not change. Even when the mapping is enabled by
|
||||||
|
using domain specific drivers, any users and groups from the default domain
|
||||||
|
being handled by LDAP will still not be mapped to ensure their IDs remain
|
||||||
|
backward compatible. Setting this value to False will enable the mapping for
|
||||||
|
even the default LDAP driver. It is only safe to do this if you do not already
|
||||||
|
have assignments for users and groups from the default LDAP domain, and it is
|
||||||
|
acceptable for Keystone to provide the different IDs to clients than it did
|
||||||
|
previously. Typically this means that the only time you can set this value to
|
||||||
|
False is when configuring a fresh installation.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
generator,
|
||||||
|
backward_compatible_ids,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,66 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
backends = cfg.ListOpt(
|
||||||
|
'backends',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Extra dogpile.cache backend modules to register with the dogpile.cache
|
||||||
|
library.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
config_prefix = cfg.StrOpt(
|
||||||
|
'config_prefix',
|
||||||
|
default='keystone.kvs',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Prefix for building the configuration dictionary for the KVS region. This
|
||||||
|
should not need to be changed unless there is another dogpile.cache region with
|
||||||
|
the same configuration name.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
enable_key_mangler = cfg.BoolOpt(
|
||||||
|
'enable_key_mangler',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle to disable using a key-mangling function to ensure fixed length keys.
|
||||||
|
This is toggle-able for debugging purposes, it is highly recommended to always
|
||||||
|
leave this set to true.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
default_lock_timeout = cfg.IntOpt(
|
||||||
|
'default_lock_timeout',
|
||||||
|
default=5,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Default lock timeout (in seconds) for distributed locking.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
backends,
|
||||||
|
config_prefix,
|
||||||
|
enable_key_mangler,
|
||||||
|
default_lock_timeout,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
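Review bot: The `enable_key_mangler` help opens with "Toggle to disable", but the option is named `enable_…` and defaults to `True`, so the text reads as the inverse of what the value does. I would reword it to `Enable a key-mangling function that ensures fixed-length keys. Disable only for debugging; leaving this set to true is highly recommended.` The `backends` help says the entries are modules to register with dogpile.cache. If they are imported by name at startup (the loading code is not in this section), the help should note that anyone able to edit this option can choose code that keystone loads, so the config file must be writable only by the service administrator.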
|
|
@ -0,0 +1,545 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
_DEPRECATED_LDAP_WRITE = utils.fmt("""
|
||||||
|
Write support for Identity LDAP backends has been deprecated in the M release
|
||||||
|
and will be removed in the O release.
|
||||||
|
""")
|
||||||
|
|
||||||
|
|
||||||
|
url = cfg.StrOpt(
|
||||||
|
'url',
|
||||||
|
default='ldap://localhost',
|
||||||
|
help=utils.fmt("""
|
||||||
|
URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
|
||||||
|
as a comma separated string. The first URL to successfully bind is used for the
|
||||||
|
connection.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user = cfg.StrOpt(
|
||||||
|
'user',
|
||||||
|
help=utils.fmt("""
|
||||||
|
User BindDN to query the LDAP server.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
password = cfg.StrOpt(
|
||||||
|
'password',
|
||||||
|
secret=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Password for the BindDN to query the LDAP server.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
suffix = cfg.StrOpt(
|
||||||
|
'suffix',
|
||||||
|
default='cn=example,cn=com',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP server suffix
|
||||||
|
"""))
|
||||||
|
|
||||||
|
use_dumb_member = cfg.BoolOpt(
|
||||||
|
'use_dumb_member',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
If true, will add a dummy member to groups. This is required if the objectclass
|
||||||
|
for groups requires the "member" attribute.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
dumb_member = cfg.StrOpt(
|
||||||
|
'dumb_member',
|
||||||
|
default='cn=dumb,dc=nonexistent',
|
||||||
|
help=utils.fmt("""
|
||||||
|
DN of the "dummy member" to use when "use_dumb_member" is enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
allow_subtree_delete = cfg.BoolOpt(
|
||||||
|
'allow_subtree_delete',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Delete subtrees using the subtree delete control. Only enable this option if
|
||||||
|
your LDAP server supports subtree deletion.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
query_scope = cfg.StrOpt(
|
||||||
|
'query_scope',
|
||||||
|
default='one',
|
||||||
|
choices=['one', 'sub'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
|
||||||
|
represents subtree/wholeSubtree options.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
page_size = cfg.IntOpt(
|
||||||
|
'page_size',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum results per page; a value of zero ("0") disables paging.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
alias_dereferencing = cfg.StrOpt(
|
||||||
|
'alias_dereferencing',
|
||||||
|
default='default',
|
||||||
|
choices=['never', 'searching', 'always', 'finding', 'default'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
The LDAP dereferencing option for queries. The "default" option falls back to
|
||||||
|
using default dereferencing configured by your ldap.conf.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
debug_level = cfg.IntOpt(
|
||||||
|
'debug_level',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging
|
||||||
|
is not enabled. This value is a bitmask, consult your LDAP documentation for
|
||||||
|
possible values.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
chase_referrals = cfg.BoolOpt(
|
||||||
|
'chase_referrals',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Override the system's default referral chasing behavior for queries.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_tree_dn = cfg.StrOpt(
|
||||||
|
'user_tree_dn',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Search base for users. Defaults to the suffix value.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_filter = cfg.StrOpt(
|
||||||
|
'user_filter',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP search filter for users.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_objectclass = cfg.StrOpt(
|
||||||
|
'user_objectclass',
|
||||||
|
default='inetOrgPerson',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP objectclass for users.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_id_attribute = cfg.StrOpt(
|
||||||
|
'user_id_attribute',
|
||||||
|
default='cn',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to user id. WARNING: must not be a multivalued
|
||||||
|
attribute.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_name_attribute = cfg.StrOpt(
|
||||||
|
'user_name_attribute',
|
||||||
|
default='sn',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to user name.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_description_attribute = cfg.StrOpt(
|
||||||
|
'user_description_attribute',
|
||||||
|
default='description',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to user description.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_mail_attribute = cfg.StrOpt(
|
||||||
|
'user_mail_attribute',
|
||||||
|
default='mail',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to user email.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_pass_attribute = cfg.StrOpt(
|
||||||
|
'user_pass_attribute',
|
||||||
|
default='userPassword',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to password.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_attribute = cfg.StrOpt(
|
||||||
|
'user_enabled_attribute',
|
||||||
|
default='enabled',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to user enabled flag.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_invert = cfg.BoolOpt(
|
||||||
|
'user_enabled_invert',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Invert the meaning of the boolean enabled values. Some LDAP servers use a
|
||||||
|
boolean lock attribute where "true" means an account is disabled. Setting
|
||||||
|
"user_enabled_invert = true" will allow these lock attributes to be used. This
|
||||||
|
setting will have no effect if "user_enabled_mask" or "user_enabled_emulation"
|
||||||
|
settings are in use.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_mask = cfg.IntOpt(
|
||||||
|
'user_enabled_mask',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Bitmask integer to indicate the bit that the enabled value is stored in if the
|
||||||
|
LDAP server represents "enabled" as a bit on an integer rather than a boolean.
|
||||||
|
A value of "0" indicates the mask is not used. If this is not set to "0" the
|
||||||
|
typical value is "2". This is typically used when "user_enabled_attribute =
|
||||||
|
userAccountControl".
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_default = cfg.StrOpt(
|
||||||
|
'user_enabled_default',
|
||||||
|
default='True',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Default value to enable users. This should match an appropriate int value if
|
||||||
|
the LDAP server uses non-boolean (bitmask) values to indicate if a user is
|
||||||
|
enabled or disabled. If this is not set to "True" the typical value is "512".
|
||||||
|
This is typically used when "user_enabled_attribute = userAccountControl".
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_attribute_ignore = cfg.ListOpt(
|
||||||
|
'user_attribute_ignore',
|
||||||
|
default=['default_project_id'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
List of attributes stripped off the user on update.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_default_project_id_attribute = cfg.StrOpt(
|
||||||
|
'user_default_project_id_attribute',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to default_project_id for users.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_allow_create = cfg.BoolOpt(
|
||||||
|
'user_allow_create',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow user creation in LDAP backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_allow_update = cfg.BoolOpt(
|
||||||
|
'user_allow_update',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow user updates in LDAP backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_allow_delete = cfg.BoolOpt(
|
||||||
|
'user_allow_delete',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow user deletion in LDAP backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_emulation = cfg.BoolOpt(
|
||||||
|
'user_enabled_emulation',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
If true, Keystone uses an alternative method to determine if a user is enabled
|
||||||
|
or not by checking if they are a member of the "user_enabled_emulation_dn"
|
||||||
|
group.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_emulation_dn = cfg.StrOpt(
|
||||||
|
'user_enabled_emulation_dn',
|
||||||
|
help=utils.fmt("""
|
||||||
|
DN of the group entry to hold enabled users when using enabled emulation.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_enabled_emulation_use_group_config = cfg.BoolOpt(
|
||||||
|
'user_enabled_emulation_use_group_config',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Use the "group_member_attribute" and "group_objectclass" settings to determine
|
||||||
|
membership in the emulated enabled group.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
user_additional_attribute_mapping = cfg.ListOpt(
|
||||||
|
'user_additional_attribute_mapping',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
List of additional LDAP attributes used for mapping additional attribute
|
||||||
|
mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where
|
||||||
|
ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API
|
||||||
|
attribute.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_tree_dn = cfg.StrOpt(
|
||||||
|
'group_tree_dn',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Search base for groups. Defaults to the suffix value.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_filter = cfg.StrOpt(
|
||||||
|
'group_filter',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP search filter for groups.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_objectclass = cfg.StrOpt(
|
||||||
|
'group_objectclass',
|
||||||
|
default='groupOfNames',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP objectclass for groups.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_id_attribute = cfg.StrOpt(
|
||||||
|
'group_id_attribute',
|
||||||
|
default='cn',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to group id.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_name_attribute = cfg.StrOpt(
|
||||||
|
'group_name_attribute',
|
||||||
|
default='ou',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to group name.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_member_attribute = cfg.StrOpt(
|
||||||
|
'group_member_attribute',
|
||||||
|
default='member',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to show group membership.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_desc_attribute = cfg.StrOpt(
|
||||||
|
'group_desc_attribute',
|
||||||
|
default='description',
|
||||||
|
help=utils.fmt("""
|
||||||
|
LDAP attribute mapped to group description.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_attribute_ignore = cfg.ListOpt(
|
||||||
|
'group_attribute_ignore',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
List of attributes stripped off the group on update.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_allow_create = cfg.BoolOpt(
|
||||||
|
'group_allow_create',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow group creation in LDAP backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_allow_update = cfg.BoolOpt(
|
||||||
|
'group_allow_update',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow group update in LDAP backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_allow_delete = cfg.BoolOpt(
|
||||||
|
'group_allow_delete',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATED_LDAP_WRITE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow group deletion in LDAP backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_additional_attribute_mapping = cfg.ListOpt(
|
||||||
|
'group_additional_attribute_mapping',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Additional attribute mappings for groups. Attribute mapping format is
|
||||||
|
<ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and
|
||||||
|
user_attr is the Identity API attribute.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
tls_cacertfile = cfg.StrOpt(
|
||||||
|
'tls_cacertfile',
|
||||||
|
help=utils.fmt("""
|
||||||
|
CA certificate file path for communicating with LDAP servers.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
tls_cacertdir = cfg.StrOpt(
|
||||||
|
'tls_cacertdir',
|
||||||
|
help=utils.fmt("""
|
||||||
|
CA certificate directory path for communicating with LDAP servers.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
use_tls = cfg.BoolOpt(
|
||||||
|
'use_tls',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enable TLS for communicating with LDAP servers.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
tls_req_cert = cfg.StrOpt(
|
||||||
|
'tls_req_cert',
|
||||||
|
default='demand',
|
||||||
|
choices=['demand', 'never', 'allow'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Specifies what checks to perform on client certificates in an incoming TLS
|
||||||
|
session.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
use_pool = cfg.BoolOpt(
|
||||||
|
'use_pool',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enable LDAP connection pooling.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_size = cfg.IntOpt(
|
||||||
|
'pool_size',
|
||||||
|
default=10,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Connection pool size.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_retry_max = cfg.IntOpt(
|
||||||
|
'pool_retry_max',
|
||||||
|
default=3,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum count of reconnect trials.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_retry_delay = cfg.FloatOpt(
|
||||||
|
'pool_retry_delay',
|
||||||
|
default=0.1,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Time span in seconds to wait between two reconnect trials.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_connection_timeout = cfg.IntOpt(
|
||||||
|
'pool_connection_timeout',
|
||||||
|
default=-1,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Connector timeout in seconds. Value -1 indicates indefinite wait for
|
||||||
|
response.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_connection_lifetime = cfg.IntOpt(
|
||||||
|
'pool_connection_lifetime',
|
||||||
|
default=600,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Connection lifetime in seconds.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
use_auth_pool = cfg.BoolOpt(
|
||||||
|
'use_auth_pool',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enable LDAP connection pooling for end user authentication. If use_pool is
|
||||||
|
disabled, then this setting is meaningless and is not used at all.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
auth_pool_size = cfg.IntOpt(
|
||||||
|
'auth_pool_size',
|
||||||
|
default=100,
|
||||||
|
help=utils.fmt("""
|
||||||
|
End user auth connection pool size.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
auth_pool_connection_lifetime = cfg.IntOpt(
|
||||||
|
'auth_pool_connection_lifetime',
|
||||||
|
default=60,
|
||||||
|
help=utils.fmt("""
|
||||||
|
End user auth connection lifetime in seconds.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
group_members_are_ids = cfg.BoolOpt(
|
||||||
|
'group_members_are_ids',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
If the members of the group objectclass are user IDs rather than DNs, set this
|
||||||
|
to true. This is the case when using posixGroup as the group objectclass and
|
||||||
|
OpenDirectory.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
url,
|
||||||
|
user,
|
||||||
|
password,
|
||||||
|
suffix,
|
||||||
|
use_dumb_member,
|
||||||
|
dumb_member,
|
||||||
|
allow_subtree_delete,
|
||||||
|
query_scope,
|
||||||
|
page_size,
|
||||||
|
alias_dereferencing,
|
||||||
|
debug_level,
|
||||||
|
chase_referrals,
|
||||||
|
user_tree_dn,
|
||||||
|
user_filter,
|
||||||
|
user_objectclass,
|
||||||
|
user_id_attribute,
|
||||||
|
user_name_attribute,
|
||||||
|
user_description_attribute,
|
||||||
|
user_mail_attribute,
|
||||||
|
user_pass_attribute,
|
||||||
|
user_enabled_attribute,
|
||||||
|
user_enabled_invert,
|
||||||
|
user_enabled_mask,
|
||||||
|
user_enabled_default,
|
||||||
|
user_attribute_ignore,
|
||||||
|
user_default_project_id_attribute,
|
||||||
|
user_allow_create,
|
||||||
|
user_allow_update,
|
||||||
|
user_allow_delete,
|
||||||
|
user_enabled_emulation,
|
||||||
|
user_enabled_emulation_dn,
|
||||||
|
user_enabled_emulation_use_group_config,
|
||||||
|
user_additional_attribute_mapping,
|
||||||
|
group_tree_dn,
|
||||||
|
group_filter,
|
||||||
|
group_objectclass,
|
||||||
|
group_id_attribute,
|
||||||
|
group_name_attribute,
|
||||||
|
group_member_attribute,
|
||||||
|
group_desc_attribute,
|
||||||
|
group_attribute_ignore,
|
||||||
|
group_allow_create,
|
||||||
|
group_allow_update,
|
||||||
|
group_allow_delete,
|
||||||
|
group_additional_attribute_mapping,
|
||||||
|
tls_cacertfile,
|
||||||
|
tls_cacertdir,
|
||||||
|
use_tls,
|
||||||
|
tls_req_cert,
|
||||||
|
use_pool,
|
||||||
|
pool_size,
|
||||||
|
pool_retry_max,
|
||||||
|
pool_retry_delay,
|
||||||
|
pool_connection_timeout,
|
||||||
|
pool_connection_lifetime,
|
||||||
|
use_auth_pool,
|
||||||
|
auth_pool_size,
|
||||||
|
auth_pool_connection_lifetime,
|
||||||
|
group_members_are_ids,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,86 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
servers = cfg.ListOpt(
|
||||||
|
'servers',
|
||||||
|
default=['localhost:11211'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Memcache servers in the format of "host:port".
|
||||||
|
"""))
|
||||||
|
|
||||||
|
dead_retry = cfg.IntOpt(
|
||||||
|
'dead_retry',
|
||||||
|
default=5 * 60,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of seconds memcached server is considered dead before it is tried again.
|
||||||
|
This is used by the key value store system (e.g. token pooled memcached
|
||||||
|
persistence backend).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
socket_timeout = cfg.IntOpt(
|
||||||
|
'socket_timeout',
|
||||||
|
default=3,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Timeout in seconds for every call to a server. This is used by the key value
|
||||||
|
store system (e.g. token pooled memcached persistence backend).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_maxsize = cfg.IntOpt(
|
||||||
|
'pool_maxsize',
|
||||||
|
default=10,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Max total number of open connections to every memcached server. This is used by
|
||||||
|
the key value store system (e.g. token pooled memcached persistence
|
||||||
|
backend).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_unused_timeout = cfg.IntOpt(
|
||||||
|
'pool_unused_timeout',
|
||||||
|
default=60,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of seconds a connection to memcached is held unused in the pool before
|
||||||
|
it is closed. This is used by the key value store system (e.g. token pooled
|
||||||
|
memcached persistence backend).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
pool_connection_get_timeout = cfg.IntOpt(
|
||||||
|
'pool_connection_get_timeout',
|
||||||
|
default=10,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of seconds that an operation will wait to get a memcache client
|
||||||
|
connection. This is used by the key value store system (e.g. token pooled
|
||||||
|
memcached persistence backend).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
servers,
|
||||||
|
dead_retry,
|
||||||
|
socket_timeout,
|
||||||
|
pool_maxsize,
|
||||||
|
pool_unused_timeout,
|
||||||
|
pool_connection_get_timeout,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
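Review bot: `GROUP_NAME = __name__.split('.')[-1]` ties the operator-facing configuration group to the module's file name. Renaming or moving the module would change the group that `register_opts` registers, and existing settings under the old group name would presumably stop being read without any error. Writing the group name as a string literal, with a comment such as `# Part of the operator-facing config interface; do not derive from the module name.`, would make that contract explicit. The same line is repeated in every other option module added by this commit.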
|
|
@ -0,0 +1,53 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
request_token_duration = cfg.IntOpt(
|
||||||
|
'request_token_duration',
|
||||||
|
default=28800,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Duration (in seconds) for the OAuth Request Token.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
access_token_duration = cfg.IntOpt(
|
||||||
|
'access_token_duration',
|
||||||
|
default=86400,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Duration (in seconds) for the OAuth Access Token.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
request_token_duration,
|
||||||
|
access_token_duration,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
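Review bot: `request_token_duration` and `access_token_duration` are plain `cfg.IntOpt`s with no bounds, so a negative value or a typo is accepted at load time and only surfaces later as token lifetimes nobody intended. `cfg.IntOpt` accepts `min=` and `max=`; adding `min=0` (or `min=1` if zero has no defined meaning here, which this file does not show) would reject bad values when the configuration is parsed. The same applies to the timeout and pool-size options in the memcache section above and to `expiration_buffer` and `cache_time` in the revoke section below.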
|
|
@ -0,0 +1,97 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
"""Single point of entry to generate the sample configuration file.
|
||||||
|
|
||||||
|
This module collects all the necessary info from the other modules in this
|
||||||
|
package. It is assumed that:
|
||||||
|
|
||||||
|
* Every other module in this package has a 'list_opts' function which
|
||||||
|
returns a dict where:
|
||||||
|
|
||||||
|
* The keys are strings which are the group names.
|
||||||
|
|
||||||
|
* The value of each key is a list of config options for that group.
|
||||||
|
|
||||||
|
* The conf package doesn't have further packages with config options.
|
||||||
|
|
||||||
|
* This module is only used in the context of sample file generation.
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
import collections
|
||||||
|
import importlib
|
||||||
|
import os
|
||||||
|
import pkgutil
|
||||||
|
|
||||||
|
|
||||||
|
LIST_OPTS_FUNC_NAME = 'list_opts'
|
||||||
|
IGNORED_MODULES = ('opts', 'constants', 'utils')
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
opts = collections.defaultdict(list)
|
||||||
|
module_names = _list_module_names()
|
||||||
|
imported_modules = _import_modules(module_names)
|
||||||
|
_append_config_options(imported_modules, opts)
|
||||||
|
return _tupleize(opts)
|
||||||
|
|
||||||
|
|
||||||
|
def _tupleize(d):
|
||||||
|
"""Convert a dict of options to the 2-tuple format."""
|
||||||
|
return [(key, value) for key, value in d.items()]
|
||||||
|
|
||||||
|
|
||||||
|
def _list_module_names():
|
||||||
|
module_names = []
|
||||||
|
package_path = os.path.dirname(os.path.abspath(__file__))
|
||||||
|
for _, module_name, ispkg in pkgutil.iter_modules(path=[package_path]):
|
||||||
|
if module_name in IGNORED_MODULES or ispkg:
|
||||||
|
# Skip this module.
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
module_names.append(module_name)
|
||||||
|
return module_names
|
||||||
|
|
||||||
|
|
||||||
|
def _import_modules(module_names):
|
||||||
|
imported_modules = []
|
||||||
|
for module_name in module_names:
|
||||||
|
full_module_path = '.'.join(__name__.split('.')[:-1] + [module_name])
|
||||||
|
module = importlib.import_module(full_module_path)
|
||||||
|
if not hasattr(module, LIST_OPTS_FUNC_NAME):
|
||||||
|
raise Exception(
|
||||||
|
"The module '%s' should have a '%s' function which "
|
||||||
|
"returns the config options." % (
|
||||||
|
full_module_path,
|
||||||
|
LIST_OPTS_FUNC_NAME))
|
||||||
|
else:
|
||||||
|
imported_modules.append(module)
|
||||||
|
return imported_modules
|
||||||
|
|
||||||
|
|
||||||
|
def _process_old_opts(configs):
|
||||||
|
"""Convert old-style 2-tuple configs to dicts."""
|
||||||
|
if isinstance(configs, tuple):
|
||||||
|
configs = [configs]
|
||||||
|
return {label: options for label, options in configs}
|
||||||
|
|
||||||
|
|
||||||
|
def _append_config_options(imported_modules, config_options):
|
||||||
|
for module in imported_modules:
|
||||||
|
configs = module.list_opts()
|
||||||
|
# TODO(markus_z): Remove this compatibility shim once all list_opts()
|
||||||
|
# functions have been updated to return dicts.
|
||||||
|
if not isinstance(configs, dict):
|
||||||
|
configs = _process_old_opts(configs)
|
||||||
|
for key, val in configs.items():
|
||||||
|
config_options[key].extend(val)
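Review bot: `_import_modules` raises a bare `Exception` when a module lacks `list_opts`, so a caller cannot catch it without also catching unrelated errors; a narrower type such as `raise AttributeError(...)` with the same message would be clearer. `_list_module_names` also returns every module in the package directory except those in `IGNORED_MODULES`, so a helper module added later must be listed there or sample generation will import and reject it. That deserves a comment next to the tuple, for example `# Modules in this package that define no options; keep in sync when adding helpers.`. `list_opts`, `_list_module_names`, `_import_modules` and `_append_config_options` have no docstrings, while `_tupleize` and `_process_old_opts` do.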
|
|
@ -0,0 +1,48 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
_DEPRECATE_INHERIT_MSG = utils.fmt("""
|
||||||
|
The option to enable the OS-INHERIT extension has been deprecated in the M
|
||||||
|
release and will be removed in the O release. The OS-INHERIT extension will be
|
||||||
|
enabled by default.
|
||||||
|
""")
|
||||||
|
|
||||||
|
|
||||||
|
enabled = cfg.BoolOpt(
|
||||||
|
'enabled',
|
||||||
|
default=True,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=_DEPRECATE_INHERIT_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
role-assignment inheritance to projects from owning domain or from projects
|
||||||
|
higher in the hierarchy can be optionally disabled. In the future, this option
|
||||||
|
will be removed and the hierarchy will be always enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
enabled,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
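Review bot: The help text for `enabled` never states what setting the option to False does, and its wording disagrees with `_DEPRECATE_INHERIT_MSG`. The help says "the hierarchy will be always enabled", while the deprecation message says the OS-INHERIT extension "will be enabled by default". I would open the help with a direct, capitalised statement such as `Enable role-assignment inheritance to projects from the owning domain or from projects higher in the hierarchy.` and use the same term for the feature in both strings.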
|
|
@ -0,0 +1,37 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
config_file = cfg.StrOpt(
|
||||||
|
'config_file',
|
||||||
|
default='keystone-paste.ini',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Name of the paste configuration file that defines the available pipelines.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
config_file,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,45 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the policy backend driver in the keystone.policy namespace.
|
||||||
|
Supplied drivers are rules and sql.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
list_limit = cfg.IntOpt(
|
||||||
|
'list_limit',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum number of entities that will be returned in a policy collection.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
list_limit,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
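Review bot: `list_limit` is declared without a default and its help does not say what an unset value means, so this file does not show whether policy collections are then unbounded or fall back to another setting. An uncapped list call is an easy way to load the backend, so the help should name the fallback explicitly once it is confirmed against the code that consumes the option. A `min=1` bound on the `IntOpt` would also stop zero or negative limits from being accepted. The `list_limit` options in the resource and role sections have the same gap.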
|
|
@ -0,0 +1,105 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the resource backend driver in the keystone.resource namespace.
|
||||||
|
Only an SQL driver is supplied. If a resource driver is not specified, the
|
||||||
|
assignment driver will choose the resource driver.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
deprecated_opts=[cfg.DeprecatedOpt('caching', group='assignment')],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for resource caching. This has no effect unless global caching is
|
||||||
|
enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
deprecated_opts=[cfg.DeprecatedOpt('cache_time', group='assignment')],
|
||||||
|
help=utils.fmt("""
|
||||||
|
TTL (in seconds) to cache resource data. This has no effect unless global
|
||||||
|
caching is enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
list_limit = cfg.IntOpt(
|
||||||
|
'list_limit',
|
||||||
|
deprecated_opts=[cfg.DeprecatedOpt('list_limit', group='assignment')],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum number of entities that will be returned in a resource collection.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
admin_project_domain_name = cfg.StrOpt(
|
||||||
|
'admin_project_domain_name',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Name of the domain that owns the `admin_project_name`. Defaults to None.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
admin_project_name = cfg.StrOpt(
|
||||||
|
'admin_project_name',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Special project for performing administrative operations on remote services.
|
||||||
|
Tokens scoped to this project will contain the key/value
|
||||||
|
`is_admin_project=true`. Defaults to None.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
project_name_url_safe = cfg.StrOpt(
|
||||||
|
'project_name_url_safe',
|
||||||
|
choices=['off', 'new', 'strict'],
|
||||||
|
default='off',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Whether the names of projects are restricted from containing url reserved
|
||||||
|
characters. If set to new, attempts to create or update a project with a url
|
||||||
|
unsafe name will return an error. In addition, if set to strict, attempts to
|
||||||
|
scope a token using an unsafe project name will return an error.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
domain_name_url_safe = cfg.StrOpt(
|
||||||
|
'domain_name_url_safe',
|
||||||
|
choices=['off', 'new', 'strict'],
|
||||||
|
default='off',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Whether the names of domains are restricted from containing url reserved
|
||||||
|
characters. If set to new, attempts to create or update a domain with a url
|
||||||
|
unsafe name will return an error. In addition, if set to strict, attempts to
|
||||||
|
scope a token using a domain name which is unsafe will return an error.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
caching,
|
||||||
|
cache_time,
|
||||||
|
list_limit,
|
||||||
|
admin_project_domain_name,
|
||||||
|
admin_project_name,
|
||||||
|
project_name_url_safe,
|
||||||
|
domain_name_url_safe,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
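Review bot: The help for `admin_project_name` says tokens scoped to that project carry `is_admin_project=true`, but it does not tell the operator that this is a privilege-bearing setting. It also does not mention the pairing with `admin_project_domain_name`; the two options read as if they must be set together, which should be confirmed against the consumer and then stated in both help strings. "Defaults to None." in each string restates what the missing `default=` already implies and can be dropped. A sentence such as `Set this together with admin_project_domain_name; remote services may treat tokens scoped to this project as administrative.` would cover the rest.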
|
|
@ -0,0 +1,67 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for an implementation of the backend for persisting revocation
|
||||||
|
events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
expiration_buffer = cfg.IntOpt(
|
||||||
|
'expiration_buffer',
|
||||||
|
default=1800,
|
||||||
|
help=utils.fmt("""
|
||||||
|
This value (calculated in seconds) is added to token expiration before a
|
||||||
|
revocation event may be removed from the backend.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for revocation event caching. This has no effect unless global caching
|
||||||
|
is enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
default=3600,
|
||||||
|
deprecated_opts=[
|
||||||
|
cfg.DeprecatedOpt('revocation_cache_time', group='token')],
|
||||||
|
help=utils.fmt("""
|
||||||
|
Time to cache the revocation list and the revocation events (in seconds). This
|
||||||
|
has no effect unless global and token caching are enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
expiration_buffer,
|
||||||
|
caching,
|
||||||
|
cache_time,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
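Review bot: The help for `cache_time` says it has no effect unless "global and token caching are enabled", yet the option sits beside this group's own `caching` toggle, whose help mentions only global caching. From this file it is unclear which toggle actually governs the revocation cache. This TTL bounds how long a cached revocation list can keep being served, so the help should name the controlling option precisely once that is confirmed against the code that reads it. It would also help operators to mention that the value replaces the deprecated `revocation_cache_time` in the `token` group, which the `deprecated_opts` entry already encodes.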
|
|
@ -0,0 +1,62 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
# The role driver has no default for backward compatibility reasons. If role
|
||||||
|
# driver is not specified, the assignment driver chooses the backend.
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the role backend driver in the keystone.role namespace. Only an
|
||||||
|
SQL driver is supplied
|
||||||
|
"""))
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for role caching. This has no effect unless global caching is enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
help=utils.fmt("""
|
||||||
|
TTL (in seconds) to cache role data. This has no effect unless global caching
|
||||||
|
is enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
list_limit = cfg.IntOpt(
|
||||||
|
'list_limit',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum number of entities that will be returned in a role collection.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
caching,
|
||||||
|
cache_time,
|
||||||
|
list_limit,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
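Review bot: The `driver` help omits what the code comment above it states, namely that leaving the option unset lets the assignment driver choose the backend. Operators reading the generated sample file will not see that fallback. The help also ends without a full stop ("Only an SQL driver is supplied"). The resource section's `driver` help already spells out the equivalent fallback, so mirroring it here with `If a role driver is not specified, the assignment driver will choose the role driver.` would keep the two consistent.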
|
|
@ -0,0 +1,175 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import constants
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
assertion_expiration_time = cfg.IntOpt(
|
||||||
|
'assertion_expiration_time',
|
||||||
|
default=3600,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Default TTL, in seconds, for any generated SAML assertion created by Keystone.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
xmlsec1_binary = cfg.StrOpt(
|
||||||
|
'xmlsec1_binary',
|
||||||
|
default='xmlsec1',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Binary to be called for XML signing. Install the appropriate package, specify
|
||||||
|
absolute path or adjust your PATH environment variable if the binary cannot be
|
||||||
|
found.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
certfile = cfg.StrOpt(
|
||||||
|
'certfile',
|
||||||
|
default=constants._CERTFILE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path of the certfile for SAML signing. For non-production environments, you may
|
||||||
|
be interested in using `keystone-manage pki_setup` to generate self-signed
|
||||||
|
certificates. Note, the path cannot contain a comma.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
keyfile = cfg.StrOpt(
|
||||||
|
'keyfile',
|
||||||
|
default=constants._KEYFILE,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_entity_id = cfg.StrOpt(
|
||||||
|
'idp_entity_id',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entity ID value for unique Identity Provider identification. Usually FQDN is
|
||||||
|
set with a suffix. A value is required to generate IDP Metadata. For example:
|
||||||
|
https://keystone.example.com/v3/OS-FEDERATION/saml2/idp
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_sso_endpoint = cfg.StrOpt(
|
||||||
|
'idp_sso_endpoint',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Identity Provider Single-Sign-On service value, required in the Identity
|
||||||
|
Provider's metadata. A value is required to generate IDP Metadata. For example:
|
||||||
|
https://keystone.example.com/v3/OS-FEDERATION/saml2/sso
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_lang = cfg.StrOpt(
|
||||||
|
'idp_lang', default='en',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Language used by the organization.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_organization_name = cfg.StrOpt(
|
||||||
|
'idp_organization_name',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Organization name the installation belongs to.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_organization_display_name = cfg.StrOpt(
|
||||||
|
'idp_organization_display_name',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Organization name to be displayed.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_organization_url = cfg.StrOpt(
|
||||||
|
'idp_organization_url',
|
||||||
|
help=utils.fmt("""
|
||||||
|
URL of the organization.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_contact_company = cfg.StrOpt(
|
||||||
|
'idp_contact_company',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Company of contact person.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_contact_name = cfg.StrOpt(
|
||||||
|
'idp_contact_name',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Given name of contact person
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_contact_surname = cfg.StrOpt(
|
||||||
|
'idp_contact_surname',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Surname of contact person.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_contact_email = cfg.StrOpt(
|
||||||
|
'idp_contact_email',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Email address of contact person.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_contact_telephone = cfg.StrOpt(
|
||||||
|
'idp_contact_telephone',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Telephone number of contact person.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_contact_type = cfg.StrOpt(
|
||||||
|
'idp_contact_type',
|
||||||
|
default='other',
|
||||||
|
choices=['technical', 'support', 'administrative', 'billing', 'other'],
|
||||||
|
help=utils.fmt("""
|
||||||
|
The contact type describing the main point of contact for the identity
|
||||||
|
provider.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
idp_metadata_path = cfg.StrOpt(
|
||||||
|
'idp_metadata_path',
|
||||||
|
default='/etc/keystone/saml2_idp_metadata.xml',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path to the Identity Provider Metadata file. This file should be generated with
|
||||||
|
the keystone-manage saml_idp_metadata command.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
relay_state_prefix = cfg.StrOpt(
|
||||||
|
'relay_state_prefix',
|
||||||
|
default='ss:mem:',
|
||||||
|
help=utils.fmt("""
|
||||||
|
The prefix to use for the RelayState SAML attribute, used when generating ECP
|
||||||
|
wrapped assertions.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
assertion_expiration_time,
|
||||||
|
xmlsec1_binary,
|
||||||
|
certfile,
|
||||||
|
keyfile,
|
||||||
|
idp_entity_id,
|
||||||
|
idp_sso_endpoint,
|
||||||
|
idp_lang,
|
||||||
|
idp_organization_name,
|
||||||
|
idp_organization_display_name,
|
||||||
|
idp_organization_url,
|
||||||
|
idp_contact_company,
|
||||||
|
idp_contact_name,
|
||||||
|
idp_contact_surname,
|
||||||
|
idp_contact_email,
|
||||||
|
idp_contact_telephone,
|
||||||
|
idp_contact_type,
|
||||||
|
idp_metadata_path,
|
||||||
|
relay_state_prefix,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
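Review bot: `assertion_expiration_time` is a plain `cfg.IntOpt` with no lower bound, so a zero or negative TTL is accepted when the configuration is loaded; adding `min=1` would reject it up front (the `min=` keyword is already used for `key_size` elsewhere in this commit). How the value is consumed is outside this hunk, so the exact floor should be confirmed against the assertion generator. The same gap exists in the other unbounded integer options this commit adds: the section defining `lockout_failure_attempts`, `lockout_duration`, `password_expires_days` and `unique_last_password_count`, `expiration` in the token options, and `max_redelegation_count` in the trust options, where `min=0` matches the documented "0 disables this feature" meaning. Separately, the `xmlsec1_binary` help could say that an absolute path is preferred, since the default `'xmlsec1'` is a bare name that is presumably resolved through PATH.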
|
|
@ -0,0 +1,95 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
disable_user_account_days_inactive = cfg.IntOpt(
|
||||||
|
'disable_user_account_days_inactive',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of days for which a user can be inactive before the account becomes
|
||||||
|
disabled. Setting the value to 0 disables this feature.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
lockout_failure_attempts = cfg.IntOpt(
|
||||||
|
'lockout_failure_attempts',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of times a user can fail login attempts until the user account is
|
||||||
|
locked. Setting the value to 0 disables this feature.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
lockout_duration = cfg.IntOpt(
|
||||||
|
'lockout_duration',
|
||||||
|
default=1800,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of seconds a user account will be locked.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
password_expires_days = cfg.IntOpt(
|
||||||
|
'password_expires_days',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of days for which a password will be considered valid before requiring
|
||||||
|
the user to change it. Setting the value to 0 disables this feature. Note: this
|
||||||
|
feature is only supported via the SQL backend driver for identity.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
unique_last_password_count = cfg.IntOpt(
|
||||||
|
'unique_last_password_count',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Number of latest password iterations for which the password must be unique.
|
||||||
|
Setting the value to 0 disables this feature. Note: this feature is only
|
||||||
|
supported via the SQL backend driver for identity.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
assword_change_limit_per_day = cfg.IntOpt(
|
||||||
|
'password_change_limit_per_day',
|
||||||
|
default=0,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum number of times a user can change their password in a day. Setting the
|
||||||
|
value to 0 disables this feature.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
password_regex = cfg.StrOpt(
|
||||||
|
'password_regex',
|
||||||
|
default=None,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Regular expression used to validate password strength requirements. Setting the
|
||||||
|
value to None disables this feature. The following is an example of a pattern
|
||||||
|
which requires at least 1 letter, 1 digit, and have a minimum length of 7
|
||||||
|
characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
disable_user_account_days_inactive,
|
||||||
|
lockout_failure_attempts,
|
||||||
|
lockout_duration,
|
||||||
|
password_expires_days,
|
||||||
|
unique_last_password_count,
|
||||||
|
assword_change_limit_per_day,
|
||||||
|
password_regex,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
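Review bot: The module-level name `assword_change_limit_per_day` is missing its leading `p`, both where it is defined and where it is listed in `ALL_OPTS`. Registration still works because the two spellings agree and the option string is `'password_change_limit_per_day'`, but the name breaks the convention every other option here follows, and any code referring to the attribute by the intended name would fail. Rename both occurrences to `password_change_limit_per_day`. The `password_regex` help also embeds `\d` in a non-raw triple-quoted string; opening that literal as `utils.fmt(r"""` keeps the example pattern intact without relying on Python passing unrecognised escapes through.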
|
|
@ -0,0 +1,38 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the shadow users backend driver in the
|
||||||
|
keystone.identity.shadow_users namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
driver,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,103 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import constants
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
certfile = cfg.StrOpt(
|
||||||
|
'certfile',
|
||||||
|
default=constants._CERTFILE,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path of the certfile for token signing. For non-production environments, you
|
||||||
|
may be interested in using `keystone-manage pki_setup` to generate self-signed
|
||||||
|
certificates.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
keyfile = cfg.StrOpt(
|
||||||
|
'keyfile',
|
||||||
|
default=constants._KEYFILE,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path of the keyfile for token signing.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
ca_certs = cfg.StrOpt(
|
||||||
|
'ca_certs',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
default='/etc/keystone/ssl/certs/ca.pem',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path of the CA for token signing.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
ca_key = cfg.StrOpt(
|
||||||
|
'ca_key',
|
||||||
|
default='/etc/keystone/ssl/private/cakey.pem',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Path of the CA key for token signing.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
key_size = cfg.IntOpt(
|
||||||
|
'key_size',
|
||||||
|
default=2048,
|
||||||
|
min=1024,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Key size (in bits) for token signing cert (auto generated certificate).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
valid_days = cfg.IntOpt(
|
||||||
|
'valid_days',
|
||||||
|
default=3650,
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Days the token signing cert is valid for (auto generated certificate).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cert_subject = cfg.StrOpt(
|
||||||
|
'cert_subject',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
default=('/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'),
|
||||||
|
help=utils.fmt("""
|
||||||
|
Certificate subject (auto generated certificate) for token signing.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
certfile,
|
||||||
|
keyfile,
|
||||||
|
ca_certs,
|
||||||
|
ca_key,
|
||||||
|
key_size,
|
||||||
|
valid_days,
|
||||||
|
cert_subject,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
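Review bot: `key_size` sets `min=1024`, so a 1024-bit token-signing key still passes validation even though the default is 2048. Assuming these are RSA keys, 1024 bits is below what current guidance accepts for signatures; since the option is already `deprecated_for_removal`, either raise the floor to `min=2048` or say in the help that values under 2048 exist only for legacy compatibility. The `keyfile` and `ca_key` help strings could also note that these paths hold private key material and should be readable only by the service account.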
|
|
@ -0,0 +1,137 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import constants
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
bind = cfg.ListOpt(
|
||||||
|
'bind',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
External auth mechanisms that should add bind information to token, e.g.,
|
||||||
|
kerberos,x509.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
enforce_token_bind = cfg.StrOpt(
|
||||||
|
'enforce_token_bind',
|
||||||
|
default='permissive',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enforcement policy on tokens presented to Keystone with bind information. One
|
||||||
|
of disabled, permissive, strict, required or a specifically required bind mode,
|
||||||
|
e.g., kerberos or x509 to require binding to that authentication.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
expiration = cfg.IntOpt(
|
||||||
|
'expiration',
|
||||||
|
default=3600,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Amount of time a token should remain valid (in seconds).
|
||||||
|
"""))
|
||||||
|
|
||||||
|
provider = cfg.StrOpt(
|
||||||
|
'provider',
|
||||||
|
default='uuid',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Controls the token construction, validation, and revocation operations.
|
||||||
|
Entrypoint in the keystone.token.provider namespace. Core providers are
|
||||||
|
[fernet|pkiz|pki|uuid].
|
||||||
|
"""))
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the token persistence backend driver in the
|
||||||
|
keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
|
||||||
|
memcache_pool, and sql.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
caching = cfg.BoolOpt(
|
||||||
|
'caching',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Toggle for token system caching. This has no effect unless global caching is
|
||||||
|
enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
cache_time = cfg.IntOpt(
|
||||||
|
'cache_time',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Time to cache tokens (in seconds). This has no effect unless global and token
|
||||||
|
caching are enabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
revoke_by_id = cfg.BoolOpt(
|
||||||
|
'revoke_by_id',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Revoke token by token identifier. Setting revoke_by_id to true enables various
|
||||||
|
forms of enumerating tokens, e.g. `list tokens for user`. These enumerations
|
||||||
|
are processed to determine the list of tokens to revoke. Only disable if you
|
||||||
|
are switching to using the Revoke extension with a backend other than KVS,
|
||||||
|
which stores events in memory.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
allow_rescope_scoped_token = cfg.BoolOpt(
|
||||||
|
'allow_rescope_scoped_token',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false
|
||||||
|
prevents a user from exchanging a scoped token for any other token.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
hash_algorithm = cfg.StrOpt(
|
||||||
|
'hash_algorithm',
|
||||||
|
default='md5',
|
||||||
|
deprecated_for_removal=True,
|
||||||
|
deprecated_reason=constants._DEPRECATE_PKI_MSG,
|
||||||
|
help=utils.fmt("""
|
||||||
|
The hash algorithm to use for PKI tokens. This can be set to any algorithm that
|
||||||
|
hashlib supports. WARNING: Before changing this value, the auth_token
|
||||||
|
middleware must be configured with the hash_algorithms, otherwise token
|
||||||
|
revocation will not be processed correctly.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
infer_roles = cfg.BoolOpt(
|
||||||
|
'infer_roles',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Add roles to token that are not explicitly added, but that are linked
|
||||||
|
implicitly to other roles.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
bind,
|
||||||
|
enforce_token_bind,
|
||||||
|
expiration,
|
||||||
|
provider,
|
||||||
|
driver,
|
||||||
|
caching,
|
||||||
|
cache_time,
|
||||||
|
revoke_by_id,
|
||||||
|
allow_rescope_scoped_token,
|
||||||
|
hash_algorithm,
|
||||||
|
infer_roles,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
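Review bot: The help for `allow_rescope_scoped_token` tells operators to set `allow_rescoped_scoped_token`, which is not the name the option is registered under. An operator copying the name from the generated sample text would set an unregistered key, and the default of `True` would presumably stay in effect, leaving rescoping allowed when they meant to turn it off. The sentence should read `Setting allow_rescope_scoped_token to false prevents a user from exchanging a scoped token for any other token.`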
|
|
@ -0,0 +1,63 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
trusted_issuer = cfg.MultiStrOpt(
|
||||||
|
'trusted_issuer',
|
||||||
|
default=[],
|
||||||
|
help=utils.fmt("""
|
||||||
|
The list of trusted issuers to further filter the certificates that are allowed
|
||||||
|
to participate in the X.509 tokenless authorization. If the option is absent
|
||||||
|
then no certificates will be allowed. The naming format for the attributes of a
|
||||||
|
Distinguished Name(DN) must be separated by a comma and contain no spaces. This
|
||||||
|
configuration option may be repeated for multiple values. For example:
|
||||||
|
trusted_issuer=CN=john,OU=keystone,O=openstack
|
||||||
|
trusted_issuer=CN=mary,OU=eng,O=abc
|
||||||
|
"""))
|
||||||
|
|
||||||
|
protocol = cfg.StrOpt(
|
||||||
|
'protocol',
|
||||||
|
default='x509',
|
||||||
|
help=utils.fmt("""
|
||||||
|
The protocol name for the X.509 tokenless authorization along with the option
|
||||||
|
issuer_attribute below can look up its corresponding mapping.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
issuer_attribute = cfg.StrOpt(
|
||||||
|
'issuer_attribute',
|
||||||
|
default='SSL_CLIENT_I_DN',
|
||||||
|
help=utils.fmt("""
|
||||||
|
The issuer attribute that is served as an IdP ID for the X.509 tokenless
|
||||||
|
authorization along with the protocol to look up its corresponding mapping. It
|
||||||
|
is the environment variable in the WSGI environment that references to the
|
||||||
|
issuer of the client certificate.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
trusted_issuer,
|
||||||
|
protocol,
|
||||||
|
issuer_attribute,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
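Review bot: The `issuer_attribute` help says the value names a WSGI environment variable carrying the client certificate issuer, but it does not say who is trusted to populate it. Since the `trusted_issuer` filter presumably compares against that value, the help should state the trust assumption, for example by appending `This variable must be set by the web server that terminates TLS and must not be derived from client-supplied request headers.` The phrase `that references to the issuer` should also read `that refers to the issuer`. How the attribute is read is outside this hunk.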
|
|
@ -0,0 +1,61 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
from keystone.conf import utils
|
||||||
|
|
||||||
|
|
||||||
|
enabled = cfg.BoolOpt(
|
||||||
|
'enabled',
|
||||||
|
default=True,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Delegation and impersonation features can be optionally disabled.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
allow_redelegation = cfg.BoolOpt(
|
||||||
|
'allow_redelegation',
|
||||||
|
default=False,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Enable redelegation feature.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
max_redelegation_count = cfg.IntOpt(
|
||||||
|
'max_redelegation_count',
|
||||||
|
default=3,
|
||||||
|
help=utils.fmt("""
|
||||||
|
Maximum depth of trust redelegation.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
driver = cfg.StrOpt(
|
||||||
|
'driver',
|
||||||
|
default='sql',
|
||||||
|
help=utils.fmt("""
|
||||||
|
Entrypoint for the trust backend driver in the keystone.trust namespace.
|
||||||
|
"""))
|
||||||
|
|
||||||
|
|
||||||
|
GROUP_NAME = __name__.split('.')[-1]
|
||||||
|
ALL_OPTS = [
|
||||||
|
enabled,
|
||||||
|
allow_redelegation,
|
||||||
|
max_redelegation_count,
|
||||||
|
driver,
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
|
def register_opts(conf):
|
||||||
|
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||||
|
|
||||||
|
|
||||||
|
def list_opts():
|
||||||
|
return {GROUP_NAME: ALL_OPTS}
|
|
@ -0,0 +1,26 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
def fmt(docstr):
|
||||||
|
"""Format a docstring for use as documentation in sample config."""
|
||||||
|
# Replace newlines with spaces, as docstrings contain literal newlines that
|
||||||
|
# should not be rendered into the sample configuration file (instead, line
|
||||||
|
# wrappings should be applied automatically).
|
||||||
|
docstr = docstr.replace('\n', ' ')
|
||||||
|
|
||||||
|
# Because it's common for docstrings to begin and end with a newline, there
|
||||||
|
# is now whitespace at the beginning and end of the documentation as a side
|
||||||
|
# effect of replacing newlines with spaces.
|
||||||
|
docstr = docstr.strip()
|
||||||
|
|
||||||
|
return docstr
|
|
@ -12,14 +12,14 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
|
|
||||||
from keystone.catalog.backends import sql
|
from keystone.catalog.backends import sql
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('catalog_api')
|
@dependency.requires('catalog_api')
|
||||||
|
|
|
@ -16,17 +16,17 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
|
@ -12,18 +12,18 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone.endpoint_policy.backends import base
|
from keystone.endpoint_policy.backends import base
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LE, _LW
|
from keystone.i18n import _, _LE, _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -12,15 +12,15 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_utils import encodeutils
|
from oslo_utils import encodeutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone.i18n import _, _LW
|
from keystone.i18n import _, _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
# Tests use this to make exception message format errors fatal
|
# Tests use this to make exception message format errors fatal
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
|
|
||||||
import string
|
import string
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from six.moves import urllib
|
from six.moves import urllib
|
||||||
import webob
|
import webob
|
||||||
|
@ -26,6 +25,7 @@ from keystone.common import dependency
|
||||||
from keystone.common import utils as k_utils
|
from keystone.common import utils as k_utils
|
||||||
from keystone.common import validation
|
from keystone.common import validation
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import idp as keystone_idp
|
from keystone.federation import idp as keystone_idp
|
||||||
from keystone.federation import schema
|
from keystone.federation import schema
|
||||||
|
@ -34,7 +34,7 @@ from keystone.i18n import _
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -12,13 +12,13 @@
|
||||||
|
|
||||||
"""Main entry point into the Federation service."""
|
"""Main entry point into the Federation service."""
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.common import cache
|
from keystone.common import cache
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import extension
|
from keystone.common import extension
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation.backends import base
|
from keystone.federation.backends import base
|
||||||
from keystone.federation import utils
|
from keystone.federation import utils
|
||||||
|
@ -27,7 +27,7 @@ from keystone.federation import utils
|
||||||
# This is a general cache region for service providers.
|
# This is a general cache region for service providers.
|
||||||
MEMOIZE = cache.get_memoization_decorator(group='federation')
|
MEMOIZE = cache.get_memoization_decorator(group='federation')
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
EXTENSION_DATA = {
|
EXTENSION_DATA = {
|
||||||
'name': 'OpenStack Federation APIs',
|
'name': 'OpenStack Federation APIs',
|
||||||
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
'namespace': 'http://docs.openstack.org/identity/api/ext/'
|
||||||
|
|
|
@ -15,7 +15,6 @@ import os
|
||||||
import subprocess # nosec : see comments in the code below
|
import subprocess # nosec : see comments in the code below
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_utils import fileutils
|
from oslo_utils import fileutils
|
||||||
from oslo_utils import importutils
|
from oslo_utils import importutils
|
||||||
|
@ -33,12 +32,13 @@ if not xmldsig:
|
||||||
xmldsig = importutils.try_import("xmldsig")
|
xmldsig = importutils.try_import("xmldsig")
|
||||||
|
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LE
|
from keystone.i18n import _, _LE
|
||||||
|
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
class SAMLGenerator(object):
|
class SAMLGenerator(object):
|
||||||
|
|
|
@ -21,11 +21,12 @@ from oslo_log import log
|
||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LW
|
from keystone.i18n import _, _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
@ -268,6 +269,7 @@ def get_remote_id_parameter(protocol):
|
||||||
try:
|
try:
|
||||||
remote_id_parameter = CONF[protocol]['remote_id_attribute']
|
remote_id_parameter = CONF[protocol]['remote_id_attribute']
|
||||||
except AttributeError:
|
except AttributeError:
|
||||||
|
# TODO(dolph): Move configuration registration to keystone.conf
|
||||||
CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
|
CONF.register_opt(cfg.StrOpt('remote_id_attribute'),
|
||||||
group=protocol)
|
group=protocol)
|
||||||
try:
|
try:
|
||||||
|
|
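Review bot: The TODO added inside the `except AttributeError:` branch of get_remote_id_parameter does not say what blocks the move. The option is registered with `group=protocol`, so the group name is a call-time argument and cannot simply be listed with the import-time options in keystone.conf. I would record that in the comment, for example `# TODO(dolph): Move configuration registration to keystone.conf; the group is the protocol name, known only at call time.` The option is also registered with no default, so a protocol group that was never configured presumably reads back as None on the retry. The function starts before and continues past this hunk, so whether that case is handled cannot be confirmed from here.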
|
@ -14,13 +14,13 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def filter_user(user_ref):
|
def filter_user(user_ref):
|
||||||
|
|
|
@ -15,12 +15,12 @@ from __future__ import absolute_import
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
import ldap.filter
|
import ldap.filter
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LW
|
from keystone.i18n import _, _LW
|
||||||
from keystone.identity.backends import base
|
from keystone.identity.backends import base
|
||||||
|
@ -28,7 +28,7 @@ from keystone.identity.backends.ldap import common as common_ldap
|
||||||
from keystone.identity.backends.ldap import models
|
from keystone.identity.backends.ldap import models
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
_DEPRECATION_MSG = _('%s for the LDAP identity backend has been deprecated in '
|
_DEPRECATION_MSG = _('%s for the LDAP identity backend has been deprecated in '
|
||||||
|
|
|
@ -14,19 +14,19 @@
|
||||||
|
|
||||||
"""Workflow Logic the Identity service."""
|
"""Workflow Logic the Identity service."""
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
|
||||||
from keystone.common import controller
|
from keystone.common import controller
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import validation
|
from keystone.common import validation
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LW
|
from keystone.i18n import _, _LW
|
||||||
from keystone.identity import schema
|
from keystone.identity import schema
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -26,10 +26,10 @@ from oslo_log import versionutils
|
||||||
from keystone import assignment # TODO(lbragstad): Decouple this dependency
|
from keystone import assignment # TODO(lbragstad): Decouple this dependency
|
||||||
from keystone.common import cache
|
from keystone.common import cache
|
||||||
from keystone.common import clean
|
from keystone.common import clean
|
||||||
from keystone.common import config
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LW
|
from keystone.i18n import _, _LW
|
||||||
from keystone.identity.backends import base as identity_interface
|
from keystone.identity.backends import base as identity_interface
|
||||||
|
@ -39,7 +39,7 @@ from keystone.identity.shadow_backends import base as shadow_interface
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -117,7 +117,7 @@ class DomainConfigs(dict):
|
||||||
# config dict to make sure we call the right driver
|
# config dict to make sure we call the right driver
|
||||||
domain_config = {}
|
domain_config = {}
|
||||||
domain_config['cfg'] = cfg.ConfigOpts()
|
domain_config['cfg'] = cfg.ConfigOpts()
|
||||||
config.configure(conf=domain_config['cfg'])
|
keystone.conf.configure(conf=domain_config['cfg'])
|
||||||
domain_config['cfg'](args=[], project='keystone',
|
domain_config['cfg'](args=[], project='keystone',
|
||||||
default_config_files=file_list)
|
default_config_files=file_list)
|
||||||
domain_config['driver'] = self._load_driver(domain_config)
|
domain_config['driver'] = self._load_driver(domain_config)
|
||||||
|
@ -254,7 +254,7 @@ class DomainConfigs(dict):
|
||||||
|
|
||||||
domain_config = {}
|
domain_config = {}
|
||||||
domain_config['cfg'] = cfg.ConfigOpts()
|
domain_config['cfg'] = cfg.ConfigOpts()
|
||||||
config.configure(conf=domain_config['cfg'])
|
keystone.conf.configure(conf=domain_config['cfg'])
|
||||||
domain_config['cfg'](args=[], project='keystone',
|
domain_config['cfg'](args=[], project='keystone',
|
||||||
default_config_files=[])
|
default_config_files=[])
|
||||||
|
|
||||||
|
|
|
@ -16,15 +16,15 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@dependency.provider('id_generator_api')
|
@dependency.provider('id_generator_api')
|
||||||
|
|
|
@ -11,7 +11,6 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from keystonemiddleware import auth_token
|
from keystonemiddleware import auth_token
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_context import context as oslo_context
|
from oslo_context import context as oslo_context
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
@ -20,6 +19,7 @@ from keystone.common import authorization
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import tokenless_auth
|
from keystone.common import tokenless_auth
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import constants as federation_constants
|
from keystone.federation import constants as federation_constants
|
||||||
from keystone.federation import utils
|
from keystone.federation import utils
|
||||||
|
@ -28,7 +28,7 @@ from keystone.middleware import core
|
||||||
from keystone.models import token_model
|
from keystone.models import token_model
|
||||||
from keystone.token.providers import common
|
from keystone.token.providers import common
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
__all__ = ('AuthContextMiddleware',)
|
__all__ = ('AuthContextMiddleware',)
|
||||||
|
|
|
@ -12,16 +12,16 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
|
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _LW
|
from keystone.i18n import _LW
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
# Header used to transmit the auth token
|
# Header used to transmit the auth token
|
||||||
|
|
|
@ -13,16 +13,16 @@
|
||||||
"""Unified in-memory token model."""
|
"""Unified in-memory token model."""
|
||||||
|
|
||||||
from keystoneclient.common import cms
|
from keystoneclient.common import cms
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_utils import reflection
|
from oslo_utils import reflection
|
||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import constants
|
from keystone.federation import constants
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
# supported token versions
|
# supported token versions
|
||||||
V2 = 'v2.0'
|
V2 = 'v2.0'
|
||||||
V3 = 'v3.0'
|
V3 = 'v3.0'
|
||||||
|
|
|
@ -19,7 +19,6 @@ import functools
|
||||||
import inspect
|
import inspect
|
||||||
import socket
|
import socket
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import oslo_messaging
|
import oslo_messaging
|
||||||
from oslo_utils import reflection
|
from oslo_utils import reflection
|
||||||
|
@ -33,6 +32,7 @@ from pycadf import resource
|
||||||
from keystone.i18n import _, _LE
|
from keystone.i18n import _, _LE
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
|
|
||||||
_CATALOG_HELPER_OBJ = None
|
_CATALOG_HELPER_OBJ = None
|
||||||
|
|
||||||
|
@ -69,7 +69,7 @@ _notifier = None
|
||||||
SERVICE = 'identity'
|
SERVICE = 'identity'
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
# NOTE(morganfainberg): Special case notifications that are only used
|
# NOTE(morganfainberg): Special case notifications that are only used
|
||||||
# internally for handling token persistence token deletions
|
# internally for handling token persistence token deletions
|
||||||
|
|
|
@ -14,7 +14,6 @@
|
||||||
|
|
||||||
"""Extensions supporting OAuth1."""
|
"""Extensions supporting OAuth1."""
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
|
|
||||||
|
@ -23,6 +22,7 @@ from keystone.common import dependency
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
from keystone.common import validation
|
from keystone.common import validation
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
@ -31,7 +31,7 @@ from keystone.oauth1 import schema
|
||||||
from keystone.oauth1 import validator
|
from keystone.oauth1 import validator
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def _emit_user_oauth_consumer_token_invalidate(payload):
|
def _emit_user_oauth_consumer_token_invalidate(payload):
|
||||||
|
|
|
@ -20,13 +20,13 @@ import uuid
|
||||||
|
|
||||||
import oauthlib.common
|
import oauthlib.common
|
||||||
from oauthlib import oauth1
|
from oauthlib import oauth1
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import extension
|
from keystone.common import extension
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _LE
|
from keystone.i18n import _LE
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
@ -53,7 +53,7 @@ class Token(object):
|
||||||
self.verifier = verifier
|
self.verifier = verifier
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,11 +13,11 @@
|
||||||
import abc
|
import abc
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from oslo_config import cfg
|
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@six.add_metaclass(abc.ABCMeta)
|
@six.add_metaclass(abc.ABCMeta)
|
||||||
|
|
|
@ -15,15 +15,15 @@
|
||||||
|
|
||||||
"""Policy engine for keystone."""
|
"""Policy engine for keystone."""
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_policy import policy as common_policy
|
from oslo_policy import policy as common_policy
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.policy.backends import base
|
from keystone.policy.backends import base
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -14,17 +14,17 @@
|
||||||
|
|
||||||
"""Main entry point into the Policy service."""
|
"""Main entry point into the Policy service."""
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
from keystone.policy.backends import base
|
from keystone.policy.backends import base
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@dependency.provider('policy_api')
|
@dependency.provider('policy_api')
|
||||||
|
|
|
@ -15,17 +15,17 @@
|
||||||
import abc
|
import abc
|
||||||
import copy
|
import copy
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.i18n import _LE
|
from keystone.i18n import _LE
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -14,13 +14,13 @@
|
||||||
|
|
||||||
import abc
|
import abc
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@six.add_metaclass(abc.ABCMeta)
|
@six.add_metaclass(abc.ABCMeta)
|
||||||
|
|
|
@ -17,19 +17,19 @@
|
||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
|
|
||||||
from keystone.common import controller
|
from keystone.common import controller
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import validation
|
from keystone.common import validation
|
||||||
from keystone.common import wsgi
|
from keystone.common import wsgi
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
from keystone.resource import schema
|
from keystone.resource import schema
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
@dependency.requires('resource_api')
|
@dependency.requires('resource_api')
|
||||||
|
|
|
@ -12,7 +12,6 @@
|
||||||
|
|
||||||
"""Main entry point into the Resource service."""
|
"""Main entry point into the Resource service."""
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
import six
|
import six
|
||||||
|
@ -24,13 +23,14 @@ from keystone.common import dependency
|
||||||
from keystone.common import driver_hints
|
from keystone.common import driver_hints
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
from keystone.common import utils
|
from keystone.common import utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _, _LE, _LW
|
from keystone.i18n import _, _LE, _LW
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
from keystone.resource.backends import base
|
from keystone.resource.backends import base
|
||||||
from keystone.resource.config_backends import base as config_base
|
from keystone.resource.config_backends import base as config_base
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
MEMOIZE = cache.get_memoization_decorator(group='resource')
|
MEMOIZE = cache.get_memoization_decorator(group='resource')
|
||||||
|
|
||||||
|
|
|
@ -15,14 +15,14 @@
|
||||||
import abc
|
import abc
|
||||||
import datetime
|
import datetime
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def revoked_before_cutoff_time():
|
def revoked_before_cutoff_time():
|
||||||
|
|
|
@ -13,13 +13,13 @@
|
||||||
"""Main entry point into the Revoke service."""
|
"""Main entry point into the Revoke service."""
|
||||||
|
|
||||||
import oslo_cache
|
import oslo_cache
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import versionutils
|
from oslo_log import versionutils
|
||||||
|
|
||||||
from keystone.common import cache
|
from keystone.common import cache
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import extension
|
from keystone.common import extension
|
||||||
from keystone.common import manager
|
from keystone.common import manager
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
from keystone.models import revoke_model
|
from keystone.models import revoke_model
|
||||||
|
@ -27,7 +27,7 @@ from keystone import notifications
|
||||||
from keystone.revoke.backends import base
|
from keystone.revoke.backends import base
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
EXTENSION_DATA = {
|
EXTENSION_DATA = {
|
||||||
|
|
|
@ -12,31 +12,30 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
|
import keystone.conf
|
||||||
from keystone.i18n import _LW
|
from keystone.i18n import _LW
|
||||||
from keystone.server import backends
|
from keystone.server import backends
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
def configure(version=None, config_files=None,
|
def configure(version=None, config_files=None,
|
||||||
pre_setup_logging_fn=lambda: None):
|
pre_setup_logging_fn=lambda: None):
|
||||||
config.configure()
|
keystone.conf.configure()
|
||||||
sql.initialize()
|
sql.initialize()
|
||||||
config.set_config_defaults()
|
keystone.conf.set_config_defaults()
|
||||||
|
|
||||||
CONF(project='keystone', version=version,
|
CONF(project='keystone', version=version,
|
||||||
default_config_files=config_files)
|
default_config_files=config_files)
|
||||||
|
|
||||||
pre_setup_logging_fn()
|
pre_setup_logging_fn()
|
||||||
config.setup_logging()
|
keystone.conf.setup_logging()
|
||||||
|
|
||||||
if CONF.insecure_debug:
|
if CONF.insecure_debug:
|
||||||
LOG.warning(_LW(
|
LOG.warning(_LW(
|
||||||
|
|
|
@ -14,11 +14,12 @@
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
import oslo_i18n
|
import oslo_i18n
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
|
||||||
from keystone.common import profiler
|
from keystone.common import profiler
|
||||||
|
import keystone.conf
|
||||||
|
from keystone import exception
|
||||||
|
|
||||||
|
|
||||||
# NOTE(dstanek): i18n.enable_lazy() must be called before
|
# NOTE(dstanek): i18n.enable_lazy() must be called before
|
||||||
|
@ -28,12 +29,11 @@ from keystone.common import profiler
|
||||||
oslo_i18n.enable_lazy()
|
oslo_i18n.enable_lazy()
|
||||||
|
|
||||||
|
|
||||||
from keystone.common import config
|
|
||||||
from keystone.server import common
|
from keystone.server import common
|
||||||
from keystone.version import service as keystone_service
|
from keystone.version import service as keystone_service
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def initialize_application(name,
|
def initialize_application(name,
|
||||||
|
@ -63,7 +63,7 @@ def initialize_application(name,
|
||||||
|
|
||||||
def loadapp():
|
def loadapp():
|
||||||
return keystone_service.loadapp(
|
return keystone_service.loadapp(
|
||||||
'config:%s' % config.find_paste_config(), name)
|
'config:%s' % find_paste_config(), name)
|
||||||
|
|
||||||
_unused, application = common.setup_backends(
|
_unused, application = common.setup_backends(
|
||||||
startup_application_fn=loadapp)
|
startup_application_fn=loadapp)
|
||||||
|
@ -75,6 +75,41 @@ def initialize_application(name,
|
||||||
return application
|
return application
|
||||||
|
|
||||||
|
|
||||||
|
def find_paste_config():
|
||||||
|
"""Find Keystone's paste.deploy configuration file.
|
||||||
|
|
||||||
|
Keystone's paste.deploy configuration file is specified in the
|
||||||
|
``[paste_deploy]`` section of the main Keystone configuration file,
|
||||||
|
``keystone.conf``.
|
||||||
|
|
||||||
|
For example::
|
||||||
|
|
||||||
|
[paste_deploy]
|
||||||
|
config_file = keystone-paste.ini
|
||||||
|
|
||||||
|
:returns: The selected configuration filename
|
||||||
|
:raises: exception.ConfigFileNotFound
|
||||||
|
|
||||||
|
"""
|
||||||
|
if CONF.paste_deploy.config_file:
|
||||||
|
paste_config = CONF.paste_deploy.config_file
|
||||||
|
paste_config_value = paste_config
|
||||||
|
if not os.path.isabs(paste_config):
|
||||||
|
paste_config = CONF.find_file(paste_config)
|
||||||
|
elif CONF.config_file:
|
||||||
|
paste_config = CONF.config_file[0]
|
||||||
|
paste_config_value = paste_config
|
||||||
|
else:
|
||||||
|
# this provides backwards compatibility for keystone.conf files that
|
||||||
|
# still have the entire paste configuration included, rather than just
|
||||||
|
# a [paste_deploy] configuration section referring to an external file
|
||||||
|
paste_config = CONF.find_file('keystone.conf')
|
||||||
|
paste_config_value = 'keystone.conf'
|
||||||
|
if not paste_config or not os.path.exists(paste_config):
|
||||||
|
raise exception.ConfigFileNotFound(config_file=paste_config_value)
|
||||||
|
return paste_config
|
||||||
|
|
||||||
|
|
||||||
def _get_config_files(env=None):
|
def _get_config_files(env=None):
|
||||||
if env is None:
|
if env is None:
|
||||||
env = os.environ
|
env = os.environ
|
||||||
|
|
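Review bot: The final check in find_paste_config uses `os.path.exists`, which is also true for a directory, so a wrong `[paste_deploy] config_file` value can pass here and only fail later inside `keystone_service.loadapp` with a less direct error. Since this file selects the WSGI pipeline, I would make the guard `if not paste_config or not os.path.isfile(paste_config):` so that anything other than a regular file raises ConfigFileNotFound at this point. The docstring describes only the `[paste_deploy]` case; one more sentence should give the fallback order the code implements: the first entry of `CONF.config_file`, then a `keystone.conf` located through `CONF.find_file`. It should also say that a relative `config_file` is resolved through `CONF.find_file` rather than the working directory.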
|
@ -13,15 +13,15 @@
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
|
||||||
from six.moves import range
|
from six.moves import range
|
||||||
from testtools import matchers
|
from testtools import matchers
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
class AssignmentTestHelperMixin(object):
|
class AssignmentTestHelperMixin(object):
|
||||||
|
|
|
@ -12,16 +12,16 @@
|
||||||
|
|
||||||
import ldap
|
import ldap
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
|
|
||||||
from keystone.common import cache
|
from keystone.common import cache
|
||||||
|
import keystone.conf
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import default_fixtures
|
from keystone.tests.unit import default_fixtures
|
||||||
from keystone.tests.unit.ksfixtures import database
|
from keystone.tests.unit.ksfixtures import database
|
||||||
from keystone.tests.unit.ksfixtures import ldapdb
|
from keystone.tests.unit.ksfixtures import ldapdb
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def create_group_container(identity_api):
|
def create_group_container(identity_api):
|
||||||
|
|
|
@ -16,7 +16,6 @@ import uuid
|
||||||
|
|
||||||
import fixtures
|
import fixtures
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_config import fixture as config_fixture
|
from oslo_config import fixture as config_fixture
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
from pycadf import cadftaxonomy
|
from pycadf import cadftaxonomy
|
||||||
|
@ -24,12 +23,13 @@ from pycadf import cadftype
|
||||||
from pycadf import eventfactory
|
from pycadf import eventfactory
|
||||||
from pycadf import resource as cadfresource
|
from pycadf import resource as cadfresource
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import test_v3
|
from keystone.tests.unit import test_v3
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
EXP_RESOURCE_TYPE = uuid.uuid4().hex
|
EXP_RESOURCE_TYPE = uuid.uuid4().hex
|
||||||
CREATED_OPERATION = notifications.ACTIONS.created
|
CREATED_OPERATION = notifications.ACTIONS.created
|
||||||
|
|
|
@ -14,19 +14,19 @@
|
||||||
import datetime
|
import datetime
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_config import fixture as config_fixture
|
from oslo_config import fixture as config_fixture
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
import six
|
import six
|
||||||
|
|
||||||
from keystone.common import utils as common_utils
|
from keystone.common import utils as common_utils
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import utils
|
from keystone.tests.unit import utils
|
||||||
from keystone.version import service
|
from keystone.version import service
|
||||||
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
TZ = utils.TZ
|
TZ = utils.TZ
|
||||||
|
|
||||||
|
|
|
@ -12,17 +12,18 @@
|
||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_config import fixture as config_fixture
|
from oslo_config import fixture as config_fixture
|
||||||
from oslo_serialization import jsonutils
|
from oslo_serialization import jsonutils
|
||||||
|
|
||||||
from keystone.auth.plugins import mapped
|
from keystone.auth.plugins import mapped
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.federation import utils as mapping_utils
|
from keystone.federation import utils as mapping_utils
|
||||||
from keystone.tests import unit
|
from keystone.tests import unit
|
||||||
from keystone.tests.unit import mapping_fixtures
|
from keystone.tests.unit import mapping_fixtures
|
||||||
|
|
||||||
|
|
||||||
|
CONF = keystone.conf.CONF
|
||||||
FAKE_MAPPING_ID = uuid.uuid4().hex
|
FAKE_MAPPING_ID = uuid.uuid4().hex
|
||||||
|
|
||||||
|
|
||||||
|
@ -741,7 +742,7 @@ class TestUnicodeAssertionData(unit.BaseTestCase):
|
||||||
|
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
super(TestUnicodeAssertionData, self).setUp()
|
super(TestUnicodeAssertionData, self).setUp()
|
||||||
self.config_fixture = self.useFixture(config_fixture.Config(cfg.CONF))
|
self.config_fixture = self.useFixture(config_fixture.Config(CONF))
|
||||||
self.config_fixture.config(group='federation',
|
self.config_fixture.config(group='federation',
|
||||||
assertion_prefix='PFX')
|
assertion_prefix='PFX')
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,6 @@ import uuid
|
||||||
import warnings
|
import warnings
|
||||||
|
|
||||||
import fixtures
|
import fixtures
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_config import fixture as config_fixture
|
from oslo_config import fixture as config_fixture
|
||||||
from oslo_context import context as oslo_context
|
from oslo_context import context as oslo_context
|
||||||
from oslo_context import fixture as oslo_ctx_fixture
|
from oslo_context import fixture as oslo_ctx_fixture
|
||||||
|
@ -43,11 +42,11 @@ import testtools
|
||||||
from testtools import testcase
|
from testtools import testcase
|
||||||
|
|
||||||
from keystone import auth
|
from keystone import auth
|
||||||
from keystone.common import config
|
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common.kvs import core as kvs_core
|
from keystone.common.kvs import core as kvs_core
|
||||||
from keystone.common import request
|
from keystone.common import request
|
||||||
from keystone.common import sql
|
from keystone.common import sql
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.identity.backends.ldap import common as ks_ldap
|
from keystone.identity.backends.ldap import common as ks_ldap
|
||||||
from keystone import notifications
|
from keystone import notifications
|
||||||
|
@ -57,8 +56,8 @@ from keystone.version import controllers
|
||||||
from keystone.version import service
|
from keystone.version import service
|
||||||
|
|
||||||
|
|
||||||
config.configure()
|
keystone.conf.configure()
|
||||||
config.set_config_defaults()
|
keystone.conf.set_config_defaults()
|
||||||
|
|
||||||
PID = six.text_type(os.getpid())
|
PID = six.text_type(os.getpid())
|
||||||
TESTSDIR = os.path.dirname(os.path.abspath(__file__))
|
TESTSDIR = os.path.dirname(os.path.abspath(__file__))
|
||||||
|
@ -77,7 +76,7 @@ def _calc_tmpdir():
|
||||||
|
|
||||||
TMPDIR = _calc_tmpdir()
|
TMPDIR = _calc_tmpdir()
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
log.register_options(CONF)
|
log.register_options(CONF)
|
||||||
|
|
||||||
IN_MEM_DB_CONN_STRING = 'sqlite://'
|
IN_MEM_DB_CONN_STRING = 'sqlite://'
|
||||||
|
@ -664,7 +663,7 @@ class TestCase(BaseTestCase):
|
||||||
def mocked_register_auth_plugin_opt(conf, opt):
|
def mocked_register_auth_plugin_opt(conf, opt):
|
||||||
self.config_fixture.register_opt(opt, group='auth')
|
self.config_fixture.register_opt(opt, group='auth')
|
||||||
self.useFixture(fixtures.MockPatchObject(
|
self.useFixture(fixtures.MockPatchObject(
|
||||||
config, '_register_auth_plugin_opt',
|
keystone.conf.auth, '_register_auth_plugin_opt',
|
||||||
new=mocked_register_auth_plugin_opt))
|
new=mocked_register_auth_plugin_opt))
|
||||||
|
|
||||||
self.sql_driver_version_overrides = {}
|
self.sql_driver_version_overrides = {}
|
||||||
|
|
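Review bot: The `fixtures.MockPatchObject(keystone.conf.auth, '_register_auth_plugin_opt', ...)` call in the `TestCase` hunk reaches `keystone.conf.auth` by attribute access, but this file only does `import keystone.conf`. The test base class therefore depends on the package `__init__` importing its `auth` submodule. The commit description says `keystone.conf.__init__` registers every option on import, which suggests this holds, but an explicit `import keystone.conf.auth` beside `import keystone.conf` would make the dependency visible. The patch also presumably only takes effect if the registration code looks `_register_auth_plugin_opt` up on the module at call time, so a comment such as `# patched on keystone.conf.auth; callers must resolve the helper through the module` would record that assumption. The enclosing method starts and ends outside the hunk.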
|
@ -27,11 +27,11 @@ import re
|
||||||
import shelve
|
import shelve
|
||||||
|
|
||||||
import ldap
|
import ldap
|
||||||
from oslo_config import cfg
|
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
import six
|
import six
|
||||||
from six import moves
|
from six import moves
|
||||||
|
|
||||||
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.identity.backends.ldap import common
|
from keystone.identity.backends.ldap import common
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ SCOPE_NAMES = {
|
||||||
CONTROL_TREEDELETE = '1.2.840.113556.1.4.805'
|
CONTROL_TREEDELETE = '1.2.840.113556.1.4.805'
|
||||||
|
|
||||||
LOG = log.getLogger(__name__)
|
LOG = log.getLogger(__name__)
|
||||||
CONF = cfg.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
def _internal_attr(attr_name, value_or_values):
|
def _internal_attr(attr_name, value_or_values):
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More