[config-ref] update keystone config options for Ocata

Change-Id: I5e69def1e88780119084276b1aceb2d8d3af7b0c
KATO Tomoyuki 2017-02-13 17:17:57 +09:00
parent bde00b78aa
commit 310033209a
4 changed files with 121 additions and 11 deletions

@ -19,25 +19,23 @@
* - **[DEFAULT]** * - **[DEFAULT]**
- -
* - ``admin_endpoint`` = ``None`` * - ``admin_endpoint`` = ``None``
- (String) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host. - (URI) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
* - ``admin_token`` = ``None`` * - ``admin_token`` = ``None``
- (String) Using this feature is *NOT* recommended. Instead, use the `keystone-manage bootstrap` command. The value of this option is treated as a "shared secret" that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled. However, to completely disable `admin_token` in production (highly recommended, as it presents a security risk), remove `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste application pipelines (for example, in `keystone-paste.ini`). - (String) Using this feature is *NOT* recommended. Instead, use the `keystone-manage bootstrap` command. The value of this option is treated as a "shared secret" that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled. However, to completely disable `admin_token` in production (highly recommended, as it presents a security risk), remove `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste application pipelines (for example, in `keystone-paste.ini`).
* - ``domain_id_immutable`` = ``True``
- (Boolean) DEPRECATED: Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their `domain_id` attribute. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see `etc/policy.v3cloudsample.json` as an example). This feature is deprecated and will be removed in a future release, in favor of strictly immutable domain IDs. The option to set domain_id_immutable to false has been deprecated in the M release and will be removed in the O release.
* - ``list_limit`` = ``None`` * - ``list_limit`` = ``None``
- (Integer) The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, `[assignment]`). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system. - (Integer) The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, `[assignment]`). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system.
* - ``max_param_size`` = ``64`` * - ``max_param_size`` = ``64``
- (Integer) Limit the sizes of user & project ID/names. - (Integer) Limit the sizes of user & project ID/names.
* - ``max_project_tree_depth`` = ``5`` * - ``max_project_tree_depth`` = ``5``
- (Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance. - (Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance.
* - ``max_token_size`` = ``8192`` * - ``max_token_size`` = ``255``
- (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With PKI / PKIZ tokens, this needs to be set close to 8192 (any higher, and other HTTP implementations may break), depending on the size of your service catalog and other factors. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32). - (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32).
* - ``member_role_id`` = ``9fe2ff9ee4384b1894a90878d3e92bab`` * - ``member_role_id`` = ``9fe2ff9ee4384b1894a90878d3e92bab``
- (String) Similar to the `[DEFAULT] member_role_name` option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] member_role_name` as well). - (String) Similar to the `[DEFAULT] member_role_name` option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] member_role_name` as well).
* - ``member_role_name`` = ``_member_`` * - ``member_role_name`` = ``_member_``
- (String) This is the role name used in combination with the `[DEFAULT] member_role_id` option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set `[DEFAULT] member_role_id` as well). - (String) This is the role name used in combination with the `[DEFAULT] member_role_id` option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set `[DEFAULT] member_role_id` as well).
* - ``public_endpoint`` = ``None`` * - ``public_endpoint`` = ``None``
- (String) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host. - (URI) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
* - ``secure_proxy_ssl_header`` = ``HTTP_X_FORWARDED_PROTO`` * - ``secure_proxy_ssl_header`` = ``HTTP_X_FORWARDED_PROTO``
- (String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead. - (String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
* - ``strict_password_check`` = ``False`` * - ``strict_password_check`` = ``False``
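Review bot: The rewritten `max_token_size` description still ends with an unmatched parenthesis ("With UUID tokens, this should be set to 32)"), left over from the old text; drop the ")" while this sentence is being edited anyway. The `admin_endpoint` and `public_endpoint` rows, which this hunk touches for the String to URI type change, also keep "then this will option will be automatically treated as" and "You should only need to set option if", which should read "then this option will be" and "set this option". If these cells are generated from keystone's option help (an assumption, the generator is not visible here), the fix belongs in the help strings rather than in this table. Separately, the `max_token_size` default drops from 8192 to 255 in the same row, which is worth calling out in the commit message since it changes the documented limit for anyone not overriding it.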

@ -22,3 +22,57 @@
- (Integer) Size of executor thread pool. - (Integer) Size of executor thread pool.
* - ``insecure_debug`` = ``False`` * - ``insecure_debug`` = ``False``
- (Boolean) If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure. - (Boolean) If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure.
* - **[healthcheck]**
-
* - ``backends`` =
- (List) Additional backends that can perform health checks and report that information back as part of a request.
* - ``detailed`` = ``False``
- (Boolean) Show more detailed information as part of the response
* - ``disable_by_file_path`` = ``None``
- (String) Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
* - ``disable_by_file_paths`` =
- (List) Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
* - ``path`` = ``/healthcheck``
- (String) DEPRECATED: The path to respond to healtcheck requests on.
* - **[profiler]**
-
* - ``connection_string`` = ``messaging://``
- (String) Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging.
Examples of possible values:
* messaging://: use oslo_messaging driver for sending notifications.
* mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications.
* elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
* - ``enabled`` = ``False``
- (Boolean) Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature).
Possible values:
* True: Enables the feature
* False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
* - ``es_doc_type`` = ``notification``
- (String) Document type for notification indexing in elasticsearch.
* - ``es_scroll_size`` = ``10000``
- (Integer) Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
* - ``es_scroll_time`` = ``2m``
- (String) This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
* - ``hmac_keys`` = ``SECRET_KEY``
- (String) Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,...<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.
Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
* - ``sentinel_service_name`` = ``mymaster``
- (String) Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
* - ``socket_timeout`` = ``0.1``
- (Floating point) Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
* - ``trace_sqlalchemy`` = ``False``
- (Boolean) Enables SQL requests profiling in services. Default value is False (SQL requests won't be traced).
Possible values:
* True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that.
* False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.
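Review bot: The `[profiler]` row for `hmac_keys` documents a default of `SECRET_KEY` and describes the value as used for "encrypting context data", while the option name and the "set one of these keys in the headers" sentence describe a shared HMAC key. With a fixed, published default, anyone who sets `enabled = True` without changing `hmac_keys` is using a key every reader of this table knows, so the description should say explicitly that the default must be replaced with a random value before profiling is enabled, and "encrypting" should be reworded to match what the key actually does. The same hunk also introduces several typos that should be fixed at the source of these strings: "healtcheck" in the `[healthcheck] path` row, "sentinal_service_name=mymaster" in the `sentinel_service_name` row, "Redissentinel" (twice), and "can the be analyzed" in `trace_sqlalchemy`. Finally, the `connection_string`, `enabled` and `trace_sqlalchemy` cells contain their own `*` bullet lists inside a list-table cell; please confirm the indentation survives the docs build, because the nesting cannot be checked from this view.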

@ -29,8 +29,8 @@
* - ``sentinel_group_name`` = ``oslo-messaging-zeromq`` * - ``sentinel_group_name`` = ``oslo-messaging-zeromq``
- (String) Redis replica set name. - (String) Redis replica set name.
* - ``sentinel_hosts`` = * - ``sentinel_hosts`` =
- (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g. [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url - (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url
* - ``socket_timeout`` = ``10000`` * - ``socket_timeout`` = ``10000``
- (Integer) Timeout in ms on blocking socket operations - (Integer) Timeout in ms on blocking socket operations.
* - ``wait_timeout`` = ``2000`` * - ``wait_timeout`` = ``2000``
- (Integer) Time in ms to wait between connection attempts. - (Integer) Time in ms to wait between connection attempts.

@ -7,7 +7,6 @@ crypt_strength security
debug disable debug disable
default_log_levels disable default_log_levels disable
default_publisher_id disable default_publisher_id disable
domain_id_immutable api
executor_thread_pool_size common executor_thread_pool_size common
fatal_deprecations disable fatal_deprecations disable
insecure_debug common insecure_debug common
@ -32,11 +31,19 @@ notification_format disable
notification_opt_out disable notification_opt_out disable
public_endpoint api public_endpoint api
publish_errors disable publish_errors disable
rate_limit_burst disable
rate_limit_except_level disable
rate_limit_interval disable
rpc_ack_timeout_base disable
rpc_ack_timeout_multiplier disable
rpc_backend disable rpc_backend disable
rpc_cast_timeout disable
rpc_conn_pool_size disable rpc_conn_pool_size disable
rpc_message_ttl disable
rpc_poll_timeout disable rpc_poll_timeout disable
rpc_response_timeout disable rpc_response_timeout disable
rpc_retry_attempts disable
rpc_thread_pool_size disable
rpc_use_acks disable
rpc_zmq_bind_address disable rpc_zmq_bind_address disable
rpc_zmq_bind_port_retries disable rpc_zmq_bind_port_retries disable
rpc_zmq_contexts disable rpc_zmq_contexts disable
@ -49,17 +56,25 @@ rpc_zmq_serialization disable
rpc_zmq_topic_backlog disable rpc_zmq_topic_backlog disable
secure_proxy_ssl_header api secure_proxy_ssl_header api
strict_password_check api strict_password_check api
subscribe_on disable
syslog_log_facility disable syslog_log_facility disable
transport_url disable transport_url disable
use_dynamic_connections disable
use_pub_sub disable use_pub_sub disable
use_router_proxy disable use_router_proxy disable
use_stderr disable use_stderr disable
use_syslog disable use_syslog disable
verbose disable verbose disable
watch_log_file disable watch_log_file disable
zmq_failover_connections disable
zmq_immediate disable zmq_immediate disable
zmq_linger disable
zmq_target_expire disable zmq_target_expire disable
zmq_target_update disable zmq_target_update disable
zmq_tcp_keepalive disable
zmq_tcp_keepalive_cnt disable
zmq_tcp_keepalive_idle disable
zmq_tcp_keepalive_intvl disable
audit/namespace debug audit/namespace debug
cache/backend disable cache/backend disable
cache/backend_argument disable cache/backend_argument disable
@ -106,6 +121,11 @@ database/slave_connection disable
database/sqlite_db disable database/sqlite_db disable
database/sqlite_synchronous disable database/sqlite_synchronous disable
database/use_db_reconnect disable database/use_db_reconnect disable
healthcheck/backends common
healthcheck/detailed common
healthcheck/disable_by_file_path common
healthcheck/disable_by_file_paths common
healthcheck/path common
keystone_authtoken/admin_password disable keystone_authtoken/admin_password disable
keystone_authtoken/admin_tenant_name disable keystone_authtoken/admin_tenant_name disable
keystone_authtoken/admin_token disable keystone_authtoken/admin_token disable
@ -142,6 +162,8 @@ keystone_authtoken/memcache_use_advanced_pool disable
keystone_authtoken/memcached_servers disable keystone_authtoken/memcached_servers disable
keystone_authtoken/region_name disable keystone_authtoken/region_name disable
keystone_authtoken/revocation_cache_time disable keystone_authtoken/revocation_cache_time disable
keystone_authtoken/service_token_roles disable
keystone_authtoken/service_token_roles_required disable
keystone_authtoken/signing_dir disable keystone_authtoken/signing_dir disable
keystone_authtoken/token_cache_time disable keystone_authtoken/token_cache_time disable
matchmaker_redis/check_timeout redis matchmaker_redis/check_timeout redis
@ -164,9 +186,11 @@ oslo_messaging_amqp/connection_retry_interval_max disable
oslo_messaging_amqp/container_name disable oslo_messaging_amqp/container_name disable
oslo_messaging_amqp/default_notification_exchange disable oslo_messaging_amqp/default_notification_exchange disable
oslo_messaging_amqp/default_notify_timeout disable oslo_messaging_amqp/default_notify_timeout disable
oslo_messaging_amqp/default_reply_retry disable
oslo_messaging_amqp/default_reply_timeout disable oslo_messaging_amqp/default_reply_timeout disable
oslo_messaging_amqp/default_rpc_exchange disable oslo_messaging_amqp/default_rpc_exchange disable
oslo_messaging_amqp/default_send_timeout disable oslo_messaging_amqp/default_send_timeout disable
oslo_messaging_amqp/default_sender_link_timeout disable
oslo_messaging_amqp/group_request_prefix disable oslo_messaging_amqp/group_request_prefix disable
oslo_messaging_amqp/idle_timeout disable oslo_messaging_amqp/idle_timeout disable
oslo_messaging_amqp/link_retry_delay disable oslo_messaging_amqp/link_retry_delay disable
@ -174,6 +198,7 @@ oslo_messaging_amqp/multicast_address disable
oslo_messaging_amqp/notify_address_prefix disable oslo_messaging_amqp/notify_address_prefix disable
oslo_messaging_amqp/notify_server_credit disable oslo_messaging_amqp/notify_server_credit disable
oslo_messaging_amqp/password disable oslo_messaging_amqp/password disable
oslo_messaging_amqp/pre_settled disable
oslo_messaging_amqp/reply_link_credit disable oslo_messaging_amqp/reply_link_credit disable
oslo_messaging_amqp/rpc_address_prefix disable oslo_messaging_amqp/rpc_address_prefix disable
oslo_messaging_amqp/rpc_server_credit disable oslo_messaging_amqp/rpc_server_credit disable
@ -188,6 +213,16 @@ oslo_messaging_amqp/ssl_key_password disable
oslo_messaging_amqp/trace disable oslo_messaging_amqp/trace disable
oslo_messaging_amqp/unicast_address disable oslo_messaging_amqp/unicast_address disable
oslo_messaging_amqp/username disable oslo_messaging_amqp/username disable
oslo_messaging_kafka/conn_pool_min_size disable
oslo_messaging_kafka/conn_pool_ttl disable
oslo_messaging_kafka/consumer_group disable
oslo_messaging_kafka/kafka_consumer_timeout disable
oslo_messaging_kafka/kafka_default_host disable
oslo_messaging_kafka/kafka_default_port disable
oslo_messaging_kafka/kafka_max_fetch_bytes disable
oslo_messaging_kafka/pool_size disable
oslo_messaging_kafka/producer_batch_size disable
oslo_messaging_kafka/producer_batch_timeout disable
oslo_messaging_notifications/driver disable oslo_messaging_notifications/driver disable
oslo_messaging_notifications/topics disable oslo_messaging_notifications/topics disable
oslo_messaging_notifications/transport_url disable oslo_messaging_notifications/transport_url disable
@ -199,6 +234,7 @@ oslo_messaging_rabbit/default_notification_exchange disable
oslo_messaging_rabbit/default_notification_retry_attempts disable oslo_messaging_rabbit/default_notification_retry_attempts disable
oslo_messaging_rabbit/default_rpc_exchange disable oslo_messaging_rabbit/default_rpc_exchange disable
oslo_messaging_rabbit/default_rpc_retry_attempts disable oslo_messaging_rabbit/default_rpc_retry_attempts disable
oslo_messaging_rabbit/default_serializer_type disable
oslo_messaging_rabbit/fake_rabbit disable oslo_messaging_rabbit/fake_rabbit disable
oslo_messaging_rabbit/frame_max disable oslo_messaging_rabbit/frame_max disable
oslo_messaging_rabbit/heartbeat_interval disable oslo_messaging_rabbit/heartbeat_interval disable
@ -247,8 +283,13 @@ oslo_messaging_rabbit/socket_timeout disable
oslo_messaging_rabbit/ssl disable oslo_messaging_rabbit/ssl disable
oslo_messaging_rabbit/ssl_options disable oslo_messaging_rabbit/ssl_options disable
oslo_messaging_rabbit/tcp_user_timeout disable oslo_messaging_rabbit/tcp_user_timeout disable
oslo_messaging_zmq/rpc_cast_timeout disable oslo_messaging_zmq/rpc_ack_timeout_base disable
oslo_messaging_zmq/rpc_ack_timeout_multiplier disable
oslo_messaging_zmq/rpc_message_ttl disable
oslo_messaging_zmq/rpc_poll_timeout disable oslo_messaging_zmq/rpc_poll_timeout disable
oslo_messaging_zmq/rpc_retry_attempts disable
oslo_messaging_zmq/rpc_thread_pool_size disable
oslo_messaging_zmq/rpc_use_acks disable
oslo_messaging_zmq/rpc_zmq_bind_address disable oslo_messaging_zmq/rpc_zmq_bind_address disable
oslo_messaging_zmq/rpc_zmq_bind_port_retries disable oslo_messaging_zmq/rpc_zmq_bind_port_retries disable
oslo_messaging_zmq/rpc_zmq_contexts disable oslo_messaging_zmq/rpc_zmq_contexts disable
@ -259,14 +300,31 @@ oslo_messaging_zmq/rpc_zmq_max_port disable
oslo_messaging_zmq/rpc_zmq_min_port disable oslo_messaging_zmq/rpc_zmq_min_port disable
oslo_messaging_zmq/rpc_zmq_serialization disable oslo_messaging_zmq/rpc_zmq_serialization disable
oslo_messaging_zmq/rpc_zmq_topic_backlog disable oslo_messaging_zmq/rpc_zmq_topic_backlog disable
oslo_messaging_zmq/subscribe_on disable
oslo_messaging_zmq/use_dynamic_connections disable
oslo_messaging_zmq/use_pub_sub disable oslo_messaging_zmq/use_pub_sub disable
oslo_messaging_zmq/use_router_proxy disable oslo_messaging_zmq/use_router_proxy disable
oslo_messaging_zmq/zmq_failover_connections disable
oslo_messaging_zmq/zmq_immediate disable oslo_messaging_zmq/zmq_immediate disable
oslo_messaging_zmq/zmq_linger disable
oslo_messaging_zmq/zmq_target_expire disable oslo_messaging_zmq/zmq_target_expire disable
oslo_messaging_zmq/zmq_target_update disable oslo_messaging_zmq/zmq_target_update disable
oslo_messaging_zmq/zmq_tcp_keepalive disable
oslo_messaging_zmq/zmq_tcp_keepalive_cnt disable
oslo_messaging_zmq/zmq_tcp_keepalive_idle disable
oslo_messaging_zmq/zmq_tcp_keepalive_intvl disable
oslo_middleware/enable_proxy_headers_parsing api oslo_middleware/enable_proxy_headers_parsing api
oslo_middleware/max_request_body_size api oslo_middleware/max_request_body_size api
oslo_middleware/secure_proxy_ssl_header api oslo_middleware/secure_proxy_ssl_header api
oslo_policy/policy_default_rule disable oslo_policy/policy_default_rule disable
oslo_policy/policy_dirs disable oslo_policy/policy_dirs disable
oslo_policy/policy_file disable oslo_policy/policy_file disable
profiler/connection_string common
profiler/enabled common
profiler/es_doc_type common
profiler/es_scroll_size common
profiler/es_scroll_time common
profiler/hmac_keys common
profiler/sentinel_service_name common
profiler/socket_timeout common
profiler/trace_sqlalchemy common
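Review bot: All nine `profiler/*` options at the end of this hunk are mapped to `common`, as are the `healthcheck/*` options added earlier in this file, which is why the common table now carries `[healthcheck]` and `[profiler]` sections alongside `executor_thread_pool_size` and `insecure_debug`. `profiler/hmac_keys` holds a secret and `profiler/connection_string` points at an external backend, so consider giving the profiler options their own category (and table) instead of folding them into `common`; that keeps the secret-bearing options visible in one place and keeps the common table short. If `common` is intentional, a line in the commit message saying so would help, since the message currently only states that the options were updated for Ocata.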