53a83c2073
Based upon the keystone caching (using dogpile.cache) implementation
token caching is implemented in this patchset.
This patchset inclues basic Token caching as the first implementation
of this caching layer. The following methods are cached:
* token_api.get_token,
* token_api.list_revoked_tokens
* token_provider_api.validate_v3_token
* token_provider_api.check_v3_token
* token_provider_api.check_v2_token
* token_provider_api.validate_v2_token
* token_provider_api.validate_token
Calls to token_api.delete_token and token_api.delete_tokens will
properly invalidate the cache for the tokens being acted upon, as
well as invalidating the cache for the revoked_tokens_list and the
validate/check token calls.
Token caching is configurable independantly of the revocation_list
caching.
Lifted expiration checks from the token drivers to the token manager.
This ensures that cached tokens will still raise TokenNotFound when
expired.
For cache consistency, all token_ids are transformed into the short
token hash at the provider and token_driver level. Some methods would
have access to the full ID (PKI Tokens), and some methods would not.
Cache invalidation is inconsistent without token_id normalization.
DocImpact
partial-blueprint: caching-layer-for-driver-calls
Change-Id: Ifada0db0043fede504a091670ccc521196c2f19c
368 lines
12 KiB
Plaintext
368 lines
12 KiB
Plaintext
[DEFAULT]
|
|
# A "shared secret" between keystone and other openstack services
|
|
# admin_token = ADMIN
|
|
|
|
# The IP address of the network interface to listen on
|
|
# bind_host = 0.0.0.0
|
|
|
|
# The port number which the public service listens on
|
|
# public_port = 5000
|
|
|
|
# The port number which the public admin listens on
|
|
# admin_port = 35357
|
|
|
|
# The base endpoint URLs for keystone that are advertised to clients
|
|
# (NOTE: this does NOT affect how keystone listens for connections)
|
|
# public_endpoint = http://localhost:%(public_port)s/
|
|
# admin_endpoint = http://localhost:%(admin_port)s/
|
|
|
|
# The port number which the OpenStack Compute service listens on
|
|
# compute_port = 8774
|
|
|
|
# Path to your policy definition containing identity actions
|
|
# policy_file = policy.json
|
|
|
|
# Rule to check if no matching policy definition is found
|
|
# FIXME(dolph): This should really be defined as [policy] default_rule
|
|
# policy_default_rule = admin_required
|
|
|
|
# Role for migrating membership relationships
|
|
# During a SQL upgrade, the following values will be used to create a new role
|
|
# that will replace records in the user_tenant_membership table with explicit
|
|
# role grants. After migration, the member_role_id will be used in the API
|
|
# add_user_to_project, and member_role_name will be ignored.
|
|
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
|
|
# member_role_name = _member_
|
|
|
|
# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
|
|
# max_request_body_size = 114688
|
|
|
|
# limit the sizes of user & tenant ID/names
|
|
# max_param_size = 64
|
|
|
|
# similar to max_param_size, but provides an exception for token values
|
|
# max_token_size = 8192
|
|
|
|
# === Logging Options ===
|
|
# Print debugging output
|
|
# (includes plaintext request logging, potentially including passwords)
|
|
# debug = False
|
|
|
|
# Print more verbose output
|
|
# verbose = False
|
|
|
|
# Name of log file to output to. If not set, logging will go to stdout.
|
|
# log_file = keystone.log
|
|
|
|
# The directory to keep log files in (will be prepended to --logfile)
|
|
# log_dir = /var/log/keystone
|
|
|
|
# Use syslog for logging.
|
|
# use_syslog = False
|
|
|
|
# syslog facility to receive log lines
|
|
# syslog_log_facility = LOG_USER
|
|
|
|
# If this option is specified, the logging configuration file specified is
|
|
# used and overrides any other logging options specified. Please see the
|
|
# Python logging module documentation for details on logging configuration
|
|
# files.
|
|
# log_config = logging.conf
|
|
|
|
# A logging.Formatter log message format string which may use any of the
|
|
# available logging.LogRecord attributes.
|
|
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
|
|
|
|
# Format string for %(asctime)s in log records.
|
|
# log_date_format = %Y-%m-%d %H:%M:%S
|
|
|
|
# onready allows you to send a notification when the process is ready to serve
|
|
# For example, to have it notify using systemd, one could set shell command:
|
|
# onready = systemd-notify --ready
|
|
# or a module with notify() method:
|
|
# onready = keystone.common.systemd
|
|
|
|
[sql]
|
|
# The SQLAlchemy connection string used to connect to the database
|
|
# connection = sqlite:///keystone.db
|
|
|
|
# the timeout before idle sql connections are reaped
|
|
# idle_timeout = 200
|
|
|
|
[identity]
|
|
# driver = keystone.identity.backends.sql.Identity
|
|
|
|
# This references the domain to use for all Identity API v2 requests (which are
|
|
# not aware of domains). A domain with this ID will be created for you by
|
|
# keystone-manage db_sync in migration 008. The domain referenced by this ID
|
|
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
|
|
# There is nothing special about this domain, other than the fact that it must
|
|
# exist to order to maintain support for your v2 clients.
|
|
# default_domain_id = default
|
|
#
|
|
# A subset (or all) of domains can have their own identity driver, each with
|
|
# their own partial configuration file in a domain configuration directory.
|
|
# Only values specific to the domain need to be placed in the domain specific
|
|
# configuration file. This feature is disabled by default; set
|
|
# domain_specific_drivers_enabled to True to enable.
|
|
# domain_specific_drivers_enabled = False
|
|
# domain_config_dir = /etc/keystone/domains
|
|
|
|
# Maximum supported length for user passwords; decrease to improve performance.
|
|
# max_password_length = 4096
|
|
|
|
[credential]
|
|
# driver = keystone.credential.backends.sql.Credential
|
|
|
|
[trust]
|
|
# driver = keystone.trust.backends.sql.Trust
|
|
|
|
# delegation and impersonation features can be optionally disabled
|
|
# enabled = True
|
|
|
|
[os_inherit]
|
|
# role-assignment inheritance to projects from owning domain can be
|
|
# optionally enabled
|
|
# enabled = False
|
|
|
|
[catalog]
|
|
# dynamic, sql-based backend (supports API/CLI-based management commands)
|
|
# driver = keystone.catalog.backends.sql.Catalog
|
|
|
|
# static, file-based backend (does *NOT* support any management commands)
|
|
# driver = keystone.catalog.backends.templated.TemplatedCatalog
|
|
|
|
# template_file = default_catalog.templates
|
|
|
|
[endpoint_filter]
|
|
# extension for creating associations between project and endpoints in order to
|
|
# provide a tailored catalog for project-scoped token requests.
|
|
# driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
|
|
# return_all_endpoints_if_no_filter = True
|
|
|
|
[token]
|
|
# Provides token persistence.
|
|
# driver = keystone.token.backends.sql.Token
|
|
|
|
# Controls the token construction, validation, and revocation operations.
|
|
# Core providers are keystone.token.providers.[pki|uuid].Provider
|
|
# provider =
|
|
|
|
# Amount of time a token should remain valid (in seconds)
|
|
# expiration = 86400
|
|
|
|
# External auth mechanisms that should add bind information to token.
|
|
# eg kerberos, x509
|
|
# bind =
|
|
|
|
# Enforcement policy on tokens presented to keystone with bind information.
|
|
# One of disabled, permissive, strict, required or a specifically required bind
|
|
# mode e.g. kerberos or x509 to require binding to that authentication.
|
|
# enforce_token_bind = permissive
|
|
|
|
# Token specific caching toggle. This has no effect unless the global caching
|
|
# option is set to True
|
|
# caching = True
|
|
|
|
# Token specific cache time-to-live (TTL) in seconds.
|
|
# cache_time =
|
|
|
|
# Revocation-List specific cache time-to-live (TTL) in seconds.
|
|
# revocation_cache_time = 3600
|
|
|
|
[cache]
|
|
# Global cache functionality toggle.
|
|
# enabled = False
|
|
|
|
# Prefix for building the configuration dictionary for the cache region. This
|
|
# should not need to be changed unless there is another dogpile.cache region
|
|
# with the same configuration name
|
|
# config_prefix = cache.keystone
|
|
|
|
# Default TTL, in seconds, for any cached item in the dogpile.cache region.
|
|
# This applies to any cached method that doesn't have an explicit cache
|
|
# expiration time defined for it.
|
|
# expiration_time = 600
|
|
|
|
# Dogpile.cache backend module. It is recommended that Memcache
|
|
# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
|
|
# deployments. Small workloads (single process) like devstack can use the
|
|
# dogpile.cache.memory backend.
|
|
# backend = keystone.common.cache.noop
|
|
|
|
# Arguments supplied to the backend module. Specify this option once per
|
|
# argument to be passed to the dogpile.cache backend.
|
|
# Example format: <argname>:<value>
|
|
# backend_argument =
|
|
|
|
# Proxy Classes to import that will affect the way the dogpile.cache backend
|
|
# functions. See the dogpile.cache documentation on changing-backend-behavior.
|
|
# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
|
|
# proxies =
|
|
|
|
# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
|
|
# is toggle-able for debugging purposes, it is highly recommended to always
|
|
# leave this set to True.
|
|
# use_key_mangler = True
|
|
|
|
# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
|
|
# This is only really useful if you need to see the specific cache-backend
|
|
# get/set/delete calls with the keys/values. Typically this should be left
|
|
# set to False.
|
|
# debug_cache_backend = False
|
|
|
|
[policy]
|
|
# driver = keystone.policy.backends.sql.Policy
|
|
|
|
[ec2]
|
|
# driver = keystone.contrib.ec2.backends.kvs.Ec2
|
|
|
|
[assignment]
|
|
# driver =
|
|
|
|
[oauth1]
|
|
# driver = keystone.contrib.oauth1.backends.sql.OAuth1
|
|
|
|
# The Identity service may include expire attributes.
|
|
# If no such attribute is included, then the token lasts indefinitely.
|
|
# Specify how quickly the request token will expire (in seconds)
|
|
# request_token_duration = 28800
|
|
# Specify how quickly the access token will expire (in seconds)
|
|
# access_token_duration = 86400
|
|
|
|
[ssl]
|
|
#enable = True
|
|
#certfile = /etc/keystone/pki/certs/ssl_cert.pem
|
|
#keyfile = /etc/keystone/pki/private/ssl_key.pem
|
|
#ca_certs = /etc/keystone/pki/certs/cacert.pem
|
|
#ca_key = /etc/keystone/pki/private/cakey.pem
|
|
#key_size = 1024
|
|
#valid_days = 3650
|
|
#ca_password = None
|
|
#cert_required = False
|
|
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
|
|
|
|
[signing]
|
|
# Deprecated in favor of provider in the [token] section
|
|
# Allowed values are PKI or UUID
|
|
#token_format =
|
|
|
|
#certfile = /etc/keystone/pki/certs/signing_cert.pem
|
|
#keyfile = /etc/keystone/pki/private/signing_key.pem
|
|
#ca_certs = /etc/keystone/pki/certs/cacert.pem
|
|
#ca_key = /etc/keystone/pki/private/cakey.pem
|
|
#key_size = 2048
|
|
#valid_days = 3650
|
|
#ca_password = None
|
|
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
|
|
|
|
[ldap]
|
|
# url = ldap://localhost
|
|
# user = dc=Manager,dc=example,dc=com
|
|
# password = None
|
|
# suffix = cn=example,cn=com
|
|
# use_dumb_member = False
|
|
# allow_subtree_delete = False
|
|
# dumb_member = cn=dumb,dc=example,dc=com
|
|
|
|
# Maximum results per page; a value of zero ('0') disables paging (default)
|
|
# page_size = 0
|
|
|
|
# The LDAP dereferencing option for queries. This can be either 'never',
|
|
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
|
|
# back to using default dereferencing configured by your ldap.conf.
|
|
# alias_dereferencing = default
|
|
|
|
# The LDAP scope for queries, this can be either 'one'
|
|
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
|
|
# query_scope = one
|
|
|
|
# user_tree_dn = ou=Users,dc=example,dc=com
|
|
# user_filter =
|
|
# user_objectclass = inetOrgPerson
|
|
# user_domain_id_attribute = businessCategory
|
|
# user_id_attribute = cn
|
|
# user_name_attribute = sn
|
|
# user_mail_attribute = email
|
|
# user_pass_attribute = userPassword
|
|
# user_enabled_attribute = enabled
|
|
# user_enabled_mask = 0
|
|
# user_enabled_default = True
|
|
# user_attribute_ignore = tenant_id,tenants
|
|
# user_allow_create = True
|
|
# user_allow_update = True
|
|
# user_allow_delete = True
|
|
# user_enabled_emulation = False
|
|
# user_enabled_emulation_dn =
|
|
|
|
# tenant_tree_dn = ou=Projects,dc=example,dc=com
|
|
# tenant_filter =
|
|
# tenant_objectclass = groupOfNames
|
|
# tenant_domain_id_attribute = businessCategory
|
|
# tenant_id_attribute = cn
|
|
# tenant_member_attribute = member
|
|
# tenant_name_attribute = ou
|
|
# tenant_desc_attribute = desc
|
|
# tenant_enabled_attribute = enabled
|
|
# tenant_attribute_ignore =
|
|
# tenant_allow_create = True
|
|
# tenant_allow_update = True
|
|
# tenant_allow_delete = True
|
|
# tenant_enabled_emulation = False
|
|
# tenant_enabled_emulation_dn =
|
|
|
|
# role_tree_dn = ou=Roles,dc=example,dc=com
|
|
# role_filter =
|
|
# role_objectclass = organizationalRole
|
|
# role_id_attribute = cn
|
|
# role_name_attribute = ou
|
|
# role_member_attribute = roleOccupant
|
|
# role_attribute_ignore =
|
|
# role_allow_create = True
|
|
# role_allow_update = True
|
|
# role_allow_delete = True
|
|
|
|
# group_tree_dn =
|
|
# group_filter =
|
|
# group_objectclass = groupOfNames
|
|
# group_id_attribute = cn
|
|
# group_name_attribute = ou
|
|
# group_member_attribute = member
|
|
# group_desc_attribute = desc
|
|
# group_attribute_ignore =
|
|
# group_allow_create = True
|
|
# group_allow_update = True
|
|
# group_allow_delete = True
|
|
|
|
# ldap TLS options
|
|
# if both tls_cacertfile and tls_cacertdir are set then
|
|
# tls_cacertfile will be used and tls_cacertdir is ignored
|
|
# valid options for tls_req_cert are demand, never, and allow
|
|
# use_tls = False
|
|
# tls_cacertfile =
|
|
# tls_cacertdir =
|
|
# tls_req_cert = demand
|
|
|
|
# Additional attribute mappings can be used to map ldap attributes to internal
|
|
# keystone attributes. This allows keystone to fulfill ldap objectclass
|
|
# requirements. An example to map the description and gecos attributes to a
|
|
# user's name would be:
|
|
# user_additional_attribute_mapping = description:name, gecos:name
|
|
#
|
|
# domain_additional_attribute_mapping =
|
|
# group_additional_attribute_mapping =
|
|
# role_additional_attribute_mapping =
|
|
# project_additional_attribute_mapping =
|
|
# user_additional_attribute_mapping =
|
|
|
|
[auth]
|
|
methods = external,password,token,oauth1
|
|
#external = keystone.auth.plugins.external.ExternalDefault
|
|
password = keystone.auth.plugins.password.Password
|
|
token = keystone.auth.plugins.token.Token
|
|
oauth1 = keystone.auth.plugins.oauth1.OAuth
|
|
|
|
[paste_deploy]
|
|
# Name of the paste configuration file that defines the available pipelines
|
|
config_file = keystone-paste.ini
|