[config-ref] Update keystone tables
Change-Id: Id5bb093eb05a38aa0bd4cd11f2c08de9a5f64c46
This commit is contained in:
parent
121b7a06f3
commit
0806ec8ea4
@ -12,6 +12,7 @@ service options.
|
||||
.. include:: ../tables/keystone-ca.rst
|
||||
.. include:: ../tables/keystone-catalog.rst
|
||||
.. include:: ../tables/keystone-common.rst
|
||||
.. include:: ../tables/keystone-compliance.rst
|
||||
.. include:: ../tables/keystone-credential.rst
|
||||
.. include:: ../tables/keystone-debug.rst
|
||||
.. include:: ../tables/keystone-domain.rst
|
||||
|
@ -37,7 +37,11 @@
|
||||
* - ``public_endpoint`` = ``None``
|
||||
- (URI) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
|
||||
* - ``secure_proxy_ssl_header`` = ``HTTP_X_FORWARDED_PROTO``
|
||||
- (String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
|
||||
- (String) The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
|
||||
* - ``strict_password_check`` = ``False``
|
||||
- (Boolean) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length.
|
||||
* - **[oslo_middleware]**
|
||||
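Review bot: the `public_endpoint` context row still carries the doubled verb "then this will option will be automatically treated"; since this table is generated from keystone's option help text, that fix belongs in the keystone source rather than here. On the `secure_proxy_ssl_header` rows, splitting the old inline "DEPRECATED:" text into a description plus a **Deprecated** block is the right shape, but the two tables in this change spell the same setting differently: `[DEFAULT]` keeps the WSGI environ key (``HTTP_X_FORWARDED_PROTO``) while `[oslo_middleware]` uses the header name (``X-Forwarded-Proto``). A one-line pointer that the replacement is the `[oslo_middleware]` option, written in header-name form, would save operators a mismatch when they migrate. In either form the description should also say that the header is only safe to honour when the SSL-terminating proxy is the only party able to set it; neither row says so.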
@ -47,4 +51,70 @@
|
||||
* - ``max_request_body_size`` = ``114688``
|
||||
- (Integer) The maximum body size for each request, in bytes.
|
||||
* - ``secure_proxy_ssl_header`` = ``X-Forwarded-Proto``
|
||||
- (String) DEPRECATED: The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.
|
||||
- (String) The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
No deprecation reason provided for this option.
|
||||
* - **[shadow_users]**
|
||||
-
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entry point for the shadow users backend driver in the `keystone.identity.shadow_users` namespace. This driver is used for persisting local user references to externally-managed identities (via federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no reason to change this option unless you are providing a custom entry point.
|
||||
* - **[paste_deploy]**
|
||||
-
|
||||
* - ``config_file`` = ``keystone-paste.ini``
|
||||
- (String) Name of (or absolute path to) the Paste Deploy configuration file that composes middleware and the keystone application itself into actual WSGI entry points. See http://pythonpaste.org/deploy/ for additional documentation on the file's format.
|
||||
* - **[endpoint_filter]**
|
||||
-
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entry point for the endpoint filter driver in the `keystone.endpoint_filter` namespace. Only a `sql` option is provided by keystone, so there is no reason to set this unless you are providing a custom entry point.
|
||||
* - ``return_all_endpoints_if_no_filter`` = ``True``
|
||||
- (Boolean) This controls keystone's behavior if the configured endpoint filters do not result in any endpoints for a user + project pair (and therefore a potentially empty service catalog). If set to true, keystone will return the entire service catalog. If set to false, keystone will return an empty service catalog.
|
||||
* - **[eventlet_server]**
|
||||
-
|
||||
* - ``public_bind_host`` = ``0.0.0.0``
|
||||
- (Unknown) The IP address of the network interface for the public service to listen on.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
Support for running keystone under eventlet has been removed in the Newton release. These options remain for backwards compatibility because they are used for URL substitutions.
|
||||
* - ``public_port`` = ``5000``
|
||||
- (Port number) The port number for the public service to listen on.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
Support for running keystone under eventlet has been removed in the Newton release. These options remain for backwards compatibility because they are used for URL substitutions.
|
||||
* - ``admin_bind_host`` = ``0.0.0.0``
|
||||
- (Unknown) The IP address of the network interface for the admin service to listen on.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
Support for running keystone under eventlet has been removed in the Newton release. These options remain for backwards compatibility because they are used for URL substitutions.
|
||||
* - ``admin_port`` = ``35357``
|
||||
- (Port number) The port number for the admin service to listen on.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
Support for running keystone under eventlet has been removed in the Newton release. These options remain for backwards compatibility because they are used for URL substitutions.
|
||||
* - **[endpoint_policy]**
|
||||
-
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entry point for the endpoint policy driver in the `keystone.endpoint_policy` namespace. Only a `sql` driver is provided by keystone, so there is no reason to set this unless you are providing a custom entry point.
|
||||
* - **[resource]**
|
||||
-
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entry point for the resource driver in the `keystone.resource` namespace. Only a `sql` driver is supplied by keystone. Unless you are writing proprietary drivers for keystone, you do not need to set this option.
|
||||
* - ``caching`` = ``True``
|
||||
- (Boolean) Toggle for resource caching. This has no effect unless global caching is enabled.
|
||||
* - ``cache_time`` = ``None``
|
||||
- (Integer) Time to cache resource data in seconds. This has no effect unless global caching is enabled.
|
||||
* - ``list_limit`` = ``None``
|
||||
- (Integer) Maximum number of entities that will be returned in a resource collection.
|
||||
* - ``admin_project_domain_name`` = ``None``
|
||||
- (String) Name of the domain that owns the `admin_project_name`. If left unset, then there is no admin project. `[resource] admin_project_name` must also be set to use this option.
|
||||
* - ``admin_project_name`` = ``None``
|
||||
- (String) This is a special project which represents cloud-level administrator privileges across services. Tokens scoped to this project will contain a true `is_admin_project` attribute to indicate to policy systems that the role assignments on that specific project should apply equally across every project. If left unset, then there is no admin project, and thus no explicit means of cross-project role assignments. `[resource] admin_project_domain_name` must also be set to use this option.
|
||||
* - ``project_name_url_safe`` = ``off``
|
||||
- (String) This controls whether the names of projects are restricted from containing URL-reserved characters. If set to `new`, attempts to create or update a project with a URL-unsafe name will fail. If set to `strict`, attempts to scope a token with a URL-unsafe project name will fail, thereby forcing all project names to be updated to be URL-safe.
|
||||
* - ``domain_name_url_safe`` = ``off``
|
||||
- (String) This controls whether the names of domains are restricted from containing URL-reserved characters. If set to `new`, attempts to create or update a domain with a URL-unsafe name will fail. If set to `strict`, attempts to scope a token with a URL-unsafe domain name will fail, thereby forcing all domain names to be updated to be URL-safe.
|
||||
|
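Review bot: `public_bind_host` and `admin_bind_host` are typed "(Unknown)" while every other row carries a concrete type, so the generator is not recognising the host-address option type; that should be fixed in the tool, not by hand-editing the table. The `[oslo_middleware] secure_proxy_ssl_header` row likewise ships the placeholder "No deprecation reason provided for this option.", which reads as a generator artifact rather than documentation and should carry the real reason from the option definition. Two smaller points: the sections appended here ([shadow_users], [paste_deploy], [endpoint_filter], [eventlet_server], [endpoint_policy], [resource]) are not in alphabetical order, unlike the table they are appended to; and the `return_all_endpoints_if_no_filter` = ``True`` row deserves an explicit caveat that a filter misconfiguration silently degrades to exposing the full catalog instead of an empty one, since that is the failure mode an operator enabling endpoint filtering is least likely to expect.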
@ -18,7 +18,7 @@
|
||||
- Description
|
||||
* - **[assignment]**
|
||||
-
|
||||
* - ``driver`` = ``None``
|
||||
- (String) Entrypoint for the assignment backend driver in the keystone.assignment namespace. Only an SQL driver is supplied. If an assignment driver is not specified, the identity driver will choose the assignment driver (driver selection based on `[identity]/driver` option is deprecated and will be removed in the "O" release).
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entry point for the assignment backend driver (where role assignments are stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied by keystone itself. Unless you are writing proprietary drivers for keystone, you do not need to set this option.
|
||||
* - ``prohibited_implied_role`` = ``admin``
|
||||
- (List) A list of role names which are prohibited from being an implied role.
|
||||
|
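Review bot: the default for `[assignment] driver` changes from ``None`` to ``sql`` and the removed sentence about selection following `[identity]/driver` is dropped without replacement; operators who left this unset alongside a non-SQL identity driver should be told that the assignment backend is now SQL regardless, either in this row or in a release note, because the new table alone no longer explains the old behaviour they may have been relying on.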
@ -18,13 +18,15 @@
|
||||
- Description
|
||||
* - **[auth]**
|
||||
-
|
||||
* - ``external`` = ``None``
|
||||
- (String) Entrypoint for the external (REMOTE_USER) auth plugin module in the keystone.auth.external namespace. Supplied drivers are DefaultDomain and Domain. The default driver is DefaultDomain.
|
||||
* - ``methods`` = ``external, password, token, oauth1``
|
||||
- (List) Allowed authentication methods.
|
||||
* - ``oauth1`` = ``None``
|
||||
- (String) Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1 namespace.
|
||||
* - ``methods`` = ``external, password, token, oauth1, mapped``
|
||||
- (List) Allowed authentication methods. Note: You should disable the `external` auth method if you are currently using federation. External auth and federation both use the REMOTE_USER variable. Since both the mapped and external plugin are being invoked to validate attributes in the request environment, it can cause conflicts.
|
||||
* - ``password`` = ``None``
|
||||
- (String) Entrypoint for the password auth plugin module in the keystone.auth.password namespace.
|
||||
- (String) Entry point for the password auth plugin module in the `keystone.auth.password` namespace. You do not need to set this unless you are overriding keystone's own password authentication plugin.
|
||||
* - ``token`` = ``None``
|
||||
- (String) Entrypoint for the token auth plugin module in the keystone.auth.token namespace.
|
||||
- (String) Entry point for the token auth plugin module in the `keystone.auth.token` namespace. You do not need to set this unless you are overriding keystone's own token authentication plugin.
|
||||
* - ``external`` = ``None``
|
||||
- (String) Entry point for the external (`REMOTE_USER`) auth plugin module in the `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and `Domain`. The default driver is `DefaultDomain`, which assumes that all users identified by the username specified to keystone in the `REMOTE_USER` variable exist within the context of the default domain. The `Domain` option expects an additional environment variable be presented to keystone, `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if `REMOTE_DOMAIN` is not set, then the default domain will be used instead). You do not need to set this unless you are taking advantage of "external authentication", where the application server (such as Apache) is handling authentication instead of keystone.
|
||||
* - ``oauth1`` = ``None``
|
||||
- (String) Entry point for the OAuth 1.0a auth plugin module in the `keystone.auth.oauth1` namespace. You do not need to set this unless you are overriding keystone's own `oauth1` authentication plugin.
|
||||
* - ``mapped`` = ``None``
|
||||
- (String) Entry point for the mapped auth plugin module in the `keystone.auth.mapped` namespace. You do not need to set this unless you are overriding keystone's own `mapped` authentication plugin.
|
||||
|
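Review bot: the default `methods` list now contains both `external` and `mapped`, and the same row warns that `external` should be disabled when federation is in use because both plugins consume `REMOTE_USER`; giving the concrete value for the federated case, such as `methods = password, token, oauth1, mapped`, would make that guidance actionable instead of leaving the operator to edit the default by hand. The expanded `external` row is the only one that explains what the `DefaultDomain` and `Domain` drivers do with `REMOTE_DOMAIN`, which is useful, but the new row order (methods, password, token, external, oauth1, mapped) is no longer alphabetical and makes the table harder to scan than the version it replaces.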
@ -16,41 +16,47 @@
|
||||
|
||||
* - Configuration option = Default value
|
||||
- Description
|
||||
* - **[eventlet_server_ssl]**
|
||||
-
|
||||
* - ``ca_certs`` = ``/etc/keystone/ssl/certs/ca.pem``
|
||||
- (String) DEPRECATED: Path of the CA cert file for SSL.
|
||||
* - ``cert_required`` = ``False``
|
||||
- (Boolean) DEPRECATED: Require client certificate.
|
||||
* - ``certfile`` = ``/etc/keystone/ssl/certs/keystone.pem``
|
||||
- (String) DEPRECATED: Path of the certfile for SSL. For non-production environments, you may be interested in using `keystone-manage ssl_setup` to generate self-signed certificates.
|
||||
* - ``enable`` = ``False``
|
||||
- (Boolean) DEPRECATED: Toggle for SSL support on the Keystone eventlet servers.
|
||||
* - ``keyfile`` = ``/etc/keystone/ssl/private/keystonekey.pem``
|
||||
- (String) DEPRECATED: Path of the keyfile for SSL.
|
||||
* - **[signing]**
|
||||
-
|
||||
* - ``ca_certs`` = ``/etc/keystone/ssl/certs/ca.pem``
|
||||
- (String) DEPRECATED: Path of the CA for token signing. PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
* - ``ca_key`` = ``/etc/keystone/ssl/private/cakey.pem``
|
||||
- (String) DEPRECATED: Path of the CA key for token signing. PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
* - ``cert_subject`` = ``/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com``
|
||||
- (String) DEPRECATED: Certificate subject (auto generated certificate) for token signing. PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
* - ``certfile`` = ``/etc/keystone/ssl/certs/signing_cert.pem``
|
||||
- (String) DEPRECATED: Path of the certfile for token signing. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates. PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
* - ``key_size`` = ``2048``
|
||||
- (Integer) DEPRECATED: Key size (in bits) for token signing cert (auto generated certificate). PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
- (String) Absolute path to the public certificate file to use for signing responses to revocation lists requests. Set this together with `[signing] keyfile`. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
* - ``keyfile`` = ``/etc/keystone/ssl/private/signing_key.pem``
|
||||
- (String) DEPRECATED: Path of the keyfile for token signing. PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
* - ``valid_days`` = ``3650``
|
||||
- (Integer) DEPRECATED: Days the token signing cert is valid for (auto generated certificate). PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
|
||||
* - **[ssl]**
|
||||
-
|
||||
- (String) Absolute path to the private key file to use for signing responses to revocation lists requests. Set this together with `[signing] certfile`.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
* - ``ca_certs`` = ``/etc/keystone/ssl/certs/ca.pem``
|
||||
- (String) Absolute path to the public certificate authority (CA) file to use when creating self-signed certificates with `keystone-manage pki_setup`. Set this together with `[signing] ca_key`. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
* - ``ca_key`` = ``/etc/keystone/ssl/private/cakey.pem``
|
||||
- (String) Path of the CA key file for SSL.
|
||||
* - ``cert_subject`` = ``/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost``
|
||||
- (String) SSL certificate subject (auto generated certificate).
|
||||
* - ``key_size`` = ``1024``
|
||||
- (Integer) SSL key length (in bits) (auto generated certificate).
|
||||
- (String) Absolute path to the private certificate authority (CA) key file to use when creating self-signed certificates with `keystone-manage pki_setup`. Set this together with `[signing] ca_certs`. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
* - ``key_size`` = ``2048``
|
||||
- (Integer) Key size (in bits) to use when generating a self-signed token signing certificate. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
* - ``valid_days`` = ``3650``
|
||||
- (Integer) Days the certificate is valid for once signed (auto generated certificate).
|
||||
- (Integer) The validity period (in days) to use when generating a self-signed token signing certificate. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
* - ``cert_subject`` = ``/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com``
|
||||
- (String) The certificate subject to use when generating a self-signed token signing certificate. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
`keystone-manage pki_setup` was deprecated in Mitaka and removed in Pike. These options remain for backwards compatibility.
|
||||
|
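Review bot: dropping the `[eventlet_server_ssl]` and `[ssl]` tables is consistent with the Newton eventlet removal noted elsewhere in this change, and it also removes the `[ssl] key_size` = ``1024`` default, which nothing should still be generating certificates with. Two things to tidy in the replacement `[signing]` rows: the removed text said PKI token support "will be removed in the O release" while the new **Deprecated** blocks say `keystone-manage pki_setup` was removed in Pike, and only the `certfile`/`keyfile` rows explain that the remaining use is signing revocation-list responses, so a single sentence under the section header tying those facts together would stop readers from assuming the options are still live; and every self-signed option (`ca_certs`, `ca_key`, `key_size`, `valid_days`, `cert_subject`) repeats the same "non-production environment" caveat verbatim, which could be stated once rather than five times.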
@ -19,10 +19,12 @@
|
||||
* - **[memcache]**
|
||||
-
|
||||
* - ``dead_retry`` = ``300``
|
||||
- (Integer) Number of seconds memcached server is considered dead before it is tried again. This is used by the key value store system (e.g. token pooled memcached persistence backend).
|
||||
* - ``pool_connection_get_timeout`` = ``10``
|
||||
- (Integer) Number of seconds that an operation will wait to get a memcache client connection. This is used by the key value store system (e.g. token pooled memcached persistence backend).
|
||||
- (Integer) Number of seconds memcached server is considered dead before it is tried again. This is used by the key value store system.
|
||||
* - ``socket_timeout`` = ``3``
|
||||
- (Integer) Timeout in seconds for every call to a server. This is used by the key value store system.
|
||||
* - ``pool_maxsize`` = ``10``
|
||||
- (Integer) Max total number of open connections to every memcached server. This is used by the key value store system (e.g. token pooled memcached persistence backend).
|
||||
- (Integer) Max total number of open connections to every memcached server. This is used by the key value store system.
|
||||
* - ``pool_unused_timeout`` = ``60``
|
||||
- (Integer) Number of seconds a connection to memcached is held unused in the pool before it is closed. This is used by the key value store system (e.g. token pooled memcached persistence backend).
|
||||
- (Integer) Number of seconds a connection to memcached is held unused in the pool before it is closed. This is used by the key value store system.
|
||||
* - ``pool_connection_get_timeout`` = ``10``
|
||||
- (Integer) Number of seconds that an operation will wait to get a memcache client connection. This is used by the key value store system.
|
||||
|
@ -18,13 +18,13 @@
|
||||
- Description
|
||||
* - **[catalog]**
|
||||
-
|
||||
* - ``cache_time`` = ``None``
|
||||
- (Integer) Time to cache catalog data (in seconds). This has no effect unless global and catalog caching are enabled.
|
||||
* - ``caching`` = ``True``
|
||||
- (Boolean) Toggle for catalog caching. This has no effect unless global caching is enabled.
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entrypoint for the catalog backend driver in the keystone.catalog namespace. Supplied drivers are kvs, sql, templated, and endpoint_filter.sql
|
||||
* - ``list_limit`` = ``None``
|
||||
- (Integer) Maximum number of entities that will be returned in a catalog collection.
|
||||
* - ``template_file`` = ``default_catalog.templates``
|
||||
- (String) Catalog template file name for use with the template catalog backend.
|
||||
- (String) Absolute path to the file used for the templated catalog backend. This option is only used if the `[catalog] driver` is set to `templated`.
|
||||
* - ``driver`` = ``sql``
|
||||
- (String) Entry point for the catalog driver in the `keystone.catalog` namespace. Keystone provides a `sql` option (which supports basic CRUD operations through SQL), a `templated` option (which loads the catalog from a templated catalog file on disk), and a `endpoint_filter.sql` option (which supports arbitrary service catalogs per project).
|
||||
* - ``caching`` = ``True``
|
||||
- (Boolean) Toggle for catalog caching. This has no effect unless global caching is enabled. In a typical deployment, there is no reason to disable this.
|
||||
* - ``cache_time`` = ``None``
|
||||
- (Integer) Time to cache catalog data (in seconds). This has no effect unless global and catalog caching are both enabled. Catalog data (services, endpoints, etc.) typically does not change frequently, and so a longer duration than the global default may be desirable.
|
||||
* - ``list_limit`` = ``None``
|
||||
- (Integer) Maximum number of entities that will be returned in a catalog collection. There is typically no reason to set this, as it would be unusual for a deployment to have enough services or endpoints to exceed a reasonable limit.
|
||||
|
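Review bot: the new `template_file` description says "Absolute path to the file" but the default shown on the same row is still the bare name ``default_catalog.templates``; either the text should name what a relative value is resolved against, or it should read "name of (or absolute path to)" as the `[paste_deploy] config_file` row in this same change does. The `driver` description also drops `kvs` from the list of supplied drivers; if that backend is gone, a note for operators with `driver = kvs` in keystone.conf would help, since the table gives no hint that the value stopped being valid.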
@ -19,7 +19,7 @@
|
||||
* - **[DEFAULT]**
|
||||
-
|
||||
* - ``executor_thread_pool_size`` = ``64``
|
||||
- (Integer) Size of executor thread pool.
|
||||
- (Integer) Size of executor thread pool when executor is threading or eventlet.
|
||||
* - ``insecure_debug`` = ``False``
|
||||
- (Boolean) If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure.
|
||||
* - **[healthcheck]**
|
||||
@ -33,26 +33,23 @@
|
||||
* - ``disable_by_file_paths`` =
|
||||
- (List) Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
|
||||
* - ``path`` = ``/healthcheck``
|
||||
- (String) DEPRECATED: The path to respond to healtcheck requests on.
|
||||
- (String) The path to respond to healtcheck requests on.
|
||||
|
||||
- **Deprecated**
|
||||
|
||||
No deprecation reason provided for this option.
|
||||
* - **[profiler]**
|
||||
-
|
||||
* - ``connection_string`` = ``messaging://``
|
||||
- (String) Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging.
|
||||
|
||||
Examples of possible values:
|
||||
|
||||
* messaging://: use oslo_messaging driver for sending notifications.
|
||||
|
||||
* mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications.
|
||||
|
||||
* elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
|
||||
* - ``enabled`` = ``False``
|
||||
- (Boolean) Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature).
|
||||
|
||||
Possible values:
|
||||
|
||||
* True: Enables the feature
|
||||
|
||||
* False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
|
||||
* - ``es_doc_type`` = ``notification``
|
||||
- (String) Document type for notification indexing in elasticsearch.
|
||||
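Review bot: "healtcheck" is misspelled in both the removed and the added `path` description, so the typo lives in the upstream option help text and should be fixed there rather than in this generated table. The `path` row also gains a **Deprecated** block whose only content is "No deprecation reason provided for this option.", which tells an operator nothing about what to use instead; the row should either carry the real reason from the option definition or the generator should omit the empty block.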
@ -62,7 +59,6 @@
|
||||
- (String) This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
|
||||
* - ``hmac_keys`` = ``SECRET_KEY``
|
||||
- (String) Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,...<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.
|
||||
|
||||
Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
|
||||
* - ``sentinel_service_name`` = ``mymaster``
|
||||
- (String) Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
|
||||
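Review bot: the hunk header shows a net loss of one line and no visible wording change, but the `hmac_keys` row it touches shows the default ``SECRET_KEY`` directly next to the statement that a caller who presents one of these keys in the request headers gets profiling results for this node; the description should say plainly that the shipped default must be replaced with an operator-chosen random value before `enabled` is set to true, because anyone who knows the default can otherwise trigger profiling against the deployment.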
@ -70,9 +66,6 @@
|
||||
- (Floating point) Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
|
||||
* - ``trace_sqlalchemy`` = ``False``
|
||||
- (Boolean) Enables SQL requests profiling in services. Default value is False (SQL requests won't be traced).
|
||||
|
||||
Possible values:
|
||||
|
||||
* True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that.
|
||||
|
||||
* False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.
|
||||
|
38
doc/config-reference/source/tables/keystone-compliance.rst
Normal file
@ -0,0 +1,38 @@
|
||||
..
|
||||
Warning: Do not edit this file. It is automatically generated from the
|
||||
software project's code and your changes will be overwritten.
|
||||
|
||||
The tool to generate this file lives in openstack-doc-tools repository.
|
||||
|
||||
Please make any changes needed in the code, then run the
|
||||
autogenerate-config-doc tool from the openstack-doc-tools repository, or
|
||||
ask for help on the documentation mailing list, IRC channel or meeting.
|
||||
|
||||
.. _keystone-compliance:
|
||||
|
||||
.. list-table:: Description of Security compliance configuration options
|
||||
:header-rows: 1
|
||||
:class: config-ref-table
|
||||
|
||||
* - Configuration option = Default value
|
||||
- Description
|
||||
* - **[security_compliance]**
|
||||
-
|
||||
* - ``disable_user_account_days_inactive`` = ``None``
|
||||
- (Integer) The maximum number of days a user can go without authenticating before being considered "inactive" and automatically disabled (locked). This feature is disabled by default; set any value to enable it. This feature depends on the `sql` backend for the `[identity] driver`. When a user exceeds this threshold and is considered "inactive", the user's `enabled` attribute in the HTTP API may not match the value of the user's `enabled` column in the user table.
|
||||
* - ``lockout_failure_attempts`` = ``None``
|
||||
- (Integer) The maximum number of times that a user can fail to authenticate before the user account is locked for the number of seconds specified by `[security_compliance] lockout_duration`. This feature is disabled by default. If this feature is enabled and `[security_compliance] lockout_duration` is not set, then users may be locked out indefinitely until the user is explicitly enabled via the API. This feature depends on the `sql` backend for the `[identity] driver`.
|
||||
* - ``lockout_duration`` = ``1800``
|
||||
- (Integer) The number of seconds a user account will be locked when the maximum number of failed authentication attempts (as specified by `[security_compliance] lockout_failure_attempts`) is exceeded. Setting this option will have no effect unless you also set `[security_compliance] lockout_failure_attempts` to a non-zero value. This feature depends on the `sql` backend for the `[identity] driver`.
|
||||
* - ``password_expires_days`` = ``None``
|
||||
- (Integer) The number of days for which a password will be considered valid before requiring it to be changed. This feature is disabled by default. If enabled, new password changes will have an expiration date, however existing passwords would not be impacted. This feature depends on the `sql` backend for the `[identity] driver`.
|
||||
* - ``unique_last_password_count`` = ``1``
|
||||
- (Integer) This controls the number of previous user password iterations to keep in history, in order to enforce that newly created passwords are unique. Setting the value to one (the default) disables this feature. Thus, to enable this feature, values must be greater than 1. This feature depends on the `sql` backend for the `[identity] driver`.
|
||||
* - ``minimum_password_age`` = ``0``
|
||||
- (Integer) The number of days that a password must be used before the user can change it. This prevents users from changing their passwords immediately in order to wipe out their password history and reuse an old password. This feature does not prevent administrators from manually resetting passwords. It is disabled by default and allows for immediate password changes. This feature depends on the `sql` backend for the `[identity] driver`. Note: If `[security_compliance] password_expires_days` is set, then the value for this option should be less than the `password_expires_days`.
|
||||
* - ``password_regex`` = ``None``
|
||||
- (String) The regular expression used to validate password strength requirements. By default, the regular expression will match any password. The following is an example of a pattern which requires at least 1 letter, 1 digit, and have a minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature depends on the `sql` backend for the `[identity] driver`.
|
||||
* - ``password_regex_description`` = ``None``
|
||||
- (String) Describe your password regular expression here in language for humans. If a password fails to match the regular expression, the contents of this configuration variable will be returned to users to explain why their requested password was insufficient.
* - ``change_password_upon_first_use`` = ``False``
- (Boolean) Enabling this option requires users to change their password when the user is created, or upon administrative reset. Before accessing any services, affected users will have to change their password. To ignore this requirement for specific users, such as service users, set the `options` attribute `ignore_change_password_upon_first_use` to `True` for the desired user via the update user API. This feature is disabled by default. This feature is only applicable with the `sql` backend for the `[identity] driver`.
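Review bot: the example pattern in the `password_regex` cell, `^(?=.*\d)(?=.*[a-zA-Z]).{7,}$`, sits in plain RST body text, where a backslash escapes the next character, so the rendered page will show `(?=.*d)` and silently drop the `\d`; wrap the pattern in an inline literal (double backticks) so it renders as written, and put a period or colon after it to separate it from the sentence that follows. Also, every other row in this section closes with the sentence "This feature depends on the `sql` backend for the `[identity] driver`", but the `password_regex_description` row does not; add it if the option is equally backend-dependent, since it only takes effect together with `password_regex`.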
@ -19,4 +19,8 @@
* - **[credential]**
-
* - ``driver`` = ``sql``
- (String) Entrypoint for the credential backend driver in the keystone.credential namespace.
- (String) Entry point for the credential backend driver in the `keystone.credential` namespace. Keystone only provides a `sql` driver, so there's no reason to change this unless you are providing a custom entry point.
* - ``provider`` = ``fernet``
- (String) Entry point for credential encryption and decryption operations in the `keystone.credential.provider` namespace. Keystone only provides a `fernet` driver, so there's no reason to change this unless you are providing a custom entry point to encrypt and decrypt credentials.
* - ``key_repository`` = ``/etc/keystone/credential-keys/``
- (String) Directory containing Fernet keys used to encrypt and decrypt credentials stored in the credential backend. Fernet keys used to encrypt credentials have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets of keys should be managed separately and require different rotation policies. Do not share this repository with the repository used to manage keys for Fernet tokens.
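Review bot: wording consistency: the new `driver` cell says "there's no reason to change this unless you are providing a custom entry point", while the matching cells added to the `[domain_config]` and `[federation]` tables in this same change say "there is no reason to set this". Pick one phrasing for all three. The `key_repository` cell rightly stresses that credential keys and Fernet token keys are separate repositories with separate rotation policies; the defaults (`/etc/keystone/credential-keys/` here, `/etc/keystone/fernet-keys/` for tokens) already differ, so nothing to change there.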
@ -18,9 +18,9 @@
- Description
* - **[domain_config]**
-
* - ``cache_time`` = ``300``
- (Integer) TTL (in seconds) to cache domain config data. This has no effect unless domain config caching is enabled.
* - ``caching`` = ``True``
- (Boolean) Toggle for domain config caching. This has no effect unless global caching is enabled.
* - ``driver`` = ``sql``
- (String) Entrypoint for the domain config backend driver in the keystone.resource.domain_config namespace.
- (String) Entry point for the domain-specific configuration driver in the `keystone.resource.domain_config` namespace. Only a `sql` option is provided by keystone, so there is no reason to set this unless you are providing a custom entry point.
* - ``caching`` = ``True``
- (Boolean) Toggle for caching of the domain-specific configuration backend. This has no effect unless global caching is enabled. There is normally no reason to disable this.
* - ``cache_time`` = ``300``
- (Integer) Time-to-live (TTL, in seconds) to cache domain-specific configuration data. This has no effect unless `[domain_config] caching` is enabled.
@ -18,15 +18,17 @@
- Description
* - **[federation]**
-
* - ``assertion_prefix`` =
- (String) Value to be used when filtering assertion parameters from the environment.
* - ``driver`` = ``sql``
- (String) Entrypoint for the federation backend driver in the keystone.federation namespace.
* - ``federated_domain_name`` = ``Federated``
- (String) A domain name that is reserved to allow federated ephemeral users to have a domain concept. Note that an admin will not be able to create a domain with this name or update an existing domain to this name. You are not advised to change this value unless you really have to.
- (String) Entry point for the federation backend driver in the `keystone.federation` namespace. Keystone only provides a `sql` driver, so there is no reason to set this option unless you are providing a custom entry point.
* - ``assertion_prefix`` =
- (String) Prefix to use when filtering environment variable names for federated assertions. Matched variables are passed into the federated mapping engine.
* - ``remote_id_attribute`` = ``None``
- (String) Value to be used to obtain the entity ID of the Identity Provider from the environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-Provider`).
* - ``sso_callback_template`` = ``/etc/keystone/sso_callback_template.html``
- (String) Location of Single Sign-On callback handler, will return a token to a trusted dashboard host.
- (String) Value to be used to obtain the entity ID of the Identity Provider from the environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For For `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, this could be `MELLON_IDP`.
* - ``federated_domain_name`` = ``Federated``
- (String) An arbitrary domain name that is reserved to allow federated ephemeral users to have a domain concept. Note that an admin will not be able to create a domain with this name or update an existing domain to this name. You are not advised to change this value unless you really have to.
* - ``trusted_dashboard`` = ``[]``
- (Multi-valued) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of the trusted_dashboard list. This configuration option may be repeated for multiple values. For example: trusted_dashboard=http://acme.com/auth/websso trusted_dashboard=http://beta.com/auth/websso
- (Multi-valued) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of this list. This configuration option may be repeated for multiple values. You must set this in order to use web-based SSO flows. For example: trusted_dashboard=https://acme.example.com/auth/websso trusted_dashboard=https://beta.example.com/auth/websso
* - ``sso_callback_template`` = ``/etc/keystone/sso_callback_template.html``
- (String) Absolute path to an HTML file used as a Single Sign-On callback handler. This page is expected to redirect the user from keystone back to a trusted dashboard host, by form encoding a token in a POST request. Keystone's default value should be sufficient for most deployments.
* - ``caching`` = ``True``
- (Boolean) Toggle for federation caching. This has no effect unless global caching is enabled. There is typically no reason to disable this.
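Review bot: duplicated word in the new `remote_id_attribute` cell: "For For `mod_auth_openidc`" should read "For `mod_auth_openidc`". The `trusted_dashboard` cell now shows `https://` URLs on `example.com` hosts, which is the right example to set: this list is the set of origins keystone will return a token to, so the documented sample should not suggest plain `http`. In that same cell, the sentence "You must set this in order to use web-based SSO flows" would read better placed before "This configuration option may be repeated" rather than between that sentence and the example.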
@ -19,6 +19,6 @@
* - **[fernet_tokens]**
-
* - ``key_repository`` = ``/etc/keystone/fernet-keys/``
- (String) Directory containing Fernet token keys.
- (String) Directory containing Fernet token keys. This directory must exist before using `keystone-manage fernet_setup` for the first time, must be writable by the user running `keystone-manage fernet_setup` or `keystone-manage fernet_rotate`, and of course must be readable by keystone's server process. The repository may contain keys in one of three states: a single staged key (always index 0) used for token validation, a single primary key (always the highest index) used for token creation and validation, and any number of secondary keys (all other index values) used for token validation. With multiple keystone nodes, each node must share the same key repository contents, with the exception of the staged key (index 0). It is safe to run `keystone-manage fernet_rotate` once on any one node to promote a staged key (index 0) to be the new primary (incremented from the previous highest index), and produce a new staged key (a new key with index 0); the resulting repository can then be atomically replicated to other nodes without any risk of race conditions (for example, it is safe to run `keystone-manage fernet_rotate` on host A, wait any amount of time, create a tarball of the directory on host A, unpack it on host B to a temporary location, and atomically move (`mv`) the directory into place on host B). Running `keystone-manage fernet_rotate` *twice* on a key repository without syncing other nodes will result in tokens that can not be validated by all nodes.
* - ``max_active_keys`` = ``3``
- (Integer) This controls how many keys are held in rotation by keystone-manage fernet_rotate before they are discarded. The default value of 3 means that keystone will maintain one staged key, one primary key, and one secondary key. Increasing this value means that additional secondary keys will be kept in the rotation.
- (Integer) This controls how many keys are held in rotation by `keystone-manage fernet_rotate` before they are discarded. The default value of 3 means that keystone will maintain one staged key (always index 0), one primary key (the highest numerical index), and one secondary key (every other index). Increasing this value means that additional secondary keys will be kept in the rotation.
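Review bot: "tokens that can not be validated by all nodes" in the new `key_repository` cell should be "cannot". The cell is also one very long paragraph covering directory permissions, the three key states, and the rotation/replication procedure; splitting it into a few paragraphs inside the cell (indented under the `-`, separated by blank lines) would make the operational caveat at the end, that running `keystone-manage fernet_rotate` twice before syncing the other nodes leaves tokens some nodes cannot validate, much easier to find. "and of course must be readable by keystone's server process" is informal for a reference table; "and must be readable" suffices.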
@ -18,21 +18,21 @@
- Description
* - **[identity]**
-
* - ``default_domain_id`` = ``default``
- (String) This references the domain to use for all Identity API v2 requests (which are not aware of domains). A domain with this ID can optionally be created for you by `keystone-manage bootstrap`. The domain referenced by this ID cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. There is nothing special about this domain, other than the fact that it must exist to order to maintain support for your v2 clients. There is typically no reason to change this value.
* - ``domain_specific_drivers_enabled`` = ``False``
- (Boolean) A subset (or all) of domains can have their own identity driver, each with their own partial configuration options, stored in either the resource backend or in a file in a domain configuration directory (depending on the setting of `[identity] domain_configurations_from_database`). Only values specific to the domain need to be specified in this manner. This feature is disabled by default, but may be enabled by default in a future release; set to true to enable.
* - ``domain_configurations_from_database`` = ``False``
- (Boolean) By default, domain-specific configuration data is read from files in the directory identified by `[identity] domain_config_dir`. Enabling this configuration option allows you to instead manage domain-specific configurations through the API, which are then persisted in the backend (typically, a SQL database), rather than using configuration files on disk.
* - ``domain_config_dir`` = ``/etc/keystone/domains``
- (String) Absolute path where keystone should locate domain-specific `[identity]` configuration files. This option has no effect unless `[identity] domain_specific_drivers_enabled` is set to true. There is typically no reason to change this value.
* - ``driver`` = ``sql``
- (String) Entry point for the identity backend driver in the `keystone.identity` namespace. Keystone provides a `sql` and `ldap` driver. This option is also used as the default driver selection (along with the other configuration variables in this section) in the event that `[identity] domain_specific_drivers_enabled` is enabled, but no applicable domain-specific configuration is defined for the domain in question. Unless your deployment primarily relies on `ldap` AND is not using domain-specific configuration, you should typically leave this set to `sql`.
* - ``caching`` = ``True``
- (Boolean) Toggle for identity caching. This has no effect unless global caching is enabled. There is typically no reason to disable this.
* - ``cache_time`` = ``600``
- (Integer) Time to cache identity data (in seconds). This has no effect unless global and identity caching are enabled.
* - ``caching`` = ``True``
- (Boolean) Toggle for identity caching. This has no effect unless global caching is enabled.
* - ``default_domain_id`` = ``default``
- (String) This references the domain to use for all Identity API v2 requests (which are not aware of domains). A domain with this ID will be created for you by keystone-manage db_sync in migration 008. The domain referenced by this ID cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. There is nothing special about this domain, other than the fact that it must exist to order to maintain support for your v2 clients.
* - ``domain_config_dir`` = ``/etc/keystone/domains``
- (String) Path for Keystone to locate the domain specific identity configuration files if domain_specific_drivers_enabled is set to true.
* - ``domain_configurations_from_database`` = ``False``
- (Boolean) Extract the domain specific configuration options from the resource backend where they have been stored with the domain data. This feature is disabled by default (in which case the domain specific options will be loaded from files in the domain configuration directory); set to true to enable.
* - ``domain_specific_drivers_enabled`` = ``False``
- (Boolean) A subset (or all) of domains can have their own identity driver, each with their own partial configuration options, stored in either the resource backend or in a file in a domain configuration directory (depending on the setting of domain_configurations_from_database). Only values specific to the domain need to be specified in this manner. This feature is disabled by default; set to true to enable.
* - ``driver`` = ``sql``
- (String) Entrypoint for the identity backend driver in the keystone.identity namespace. Supplied drivers are ldap and sql.
* - ``max_password_length`` = ``4096``
- (Integer) Maximum allowed length for user passwords. Decrease this value to improve performance. Changing this value does not effect existing passwords.
* - ``list_limit`` = ``None``
- (Integer) Maximum number of entities that will be returned in an identity collection.
* - ``max_password_length`` = ``4096``
- (Integer) Maximum supported length for user passwords; decrease to improve performance.
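Review bot: the new `default_domain_id` cell carries over "it must exist to order to maintain support for your v2 clients" from the text it replaces; "in order to" is meant. In the `max_password_length` cell, "Changing this value does not effect existing passwords" should be "affect". Both cells are otherwise clearer than their predecessors, in particular the new `driver` cell's note that it is also the fallback driver when `[identity] domain_specific_drivers_enabled` is on but no domain-specific configuration exists for the domain in question.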
@ -18,121 +18,107 @@
- Description
* - **[ldap]**
-
* - ``alias_dereferencing`` = ``default``
- (String) The LDAP dereferencing option for queries. The "default" option falls back to using default dereferencing configured by your ldap.conf.
* - ``allow_subtree_delete`` = ``False``
- (Boolean) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports subtree deletion.
* - ``auth_pool_connection_lifetime`` = ``60``
- (Integer) End user auth connection lifetime in seconds.
* - ``auth_pool_size`` = ``100``
- (Integer) End user auth connection pool size.
* - ``chase_referrals`` = ``None``
- (Boolean) Override the system's default referral chasing behavior for queries.
* - ``debug_level`` = ``None``
- (Integer) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.
* - ``dumb_member`` = ``cn=dumb,dc=nonexistent``
- (String) DN of the "dummy member" to use when "use_dumb_member" is enabled.
* - ``group_additional_attribute_mapping`` =
- (List) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
* - ``group_allow_create`` = ``True``
- (Boolean) DEPRECATED: Allow group creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
* - ``group_allow_delete`` = ``True``
- (Boolean) DEPRECATED: Allow group deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
* - ``group_allow_update`` = ``True``
- (Boolean) DEPRECATED: Allow group update in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
* - ``group_attribute_ignore`` =
- (List) List of attributes stripped off the group on update.
* - ``group_desc_attribute`` = ``description``
- (String) LDAP attribute mapped to group description.
* - ``group_filter`` = ``None``
- (String) LDAP search filter for groups.
* - ``group_id_attribute`` = ``cn``
- (String) LDAP attribute mapped to group id.
* - ``group_member_attribute`` = ``member``
- (String) LDAP attribute mapped to show group membership.
* - ``group_members_are_ids`` = ``False``
- (Boolean) If the members of the group objectclass are user IDs rather than DNs, set this to true. This is the case when using posixGroup as the group objectclass and OpenDirectory.
* - ``group_name_attribute`` = ``ou``
- (String) LDAP attribute mapped to group name.
* - ``group_objectclass`` = ``groupOfNames``
- (String) LDAP objectclass for groups.
* - ``group_tree_dn`` = ``None``
- (String) Search base for groups. Defaults to the suffix value.
* - ``page_size`` = ``0``
- (Integer) Maximum results per page; a value of zero ("0") disables paging.
* - ``password`` = ``None``
- (String) Password for the BindDN to query the LDAP server.
* - ``pool_connection_lifetime`` = ``600``
- (Integer) Connection lifetime in seconds.
* - ``pool_connection_timeout`` = ``-1``
- (Integer) Connector timeout in seconds. Value -1 indicates indefinite wait for response.
* - ``pool_retry_delay`` = ``0.1``
- (Floating point) Time span in seconds to wait between two reconnect trials.
* - ``pool_retry_max`` = ``3``
- (Integer) Maximum count of reconnect trials.
* - ``pool_size`` = ``10``
- (Integer) Connection pool size.
* - ``query_scope`` = ``one``
- (String) The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub" represents subtree/wholeSubtree options.
* - ``suffix`` = ``cn=example,cn=com``
- (String) LDAP server suffix
* - ``tls_cacertdir`` = ``None``
- (String) CA certificate directory path for communicating with LDAP servers.
* - ``tls_cacertfile`` = ``None``
- (String) CA certificate file path for communicating with LDAP servers.
* - ``tls_req_cert`` = ``demand``
- (String) Specifies what checks to perform on client certificates in an incoming TLS session.
* - ``url`` = ``ldap://localhost``
- (String) URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified as a comma separated string. The first URL to successfully bind is used for the connection.
* - ``use_auth_pool`` = ``True``
- (Boolean) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all.
* - ``use_dumb_member`` = ``False``
- (Boolean) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.
* - ``use_pool`` = ``True``
- (Boolean) Enable LDAP connection pooling.
* - ``use_tls`` = ``False``
- (Boolean) Enable TLS for communicating with LDAP servers.
* - ``user`` = ``None``
- (String) User BindDN to query the LDAP server.
* - ``user_additional_attribute_mapping`` =
- (List) List of additional LDAP attributes used for mapping additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.
* - ``user_allow_create`` = ``True``
- (Boolean) DEPRECATED: Allow user creation in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
* - ``user_allow_delete`` = ``True``
- (Boolean) DEPRECATED: Allow user deletion in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
* - ``user_allow_update`` = ``True``
- (Boolean) DEPRECATED: Allow user updates in LDAP backend. Write support for Identity LDAP backends has been deprecated in the M release and will be removed in the O release.
* - ``user_attribute_ignore`` = ``default_project_id``
- (List) List of attributes stripped off the user on update.
* - ``user_default_project_id_attribute`` = ``None``
- (String) LDAP attribute mapped to default_project_id for users.
* - ``user_description_attribute`` = ``description``
- (String) LDAP attribute mapped to user description.
* - ``user_enabled_attribute`` = ``enabled``
- (String) LDAP attribute mapped to user enabled flag.
* - ``user_enabled_default`` = ``True``
- (String) Default value to enable users. This should match an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".
* - ``user_enabled_emulation`` = ``False``
- (Boolean) If true, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.
* - ``user_enabled_emulation_dn`` = ``None``
- (String) DN of the group entry to hold enabled users when using enabled emulation.
* - ``user_enabled_emulation_use_group_config`` = ``False``
- (Boolean) Use the "group_member_attribute" and "group_objectclass" settings to determine membership in the emulated enabled group.
* - ``user_enabled_invert`` = ``False``
- (Boolean) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use.
* - ``user_enabled_mask`` = ``0``
- (Integer) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
* - ``user_filter`` = ``None``
- (String) LDAP search filter for users.
* - ``user_id_attribute`` = ``cn``
- (String) LDAP attribute mapped to user id. WARNING: must not be a multivalued attribute.
* - ``user_mail_attribute`` = ``mail``
- (String) LDAP attribute mapped to user email.
* - ``user_name_attribute`` = ``sn``
- (String) LDAP attribute mapped to user name.
* - ``user_objectclass`` = ``inetOrgPerson``
- (String) LDAP objectclass for users.
* - ``user_pass_attribute`` = ``userPassword``
- (String) LDAP attribute mapped to password.
- (String) The user name of the administrator bind DN to use when querying the LDAP server, if your LDAP server requires it.
* - ``password`` = ``None``
- (String) The password of the administrator bind DN to use when querying the LDAP server, if your LDAP server requires it.
* - ``suffix`` = ``cn=example,cn=com``
- (String) The default LDAP server suffix to use, if a DN is not defined via either `[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
* - ``query_scope`` = ``one``
- (String) The search scope which defines how deep to search within the search base. A value of `one` (representing `oneLevel` or `singleLevel`) indicates a search of objects immediately below to the base object, but does not include the base object itself. A value of `sub` (representing `subtree` or `wholeSubtree`) indicates a search of both the base object itself and the entire subtree below it.
* - ``page_size`` = ``0``
- (Integer) Defines the maximum number of results per page that keystone should request from the LDAP server when listing objects. A value of zero (`0`) disables paging.
* - ``alias_dereferencing`` = ``default``
- (String) The LDAP dereferencing option to use for queries involving aliases. A value of `default` falls back to using default dereferencing behavior configured by your `ldap.conf`. A value of `never` prevents aliases from being dereferenced at all. A value of `searching` dereferences aliases only after name resolution. A value of `finding` dereferences aliases only during name resolution. A value of `always` dereferences aliases in all cases.
* - ``debug_level`` = ``None``
- (Integer) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.
* - ``chase_referrals`` = ``None``
- (Boolean) Sets keystone's referral chasing behavior across directory partitions. If left unset, the system's default behavior will be used.
* - ``user_tree_dn`` = ``None``
- (String) Search base for users. Defaults to the suffix value.
- (String) The search base to use for users. Defaults to the `[ldap] suffix` value.
* - ``user_filter`` = ``None``
- (String) The LDAP search filter to use for users.
* - ``user_objectclass`` = ``inetOrgPerson``
- (String) The LDAP object class to use for users.
* - ``user_id_attribute`` = ``cn``
- (String) The LDAP attribute mapped to user IDs in keystone. This must NOT be a multivalued attribute. User IDs are expected to be globally unique across keystone domains and URL-safe.
* - ``user_name_attribute`` = ``sn``
- (String) The LDAP attribute mapped to user names in keystone. User names are expected to be unique only within a keystone domain and are not expected to be URL-safe.
* - ``user_description_attribute`` = ``description``
- (String) The LDAP attribute mapped to user descriptions in keystone.
* - ``user_mail_attribute`` = ``mail``
- (String) The LDAP attribute mapped to user emails in keystone.
* - ``user_pass_attribute`` = ``userPassword``
- (String) The LDAP attribute mapped to user passwords in keystone.
* - ``user_enabled_attribute`` = ``enabled``
- (String) The LDAP attribute mapped to the user enabled attribute in keystone. If setting this option to `userAccountControl`, then you may be interested in setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
* - ``user_enabled_invert`` = ``False``
- (Boolean) Logically negate the boolean value of the enabled attribute obtained from the LDAP server. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting `[ldap] user_enabled_invert = true` will allow these lock attributes to be used. This option will have no effect if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` options are in use.
* - ``user_enabled_mask`` = ``0``
- (Integer) Bitmask integer to select which bit indicates the enabled value if the LDAP server represents "enabled" as a bit on an integer rather than as a discrete boolean. A value of `0` indicates that the mask is not used. If this is not set to `0` the typical value is `2`. This is typically used when `[ldap] user_enabled_attribute = userAccountControl`. Setting this option causes keystone to ignore the value of `[ldap] user_enabled_invert`.
* - ``user_enabled_default`` = ``True``
- (String) The default value to enable users. This should match an appropriate integer value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to `True`, then the typical value is `512`. This is typically used when `[ldap] user_enabled_attribute = userAccountControl`.
* - ``user_attribute_ignore`` = ``default_project_id``
- (List) List of user attributes to ignore on create and update, or whether a specific user attribute should be filtered for list or show user.
* - ``user_default_project_id_attribute`` = ``None``
- (String) The LDAP attribute mapped to a user's default_project_id in keystone. This is most commonly used when keystone has write access to LDAP.
* - ``user_enabled_emulation`` = ``False``
- (Boolean) If enabled, keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the group defined by the `[ldap] user_enabled_emulation_dn` option. Enabling this option causes keystone to ignore the value of `[ldap] user_enabled_invert`.
* - ``user_enabled_emulation_dn`` = ``None``
- (String) DN of the group entry to hold enabled users when using enabled emulation. Setting this option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
* - ``user_enabled_emulation_use_group_config`` = ``False``
- (Boolean) Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` settings to determine membership in the emulated enabled group. Enabling this option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
* - ``user_additional_attribute_mapping`` =
- (List) A list of LDAP attribute to keystone user attribute pairs used for mapping additional attributes to users in keystone. The expected format is `<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP object and `user_attr` is the attribute which should appear in the identity API.
* - ``group_tree_dn`` = ``None``
- (String) The search base to use for groups. Defaults to the `[ldap] suffix` value.
* - ``group_filter`` = ``None``
- (String) The LDAP search filter to use for groups.
* - ``group_objectclass`` = ``groupOfNames``
- (String) The LDAP object class to use for groups. If setting this option to `posixGroup`, you may also be interested in enabling the `[ldap] group_members_are_ids` option.
* - ``group_id_attribute`` = ``cn``
- (String) The LDAP attribute mapped to group IDs in keystone. This must NOT be a multivalued attribute. Group IDs are expected to be globally unique across keystone domains and URL-safe.
* - ``group_name_attribute`` = ``ou``
- (String) The LDAP attribute mapped to group names in keystone. Group names are expected to be unique only within a keystone domain and are not expected to be URL-safe.
* - ``group_member_attribute`` = ``member``
- (String) The LDAP attribute used to indicate that a user is a member of the group.
* - ``group_members_are_ids`` = ``False``
- (Boolean) Enable this option if the members of the group object class are keystone user IDs rather than LDAP DNs. This is the case when using `posixGroup` as the group object class in Open Directory.
* - ``group_desc_attribute`` = ``description``
- (String) The LDAP attribute mapped to group descriptions in keystone.
* - ``group_attribute_ignore`` =
- (List) List of group attributes to ignore on create and update. or whether a specific group attribute should be filtered for list or show group.
* - ``group_additional_attribute_mapping`` =
- (List) A list of LDAP attribute to keystone group attribute pairs used for mapping additional attributes to groups in keystone. The expected format is `<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP object and `group_attr` is the attribute which should appear in the identity API.
|
||||
* - ``group_ad_nesting`` = ``False``
|
||||
- (Boolean) If enabled, group queries will use Active Directory specific filters for nested groups.
|
||||
* - ``tls_cacertfile`` = ``None``
|
||||
- (String) An absolute path to a CA certificate file to use when communicating with LDAP servers. This option will take precedence over `[ldap] tls_cacertdir`, so there is no reason to set both.
|
||||
* - ``tls_cacertdir`` = ``None``
|
||||
- (String) An absolute path to a CA certificate directory to use when communicating with LDAP servers. There is no reason to set this option if you've also set `[ldap] tls_cacertfile`.
|
||||
* - ``use_tls`` = ``False``
|
||||
- (Boolean) Enable TLS when communicating with LDAP servers. You should also set the `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this option. Do not set this option if you are using LDAP over SSL (LDAPS) instead of TLS.
|
||||
* - ``tls_req_cert`` = ``demand``
|
||||
- (String) Specifies which checks to perform against client certificates on incoming TLS sessions. If set to `demand`, then a certificate will always be requested and required from the LDAP server. If set to `allow`, then a certificate will always be requested but not required from the LDAP server. If set to `never`, then a certificate will never be requested.
|
||||
* - ``connection_timeout`` = ``-1``
|
||||
- (Integer) The connection timeout to use with the LDAP server. A value of `-1` means that connections will never timeout.
|
||||
* - ``use_pool`` = ``True``
|
||||
- (Boolean) Enable LDAP connection pooling for queries to the LDAP server. There is typically no reason to disable this.
|
||||
* - ``pool_size`` = ``10``
|
||||
- (Integer) The size of the LDAP connection pool. This option has no effect unless `[ldap] use_pool` is also enabled.
|
||||
* - ``pool_retry_max`` = ``3``
|
||||
- (Integer) The maximum number of times to attempt reconnecting to the LDAP server before aborting. A value of zero prevents retries. This option has no effect unless `[ldap] use_pool` is also enabled.
|
||||
* - ``pool_retry_delay`` = ``0.1``
|
||||
- (Floating point) The number of seconds to wait before attempting to reconnect to the LDAP server. This option has no effect unless `[ldap] use_pool` is also enabled.
|
||||
* - ``pool_connection_timeout`` = ``-1``
|
||||
- (Integer) The connection timeout to use when pooling LDAP connections. A value of `-1` means that connections will never timeout. This option has no effect unless `[ldap] use_pool` is also enabled.
|
||||
* - ``pool_connection_lifetime`` = ``600``
|
||||
- (Integer) The maximum connection lifetime to the LDAP server in seconds. When this lifetime is exceeded, the connection will be unbound and removed from the connection pool. This option has no effect unless `[ldap] use_pool` is also enabled.
|
||||
* - ``use_auth_pool`` = ``True``
|
||||
- (Boolean) Enable LDAP connection pooling for end user authentication. There is typically no reason to disable this.
|
||||
* - ``auth_pool_size`` = ``100``
|
||||
- (Integer) The size of the connection pool to use for end user authentication. This option has no effect unless `[ldap] use_auth_pool` is also enabled.
|
||||
* - ``auth_pool_connection_lifetime`` = ``60``
|
||||
- (Integer) The maximum end user authentication connection lifetime to the LDAP server in seconds. When this lifetime is exceeded, the connection will be unbound and removed from the connection pool. This option has no effect unless `[ldap] use_auth_pool` is also enabled.
|
||||
|
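Review bot: the `tls_req_cert` description contradicts itself: it opens with checks "against client certificates on incoming TLS sessions" but then describes a certificate "requested and required from the LDAP server". Keystone is the LDAP client here, so this option governs how strictly the LDAP server's certificate is validated; reword the first sentence to say so, because an operator reading the current text could believe `never` only affects client-certificate prompts rather than server certificate verification. The `group_attribute_ignore` description also has a stray sentence break ("... on create and update. or whether ...") that should be joined into one sentence.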
@ -18,9 +18,9 @@
- Description
* - **[identity_mapping]**
-
* - ``backward_compatible_ids`` = ``True``
- (Boolean) The format of user and group IDs changed in Juno for backends that do not generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the underlying attribute in LDAP. By default this mapping is disabled, which ensures that existing IDs will not change. Even when the mapping is enabled by using domain specific drivers, any users and groups from the default domain being handled by LDAP will still not be mapped to ensure their IDs remain backward compatible. Setting this value to False will enable the mapping for even the default LDAP driver. It is only safe to do this if you do not already have assignments for users and groups from the default LDAP domain, and it is acceptable for Keystone to provide the different IDs to clients than it did previously. Typically this means that the only time you can set this value to False is when configuring a fresh installation.
* - ``driver`` = ``sql``
- (String) Entrypoint for the identity mapping backend driver in the keystone.identity.id_mapping namespace.
- (String) Entry point for the identity mapping backend driver in the `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` driver, so there is no reason to change this unless you are providing a custom entry point.
* - ``generator`` = ``sha256``
- (String) Entrypoint for the public ID generator for user and group entities in the keystone.identity.id_generator namespace. The Keystone identity mapper only supports generators that produce no more than 64 characters.
- (String) Entry point for the public ID generator for user and group entities in the `keystone.identity.id_generator` namespace. The Keystone identity mapper only supports generators that produce 64 bytes or less. Keystone only provides a `sha256` entry point, so there is no reason to change this value unless you're providing a custom entry point.
* - ``backward_compatible_ids`` = ``True``
- (Boolean) The format of user and group IDs changed in Juno for backends that do not generate UUIDs (for example, LDAP), with keystone providing a hash mapping to the underlying attribute in LDAP. By default this mapping is disabled, which ensures that existing IDs will not change. Even when the mapping is enabled by using domain-specific drivers (`[identity] domain_specific_drivers_enabled`), any users and groups from the default domain being handled by LDAP will still not be mapped to ensure their IDs remain backward compatible. Setting this value to false will enable the new mapping for all backends, including the default LDAP driver. It is only guaranteed to be safe to enable this option if you do not already have assignments for users and groups from the default LDAP domain, and you consider it to be acceptable for Keystone to provide the different IDs to clients than it did previously (existing IDs in the API will suddenly change). Typically this means that the only time you can set this value to false is when configuring a fresh installation, although that is the recommended value.

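Review bot: the closing clause of the new `backward_compatible_ids` description, "although that is the recommended value", does not say which value is recommended; state explicitly that `false` is the recommended setting for a fresh installation and `True` only exists for upgrades with existing assignments. The `generator` description also changes the limit from "no more than 64 characters" to "64 bytes or less"; the two differ for non-ASCII output, so confirm which limit the identity mapper actually enforces before changing the wording.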
@ -18,9 +18,9 @@
- Description
* - **[oauth1]**
-
* - ``access_token_duration`` = ``86400``
- (Integer) Duration (in seconds) for the OAuth Access Token.
* - ``driver`` = ``sql``
- (String) Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.
- (String) Entry point for the OAuth backend driver in the `keystone.oauth1` namespace. Typically, there is no reason to set this option unless you are providing a custom entry point.
* - ``request_token_duration`` = ``28800``
- (Integer) Duration (in seconds) for the OAuth Request Token.
- (Integer) Number of seconds for the OAuth Request Token to remain valid after being created. This is the amount of time the user has to authorize the token. Setting this option to zero means that request tokens will last forever.
* - ``access_token_duration`` = ``86400``
- (Integer) Number of seconds for the OAuth Access Token to remain valid after being created. This is the amount of time the consumer has to interact with the service provider (which is typically keystone). Setting this option to zero means that access tokens will last forever.

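Review bot: both new duration descriptions end with "Setting this option to zero means that ... tokens will last forever" stated neutrally; a request or access token that never expires cannot be aged out of the backend and remains usable for as long as it is retained, so add a sentence to each row saying that zero is not recommended for production deployments and that the defaults (28800 and 86400 seconds) bound the exposure of a leaked token.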
@ -19,6 +19,6 @@
* - **[policy]**
-
* - ``driver`` = ``sql``
- (String) Entrypoint for the policy backend driver in the keystone.policy namespace. Supplied drivers are rules and sql.
- (String) Entry point for the policy backend driver in the `keystone.policy` namespace. Supplied drivers are `rules` (which does not support any CRUD operations for the v3 policy API) and `sql`. Typically, there is no reason to set this option unless you are providing a custom entry point.
* - ``list_limit`` = ``None``
- (Integer) Maximum number of entities that will be returned in a policy collection.

@ -21,15 +21,31 @@
* - ``check_timeout`` = ``20000``
- (Integer) Time in ms to wait before the transaction is killed.
* - ``host`` = ``127.0.0.1``
- (String) DEPRECATED: Host to locate redis. Replaced by [DEFAULT]/transport_url
- (String) Host to locate redis.

- **Deprecated**

Replaced by [DEFAULT]/transport_url
* - ``password`` =
- (String) DEPRECATED: Password for Redis server (optional). Replaced by [DEFAULT]/transport_url
- (String) Password for Redis server (optional).

- **Deprecated**

Replaced by [DEFAULT]/transport_url
* - ``port`` = ``6379``
- (Port number) DEPRECATED: Use this port to connect to redis host. Replaced by [DEFAULT]/transport_url
- (Port number) Use this port to connect to redis host.

- **Deprecated**

Replaced by [DEFAULT]/transport_url
* - ``sentinel_group_name`` = ``oslo-messaging-zeromq``
- (String) Redis replica set name.
* - ``sentinel_hosts`` =
- (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url
- (List) List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port ... ]

- **Deprecated**

Replaced by [DEFAULT]/transport_url
* - ``socket_timeout`` = ``10000``
- (Integer) Timeout in ms on blocking socket operations.
* - ``wait_timeout`` = ``2000``

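Review bot: the deprecation text "Replaced by [DEFAULT]/transport_url" in all four deprecated rows (`host`, `password`, `port`, `sentinel_hosts`) uses a different option-reference style from the rest of these tables, which write `[ldap] use_pool`; format it as `[DEFAULT] transport_url` for consistency. For the `password` row in particular, it is worth adding that the replacement carries the same Redis credential inside the transport URL, so the same care about who can read keystone.conf applies after migrating.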
@ -18,11 +18,11 @@
- Description
* - **[revoke]**
-
* - ``cache_time`` = ``3600``
- (Integer) Time to cache the revocation list and the revocation events (in seconds). This has no effect unless global and token caching are enabled.
* - ``driver`` = ``sql``
- (String) Entry point for the token revocation backend driver in the `keystone.revoke` namespace. Keystone only provides a `sql` driver, so there is no reason to set this option unless you are providing a custom entry point.
* - ``expiration_buffer`` = ``1800``
- (Integer) The number of seconds after a token has expired before a corresponding revocation event may be purged from the backend.
* - ``caching`` = ``True``
- (Boolean) Toggle for revocation event caching. This has no effect unless global caching is enabled.
* - ``driver`` = ``sql``
- (String) Entrypoint for an implementation of the backend for persisting revocation events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
* - ``expiration_buffer`` = ``1800``
- (Integer) This value (calculated in seconds) is added to token expiration before a revocation event may be removed from the backend.
* - ``cache_time`` = ``3600``
- (Integer) Time to cache the revocation list and the revocation events (in seconds). This has no effect unless global and `[revoke] caching` are both enabled.

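Review bot: the new `driver` description says "Keystone only provides a `sql` driver" (the old text listed `kvs` and `sql`), but the `[token] revoke_by_id` description added in this same change still says "Do not disable this option if you're using the `kvs` `[revoke] driver`". The two tables must agree: either keep `kvs` in this list or drop the `kvs` reference from the token table, otherwise operators cannot tell whether `revoke_by_id` can be safely disabled.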
@ -18,11 +18,11 @@
- Description
* - **[role]**
-
* - ``cache_time`` = ``None``
- (Integer) TTL (in seconds) to cache role data. This has no effect unless global caching is enabled.
* - ``caching`` = ``True``
- (Boolean) Toggle for role caching. This has no effect unless global caching is enabled.
* - ``driver`` = ``None``
- (String) Entrypoint for the role backend driver in the keystone.role namespace. Supplied drivers are ldap and sql.
- (String) Entry point for the role backend driver in the `keystone.role` namespace. Keystone only provides a `sql` driver, so there's no reason to change this unless you are providing a custom entry point.
* - ``caching`` = ``True``
- (Boolean) Toggle for role caching. This has no effect unless global caching is enabled. In a typical deployment, there is no reason to disable this.
* - ``cache_time`` = ``None``
- (Integer) Time to cache role data, in seconds. This has no effect unless both global caching and `[role] caching` are enabled.
* - ``list_limit`` = ``None``
- (Integer) Maximum number of entities that will be returned in a role collection.
- (Integer) Maximum number of entities that will be returned in a role collection. This may be useful to tune if you have a large number of discrete roles in your deployment.

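Review bot: the new `cache_time` description ("Time to cache role data, in seconds") does not say what the default of `None` means; a reader cannot tell whether `None` disables role caching or inherits a global expiration, and since role data decides authorization, the cache lifetime after a role change matters. Spell out the fallback, as the `[revoke] cache_time` row does by carrying an explicit value. The `driver` row also keeps a default of `None` while the text says only `sql` is provided; state that `None` resolves to `sql`.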
@ -19,38 +19,38 @@
* - **[saml]**
-
* - ``assertion_expiration_time`` = ``3600``
- (Integer) Default TTL, in seconds, for any generated SAML assertion created by Keystone.
* - ``certfile`` = ``/etc/keystone/ssl/certs/signing_cert.pem``
- (String) Path of the certfile for SAML signing. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates. Note, the path cannot contain a comma.
* - ``idp_contact_company`` = ``None``
- (String) Company of contact person.
* - ``idp_contact_email`` = ``None``
- (String) Email address of contact person.
* - ``idp_contact_name`` = ``None``
- (String) Given name of contact person
* - ``idp_contact_surname`` = ``None``
- (String) Surname of contact person.
* - ``idp_contact_telephone`` = ``None``
- (String) Telephone number of contact person.
* - ``idp_contact_type`` = ``other``
- (String) The contact type describing the main point of contact for the identity provider.
* - ``idp_entity_id`` = ``None``
- (String) Entity ID value for unique Identity Provider identification. Usually FQDN is set with a suffix. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/idp
* - ``idp_lang`` = ``en``
- (String) Language used by the organization.
* - ``idp_metadata_path`` = ``/etc/keystone/saml2_idp_metadata.xml``
- (String) Path to the Identity Provider Metadata file. This file should be generated with the keystone-manage saml_idp_metadata command.
* - ``idp_organization_display_name`` = ``None``
- (String) Organization name to be displayed.
* - ``idp_organization_name`` = ``None``
- (String) Organization name the installation belongs to.
* - ``idp_organization_url`` = ``None``
- (String) URL of the organization.
* - ``idp_sso_endpoint`` = ``None``
- (String) Identity Provider Single-Sign-On service value, required in the Identity Provider's metadata. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso
* - ``keyfile`` = ``/etc/keystone/ssl/private/signing_key.pem``
- (String) Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
* - ``relay_state_prefix`` = ``ss:mem:``
- (String) The prefix to use for the RelayState SAML attribute, used when generating ECP wrapped assertions.
- (Integer) Determines the lifetime for any SAML assertions generated by keystone, using `NotOnOrAfter` attributes.
* - ``xmlsec1_binary`` = ``xmlsec1``
- (String) Binary to be called for XML signing. Install the appropriate package, specify absolute path or adjust your PATH environment variable if the binary cannot be found.
- (String) Name of, or absolute path to, the binary to be used for XML signing. Although only the XML Security Library (`xmlsec1`) is supported, it may have a non-standard name or path on your system. If keystone cannot find the binary itself, you may need to install the appropriate package, use this option to specify an absolute path, or adjust keystone's PATH environment variable.
* - ``certfile`` = ``/etc/keystone/ssl/certs/signing_cert.pem``
- (String) Absolute path to the public certificate file to use for SAML signing. The value cannot contain a comma (`,`).
* - ``keyfile`` = ``/etc/keystone/ssl/private/signing_key.pem``
- (String) Absolute path to the private key file to use for SAML signing. The value cannot contain a comma (`,`).
* - ``idp_entity_id`` = ``None``
- (URI) This is the unique entity identifier of the identity provider (keystone) to use when generating SAML assertions. This value is required to generate identity provider metadata and must be a URI (a URL is recommended). For example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`.
* - ``idp_sso_endpoint`` = ``None``
- (URI) This is the single sign-on (SSO) service location of the identity provider which accepts HTTP POST requests. A value is required to generate identity provider metadata. For example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/sso`.
* - ``idp_lang`` = ``en``
- (String) This is the language used by the identity provider's organization.
* - ``idp_organization_name`` = ``SAML Identity Provider``
- (String) This is the name of the identity provider's organization.
* - ``idp_organization_display_name`` = ``OpenStack SAML Identity Provider``
- (String) This is the name of the identity provider's organization to be displayed.
* - ``idp_organization_url`` = ``https://example.com/``
- (URI) This is the URL of the identity provider's organization. The URL referenced here should be useful to humans.
* - ``idp_contact_company`` = ``Example, Inc.``
- (String) This is the company name of the identity provider's contact person.
* - ``idp_contact_name`` = ``SAML Identity Provider Support``
- (String) This is the given name of the identity provider's contact person.
* - ``idp_contact_surname`` = ``Support``
- (String) This is the surname of the identity provider's contact person.
* - ``idp_contact_email`` = ``support@example.com``
- (String) This is the email address of the identity provider's contact person.
* - ``idp_contact_telephone`` = ``+1 800 555 0100``
- (String) This is the telephone number of the identity provider's contact person.
* - ``idp_contact_type`` = ``other``
- (String) This is the type of contact that best describes the identity provider's contact person.
* - ``idp_metadata_path`` = ``/etc/keystone/saml2_idp_metadata.xml``
- (String) Absolute path to the identity provider metadata file. This file should be generated with the `keystone-manage saml_idp_metadata` command. There is typically no reason to change this value.
* - ``relay_state_prefix`` = ``ss:mem:``
- (String) The prefix of the RelayState SAML attribute to use when generating enhanced client and proxy (ECP) assertions. In a typical deployment, there is no reason to change this value.

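Review bot: several defaults move from `None` to placeholder values (`idp_organization_url` = `https://example.com/`, `idp_contact_company` = `Example, Inc.`, `idp_contact_email` = `support@example.com`, `idp_contact_telephone` = `+1 800 555 0100`), and the table says the metadata file "should be generated with the `keystone-manage saml_idp_metadata` command"; those placeholders will therefore be published verbatim to relying service providers unless overridden, so each of these rows should say that the value must be replaced before generating metadata. Separately, the new description for the assertion lifetime ("(Integer) Determines the lifetime for any SAML assertions generated by keystone, using `NotOnOrAfter` attributes.") drops the unit that the old text carried ("in seconds"); restore it.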
@ -18,25 +18,35 @@
- Description
* - **[token]**
-
* - ``allow_rescope_scoped_token`` = ``True``
- (Boolean) Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false prevents a user from exchanging a scoped token for any other token.
* - ``bind`` =
- (List) External auth mechanisms that should add bind information to token, e.g., kerberos,x509.
* - ``cache_time`` = ``None``
- (Integer) Time to cache tokens (in seconds). This has no effect unless global and token caching are enabled.
* - ``caching`` = ``True``
- (Boolean) Toggle for token system caching. This has no effect unless global caching is enabled.
* - ``driver`` = ``sql``
- (String) Entrypoint for the token persistence backend driver in the keystone.token.persistence namespace. Supplied drivers are kvs, memcache, memcache_pool, and sql.
- (List) This is a list of external authentication mechanisms which should add token binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is enforced according to the `[token] enforce_token_bind` option.
* - ``enforce_token_bind`` = ``permissive``
- (String) Enforcement policy on tokens presented to Keystone with bind information. One of disabled, permissive, strict, required or a specifically required bind mode, e.g., kerberos or x509 to require binding to that authentication.
- (String) This controls the token binding enforcement policy on tokens presented to keystone with token binding metadata (as specified by the `[token] bind` option). `disabled` completely bypasses token binding validation. `permissive` and `strict` do not require tokens to have binding metadata (but will validate it if present), whereas `required` will always demand tokens to having binding metadata. `permissive` will allow unsupported binding metadata to pass through without validation (usually to be validated at another time by another component), whereas `strict` and `required` will demand that the included binding metadata be supported by keystone.

- **Deprecated**

No deprecation reason provided for this option.
* - ``expiration`` = ``3600``
- (Integer) Amount of time a token should remain valid (in seconds).
* - ``hash_algorithm`` = ``md5``
- (String) DEPRECATED: The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly. PKI token support has been deprecated in the M release and will be removed in the O release. Fernet or UUID tokens are recommended.
* - ``infer_roles`` = ``True``
- (Boolean) Add roles to token that are not explicitly added, but that are linked implicitly to other roles.
* - ``provider`` = ``uuid``
- (String) Controls the token construction, validation, and revocation operations. Entrypoint in the keystone.token.provider namespace. Core providers are [fernet|pkiz|pki|uuid].
- (Integer) The amount of time that a token should remain valid (in seconds). Drastically reducing this value may break "long-running" operations that involve multiple services to coordinate together, and will force users to authenticate with keystone more frequently. Drastically increasing this value will increase load on the `[token] driver`, as more tokens will be simultaneously valid. Keystone tokens are also bearer tokens, so a shorter duration will also reduce the potential security impact of a compromised token.
* - ``provider`` = ``fernet``
- (String) Entry point for the token provider in the `keystone.token.provider` namespace. The token provider controls the token construction, validation, and revocation operations. Keystone includes `fernet` and `uuid` token providers. `uuid` tokens must be persisted (using the backend specified in the `[token] driver` option), but do not require any extra configuration or setup. `fernet` tokens do not need to be persisted at all, but require that you run `keystone-manage fernet_setup` (also see the `keystone-manage fernet_rotate` command).
* - ``driver`` = ``sql``
- (String) Entry point for the token persistence backend driver in the `keystone.token.persistence` namespace. Keystone provides the `sql` driver. The `sql` option (default) depends on the options in your `[database]` section. If you're using the `fernet` `[token] provider`, this backend will not be utilized to persist tokens at all.

- **Deprecated**

No deprecation reason provided for this option.
* - ``caching`` = ``True``
- (Boolean) Toggle for caching token creation and validation data. This has no effect unless global caching is enabled.
* - ``cache_time`` = ``None``
- (Integer) The number of seconds to cache token creation and validation data. This has no effect unless both global and `[token] caching` are enabled.
* - ``revoke_by_id`` = ``True``
- (Boolean) Revoke token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens, e.g. `list tokens for user`. These enumerations are processed to determine the list of tokens to revoke. Only disable if you are switching to using the Revoke extension with a backend other than KVS, which stores events in memory.
- (Boolean) This toggles support for revoking individual tokens by the token identifier and thus various token enumeration operations (such as listing all tokens issued to a specific user). These operations are used to determine the list of tokens to consider revoked. Do not disable this option if you're using the `kvs` `[revoke] driver`.
* - ``allow_rescope_scoped_token`` = ``True``
- (Boolean) This toggles whether scoped tokens may be re-scoped to a new project or domain, thereby preventing users from exchanging a scoped token (including those with a default project scope) for any other token. This forces users to either authenticate for unscoped tokens (and later exchange that unscoped token for tokens with a more specific scope) or to provide their credentials in every request for a scoped token to avoid re-scoping altogether.
* - ``infer_roles`` = ``True``
- (Boolean) This controls whether roles should be included with tokens that are not directly assigned to the token's scope, but are instead linked implicitly to other role assignments.
* - ``cache_on_issue`` = ``True``
- (Boolean) Enable storing issued token data to token validation cache so that first token validation doesn't actually cause full validation cycle. This option has no effect unless global caching and token caching are enabled.
* - ``allow_expired_window`` = ``172800``
- (Integer) This controls the number of seconds that a token can be retrieved for beyond the built-in expiry time. This allows long running operations to succeed. Defaults to two days.

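Review bot: two deprecation blocks in this hunk (after `enforce_token_bind` and after `driver`) read "No deprecation reason provided for this option."; a deprecation notice without a reason or replacement is not actionable, so state why each is deprecated and what to use instead (the `driver` text itself already explains that the persistence backend is unused with the `fernet` provider, which is the new default, changed from `uuid` in this same table and worth calling out as a behaviour change). The new `allow_rescope_scoped_token` text ("This toggles whether ... thereby preventing users from exchanging ...") also no longer says which value prevents re-scoping; the old text had "Setting ... to false prevents", so keep an explicit "When set to false" in the new wording.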
@ -18,9 +18,9 @@
- Description
* - **[tokenless_auth]**
-
* - ``issuer_attribute`` = ``SSL_CLIENT_I_DN``
- (String) The issuer attribute that is served as an IdP ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. It is the environment variable in the WSGI environment that references to the issuer of the client certificate.
* - ``protocol`` = ``x509``
- (String) The protocol name for the X.509 tokenless authorization along with the option issuer_attribute below can look up its corresponding mapping.
* - ``trusted_issuer`` = ``[]``
- (Multi-valued) The list of trusted issuers to further filter the certificates that are allowed to participate in the X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The naming format for the attributes of a Distinguished Name(DN) must be separated by a comma and contain no spaces. This configuration option may be repeated for multiple values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack trusted_issuer=CN=mary,OU=eng,O=abc
- (Multi-valued) The list of distinguished names which identify trusted issuers of client certificates allowed to use X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The format for the values of a distinguished name (DN) must be separated by a comma and contain no spaces. Furthermore, because an individual DN may contain commas, this configuration option may be repeated multiple times to represent multiple values. For example, keystone.conf would include two consecutive lines in order to trust two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` and `trusted_issuer = CN=mary,OU=eng,O=abc`.
* - ``protocol`` = ``x509``
- (String) The federated protocol ID used to represent X.509 tokenless authorization. This is used in combination with the value of `[tokenless_auth] issuer_attribute` to find a corresponding federated mapping. In a typical deployment, there is no reason to change this value.
* - ``issuer_attribute`` = ``SSL_CLIENT_I_DN``
- (String) The name of the WSGI environment variable used to pass the issuer of the client certificate to keystone. This attribute is used as an identity provider ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. In a typical deployment, there is no reason to change this value.

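Review bot: the new `issuer_attribute` description should say that the WSGI environment variable (`SSL_CLIENT_I_DN` by default) has to be populated by the web server that terminates the client's TLS connection and verifies the client certificate, since keystone compares its value against `trusted_issuer` to decide whether tokenless authorization is allowed at all; as written, a reader could assume any component that sets the variable is acceptable. It is also worth stating in the `trusted_issuer` row that the comparison is against the exact DN string in the format given (comma-separated, no spaces), so a value written with spaces will silently match nothing.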
@ -18,11 +18,11 @@
- Description
* - **[trust]**
-
* - ``allow_redelegation`` = ``False``
- (Boolean) Enable redelegation feature.
* - ``driver`` = ``sql``
- (String) Entrypoint for the trust backend driver in the keystone.trust namespace.
* - ``enabled`` = ``True``
- (Boolean) Delegation and impersonation features can be optionally disabled.
- (Boolean) Delegation and impersonation features using trusts can be optionally disabled.
* - ``allow_redelegation`` = ``False``
- (Boolean) Allows authorization to be redelegated from one user to another, effectively chaining trusts together. When disabled, the `remaining_uses` attribute of a trust is constrained to be zero.
* - ``max_redelegation_count`` = ``3``
- (Integer) Maximum depth of trust redelegation.
- (Integer) Maximum number of times that authorization can be redelegated from one user to another in a chain of trusts. This number may be reduced further for a specific trust.
* - ``driver`` = ``sql``
- (String) Entry point for the trust backend driver in the `keystone.trust` namespace. Keystone only provides a `sql` driver, so there is no reason to change this unless you are providing a custom entry point.

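Review bot: the `enabled` row still only says that delegation and impersonation "can be optionally disabled" without stating which value does so; phrase it as "Set to false to disable ...". In the new `allow_redelegation` text, "the `remaining_uses` attribute of a trust is constrained to be zero" reads oddly, since a trust with zero remaining uses would be unusable; confirm the intended constraint and state it directly, because `remaining_uses` is one of the limits operators rely on to bound a delegated authorization.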
@ -60,11 +60,11 @@ subscribe_on disable
syslog_log_facility disable
transport_url disable
use_dynamic_connections disable
use_journal disable
use_pub_sub disable
use_router_proxy disable
use_stderr disable
use_syslog disable
verbose disable
watch_log_file disable
zmq_failover_connections disable
zmq_immediate disable
@ -75,7 +75,15 @@ zmq_tcp_keepalive disable
zmq_tcp_keepalive_cnt disable
zmq_tcp_keepalive_idle disable
zmq_tcp_keepalive_intvl disable
assignment/driver assignment
assignment/prohibited_implied_role assignment
audit/namespace debug
auth/external auth
auth/mapped auth
auth/methods auth
auth/oauth1 auth
auth/password auth
auth/token auth
cache/backend disable
cache/backend_argument disable
cache/config_prefix disable
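Review bot: `audit/namespace` is mapped to the `debug` table while every other new mapping in this hunk goes to a table named after its section (`assignment`, `auth`); audit notification configuration is an operational security setting rather than a debugging aid, so consider a dedicated `audit` table, or at least the `common` table, so that operators looking for audit settings do not have to search the debug table.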
@ -89,6 +97,11 @@ cache/memcache_pool_unused_timeout disable
cache/memcache_servers disable
cache/memcache_socket_timeout disable
cache/proxies disable
catalog/cache_time catalog
catalog/caching catalog
catalog/driver catalog
catalog/list_limit catalog
catalog/template_file catalog
cors/allow_credentials disable
cors/allow_headers disable
cors/allow_methods disable
@ -101,6 +114,9 @@ cors.subdomain/allow_methods disable
cors.subdomain/allowed_origin disable
cors.subdomain/expose_headers disable
cors.subdomain/max_age disable
credential/driver credential
credential/key_repository credential
credential/provider credential
database/backend disable
database/connection disable
database/connection_debug disable
@ -118,14 +134,44 @@ database/mysql_sql_mode disable
database/pool_timeout disable
database/retry_interval disable
database/slave_connection disable
database/sqlite_db disable
database/sqlite_synchronous disable
database/use_db_reconnect disable
domain_config/cache_time domain
domain_config/caching domain
domain_config/driver domain
endpoint_filter/driver api
endpoint_filter/return_all_endpoints_if_no_filter api
endpoint_policy/driver api
eventlet_server/admin_bind_host api
eventlet_server/admin_port api
eventlet_server/public_bind_host api
eventlet_server/public_port api
federation/assertion_prefix federation
federation/caching federation
federation/driver federation
federation/federated_domain_name federation
federation/remote_id_attribute federation
federation/sso_callback_template federation
federation/trusted_dashboard federation
fernet_tokens/key_repository fernet_tokens
fernet_tokens/max_active_keys fernet_tokens
healthcheck/backends common
healthcheck/detailed common
healthcheck/disable_by_file_path common
healthcheck/disable_by_file_paths common
healthcheck/path common
identity/cache_time identity
identity/caching identity
identity/default_domain_id identity
identity/domain_config_dir identity
identity/domain_configurations_from_database identity
identity/domain_specific_drivers_enabled identity
identity/driver identity
identity/list_limit identity
identity/max_password_length identity
identity_mapping/backward_compatible_ids mapping
identity_mapping/driver mapping
identity_mapping/generator mapping
keystone_authtoken/admin_password disable
keystone_authtoken/admin_tenant_name disable
keystone_authtoken/admin_token disable
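Review bot: this hunk introduces table names that must exist in the table-names list for the generator to emit a table, in particular `fernet_tokens` (`fernet_tokens/key_repository fernet_tokens`, `fernet_tokens/max_active_keys fernet_tokens`), `mapping` (`identity_mapping/* mapping`) and `common` (`healthcheck/* common`); the only table-name addition visible in this change is `compliance`, so please confirm these names are already present, otherwise the fernet key repository options, which operators need when rotating token keys, silently drop out of the docs.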
@ -166,6 +212,58 @@ keystone_authtoken/service_token_roles disable
keystone_authtoken/service_token_roles_required disable
keystone_authtoken/signing_dir disable
keystone_authtoken/token_cache_time disable
ldap/alias_dereferencing ldap
ldap/auth_pool_connection_lifetime ldap
ldap/auth_pool_size ldap
ldap/chase_referrals ldap
ldap/connection_timeout ldap
ldap/debug_level ldap
ldap/group_ad_nesting ldap
ldap/group_additional_attribute_mapping ldap
ldap/group_attribute_ignore ldap
ldap/group_desc_attribute ldap
ldap/group_filter ldap
ldap/group_id_attribute ldap
ldap/group_member_attribute ldap
ldap/group_members_are_ids ldap
ldap/group_name_attribute ldap
ldap/group_objectclass ldap
ldap/group_tree_dn ldap
ldap/page_size ldap
ldap/password ldap
ldap/pool_connection_lifetime ldap
ldap/pool_connection_timeout ldap
ldap/pool_retry_delay ldap
ldap/pool_retry_max ldap
ldap/pool_size ldap
ldap/query_scope ldap
ldap/suffix ldap
ldap/tls_cacertdir ldap
ldap/tls_cacertfile ldap
ldap/tls_req_cert ldap
ldap/url ldap
ldap/use_auth_pool ldap
ldap/use_pool ldap
ldap/use_tls ldap
ldap/user ldap
ldap/user_additional_attribute_mapping ldap
ldap/user_attribute_ignore ldap
ldap/user_default_project_id_attribute ldap
ldap/user_description_attribute ldap
ldap/user_enabled_attribute ldap
ldap/user_enabled_default ldap
ldap/user_enabled_emulation ldap
ldap/user_enabled_emulation_dn ldap
ldap/user_enabled_emulation_use_group_config ldap
ldap/user_enabled_invert ldap
ldap/user_enabled_mask ldap
ldap/user_filter ldap
ldap/user_id_attribute ldap
ldap/user_mail_attribute ldap
ldap/user_name_attribute ldap
ldap/user_objectclass ldap
ldap/user_pass_attribute ldap
ldap/user_tree_dn ldap
matchmaker_redis/check_timeout redis
matchmaker_redis/host redis
matchmaker_redis/password redis
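Review bot: the `ldap` table now carries the bind credential (`ldap/user`, `ldap/password`) alongside the transport settings that decide whether it is sent in the clear (`ldap/url`, `ldap/use_tls`, `ldap/tls_req_cert`, `ldap/tls_cacertfile`, `ldap/tls_cacertdir`); the generated description for `ldap/password` should cross-reference `use_tls` and `tls_req_cert`, and `ldap/debug_level` should warn that raised debug levels can write bind details to logs, so operators reading the table see the dependency rather than discovering it after deployment.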
@ -174,6 +272,14 @@ matchmaker_redis/sentinel_group_name redis
matchmaker_redis/sentinel_hosts redis
matchmaker_redis/socket_timeout redis
matchmaker_redis/wait_timeout redis
memcache/dead_retry cache
memcache/pool_connection_get_timeout cache
memcache/pool_maxsize cache
memcache/pool_unused_timeout cache
memcache/socket_timeout cache
oauth1/access_token_duration oauth
oauth1/driver oauth
oauth1/request_token_duration oauth
oslo_concurrency/disable_process_locking disable
oslo_concurrency/lock_path disable
oslo_messaging_amqp/addressing_mode disable
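Review bot: `memcache/*` is mapped to a `cache` table here while the `cache/*` options earlier in this change (`cache/backend`, `cache/memcache_servers`, `cache/memcache_socket_timeout`) are mapped to `disable`; if the intent is that the `cache` section is documented by the shared oslo.cache reference and only the keystone-specific `memcache` section belongs in these tables, a line in the commit message saying so would save the next editor from "fixing" it.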
@ -206,6 +312,7 @@ oslo_messaging_amqp/sasl_config_dir disable
oslo_messaging_amqp/sasl_config_name disable
oslo_messaging_amqp/sasl_mechanisms disable
oslo_messaging_amqp/server_request_prefix disable
oslo_messaging_amqp/ssl disable
oslo_messaging_amqp/ssl_ca_file disable
oslo_messaging_amqp/ssl_cert_file disable
oslo_messaging_amqp/ssl_key_file disable
@ -318,6 +425,9 @@ oslo_middleware/secure_proxy_ssl_header api
oslo_policy/policy_default_rule disable
oslo_policy/policy_dirs disable
oslo_policy/policy_file disable
paste_deploy/config_file api
policy/driver policy
policy/list_limit policy
profiler/connection_string common
profiler/enabled common
profiler/es_doc_type common
@ -327,3 +437,73 @@ profiler/hmac_keys common
profiler/sentinel_service_name common
profiler/socket_timeout common
profiler/trace_sqlalchemy common
resource/admin_project_domain_name api
resource/admin_project_name api
resource/cache_time api
resource/caching api
resource/domain_name_url_safe api
resource/driver api
resource/list_limit api
resource/project_name_url_safe api
revoke/cache_time revoke
revoke/caching revoke
revoke/driver revoke
revoke/expiration_buffer revoke
role/cache_time role
role/caching role
role/driver role
role/list_limit role
saml/assertion_expiration_time saml
saml/certfile saml
saml/idp_contact_company saml
saml/idp_contact_email saml
saml/idp_contact_name saml
saml/idp_contact_surname saml
saml/idp_contact_telephone saml
saml/idp_contact_type saml
saml/idp_entity_id saml
saml/idp_lang saml
saml/idp_metadata_path saml
saml/idp_organization_display_name saml
saml/idp_organization_name saml
saml/idp_organization_url saml
saml/idp_sso_endpoint saml
saml/keyfile saml
saml/relay_state_prefix saml
saml/xmlsec1_binary saml
security_compliance/change_password_upon_first_use compliance
security_compliance/disable_user_account_days_inactive compliance
security_compliance/lockout_duration compliance
security_compliance/lockout_failure_attempts compliance
security_compliance/minimum_password_age compliance
security_compliance/password_expires_days compliance
security_compliance/password_regex compliance
security_compliance/password_regex_description compliance
security_compliance/unique_last_password_count compliance
shadow_users/driver api
signing/ca_certs ca
signing/ca_key ca
signing/cert_subject ca
signing/certfile ca
signing/key_size ca
signing/keyfile ca
signing/valid_days ca
token/allow_expired_window token
token/allow_rescope_scoped_token token
token/bind token
token/cache_on_issue token
token/cache_time token
token/enforce_token_bind token
token/caching token
token/driver token
token/expiration token
token/infer_roles token
token/provider token
token/revoke_by_id token
tokenless_auth/issuer_attribute tokenless
tokenless_auth/protocol tokenless
tokenless_auth/trusted_issuer tokenless
trust/allow_redelegation trust
trust/driver trust
trust/enabled trust
trust/max_redelegation_count trust
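Review bot: `shadow_users/driver api` breaks the per-section pattern used for every other driver option in this hunk (`revoke/driver revoke`, `role/driver role`, `token/driver token`, `trust/driver trust`) and buries the federated shadow-user backend in the generic `api` table; either give it a `shadow_users` table or note why `api` is the intended home. The `security_compliance/*` block (`lockout_failure_attempts`, `lockout_duration`, `password_expires_days`, `unique_last_password_count`, and the rest) is consistently mapped to `compliance`, which matches the new table-name entry and the added include, so that part looks complete.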
@ -1,5 +1,6 @@
assignment assignment
catalog catalog
compliance Security compliance
credential credential
domain domain
federation federation
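Review bot: the new entry `compliance Security compliance` uses a capitalised descriptive title where the neighbouring entries (`assignment assignment`, `catalog catalog`, `credential credential`, `domain domain`, `federation federation`) reuse the bare section name as the title; if the generated heading style is meant to differ for this table, fine, but otherwise `compliance compliance` (or `compliance security_compliance`, matching the option prefix) keeps the table titles uniform.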