OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

keystone.conf.sample 55KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692
  1. [DEFAULT]
  2. #
  3. # From keystone
  4. #
  5. # A "shared secret" that can be used to bootstrap Keystone. This "token" does
  6. # not represent a user, and carries no explicit authorization. To disable in
  7. # production (highly recommended), remove AdminTokenAuthMiddleware from your
  8. # paste application pipelines (for example, in keystone-paste.ini). (string
  9. # value)
  10. #admin_token = ADMIN
  11. # (Deprecated) The port which the OpenStack Compute service listens on. This
  12. # option was only used for string replacement in the templated catalog backend.
  13. # Templated catalogs should replace the "$(compute_port)s" substitution with
  14. # the static port of the compute service. As of Juno, this option is deprecated
  15. # and will be removed in the L release. (integer value)
  16. #compute_port = 8774
  17. # The base public endpoint URL for Keystone that is advertised to clients
  18. # (NOTE: this does NOT affect how Keystone listens for connections). Defaults
  19. # to the base host URL of the request. E.g. a request to
  20. # http://server:5000/v3/users will default to http://server:5000. You should
  21. # only need to set this value if the base URL contains a path (e.g. /prefix/v3)
  22. # or the endpoint should be found on a different server. (string value)
  23. #public_endpoint = <None>
  24. # The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
  25. # this does NOT affect how Keystone listens for connections). Defaults to the
  26. # base host URL of the request. E.g. a request to http://server:35357/v3/users
  27. # will default to http://server:35357. You should only need to set this value
  28. # if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
  29. # found on a different server. (string value)
  30. #admin_endpoint = <None>
  31. # Maximum depth of the project hierarchy. WARNING: setting it to a large value
  32. # may adversely impact performance. (integer value)
  33. #max_project_tree_depth = 5
  34. # Limit the sizes of user & project ID/names. (integer value)
  35. #max_param_size = 64
  36. # Similar to max_param_size, but provides an exception for token values.
  37. # (integer value)
  38. #max_token_size = 8192
  39. # Similar to the member_role_name option, this represents the default role ID
  40. # used to associate users with their default projects in the v2 API. This will
  41. # be used as the explicit role where one is not specified by the v2 API.
  42. # (string value)
  43. #member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
  44. # This is the role name used in combination with the member_role_id option; see
  45. # that option for more detail. (string value)
  46. #member_role_name = _member_
  47. # The value passed as the keyword "rounds" to passlib's encrypt method.
  48. # (integer value)
  49. #crypt_strength = 40000
  50. # The maximum number of entities that will be returned in a collection, with no
  51. # limit set by default. This global limit may be then overridden for a specific
  52. # driver, by specifying a list_limit in the appropriate section (e.g.
  53. # [assignment]). (integer value)
  54. #list_limit = <None>
  55. # Set this to false if you want to enable the ability for user, group and
  56. # project entities to be moved between domains by updating their domain_id.
  57. # Allowing such movement is not recommended if the scope of a domain admin is
  58. # being restricted by use of an appropriate policy file (see
  59. # policy.v3cloudsample as an example). (boolean value)
  60. #domain_id_immutable = true
  61. # If set to true, strict password length checking is performed for password
  62. # manipulation. If a password exceeds the maximum length, the operation will
  63. # fail with an HTTP 403 Forbidden error. If set to false, passwords are
  64. # automatically truncated to the maximum length. (boolean value)
  65. #strict_password_check = false
  66. # The HTTP header used to determine the scheme for the original request, even
  67. # if it was removed by an SSL terminating proxy. Typical value is
  68. # "HTTP_X_FORWARDED_PROTO". (string value)
  69. #secure_proxy_ssl_header = <None>
  70. #
  71. # From keystone.notifications
  72. #
  73. # Default publisher_id for outgoing notifications (string value)
  74. #default_publisher_id = <None>
  75. # Define the notification format for Identity Service events. A "basic"
  76. # notification has information about the resource being operated on. A "cadf"
  77. # notification has the same information, as well as information about the
  78. # initiator of the event. Valid options are: basic and cadf (string value)
  79. #notification_format = basic
  80. #
  81. # From keystone.openstack.common.eventlet_backdoor
  82. #
  83. # Enable eventlet backdoor. Acceptable values are 0, <port>, and
  84. # <start>:<end>, where 0 results in listening on a random tcp port number;
  85. # <port> results in listening on the specified port number (and not enabling
  86. # backdoor if that port is in use); and <start>:<end> results in listening on
  87. # the smallest unused port number within the specified range of port numbers.
  88. # The chosen port is displayed in the service's log file. (string value)
  89. #backdoor_port = <None>
  90. #
  91. # From keystone.openstack.common.policy
  92. #
  93. # The JSON file that defines policies. (string value)
  94. #policy_file = policy.json
  95. # Default rule. Enforced when a requested rule is not found. (string value)
  96. #policy_default_rule = default
  97. # Directories where policy configuration files are stored. They can be relative
  98. # to any directory in the search path defined by the config_dir option, or
  99. # absolute paths. The file defined by policy_file must exist for these
  100. # directories to be searched. (multi valued)
  101. #policy_dirs = policy.d
  102. #
  103. # From oslo.log
  104. #
  105. # Print debugging output (set logging level to DEBUG instead of default WARNING
  106. # level). (boolean value)
  107. #debug = false
  108. # Print more verbose output (set logging level to INFO instead of default
  109. # WARNING level). (boolean value)
  110. #verbose = false
  111. # The name of a logging configuration file. This file is appended to any
  112. # existing logging configuration files. For details about logging configuration
  113. # files, see the Python logging module documentation. (string value)
  114. # Deprecated group/name - [DEFAULT]/log_config
  115. #log_config_append = <None>
  116. # DEPRECATED. A logging.Formatter log message format string which may use any
  117. # of the available logging.LogRecord attributes. This option is deprecated.
  118. # Please use logging_context_format_string and logging_default_format_string
  119. # instead. (string value)
  120. #log_format = <None>
  121. # Format string for %%(asctime)s in log records. Default: %(default)s . (string
  122. # value)
  123. #log_date_format = %Y-%m-%d %H:%M:%S
  124. # (Optional) Name of log file to output to. If no default is set, logging will
  125. # go to stdout. (string value)
  126. # Deprecated group/name - [DEFAULT]/logfile
  127. #log_file = <None>
  128. # (Optional) The base directory used for relative --log-file paths. (string
  129. # value)
  130. # Deprecated group/name - [DEFAULT]/logdir
  131. #log_dir = <None>
  132. # Use syslog for logging. Existing syslog format is DEPRECATED during I, and
  133. # will change in J to honor RFC5424. (boolean value)
  134. #use_syslog = false
  135. # (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
  136. # prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
  137. # format without the APP-NAME is deprecated in I, and will be removed in J.
  138. # (boolean value)
  139. #use_syslog_rfc_format = false
  140. # Syslog facility to receive log lines. (string value)
  141. #syslog_log_facility = LOG_USER
  142. # Log output to standard error. (boolean value)
  143. #use_stderr = true
  144. # Format string to use for log messages with context. (string value)
  145. #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
  146. # Format string to use for log messages without context. (string value)
  147. #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
  148. # Data to append to log format when level is DEBUG. (string value)
  149. #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
  150. # Prefix each line of exception output with this format. (string value)
  151. #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
  152. # List of logger=LEVEL pairs. (list value)
  153. #default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
  154. # Enables or disables publication of error events. (boolean value)
  155. #publish_errors = false
  156. # Enables or disables fatal status of deprecations. (boolean value)
  157. #fatal_deprecations = false
  158. # The format for an instance that is passed with the log message. (string
  159. # value)
  160. #instance_format = "[instance: %(uuid)s] "
  161. # The format for an instance UUID that is passed with the log message. (string
  162. # value)
  163. #instance_uuid_format = "[instance: %(uuid)s] "
  164. #
  165. # From oslo.messaging
  166. #
  167. # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
  168. # The "host" option should point or resolve to this address. (string value)
  169. #rpc_zmq_bind_address = *
  170. # MatchMaker driver. (string value)
  171. #rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost
  172. # ZeroMQ receiver listening port. (integer value)
  173. #rpc_zmq_port = 9501
  174. # Number of ZeroMQ contexts, defaults to 1. (integer value)
  175. #rpc_zmq_contexts = 1
  176. # Maximum number of ingress messages to locally buffer per topic. Default is
  177. # unlimited. (integer value)
  178. #rpc_zmq_topic_backlog = <None>
  179. # Directory for holding IPC sockets. (string value)
  180. #rpc_zmq_ipc_dir = /var/run/openstack
  181. # Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
  182. # "host" option, if running Nova. (string value)
  183. #rpc_zmq_host = localhost
  184. # Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
  185. # (integer value)
  186. #rpc_cast_timeout = 30
  187. # Heartbeat frequency. (integer value)
  188. #matchmaker_heartbeat_freq = 300
  189. # Heartbeat time-to-live. (integer value)
  190. #matchmaker_heartbeat_ttl = 600
  191. # Size of RPC thread pool. (integer value)
  192. #rpc_thread_pool_size = 64
  193. # Driver or drivers to handle sending notifications. (multi valued)
  194. #notification_driver =
  195. # AMQP topic used for OpenStack notifications. (list value)
  196. # Deprecated group/name - [rpc_notifier2]/topics
  197. #notification_topics = notifications
  198. # Seconds to wait for a response from a call. (integer value)
  199. #rpc_response_timeout = 60
  200. # A URL representing the messaging driver to use and its full configuration. If
  201. # not set, we fall back to the rpc_backend option and driver specific
  202. # configuration. (string value)
  203. #transport_url = <None>
  204. # The messaging driver to use, defaults to rabbit. Other drivers include qpid
  205. # and zmq. (string value)
  206. #rpc_backend = rabbit
  207. # The default exchange under which topics are scoped. May be overridden by an
  208. # exchange name specified in the transport_url option. (string value)
  209. #control_exchange = keystone
  210. [assignment]
  211. #
  212. # From keystone
  213. #
  214. # Assignment backend driver. (string value)
  215. #driver = <None>
  216. [auth]
  217. #
  218. # From keystone
  219. #
  220. # Default auth methods. (list value)
  221. #methods = external,password,token
  222. # The password auth plugin module. (string value)
  223. #password = keystone.auth.plugins.password.Password
  224. # The token auth plugin module. (string value)
  225. #token = keystone.auth.plugins.token.Token
  226. # The external (REMOTE_USER) auth plugin module. (string value)
  227. #external = keystone.auth.plugins.external.DefaultDomain
  228. [cache]
  229. #
  230. # From keystone
  231. #
  232. # Prefix for building the configuration dictionary for the cache region. This
  233. # should not need to be changed unless there is another dogpile.cache region
  234. # with the same configuration name. (string value)
  235. #config_prefix = cache.keystone
  236. # Default TTL, in seconds, for any cached item in the dogpile.cache region.
  237. # This applies to any cached method that doesn't have an explicit cache
  238. # expiration time defined for it. (integer value)
  239. #expiration_time = 600
  240. # Dogpile.cache backend module. It is recommended that Memcache with pooling
  241. # (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
  242. # production deployments. Small workloads (single process) like devstack can
  243. # use the dogpile.cache.memory backend. (string value)
  244. #backend = keystone.common.cache.noop
  245. # Arguments supplied to the backend module. Specify this option once per
  246. # argument to be passed to the dogpile.cache backend. Example format:
  247. # "<argname>:<value>". (multi valued)
  248. #backend_argument =
  249. # Proxy classes to import that will affect the way the dogpile.cache backend
  250. # functions. See the dogpile.cache documentation on changing-backend-behavior.
  251. # (list value)
  252. #proxies =
  253. # Global toggle for all caching using the should_cache_fn mechanism. (boolean
  254. # value)
  255. #enabled = false
  256. # Extra debugging from the cache backend (cache keys, get/set/delete/etc
  257. # calls). This is only really useful if you need to see the specific cache-
  258. # backend get/set/delete calls with the keys/values. Typically this should be
  259. # left set to false. (boolean value)
  260. #debug_cache_backend = false
  261. # Memcache servers in the format of "host:port". (dogpile.cache.memcache and
  262. # keystone.cache.memcache_pool backends only). (list value)
  263. #memcache_servers = localhost:11211
  264. # Number of seconds memcached server is considered dead before it is tried
  265. # again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
  266. # only). (integer value)
  267. #memcache_dead_retry = 300
  268. # Timeout in seconds for every call to a server. (dogpile.cache.memcache and
  269. # keystone.cache.memcache_pool backends only). (integer value)
  270. #memcache_socket_timeout = 3
  271. # Max total number of open connections to every memcached server.
  272. # (keystone.cache.memcache_pool backend only). (integer value)
  273. #memcache_pool_maxsize = 10
  274. # Number of seconds a connection to memcached is held unused in the pool before
  275. # it is closed. (keystone.cache.memcache_pool backend only). (integer value)
  276. #memcache_pool_unused_timeout = 60
  277. # Number of seconds that an operation will wait to get a memcache client
  278. # connection. (integer value)
  279. #memcache_pool_connection_get_timeout = 10
  280. [catalog]
  281. #
  282. # From keystone
  283. #
  284. # Catalog template file name for use with the template catalog backend. (string
  285. # value)
  286. #template_file = default_catalog.templates
  287. # Catalog backend driver. (string value)
  288. #driver = keystone.catalog.backends.sql.Catalog
  289. # Toggle for catalog caching. This has no effect unless global caching is
  290. # enabled. (boolean value)
  291. #caching = true
  292. # Time to cache catalog data (in seconds). This has no effect unless global and
  293. # catalog caching are enabled. (integer value)
  294. #cache_time = <None>
  295. # Maximum number of entities that will be returned in a catalog collection.
  296. # (integer value)
  297. #list_limit = <None>
  298. [credential]
  299. #
  300. # From keystone
  301. #
  302. # Credential backend driver. (string value)
  303. #driver = keystone.credential.backends.sql.Credential
  304. [database]
  305. #
  306. # From oslo.db
  307. #
  308. # The file name to use with SQLite. (string value)
  309. # Deprecated group/name - [DEFAULT]/sqlite_db
  310. #sqlite_db = oslo.sqlite
  311. # If True, SQLite uses synchronous mode. (boolean value)
  312. # Deprecated group/name - [DEFAULT]/sqlite_synchronous
  313. #sqlite_synchronous = true
  314. # The back end to use for the database. (string value)
  315. # Deprecated group/name - [DEFAULT]/db_backend
  316. #backend = sqlalchemy
  317. # The SQLAlchemy connection string to use to connect to the database. (string
  318. # value)
  319. # Deprecated group/name - [DEFAULT]/sql_connection
  320. # Deprecated group/name - [DATABASE]/sql_connection
  321. # Deprecated group/name - [sql]/connection
  322. #connection = <None>
  323. # The SQLAlchemy connection string to use to connect to the slave database.
  324. # (string value)
  325. #slave_connection = <None>
  326. # The SQL mode to be used for MySQL sessions. This option, including the
  327. # default, overrides any server-set SQL mode. To use whatever SQL mode is set
  328. # by the server configuration, set this to no value. Example: mysql_sql_mode=
  329. # (string value)
  330. #mysql_sql_mode = TRADITIONAL
  331. # Timeout before idle SQL connections are reaped. (integer value)
  332. # Deprecated group/name - [DEFAULT]/sql_idle_timeout
  333. # Deprecated group/name - [DATABASE]/sql_idle_timeout
  334. # Deprecated group/name - [sql]/idle_timeout
  335. #idle_timeout = 3600
  336. # Minimum number of SQL connections to keep open in a pool. (integer value)
  337. # Deprecated group/name - [DEFAULT]/sql_min_pool_size
  338. # Deprecated group/name - [DATABASE]/sql_min_pool_size
  339. #min_pool_size = 1
  340. # Maximum number of SQL connections to keep open in a pool. (integer value)
  341. # Deprecated group/name - [DEFAULT]/sql_max_pool_size
  342. # Deprecated group/name - [DATABASE]/sql_max_pool_size
  343. #max_pool_size = <None>
  344. # Maximum number of database connection retries during startup. Set to -1 to
  345. # specify an infinite retry count. (integer value)
  346. # Deprecated group/name - [DEFAULT]/sql_max_retries
  347. # Deprecated group/name - [DATABASE]/sql_max_retries
  348. #max_retries = 10
  349. # Interval between retries of opening a SQL connection. (integer value)
  350. # Deprecated group/name - [DEFAULT]/sql_retry_interval
  351. # Deprecated group/name - [DATABASE]/reconnect_interval
  352. #retry_interval = 10
  353. # If set, use this value for max_overflow with SQLAlchemy. (integer value)
  354. # Deprecated group/name - [DEFAULT]/sql_max_overflow
  355. # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
  356. #max_overflow = <None>
  357. # Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
  358. # value)
  359. # Deprecated group/name - [DEFAULT]/sql_connection_debug
  360. #connection_debug = 0
  361. # Add Python stack traces to SQL as comment strings. (boolean value)
  362. # Deprecated group/name - [DEFAULT]/sql_connection_trace
  363. #connection_trace = false
  364. # If set, use this value for pool_timeout with SQLAlchemy. (integer value)
  365. # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
  366. #pool_timeout = <None>
  367. # Enable the experimental use of database reconnect on connection lost.
  368. # (boolean value)
  369. #use_db_reconnect = false
  370. # Seconds between retries of a database transaction. (integer value)
  371. #db_retry_interval = 1
  372. # If True, increases the interval between retries of a database operation up to
  373. # db_max_retry_interval. (boolean value)
  374. #db_inc_retry_interval = true
  375. # If db_inc_retry_interval is set, the maximum seconds between retries of a
  376. # database operation. (integer value)
  377. #db_max_retry_interval = 10
  378. # Maximum retries in case of connection error or deadlock error before error is
  379. # raised. Set to -1 to specify an infinite retry count. (integer value)
  380. #db_max_retries = 20
  381. [endpoint_filter]
  382. #
  383. # From keystone
  384. #
  385. # Endpoint Filter backend driver (string value)
  386. #driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
  387. # Toggle to return all active endpoints if no filter exists. (boolean value)
  388. #return_all_endpoints_if_no_filter = true
  389. [endpoint_policy]
  390. #
  391. # From keystone
  392. #
  393. # Endpoint policy backend driver (string value)
  394. #driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
  395. [eventlet_server]
  396. #
  397. # From keystone
  398. #
  399. # The number of worker processes to serve the public eventlet application.
  400. # Defaults to number of CPUs (minimum of 2). (integer value)
  401. # Deprecated group/name - [DEFAULT]/public_workers
  402. #public_workers = <None>
  403. # The number of worker processes to serve the admin eventlet application.
  404. # Defaults to number of CPUs (minimum of 2). (integer value)
  405. # Deprecated group/name - [DEFAULT]/admin_workers
  406. #admin_workers = <None>
  407. # The IP address of the network interface for the public service to listen on.
  408. # (string value)
  409. # Deprecated group/name - [DEFAULT]/bind_host
  410. # Deprecated group/name - [DEFAULT]/public_bind_host
  411. #public_bind_host = 0.0.0.0
  412. # The port number which the public service listens on. (integer value)
  413. # Deprecated group/name - [DEFAULT]/public_port
  414. #public_port = 5000
  415. # The IP address of the network interface for the admin service to listen on.
  416. # (string value)
  417. # Deprecated group/name - [DEFAULT]/bind_host
  418. # Deprecated group/name - [DEFAULT]/admin_bind_host
  419. #admin_bind_host = 0.0.0.0
  420. # The port number which the admin service listens on. (integer value)
  421. # Deprecated group/name - [DEFAULT]/admin_port
  422. #admin_port = 35357
  423. # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
  424. # sockets used by the Keystone wsgi server for client connections. (boolean
  425. # value)
  426. # Deprecated group/name - [DEFAULT]/tcp_keepalive
  427. #tcp_keepalive = false
  428. # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
  429. # applies if tcp_keepalive is true. (integer value)
  430. # Deprecated group/name - [DEFAULT]/tcp_keepidle
  431. #tcp_keepidle = 600
  432. [eventlet_server_ssl]
  433. #
  434. # From keystone
  435. #
  436. # Toggle for SSL support on the Keystone eventlet servers. (boolean value)
  437. # Deprecated group/name - [ssl]/enable
  438. #enable = false
  439. # Path of the certfile for SSL. For non-production environments, you may be
  440. # interested in using `keystone-manage ssl_setup` to generate self-signed
  441. # certificates. (string value)
  442. # Deprecated group/name - [ssl]/certfile
  443. #certfile = /etc/keystone/ssl/certs/keystone.pem
  444. # Path of the keyfile for SSL. (string value)
  445. # Deprecated group/name - [ssl]/keyfile
  446. #keyfile = /etc/keystone/ssl/private/keystonekey.pem
  447. # Path of the CA cert file for SSL. (string value)
  448. # Deprecated group/name - [ssl]/ca_certs
  449. #ca_certs = /etc/keystone/ssl/certs/ca.pem
  450. # Require client certificate. (boolean value)
  451. # Deprecated group/name - [ssl]/cert_required
  452. #cert_required = false
  453. [federation]
  454. #
  455. # From keystone
  456. #
  457. # Federation backend driver. (string value)
  458. #driver = keystone.contrib.federation.backends.sql.Federation
  459. # Value to be used when filtering assertion parameters from the environment.
  460. # (string value)
  461. #assertion_prefix =
  462. # Value to be used to obtain the entity ID of the Identity Provider from the
  463. # environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
  464. # Provider`). (string value)
  465. #remote_id_attribute = <None>
  466. # A domain name that is reserved to allow federated ephemeral users to have a
  467. # domain concept. Note that an admin will not be able to create a domain with
  468. # this name or update an existing domain to this name. You are not advised to
  469. # change this value unless you really have to. Changing this option to empty
  470. # string or None will not have any impact and default name will be used.
  471. # (string value)
  472. #federated_domain_name = Federated
  473. # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
  474. # to return a token, the origin host must be a member of the trusted_dashboard
  475. # list. This configuration option may be repeated for multiple values. For
  476. # example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
  477. # (multi valued)
  478. #trusted_dashboard =
  479. # Location of Single Sign-On callback handler, will return a token to a trusted
  480. # dashboard host. (string value)
  481. #sso_callback_template = /etc/keystone/sso_callback_template.html
  482. [fernet_tokens]
  483. #
  484. # From keystone
  485. #
  486. # Directory containing Fernet token keys. (string value)
  487. #key_repository = /etc/keystone/fernet-keys/
  488. # This controls how many keys are held in rotation by keystone-manage
  489. # fernet_rotate before they are discarded. The default value of 3 means that
  490. # keystone will maintain one staged key, one primary key, and one secondary
  491. # key. Increasing this value means that additional secondary keys will be kept
  492. # in the rotation. (integer value)
  493. #max_active_keys = 3
  494. [identity]
  495. #
  496. # From keystone
  497. #
  498. # This references the domain to use for all Identity API v2 requests (which are
  499. # not aware of domains). A domain with this ID will be created for you by
  500. # keystone-manage db_sync in migration 008. The domain referenced by this ID
  501. # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
  502. # There is nothing special about this domain, other than the fact that it must
  503. # exist to order to maintain support for your v2 clients. (string value)
  504. #default_domain_id = default
  505. # A subset (or all) of domains can have their own identity driver, each with
  506. # their own partial configuration options, stored in either the resource
  507. # backend or in a file in a domain configuration directory (depending on the
  508. # setting of domain_configurations_from_database). Only values specific to the
  509. # domain need to be specified in this manner. This feature is disabled by
  510. # default; set to true to enable. (boolean value)
  511. #domain_specific_drivers_enabled = false
  512. # Extract the domain specific configuration options from the resource backend
  513. # where they have been stored with the domain data. This feature is disabled by
  514. # default (in which case the domain specific options will be loaded from files
  515. # in the domain configuration directory); set to true to enable. This feature
  516. # is not yet supported. (boolean value)
  517. #domain_configurations_from_database = false
  518. # Path for Keystone to locate the domain specific identity configuration files
  519. # if domain_specific_drivers_enabled is set to true. (string value)
  520. #domain_config_dir = /etc/keystone/domains
  521. # Identity backend driver. (string value)
  522. #driver = keystone.identity.backends.sql.Identity
  523. # Toggle for identity caching. This has no effect unless global caching is
  524. # enabled. (boolean value)
  525. #caching = true
  526. # Time to cache identity data (in seconds). This has no effect unless global
  527. # and identity caching are enabled. (integer value)
  528. #cache_time = 600
  529. # Maximum supported length for user passwords; decrease to improve performance.
  530. # (integer value)
  531. #max_password_length = 4096
  532. # Maximum number of entities that will be returned in an identity collection.
  533. # (integer value)
  534. #list_limit = <None>
  535. [identity_mapping]
  536. #
  537. # From keystone
  538. #
  539. # Keystone Identity Mapping backend driver. (string value)
  540. #driver = keystone.identity.mapping_backends.sql.Mapping
  541. # Public ID generator for user and group entities. The Keystone identity mapper
  542. # only supports generators that produce no more than 64 characters. (string
  543. # value)
  544. #generator = keystone.identity.id_generators.sha256.Generator
  545. # The format of user and group IDs changed in Juno for backends that do not
  546. # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
  547. # underlying attribute in LDAP. By default this mapping is disabled, which
  548. # ensures that existing IDs will not change. Even when the mapping is enabled
  549. # by using domain specific drivers, any users and groups from the default
  550. # domain being handled by LDAP will still not be mapped to ensure their IDs
  551. # remain backward compatible. Setting this value to False will enable the
  552. # mapping for even the default LDAP driver. It is only safe to do this if you
  553. # do not already have assignments for users and groups from the default LDAP
  554. # domain, and it is acceptable for Keystone to provide the different IDs to
  555. # clients than it did previously. Typically this means that the only time you
  556. # can set this value to False is when configuring a fresh installation.
  557. # (boolean value)
  558. #backward_compatible_ids = true
  559. [kvs]
  560. #
  561. # From keystone
  562. #
  563. # Extra dogpile.cache backend modules to register with the dogpile.cache
  564. # library. (list value)
  565. #backends =
  566. # Prefix for building the configuration dictionary for the KVS region. This
  567. # should not need to be changed unless there is another dogpile.cache region
  568. # with the same configuration name. (string value)
  569. #config_prefix = keystone.kvs
  570. # Toggle to disable using a key-mangling function to ensure fixed length keys.
  571. # This is toggle-able for debugging purposes, it is highly recommended to
  572. # always leave this set to true. (boolean value)
  573. #enable_key_mangler = true
  574. # Default lock timeout for distributed locking. (integer value)
  575. #default_lock_timeout = 5
  576. [ldap]
  577. #
  578. # From keystone
  579. #
  580. # URL for connecting to the LDAP server. (string value)
  581. #url = ldap://localhost
  582. # User BindDN to query the LDAP server. (string value)
  583. #user = <None>
  584. # Password for the BindDN to query the LDAP server. (string value)
  585. #password = <None>
  586. # LDAP server suffix (string value)
  587. #suffix = cn=example,cn=com
  588. # If true, will add a dummy member to groups. This is required if the
  589. # objectclass for groups requires the "member" attribute. (boolean value)
  590. #use_dumb_member = false
  591. # DN of the "dummy member" to use when "use_dumb_member" is enabled. (string
  592. # value)
  593. #dumb_member = cn=dumb,dc=nonexistent
  594. # Delete subtrees using the subtree delete control. Only enable this option if
  595. # your LDAP server supports subtree deletion. (boolean value)
  596. #allow_subtree_delete = false
  597. # The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
  598. # or "sub" (subtree/wholeSubtree). (string value)
  599. #query_scope = one
  600. # Maximum results per page; a value of zero ("0") disables paging. (integer
  601. # value)
  602. #page_size = 0
  603. # The LDAP dereferencing option for queries. This can be either "never",
  604. # "searching", "always", "finding" or "default". The "default" option falls
  605. # back to using default dereferencing configured by your ldap.conf. (string
  606. # value)
  607. #alias_dereferencing = default
  608. # Sets the LDAP debugging level for LDAP calls. A value of 0 means that
  609. # debugging is not enabled. This value is a bitmask, consult your LDAP
  610. # documentation for possible values. (integer value)
  611. #debug_level = <None>
  612. # Override the system's default referral chasing behavior for queries. (boolean
  613. # value)
  614. #chase_referrals = <None>
  615. # Search base for users. (string value)
  616. #user_tree_dn = <None>
  617. # LDAP search filter for users. (string value)
  618. #user_filter = <None>
  619. # LDAP objectclass for users. (string value)
  620. #user_objectclass = inetOrgPerson
  621. # LDAP attribute mapped to user id. WARNING: must not be a multivalued
  622. # attribute. (string value)
  623. #user_id_attribute = cn
  624. # LDAP attribute mapped to user name. (string value)
  625. #user_name_attribute = sn
  626. # LDAP attribute mapped to user email. (string value)
  627. #user_mail_attribute = mail
  628. # LDAP attribute mapped to password. (string value)
  629. #user_pass_attribute = userPassword
  630. # LDAP attribute mapped to user enabled flag. (string value)
  631. #user_enabled_attribute = enabled
  632. # Invert the meaning of the boolean enabled values. Some LDAP servers use a
  633. # boolean lock attribute where "true" means an account is disabled. Setting
  634. # "user_enabled_invert = true" will allow these lock attributes to be used.
  635. # This setting will have no effect if "user_enabled_mask" or
  636. # "user_enabled_emulation" settings are in use. (boolean value)
  637. #user_enabled_invert = false
  638. # Bitmask integer to indicate the bit that the enabled value is stored in if
  639. # the LDAP server represents "enabled" as a bit on an integer rather than a
  640. # boolean. A value of "0" indicates the mask is not used. If this is not set to
  641. # "0" the typical value is "2". This is typically used when
  642. # "user_enabled_attribute = userAccountControl". (integer value)
  643. #user_enabled_mask = 0
  644. # Default value to enable users. This should match an appropriate int value if
  645. # the LDAP server uses non-boolean (bitmask) values to indicate if a user is
  646. # enabled or disabled. If this is not set to "True" the typical value is "512".
  647. # This is typically used when "user_enabled_attribute = userAccountControl".
  648. # (string value)
  649. #user_enabled_default = True
  650. # List of attributes stripped off the user on update. (list value)
  651. #user_attribute_ignore = default_project_id,tenants
  652. # LDAP attribute mapped to default_project_id for users. (string value)
  653. #user_default_project_id_attribute = <None>
  654. # Allow user creation in LDAP backend. (boolean value)
  655. #user_allow_create = true
  656. # Allow user updates in LDAP backend. (boolean value)
  657. #user_allow_update = true
  658. # Allow user deletion in LDAP backend. (boolean value)
  659. #user_allow_delete = true
  660. # If true, Keystone uses an alternative method to determine if a user is
  661. # enabled or not by checking if they are a member of the
  662. # "user_enabled_emulation_dn" group. (boolean value)
  663. #user_enabled_emulation = false
  664. # DN of the group entry to hold enabled users when using enabled emulation.
  665. # (string value)
  666. #user_enabled_emulation_dn = <None>
  667. # List of additional LDAP attributes used for mapping additional attribute
  668. # mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>,
  669. # where ldap_attr is the attribute in the LDAP entry and user_attr is the
  670. # Identity API attribute. (list value)
  671. #user_additional_attribute_mapping =
  672. # Search base for projects (string value)
  673. # Deprecated group/name - [ldap]/tenant_tree_dn
  674. #project_tree_dn = <None>
  675. # LDAP search filter for projects. (string value)
  676. # Deprecated group/name - [ldap]/tenant_filter
  677. #project_filter = <None>
  678. # LDAP objectclass for projects. (string value)
  679. # Deprecated group/name - [ldap]/tenant_objectclass
  680. #project_objectclass = groupOfNames
  681. # LDAP attribute mapped to project id. (string value)
  682. # Deprecated group/name - [ldap]/tenant_id_attribute
  683. #project_id_attribute = cn
  684. # LDAP attribute mapped to project membership for user. (string value)
  685. # Deprecated group/name - [ldap]/tenant_member_attribute
  686. #project_member_attribute = member
  687. # LDAP attribute mapped to project name. (string value)
  688. # Deprecated group/name - [ldap]/tenant_name_attribute
  689. #project_name_attribute = ou
  690. # LDAP attribute mapped to project description. (string value)
  691. # Deprecated group/name - [ldap]/tenant_desc_attribute
  692. #project_desc_attribute = description
  693. # LDAP attribute mapped to project enabled. (string value)
  694. # Deprecated group/name - [ldap]/tenant_enabled_attribute
  695. #project_enabled_attribute = enabled
  696. # LDAP attribute mapped to project domain_id. (string value)
  697. # Deprecated group/name - [ldap]/tenant_domain_id_attribute
  698. #project_domain_id_attribute = businessCategory
  699. # List of attributes stripped off the project on update. (list value)
  700. # Deprecated group/name - [ldap]/tenant_attribute_ignore
  701. #project_attribute_ignore =
  702. # Allow project creation in LDAP backend. (boolean value)
  703. # Deprecated group/name - [ldap]/tenant_allow_create
  704. #project_allow_create = true
  705. # Allow project update in LDAP backend. (boolean value)
  706. # Deprecated group/name - [ldap]/tenant_allow_update
  707. #project_allow_update = true
  708. # Allow project deletion in LDAP backend. (boolean value)
  709. # Deprecated group/name - [ldap]/tenant_allow_delete
  710. #project_allow_delete = true
  711. # If true, Keystone uses an alternative method to determine if a project is
  712. # enabled or not by checking if they are a member of the
  713. # "project_enabled_emulation_dn" group. (boolean value)
  714. # Deprecated group/name - [ldap]/tenant_enabled_emulation
  715. #project_enabled_emulation = false
  716. # DN of the group entry to hold enabled projects when using enabled emulation.
  717. # (string value)
  718. # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
  719. #project_enabled_emulation_dn = <None>
  720. # Additional attribute mappings for projects. Attribute mapping format is
  721. # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
  722. # and user_attr is the Identity API attribute. (list value)
  723. # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
  724. #project_additional_attribute_mapping =
  725. # Search base for roles. (string value)
  726. #role_tree_dn = <None>
  727. # LDAP search filter for roles. (string value)
  728. #role_filter = <None>
  729. # LDAP objectclass for roles. (string value)
  730. #role_objectclass = organizationalRole
  731. # LDAP attribute mapped to role id. (string value)
  732. #role_id_attribute = cn
  733. # LDAP attribute mapped to role name. (string value)
  734. #role_name_attribute = ou
  735. # LDAP attribute mapped to role membership. (string value)
  736. #role_member_attribute = roleOccupant
  737. # List of attributes stripped off the role on update. (list value)
  738. #role_attribute_ignore =
  739. # Allow role creation in LDAP backend. (boolean value)
  740. #role_allow_create = true
  741. # Allow role update in LDAP backend. (boolean value)
  742. #role_allow_update = true
  743. # Allow role deletion in LDAP backend. (boolean value)
  744. #role_allow_delete = true
  745. # Additional attribute mappings for roles. Attribute mapping format is
  746. # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
  747. # and user_attr is the Identity API attribute. (list value)
  748. #role_additional_attribute_mapping =
  749. # Search base for groups. (string value)
  750. #group_tree_dn = <None>
  751. # LDAP search filter for groups. (string value)
  752. #group_filter = <None>
  753. # LDAP objectclass for groups. (string value)
  754. #group_objectclass = groupOfNames
  755. # LDAP attribute mapped to group id. (string value)
  756. #group_id_attribute = cn
  757. # LDAP attribute mapped to group name. (string value)
  758. #group_name_attribute = ou
  759. # LDAP attribute mapped to show group membership. (string value)
  760. #group_member_attribute = member
  761. # LDAP attribute mapped to group description. (string value)
  762. #group_desc_attribute = description
  763. # List of attributes stripped off the group on update. (list value)
  764. #group_attribute_ignore =
  765. # Allow group creation in LDAP backend. (boolean value)
  766. #group_allow_create = true
  767. # Allow group update in LDAP backend. (boolean value)
  768. #group_allow_update = true
  769. # Allow group deletion in LDAP backend. (boolean value)
  770. #group_allow_delete = true
  771. # Additional attribute mappings for groups. Attribute mapping format is
  772. # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
  773. # and user_attr is the Identity API attribute. (list value)
  774. #group_additional_attribute_mapping =
  775. # CA certificate file path for communicating with LDAP servers. (string value)
  776. #tls_cacertfile = <None>
  777. # CA certificate directory path for communicating with LDAP servers. (string
  778. # value)
  779. #tls_cacertdir = <None>
  780. # Enable TLS for communicating with LDAP servers. (boolean value)
  781. #use_tls = false
  782. # Valid options for tls_req_cert are demand, never, and allow. (string value)
  783. #tls_req_cert = demand
  784. # Enable LDAP connection pooling. (boolean value)
  785. #use_pool = false
  786. # Connection pool size. (integer value)
  787. #pool_size = 10
  788. # Maximum count of reconnect trials. (integer value)
  789. #pool_retry_max = 3
  790. # Time span in seconds to wait between two reconnect trials. (floating point
  791. # value)
  792. #pool_retry_delay = 0.1
  793. # Connector timeout in seconds. Value -1 indicates indefinite wait for
  794. # response. (integer value)
  795. #pool_connection_timeout = -1
  796. # Connection lifetime in seconds. (integer value)
  797. #pool_connection_lifetime = 600
  798. # Enable LDAP connection pooling for end user authentication. If use_pool is
  799. # disabled, then this setting is meaningless and is not used at all. (boolean
  800. # value)
  801. #use_auth_pool = false
  802. # End user auth connection pool size. (integer value)
  803. #auth_pool_size = 100
  804. # End user auth connection lifetime in seconds. (integer value)
  805. #auth_pool_connection_lifetime = 60
  806. [matchmaker_redis]
  807. #
  808. # From oslo.messaging
  809. #
  810. # Host to locate redis. (string value)
  811. #host = 127.0.0.1
  812. # Use this port to connect to redis host. (integer value)
  813. #port = 6379
  814. # Password for Redis server (optional). (string value)
  815. #password = <None>
  816. [matchmaker_ring]
  817. #
  818. # From oslo.messaging
  819. #
  820. # Matchmaker ring file (JSON). (string value)
  821. # Deprecated group/name - [DEFAULT]/matchmaker_ringfile
  822. #ringfile = /etc/oslo/matchmaker_ring.json
  823. [memcache]
  824. #
  825. # From keystone
  826. #
  827. # Memcache servers in the format of "host:port". (list value)
  828. #servers = localhost:11211
  829. # Number of seconds memcached server is considered dead before it is tried
  830. # again. This is used by the key value store system (e.g. token pooled
  831. # memcached persistence backend). (integer value)
  832. #dead_retry = 300
  833. # Timeout in seconds for every call to a server. This is used by the key value
  834. # store system (e.g. token pooled memcached persistence backend). (integer
  835. # value)
  836. #socket_timeout = 3
  837. # Max total number of open connections to every memcached server. This is used
  838. # by the key value store system (e.g. token pooled memcached persistence
  839. # backend). (integer value)
  840. #pool_maxsize = 10
  841. # Number of seconds a connection to memcached is held unused in the pool before
  842. # it is closed. This is used by the key value store system (e.g. token pooled
  843. # memcached persistence backend). (integer value)
  844. #pool_unused_timeout = 60
  845. # Number of seconds that an operation will wait to get a memcache client
  846. # connection. This is used by the key value store system (e.g. token pooled
  847. # memcached persistence backend). (integer value)
  848. #pool_connection_get_timeout = 10
  849. [oauth1]
  850. #
  851. # From keystone
  852. #
  853. # Credential backend driver. (string value)
  854. #driver = keystone.contrib.oauth1.backends.sql.OAuth1
  855. # Duration (in seconds) for the OAuth Request Token. (integer value)
  856. #request_token_duration = 28800
  857. # Duration (in seconds) for the OAuth Access Token. (integer value)
  858. #access_token_duration = 86400
  859. [os_inherit]
  860. #
  861. # From keystone
  862. #
  863. # role-assignment inheritance to projects from owning domain or from projects
  864. # higher in the hierarchy can be optionally enabled. (boolean value)
  865. #enabled = false
  866. [oslo_messaging_amqp]
  867. #
  868. # From oslo.messaging
  869. #
  870. # address prefix used when sending to a specific server (string value)
  871. # Deprecated group/name - [amqp1]/server_request_prefix
  872. #server_request_prefix = exclusive
  873. # address prefix used when broadcasting to all servers (string value)
  874. # Deprecated group/name - [amqp1]/broadcast_prefix
  875. #broadcast_prefix = broadcast
  876. # address prefix when sending to any server in group (string value)
  877. # Deprecated group/name - [amqp1]/group_request_prefix
  878. #group_request_prefix = unicast
  879. # Name for the AMQP container (string value)
  880. # Deprecated group/name - [amqp1]/container_name
  881. #container_name = <None>
  882. # Timeout for inactive connections (in seconds) (integer value)
  883. # Deprecated group/name - [amqp1]/idle_timeout
  884. #idle_timeout = 0
  885. # Debug: dump AMQP frames to stdout (boolean value)
  886. # Deprecated group/name - [amqp1]/trace
  887. #trace = false
  888. # CA certificate PEM file for verifing server certificate (string value)
  889. # Deprecated group/name - [amqp1]/ssl_ca_file
  890. #ssl_ca_file =
  891. # Identifying certificate PEM file to present to clients (string value)
  892. # Deprecated group/name - [amqp1]/ssl_cert_file
  893. #ssl_cert_file =
  894. # Private key PEM file used to sign cert_file certificate (string value)
  895. # Deprecated group/name - [amqp1]/ssl_key_file
  896. #ssl_key_file =
  897. # Password for decrypting ssl_key_file (if encrypted) (string value)
  898. # Deprecated group/name - [amqp1]/ssl_key_password
  899. #ssl_key_password = <None>
  900. # Accept clients using either SSL or plain TCP (boolean value)
  901. # Deprecated group/name - [amqp1]/allow_insecure_clients
  902. #allow_insecure_clients = false
  903. [oslo_messaging_qpid]
  904. #
  905. # From oslo.messaging
  906. #
  907. # Use durable queues in AMQP. (boolean value)
  908. # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
  909. #amqp_durable_queues = false
  910. # Auto-delete queues in AMQP. (boolean value)
  911. # Deprecated group/name - [DEFAULT]/amqp_auto_delete
  912. #amqp_auto_delete = false
  913. # Size of RPC connection pool. (integer value)
  914. # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
  915. #rpc_conn_pool_size = 30
  916. # Qpid broker hostname. (string value)
  917. # Deprecated group/name - [DEFAULT]/qpid_hostname
  918. #qpid_hostname = localhost
  919. # Qpid broker port. (integer value)
  920. # Deprecated group/name - [DEFAULT]/qpid_port
  921. #qpid_port = 5672
  922. # Qpid HA cluster host:port pairs. (list value)
  923. # Deprecated group/name - [DEFAULT]/qpid_hosts
  924. #qpid_hosts = $qpid_hostname:$qpid_port
  925. # Username for Qpid connection. (string value)
  926. # Deprecated group/name - [DEFAULT]/qpid_username
  927. #qpid_username =
  928. # Password for Qpid connection. (string value)
  929. # Deprecated group/name - [DEFAULT]/qpid_password
  930. #qpid_password =
  931. # Space separated list of SASL mechanisms to use for auth. (string value)
  932. # Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
  933. #qpid_sasl_mechanisms =
  934. # Seconds between connection keepalive heartbeats. (integer value)
  935. # Deprecated group/name - [DEFAULT]/qpid_heartbeat
  936. #qpid_heartbeat = 60
  937. # Transport to use, either 'tcp' or 'ssl'. (string value)
  938. # Deprecated group/name - [DEFAULT]/qpid_protocol
  939. #qpid_protocol = tcp
  940. # Whether to disable the Nagle algorithm. (boolean value)
  941. # Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
  942. #qpid_tcp_nodelay = true
  943. # The number of prefetched messages held by receiver. (integer value)
  944. # Deprecated group/name - [DEFAULT]/qpid_receiver_capacity
  945. #qpid_receiver_capacity = 1
  946. # The qpid topology version to use. Version 1 is what was originally used by
  947. # impl_qpid. Version 2 includes some backwards-incompatible changes that allow
  948. # broker federation to work. Users should update to version 2 when they are
  949. # able to take everything down, as it requires a clean break. (integer value)
  950. # Deprecated group/name - [DEFAULT]/qpid_topology_version
  951. #qpid_topology_version = 1
  952. [oslo_messaging_rabbit]
  953. #
  954. # From oslo.messaging
  955. #
  956. # Use durable queues in AMQP. (boolean value)
  957. # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
  958. #amqp_durable_queues = false
  959. # Auto-delete queues in AMQP. (boolean value)
  960. # Deprecated group/name - [DEFAULT]/amqp_auto_delete
  961. #amqp_auto_delete = false
  962. # Size of RPC connection pool. (integer value)
  963. # Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
  964. #rpc_conn_pool_size = 30
  965. # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
  966. # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
  967. # distributions. (string value)
  968. # Deprecated group/name - [DEFAULT]/kombu_ssl_version
  969. #kombu_ssl_version =
  970. # SSL key file (valid only if SSL enabled). (string value)
  971. # Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
  972. #kombu_ssl_keyfile =
  973. # SSL cert file (valid only if SSL enabled). (string value)
  974. # Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
  975. #kombu_ssl_certfile =
  976. # SSL certification authority file (valid only if SSL enabled). (string value)
  977. # Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs
  978. #kombu_ssl_ca_certs =
  979. # How long to wait before reconnecting in response to an AMQP consumer cancel
  980. # notification. (floating point value)
  981. # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
  982. #kombu_reconnect_delay = 1.0
  983. # The RabbitMQ broker address where a single node is used. (string value)
  984. # Deprecated group/name - [DEFAULT]/rabbit_host
  985. #rabbit_host = localhost
  986. # The RabbitMQ broker port where a single node is used. (integer value)
  987. # Deprecated group/name - [DEFAULT]/rabbit_port
  988. #rabbit_port = 5672
  989. # RabbitMQ HA cluster host:port pairs. (list value)
  990. # Deprecated group/name - [DEFAULT]/rabbit_hosts
  991. #rabbit_hosts = $rabbit_host:$rabbit_port
  992. # Connect over SSL for RabbitMQ. (boolean value)
  993. # Deprecated group/name - [DEFAULT]/rabbit_use_ssl
  994. #rabbit_use_ssl = false
  995. # The RabbitMQ userid. (string value)
  996. # Deprecated group/name - [DEFAULT]/rabbit_userid
  997. #rabbit_userid = guest
  998. # The RabbitMQ password. (string value)
  999. # Deprecated group/name - [DEFAULT]/rabbit_password
  1000. #rabbit_password = guest
  1001. # The RabbitMQ login method. (string value)
  1002. # Deprecated group/name - [DEFAULT]/rabbit_login_method
  1003. #rabbit_login_method = AMQPLAIN
  1004. # The RabbitMQ virtual host. (string value)
  1005. # Deprecated group/name - [DEFAULT]/rabbit_virtual_host
  1006. #rabbit_virtual_host = /
  1007. # How frequently to retry connecting with RabbitMQ. (integer value)
  1008. #rabbit_retry_interval = 1
  1009. # How long to backoff for between retries when connecting to RabbitMQ. (integer
  1010. # value)
  1011. # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
  1012. #rabbit_retry_backoff = 2
  1013. # Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry
  1014. # count). (integer value)
  1015. # Deprecated group/name - [DEFAULT]/rabbit_max_retries
  1016. #rabbit_max_retries = 0
  1017. # Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you
  1018. # must wipe the RabbitMQ database. (boolean value)
  1019. # Deprecated group/name - [DEFAULT]/rabbit_ha_queues
  1020. #rabbit_ha_queues = false
  1021. # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
  1022. # Deprecated group/name - [DEFAULT]/fake_rabbit
  1023. #fake_rabbit = false
  1024. [oslo_middleware]
  1025. #
  1026. # From oslo.middleware
  1027. #
  1028. # The maximum body size for each request, in bytes. (integer value)
  1029. # Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
  1030. # Deprecated group/name - [DEFAULT]/max_request_body_size
  1031. #max_request_body_size = 114688
  1032. [paste_deploy]
  1033. #
  1034. # From keystone
  1035. #
  1036. # Name of the paste configuration file that defines the available pipelines.
  1037. # (string value)
  1038. #config_file = keystone-paste.ini
  1039. [policy]
  1040. #
  1041. # From keystone
  1042. #
  1043. # Policy backend driver. (string value)
  1044. #driver = keystone.policy.backends.sql.Policy
  1045. # Maximum number of entities that will be returned in a policy collection.
  1046. # (integer value)
  1047. #list_limit = <None>
  1048. [resource]
  1049. #
  1050. # From keystone
  1051. #
  1052. # Resource backend driver. If a resource driver is not specified, the
  1053. # assignment driver will choose the resource driver. (string value)
  1054. #driver = <None>
  1055. # Toggle for resource caching. This has no effect unless global caching is
  1056. # enabled. (boolean value)
  1057. # Deprecated group/name - [assignment]/caching
  1058. #caching = true
  1059. # TTL (in seconds) to cache resource data. This has no effect unless global
  1060. # caching is enabled. (integer value)
  1061. # Deprecated group/name - [assignment]/cache_time
  1062. #cache_time = <None>
  1063. # Maximum number of entities that will be returned in a resource collection.
  1064. # (integer value)
  1065. # Deprecated group/name - [assignment]/list_limit
  1066. #list_limit = <None>
  1067. [revoke]
  1068. #
  1069. # From keystone
  1070. #
  1071. # An implementation of the backend for persisting revocation events. (string
  1072. # value)
  1073. #driver = keystone.contrib.revoke.backends.sql.Revoke
  1074. # This value (calculated in seconds) is added to token expiration before a
  1075. # revocation event may be removed from the backend. (integer value)
  1076. #expiration_buffer = 1800
  1077. # Toggle for revocation event caching. This has no effect unless global caching
  1078. # is enabled. (boolean value)
  1079. #caching = true
  1080. [role]
  1081. #
  1082. # From keystone
  1083. #
  1084. # Role backend driver. (string value)
  1085. #driver = <None>
  1086. # Toggle for role caching. This has no effect unless global caching is enabled.
  1087. # (boolean value)
  1088. #caching = true
  1089. # TTL (in seconds) to cache role data. This has no effect unless global caching
  1090. # is enabled. (integer value)
  1091. #cache_time = <None>
  1092. # Maximum number of entities that will be returned in a role collection.
  1093. # (integer value)
  1094. #list_limit = <None>
  1095. [saml]
  1096. #
  1097. # From keystone
  1098. #
  1099. # Default TTL, in seconds, for any generated SAML assertion created by
  1100. # Keystone. (integer value)
  1101. #assertion_expiration_time = 3600
  1102. # Binary to be called for XML signing. Install the appropriate package, specify
  1103. # absolute path or adjust your PATH environment variable if the binary cannot
  1104. # be found. (string value)
  1105. #xmlsec1_binary = xmlsec1
  1106. # Path of the certfile for SAML signing. For non-production environments, you
  1107. # may be interested in using `keystone-manage pki_setup` to generate self-
  1108. # signed certificates. Note, the path cannot contain a comma. (string value)
  1109. #certfile = /etc/keystone/ssl/certs/signing_cert.pem
  1110. # Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
  1111. # (string value)
  1112. #keyfile = /etc/keystone/ssl/private/signing_key.pem
  1113. # Entity ID value for unique Identity Provider identification. Usually FQDN is
  1114. # set with a suffix. A value is required to generate IDP Metadata. For example:
  1115. # https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value)
  1116. #idp_entity_id = <None>
  1117. # Identity Provider Single-Sign-On service value, required in the Identity
  1118. # Provider's metadata. A value is required to generate IDP Metadata. For
  1119. # example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string
  1120. # value)
  1121. #idp_sso_endpoint = <None>
  1122. # Language used by the organization. (string value)
  1123. #idp_lang = en
  1124. # Organization name the installation belongs to. (string value)
  1125. #idp_organization_name = <None>
  1126. # Organization name to be displayed. (string value)
  1127. #idp_organization_display_name = <None>
  1128. # URL of the organization. (string value)
  1129. #idp_organization_url = <None>
  1130. # Company of contact person. (string value)
  1131. #idp_contact_company = <None>
  1132. # Given name of contact person (string value)
  1133. #idp_contact_name = <None>
  1134. # Surname of contact person. (string value)
  1135. #idp_contact_surname = <None>
  1136. # Email address of contact person. (string value)
  1137. #idp_contact_email = <None>
  1138. # Telephone number of contact person. (string value)
  1139. #idp_contact_telephone = <None>
  1140. # Contact type. Allowed values are: technical, support, administrative billing,
  1141. # and other (string value)
  1142. #idp_contact_type = other
  1143. # Path to the Identity Provider Metadata file. This file should be generated
  1144. # with the keystone-manage saml_idp_metadata command. (string value)
  1145. #idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
  1146. [signing]
  1147. #
  1148. # From keystone
  1149. #
  1150. # Path of the certfile for token signing. For non-production environments, you
  1151. # may be interested in using `keystone-manage pki_setup` to generate self-
  1152. # signed certificates. (string value)
  1153. #certfile = /etc/keystone/ssl/certs/signing_cert.pem
  1154. # Path of the keyfile for token signing. (string value)
  1155. #keyfile = /etc/keystone/ssl/private/signing_key.pem
  1156. # Path of the CA for token signing. (string value)
  1157. #ca_certs = /etc/keystone/ssl/certs/ca.pem
  1158. # Path of the CA key for token signing. (string value)
  1159. #ca_key = /etc/keystone/ssl/private/cakey.pem
  1160. # Key size (in bits) for token signing cert (auto generated certificate).
  1161. # (integer value)
  1162. #key_size = 2048
  1163. # Days the token signing cert is valid for (auto generated certificate).
  1164. # (integer value)
  1165. #valid_days = 3650
  1166. # Certificate subject (auto generated certificate) for token signing. (string
  1167. # value)
  1168. #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
  1169. [ssl]
  1170. #
  1171. # From keystone
  1172. #
  1173. # Path of the CA key file for SSL. (string value)
  1174. #ca_key = /etc/keystone/ssl/private/cakey.pem
  1175. # SSL key length (in bits) (auto generated certificate). (integer value)
  1176. #key_size = 1024
  1177. # Days the certificate is valid for once signed (auto generated certificate).
  1178. # (integer value)
  1179. #valid_days = 3650
  1180. # SSL certificate subject (auto generated certificate). (string value)
  1181. #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
  1182. [token]
  1183. #
  1184. # From keystone
  1185. #
  1186. # External auth mechanisms that should add bind information to token, e.g.,
  1187. # kerberos,x509. (list value)
  1188. #bind =
  1189. # Enforcement policy on tokens presented to Keystone with bind information. One
  1190. # of disabled, permissive, strict, required or a specifically required bind
  1191. # mode, e.g., kerberos or x509 to require binding to that authentication.
  1192. # (string value)
  1193. #enforce_token_bind = permissive
  1194. # Amount of time a token should remain valid (in seconds). (integer value)
  1195. #expiration = 3600
  1196. # Controls the token construction, validation, and revocation operations. Core
  1197. # providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". The
  1198. # default provider is uuid. (string value)
  1199. #provider = keystone.token.providers.uuid.Provider
  1200. # Token persistence backend driver. (string value)
  1201. #driver = keystone.token.persistence.backends.sql.Token
  1202. # Toggle for token system caching. This has no effect unless global caching is
  1203. # enabled. (boolean value)
  1204. #caching = true
  1205. # Time to cache the revocation list and the revocation events if revoke
  1206. # extension is enabled (in seconds). This has no effect unless global and token
  1207. # caching are enabled. (integer value)
  1208. #revocation_cache_time = 3600
  1209. # Time to cache tokens (in seconds). This has no effect unless global and token
  1210. # caching are enabled. (integer value)
  1211. #cache_time = <None>
  1212. # Revoke token by token identifier. Setting revoke_by_id to true enables
  1213. # various forms of enumerating tokens, e.g. `list tokens for user`. These
  1214. # enumerations are processed to determine the list of tokens to revoke. Only
  1215. # disable if you are switching to using the Revoke extension with a backend
  1216. # other than KVS, which stores events in memory. (boolean value)
  1217. #revoke_by_id = true
  1218. # Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false
  1219. # prevents a user from exchanging a scoped token for any other token. (boolean
  1220. # value)
  1221. #allow_rescope_scoped_token = true
  1222. # The hash algorithm to use for PKI tokens. This can be set to any algorithm
  1223. # that hashlib supports. WARNING: Before changing this value, the auth_token
  1224. # middleware must be configured with the hash_algorithms, otherwise token
  1225. # revocation will not be processed correctly. (string value)
  1226. #hash_algorithm = md5
  1227. [trust]
  1228. #
  1229. # From keystone
  1230. #
  1231. # Delegation and impersonation features can be optionally disabled. (boolean
  1232. # value)
  1233. #enabled = true
  1234. # Enable redelegation feature. (boolean value)
  1235. #allow_redelegation = false
  1236. # Maximum depth of trust redelegation. (integer value)
  1237. #max_redelegation_count = 3
  1238. # Trust backend driver. (string value)
  1239. #driver = keystone.trust.backends.sql.Trust