openstack
/
openstack-manuals
Code Issues Proposed changes

[config-ref] Update keystone tables 

Change-Id: I71246b345591c1402ce596f1f24c97d2d77de614
This commit is contained in:
venkatamahesh 2016-09-03 19:52:28 +05:30
parent 44e31bf4f6
commit 6d9cbcac2b
10 changed files with 163 additions and 310 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
doc/config-reference/source/tables/keystone-amqp.rst
View File

@ -21,10 +21,10 @@
* - ``control_exchange`` = ``keystone``
- (String) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
* - ``default_publisher_id`` = ``None``
- (String) Default publisher_id for outgoing notifications
- (String) Default `publisher_id` for outgoing notifications. If left undefined, Keystone will default to using the server's host name.
* - ``notification_format`` = ``basic``
- (String) Define the notification format for Identity Service events. A "basic" notification has information about the resource being operated on. A "cadf" notification has the same information, as well as information about the initiator of the event.
- (String) Define the notification format for identity service events. A `basic` notification only has information about the resource being operated on. A `cadf` notification has the same information, as well as information about the initiator of the event. The `cadf` option is entirely backwards compatible with the `basic` option, but is fully CADF-compliant, and is recommended for auditing use cases.
* - ``notification_opt_out`` = ``[]``
- (Multi-valued) Define the notification options to opt-out from. The value expected is: identity.<resource_type>.<operation>. This field can be set multiple times in order to add more notifications to opt-out from. For example: notification_opt_out=identity.user.created notification_opt_out=identity.authenticate.success
- (Multi-valued) If left undefined, keystone will emit notifications for all types of events. You can reduce the number of notifications keystone emits by using this option to enumerate notification topics that should be suppressed. Values are expected to be in the form `identity.<resource_type>.<operation>`. This field can be set multiple times in order to opt-out of multiple notification topics. For example: notification_opt_out=identity.user.create notification_opt_out=identity.authenticate.success
* - ``transport_url`` = ``None``
- (String) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.
- (String) A URL representing the messaging driver to use and its full configuration.

84
doc/config-reference/source/tables/keystone-api.rst
View File

@ -19,92 +19,34 @@
* - **[DEFAULT]**
-
* - ``admin_endpoint`` = ``None``
- (String) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:35357/v3/users will default to http://server:35357. You should only need to set this value if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found on a different server.
- (String) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
* - ``admin_token`` = ``None``
- (String) A "shared secret" that can be used to bootstrap Keystone. This "token" does not represent a user, and carries no explicit authorization. If set to `None`, the value is ignored and the `admin_token` log in mechanism is effectively disabled. To completely disable `admin_token` in production (highly recommended), remove AdminTokenAuthMiddleware from your paste application pipelines (for example, in keystone-paste.ini).
- (String) Using this feature is *NOT* recommended. Instead, use the `keystone-manage bootstrap` command. The value of this option is treated as a "shared secret" that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled. However, to completely disable `admin_token` in production (highly recommended, as it presents a security risk), remove `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste application pipelines (for example, in `keystone-paste.ini`).
* - ``domain_id_immutable`` = ``True``
- (Boolean) DEPRECATED: Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their domain_id. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see policy.v3cloudsample as an example). This ability is deprecated and will be removed in a future release.
- (Boolean) DEPRECATED: Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their `domain_id` attribute. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see `etc/policy.v3cloudsample.json` as an example). This feature is deprecated and will be removed in a future release, in favor of strictly immutable domain IDs. The option to set domain_id_immutable to false has been deprecated in the M release and will be removed in the O release.
* - ``list_limit`` = ``None``
- (Integer) The maximum number of entities that will be returned in a collection, with no limit set by default. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (e.g. [assignment]).
- (Integer) The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, `[assignment]`). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system.
* - ``max_param_size`` = ``64``
- (Integer) Limit the sizes of user & project ID/names.
* - ``max_project_tree_depth`` = ``5``
- (Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: setting it to a large value may adversely impact performance.
- (Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance.
* - ``max_token_size`` = ``8192``
- (Integer) Similar to max_param_size, but provides an exception for token values.
- (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With PKI / PKIZ tokens, this needs to be set close to 8192 (any higher, and other HTTP implementations may break), depending on the size of your service catalog and other factors. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32).
* - ``member_role_id`` = ``9fe2ff9ee4384b1894a90878d3e92bab``
- (String) Similar to the member_role_name option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API.
- (String) Similar to the `[DEFAULT] member_role_name` option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] member_role_name` as well).
* - ``member_role_name`` = ``_member_``
- (String) This is the role name used in combination with the member_role_id option; see that option for more detail.
- (String) This is the role name used in combination with the `[DEFAULT] member_role_id` option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set `[DEFAULT] member_role_id` as well).
* - ``public_endpoint`` = ``None``
- (String) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:5000/v3/users will default to http://server:5000. You should only need to set this value if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found on a different server.
- (String) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
* - ``secure_proxy_ssl_header`` = ``HTTP_X_FORWARDED_PROTO``
- (String) The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy.
- (String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
* - ``strict_password_check`` = ``False``
- (Boolean) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length.
* - **[endpoint_filter]**
-
* - ``driver`` = ``sql``
- (String) Entrypoint for the endpoint filter backend driver in the keystone.endpoint_filter namespace.
* - ``return_all_endpoints_if_no_filter`` = ``True``
- (Boolean) Toggle to return all active endpoints if no filter exists.
* - **[endpoint_policy]**
-
* - ``driver`` = ``sql``
- (String) Entrypoint for the endpoint policy backend driver in the keystone.endpoint_policy namespace.
* - ``enabled`` = ``True``
- (Boolean) DEPRECATED: Enable endpoint_policy functionality. The option to enable the OS-ENDPOINT-POLICY extension has been deprecated in the M release and will be removed in the O release. The OS-ENDPOINT-POLICY extension will be enabled by default.
* - **[eventlet_server]**
-
* - ``admin_bind_host`` = ``0.0.0.0``
- (String) DEPRECATED: The IP address of the network interface for the admin service to listen on.
* - ``admin_port`` = ``35357``
- (Port number) DEPRECATED: The port number which the admin service listens on.
* - ``admin_workers`` = ``None``
- (Integer) DEPRECATED: The number of worker processes to serve the admin eventlet application. Defaults to number of CPUs (minimum of 2).
* - ``client_socket_timeout`` = ``900``
- (Integer) Timeout for socket operations on a client connection. If an incoming connection is idle for this number of seconds it will be closed. A value of "0" means wait forever.
* - ``public_bind_host`` = ``0.0.0.0``
- (String) DEPRECATED: The IP address of the network interface for the public service to listen on.
* - ``public_port`` = ``5000``
- (Port number) DEPRECATED: The port number which the public service listens on.
* - ``public_workers`` = ``None``
- (Integer) DEPRECATED: The number of worker processes to serve the public eventlet application. Defaults to number of CPUs (minimum of 2).
* - ``tcp_keepalive`` = ``False``
- (Boolean) DEPRECATED: Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. sockets used by the Keystone wsgi server for client connections.
* - ``tcp_keepidle`` = ``600``
- (Integer) DEPRECATED: Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only applies if tcp_keepalive is true. Ignored if system does not support it.
* - ``wsgi_keep_alive`` = ``True``
- (Boolean) If set to false, disables keepalives on the server; all connections will be closed after serving one request.
* - **[oslo_middleware]**
-
* - ``enable_proxy_headers_parsing`` = ``False``
- (Boolean) Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
* - ``max_request_body_size`` = ``114688``
- (Integer) The maximum body size for each request, in bytes.
* - ``secure_proxy_ssl_header`` = ``X-Forwarded-Proto``
- (String) DEPRECATED: The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by an SSL termination proxy.
* - **[paste_deploy]**
-
* - ``config_file`` = ``keystone-paste.ini``
- (String) Name of the paste configuration file that defines the available pipelines.
* - **[resource]**
-
* - ``admin_project_domain_name`` = ``None``
- (String) Name of the domain that owns the `admin_project_name`. Defaults to None.
* - ``admin_project_name`` = ``None``
- (String) Special project for performing administrative operations on remote services. Tokens scoped to this project will contain the key/value `is_admin_project=true`. Defaults to None.
* - ``cache_time`` = ``None``
- (Integer) TTL (in seconds) to cache resource data. This has no effect unless global caching is enabled.
* - ``caching`` = ``True``
- (Boolean) Toggle for resource caching. This has no effect unless global caching is enabled.
* - ``domain_name_url_safe`` = ``off``
- (String) Whether the names of domains are restricted from containing url reserved characters. If set to new, attempts to create or update a domain with a url unsafe name will return an error. In addition, if set to strict, attempts to scope a token using a domain name which is unsafe will return an error.
* - ``driver`` = ``None``
- (String) Entrypoint for the resource backend driver in the keystone.resource namespace. Only an SQL driver is supplied. If a resource driver is not specified, the assignment driver will choose the resource driver.
* - ``list_limit`` = ``None``
- (Integer) Maximum number of entities that will be returned in a resource collection.
* - ``project_name_url_safe`` = ``off``
- (String) Whether the names of projects are restricted from containing url reserved characters. If set to new, attempts to create or update a project with a url unsafe name will return an error. In addition, if set to strict, attempts to scope a token using an unsafe project name will return an error.
* - **[shadow_users]**
-
* - ``driver`` = ``sql``
- (String) Entrypoint for the shadow users backend driver in the keystone.identity.shadow_users namespace.
- (String) DEPRECATED: The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

4
doc/config-reference/source/tables/keystone-common.rst
View File

@ -21,9 +21,7 @@
* - ``executor_thread_pool_size`` = ``64``
- (Integer) Size of executor thread pool.
* - ``insecure_debug`` = ``False``
- (Boolean) If set to true the server will return information in the response that may allow an unauthenticated or authenticated user to get more information than normal, such as why authentication failed. This may be useful for debugging but is insecure.
* - ``memcached_servers`` = ``None``
- (List) Memcached servers or None for in process cache.
- (Boolean) If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure.
* - **[oslo_concurrency]**
-
* - ``disable_process_locking`` = ``False``

8
doc/config-reference/source/tables/keystone-debug.rst
View File

@ -16,14 +16,6 @@
* - Configuration option = Default value
- Description
* - **[DEFAULT]**
-
* - ``pydev_debug_host`` = ``None``
- (String) Host to connect to for remote debugger.
* - ``pydev_debug_port`` = ``None``
- (Port number) Port to connect to for remote debugger.
* - ``standard_threads`` = ``False``
- (Boolean) Do not monkey-patch threading system modules.
* - **[audit]**
-
* - ``namespace`` = ``openstack``

24
doc/config-reference/source/tables/keystone-rabbitmq.rst
View File

@ -24,8 +24,10 @@
- (Boolean) Use durable queues in AMQP.
* - ``channel_max`` = ``None``
- (Integer) Maximum number of channels to allow
* - ``connection_factory`` = ``single``
- (String) Connection factory implementation
* - ``default_notification_exchange`` = ``${control_exchange}_notification``
- (String) Exchange name for for sending notifications
- (String) Exchange name for sending notifications
* - ``default_notification_retry_attempts`` = ``-1``
- (Integer) Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
* - ``default_rpc_exchange`` = ``${control_exchange}_rpc``
@ -36,7 +38,7 @@
- (Boolean) Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
* - ``frame_max`` = ``None``
- (Integer) The maximum byte size for an AMQP frame
* - ``heartbeat_interval`` = ``1``
* - ``heartbeat_interval`` = ``3``
- (Integer) How often to send heartbeats for consumer's connections
* - ``heartbeat_rate`` = ``2``
- (Integer) How often times during the heartbeat_timeout_threshold we check the heartbeat.
@ -45,7 +47,7 @@
* - ``host_connection_reconnect_delay`` = ``0.25``
- (Floating point) Set delay for reconnection to some host which has connection error
* - ``kombu_compression`` = ``None``
- (String) EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may notbe available in future versions.
- (String) EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
* - ``kombu_failover_strategy`` = ``round-robin``
- (String) Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
* - ``kombu_missing_consumer_retry_timeout`` = ``60``
@ -68,7 +70,7 @@
- (Floating point) Reconnecting retry delay in case of connectivity problem during sending notification message
* - ``pool_max_overflow`` = ``0``
- (Integer) Maximum number of connections to create above `pool_max_size`.
* - ``pool_max_size`` = ``10``
* - ``pool_max_size`` = ``30``
- (Integer) Maximum number of connections to keep queued.
* - ``pool_recycle`` = ``600``
- (Integer) Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
@ -79,19 +81,19 @@
* - ``rabbit_ha_queues`` = ``False``
- (Boolean) Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA '^(?!amq\.).*' '{"ha-mode": "all"}' "
* - ``rabbit_host`` = ``localhost``
- (String) The RabbitMQ broker address where a single node is used.
- (String) DEPRECATED: The RabbitMQ broker address where a single node is used. Replaced by [DEFAULT]/transport_url
* - ``rabbit_hosts`` = ``$rabbit_host:$rabbit_port``
- (List) RabbitMQ HA cluster host:port pairs.
- (List) DEPRECATED: RabbitMQ HA cluster host:port pairs. Replaced by [DEFAULT]/transport_url
* - ``rabbit_interval_max`` = ``30``
- (Integer) Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
* - ``rabbit_login_method`` = ``AMQPLAIN``
- (String) The RabbitMQ login method.
* - ``rabbit_max_retries`` = ``0``
- (Integer) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
- (Integer) DEPRECATED: Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
* - ``rabbit_password`` = ``guest``
- (String) The RabbitMQ password.
- (String) DEPRECATED: The RabbitMQ password. Replaced by [DEFAULT]/transport_url
* - ``rabbit_port`` = ``5672``
- (Port number) The RabbitMQ broker port where a single node is used.
- (Port number) DEPRECATED: The RabbitMQ broker port where a single node is used. Replaced by [DEFAULT]/transport_url
* - ``rabbit_qos_prefetch_count`` = ``0``
- (Integer) Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
* - ``rabbit_retry_backoff`` = ``2``
@ -103,9 +105,9 @@
* - ``rabbit_use_ssl`` = ``False``
- (Boolean) Connect over SSL for RabbitMQ.
* - ``rabbit_userid`` = ``guest``
- (String) The RabbitMQ userid.
- (String) DEPRECATED: The RabbitMQ userid. Replaced by [DEFAULT]/transport_url
* - ``rabbit_virtual_host`` = ``/``
- (String) The RabbitMQ virtual host.
- (String) DEPRECATED: The RabbitMQ virtual host. Replaced by [DEFAULT]/transport_url
* - ``rpc_listener_prefetch_count`` = ``100``
- (Integer) Max number of not acknowledged message which RabbitMQ can send to rpc listener.
* - ``rpc_queue_expiration`` = ``60``

12
doc/config-reference/source/tables/keystone-redis.rst
View File

@ -21,16 +21,16 @@
* - ``check_timeout`` = ``20000``
- (Integer) Time in ms to wait before the transaction is killed.
* - ``host`` = ``127.0.0.1``
- (String) Host to locate redis.
- (String) DEPRECATED: Host to locate redis. Replaced by [DEFAULT]/transport_url
* - ``password`` =
- (String) Password for Redis server (optional).
- (String) DEPRECATED: Password for Redis server (optional). Replaced by [DEFAULT]/transport_url
* - ``port`` = ``6379``
- (Port number) Use this port to connect to redis host.
- (Port number) DEPRECATED: Use this port to connect to redis host. Replaced by [DEFAULT]/transport_url
* - ``sentinel_group_name`` = ``oslo-messaging-zeromq``
- (String) Redis replica set name.
* - ``sentinel_hosts`` =
- (List) List of Redis Sentinel hosts (fault tolerance mode) e.g. [host:port, host1:port ... ]
* - ``socket_timeout`` = ``1000``
- (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g. [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url
* - ``socket_timeout`` = ``10000``
- (Integer) Timeout in ms on blocking socket operations
* - ``wait_timeout`` = ``500``
* - ``wait_timeout`` = ``2000``
- (Integer) Time in ms to wait between connection attempts.

40
doc/config-reference/source/tables/keystone-rpc.rst
View File

@ -19,7 +19,7 @@
* - **[DEFAULT]**
-
* - ``rpc_backend`` = ``rabbit``
- (String) The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
- (String) DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq. Replaced by [DEFAULT]/transport_url
* - ``rpc_cast_timeout`` = ``-1``
- (Integer) Seconds to wait before a cast expires (TTL). The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Only supported by impl_zmq.
* - ``rpc_conn_pool_size`` = ``30``
@ -30,18 +30,52 @@
- (Integer) Seconds to wait for a response from a call.
* - **[oslo_messaging_amqp]**
-
* - ``addressing_mode`` = ``dynamic``
- (String) Indicates the addressing mode used by the driver. Permitted values: 'legacy' - use legacy non-routable addressing 'routable' - use routable addresses 'dynamic' - use legacy addresses if the message bus does not support routing otherwise use routable addressing
* - ``allow_insecure_clients`` = ``False``
- (Boolean) Accept clients using either SSL or plain TCP
* - ``anycast_address`` = ``anycast``
- (String) Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
* - ``broadcast_prefix`` = ``broadcast``
- (String) address prefix used when broadcasting to all servers
* - ``connection_retry_backoff`` = ``2``
- (Integer) Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
* - ``connection_retry_interval`` = ``1``
- (Integer) Seconds to pause before attempting to re-connect.
* - ``connection_retry_interval_max`` = ``30``
- (Integer) Maximum limit for connection_retry_interval + connection_retry_backoff
* - ``container_name`` = ``None``
- (String) Name for the AMQP container
- (String) Name for the AMQP container. must be globally unique. Defaults to a generated UUID
* - ``default_notification_exchange`` = ``None``
- (String) Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else 'notify'
* - ``default_notify_timeout`` = ``30``
- (Integer) The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
* - ``default_reply_timeout`` = ``30``
- (Integer) The deadline for an rpc reply message delivery. Only used when caller does not provide a timeout expiry.
* - ``default_rpc_exchange`` = ``None``
- (String) Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else 'rpc'
* - ``default_send_timeout`` = ``30``
- (Integer) The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
* - ``group_request_prefix`` = ``unicast``
- (String) address prefix when sending to any server in group
* - ``idle_timeout`` = ``0``
- (Integer) Timeout for inactive connections (in seconds)
* - ``link_retry_delay`` = ``10``
- (Integer) Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
* - ``multicast_address`` = ``multicast``
- (String) Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
* - ``notify_address_prefix`` = ``openstack.org/om/notify``
- (String) Address prefix for all generated Notification addresses
* - ``notify_server_credit`` = ``100``
- (Integer) Window size for incoming Notification messages
* - ``password`` =
- (String) Password for message broker authentication
* - ``reply_link_credit`` = ``200``
- (Integer) Window size for incoming RPC Reply messages.
* - ``rpc_address_prefix`` = ``openstack.org/om/rpc``
- (String) Address prefix for all generated RPC addresses
* - ``rpc_server_credit`` = ``100``
- (Integer) Window size for incoming RPC Request messages
* - ``sasl_config_dir`` =
- (String) Path to directory that contains the SASL configuration
* - ``sasl_config_name`` =
@ -60,6 +94,8 @@
- (String) Password for decrypting ssl_key_file (if encrypted)
* - ``trace`` = ``False``
- (Boolean) Debug: dump AMQP frames to stdout
* - ``unicast_address`` = ``unicast``
- (String) Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
* - ``username`` =
- (String) User name for message broker authentication
* - **[oslo_messaging_notifications]**

2
doc/config-reference/source/tables/keystone-security.rst
View File

@ -19,4 +19,4 @@
* - **[DEFAULT]**
-
* - ``crypt_strength`` = ``10000``
- (Integer) The value passed as the keyword "rounds" to passlib's encrypt method.
- (Integer) The value passed as the keyword "rounds" to passlib's encrypt method. This option represents a trade off between security and performance. Higher values lead to slower performance, but higher security. Changing this option will only affect newly created passwords as existing password hashes already have a fixed number of rounds applied, so it is safe to tune this option in a running cluster. For more information, see https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value

48
doc/config-reference/source/tables/keystone-zeromq.rst
View File

@ -22,8 +22,6 @@
- (String) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
* - ``rpc_zmq_bind_port_retries`` = ``100``
- (Integer) Number of retries to find free port number before fail with ZMQBindError.
* - ``rpc_zmq_concurrency`` = ``eventlet``
- (String) Type of concurrency used. Either "native" or "eventlet"
* - ``rpc_zmq_contexts`` = ``1``
- (Integer) Number of ZeroMQ contexts, defaults to 1.
* - ``rpc_zmq_host`` = ``localhost``
@ -34,11 +32,53 @@
- (String) MatchMaker driver.
* - ``rpc_zmq_max_port`` = ``65536``
- (Integer) Maximal port number for random ports range.
* - ``rpc_zmq_min_port`` = ``49152``
* - ``rpc_zmq_min_port`` = ``49153``
- (Port number) Minimal port number for random ports range.
* - ``rpc_zmq_serialization`` = ``json``
- (String) Default serialization mechanism for serializing/deserializing outgoing/incoming messages
* - ``rpc_zmq_topic_backlog`` = ``None``
- (Integer) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
* - ``use_pub_sub`` = ``True``
- (Boolean) Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
* - ``zmq_target_expire`` = ``120``
* - ``zmq_immediate`` = ``False``
- (Boolean) This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
* - ``zmq_target_expire`` = ``300``
- (Integer) Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
* - ``zmq_target_update`` = ``180``
- (Integer) Update period in seconds of a name service record about existing target.
* - **[oslo_messaging_zmq]**
-
* - ``rpc_cast_timeout`` = ``-1``
- (Integer) Seconds to wait before a cast expires (TTL). The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Only supported by impl_zmq.
* - ``rpc_poll_timeout`` = ``1``
- (Integer) The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
* - ``rpc_zmq_bind_address`` = ``*``
- (String) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
* - ``rpc_zmq_bind_port_retries`` = ``100``
- (Integer) Number of retries to find free port number before fail with ZMQBindError.
* - ``rpc_zmq_contexts`` = ``1``
- (Integer) Number of ZeroMQ contexts, defaults to 1.
* - ``rpc_zmq_host`` = ``localhost``
- (String) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
* - ``rpc_zmq_ipc_dir`` = ``/var/run/openstack``
- (String) Directory for holding IPC sockets.
* - ``rpc_zmq_matchmaker`` = ``redis``
- (String) MatchMaker driver.
* - ``rpc_zmq_max_port`` = ``65536``
- (Integer) Maximal port number for random ports range.
* - ``rpc_zmq_min_port`` = ``49153``
- (Port number) Minimal port number for random ports range.
* - ``rpc_zmq_serialization`` = ``json``
- (String) Default serialization mechanism for serializing/deserializing outgoing/incoming messages
* - ``rpc_zmq_topic_backlog`` = ``None``
- (Integer) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
* - ``use_pub_sub`` = ``True``
- (Boolean) Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
* - ``use_router_proxy`` = ``True``
- (Boolean) Use ROUTER remote proxy.
* - ``zmq_immediate`` = ``False``
- (Boolean) This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
* - ``zmq_target_expire`` = ``300``
- (Integer) Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
* - ``zmq_target_update`` = ``180``
- (Integer) Update period in seconds of a name service record about existing target.

243
tools/autogenerate-config-flagmappings/keystone.flagmappings
View File

@ -1,5 +1,7 @@
admin_endpoint api
admin_token api
conn_pool_min_size disable
conn_pool_ttl disable
control_exchange amqp
crypt_strength security
debug disable
@ -26,13 +28,10 @@ max_project_tree_depth api
max_token_size api
member_role_id api
member_role_name api
memcached_servers common
notification_format amqp
notification_opt_out amqp
public_endpoint api
publish_errors disable
pydev_debug_host debug
pydev_debug_port debug
rpc_backend rpc
rpc_cast_timeout rpc
rpc_conn_pool_size rpc
@ -40,33 +39,28 @@ rpc_poll_timeout rpc
rpc_response_timeout rpc
rpc_zmq_bind_address zeromq
rpc_zmq_bind_port_retries zeromq
rpc_zmq_concurrency zeromq
rpc_zmq_contexts zeromq
rpc_zmq_host zeromq
rpc_zmq_ipc_dir zeromq
rpc_zmq_matchmaker zeromq
rpc_zmq_max_port zeromq
rpc_zmq_min_port zeromq
rpc_zmq_serialization zeromq
rpc_zmq_topic_backlog zeromq
secure_proxy_ssl_header api
standard_threads debug
strict_password_check api
syslog_log_facility disable
transport_url amqp
use_pub_sub zeromq
use_router_proxy disable
use_stderr disable
use_syslog disable
verbose disable
watch_log_file disable
zmq_immediate zeromq
zmq_target_expire zeromq
assignment/driver assignment
assignment/prohibited_implied_role assignment
zmq_target_update zeromq
audit/namespace debug
auth/external auth
auth/methods auth
auth/oauth1 auth
auth/password auth
auth/token auth
cache/backend disable
cache/backend_argument disable
cache/config_prefix disable
@ -80,11 +74,6 @@ cache/memcache_pool_unused_timeout disable
cache/memcache_servers disable
cache/memcache_socket_timeout disable
cache/proxies disable
catalog/cache_time catalog
catalog/caching catalog
catalog/driver catalog
catalog/list_limit catalog
catalog/template_file catalog
cors/allow_credentials disable
cors/allow_headers disable
cors/allow_methods disable
@ -97,7 +86,6 @@ cors.subdomain/allow_methods disable
cors.subdomain/allowed_origin disable
cors.subdomain/expose_headers disable
cors.subdomain/max_age disable
credential/driver credential
database/backend disable
database/connection disable
database/connection_debug disable
@ -118,48 +106,6 @@ database/slave_connection disable
database/sqlite_db disable
database/sqlite_synchronous disable
database/use_db_reconnect disable
domain_config/cache_time domain
domain_config/caching domain
domain_config/driver domain
endpoint_filter/driver api
endpoint_filter/return_all_endpoints_if_no_filter api
endpoint_policy/driver api
endpoint_policy/enabled api
eventlet_server/admin_bind_host api
eventlet_server/admin_port api
eventlet_server/admin_workers api
eventlet_server/client_socket_timeout api
eventlet_server/public_bind_host api
eventlet_server/public_port api
eventlet_server/public_workers api
eventlet_server/tcp_keepalive api
eventlet_server/tcp_keepidle api
eventlet_server/wsgi_keep_alive api
eventlet_server_ssl/ca_certs ca
eventlet_server_ssl/cert_required ca
eventlet_server_ssl/certfile ca
eventlet_server_ssl/enable ca
eventlet_server_ssl/keyfile ca
federation/assertion_prefix federation
federation/driver federation
federation/federated_domain_name federation
federation/remote_id_attribute federation
federation/sso_callback_template federation
federation/trusted_dashboard federation
fernet_tokens/key_repository fernet_tokens
fernet_tokens/max_active_keys fernet_tokens
identity/cache_time identity
identity/caching identity
identity/default_domain_id identity
identity/domain_config_dir identity
identity/domain_configurations_from_database identity
identity/domain_specific_drivers_enabled identity
identity/driver identity
identity/list_limit identity
identity/max_password_length identity
identity_mapping/backward_compatible_ids mapping
identity_mapping/driver mapping
identity_mapping/generator mapping
keystone_authtoken/admin_password disable
keystone_authtoken/admin_tenant_name disable
keystone_authtoken/admin_token disable
@ -198,69 +144,6 @@ keystone_authtoken/region_name disable
keystone_authtoken/revocation_cache_time disable
keystone_authtoken/signing_dir disable
keystone_authtoken/token_cache_time disable
kvs/backends kvs
kvs/config_prefix kvs
kvs/default_lock_timeout kvs
kvs/enable_key_mangler kvs
ldap/alias_dereferencing ldap
ldap/allow_subtree_delete ldap
ldap/auth_pool_connection_lifetime ldap
ldap/auth_pool_size ldap
ldap/chase_referrals ldap
ldap/debug_level ldap
ldap/dumb_member ldap
ldap/group_additional_attribute_mapping ldap
ldap/group_allow_create ldap
ldap/group_allow_delete ldap
ldap/group_allow_update ldap
ldap/group_attribute_ignore ldap
ldap/group_desc_attribute ldap
ldap/group_filter ldap
ldap/group_id_attribute ldap
ldap/group_member_attribute ldap
ldap/group_members_are_ids ldap
ldap/group_name_attribute ldap
ldap/group_objectclass ldap
ldap/group_tree_dn ldap
ldap/page_size ldap
ldap/password ldap
ldap/pool_connection_lifetime ldap
ldap/pool_connection_timeout ldap
ldap/pool_retry_delay ldap
ldap/pool_retry_max ldap
ldap/pool_size ldap
ldap/query_scope ldap
ldap/suffix ldap
ldap/tls_cacertdir ldap
ldap/tls_cacertfile ldap
ldap/tls_req_cert ldap
ldap/url ldap
ldap/use_auth_pool ldap
ldap/use_dumb_member ldap
ldap/use_pool ldap
ldap/use_tls ldap
ldap/user ldap
ldap/user_additional_attribute_mapping ldap
ldap/user_allow_create ldap
ldap/user_allow_delete ldap
ldap/user_allow_update ldap
ldap/user_attribute_ignore ldap
ldap/user_default_project_id_attribute ldap
ldap/user_description_attribute ldap
ldap/user_enabled_attribute ldap
ldap/user_enabled_default ldap
ldap/user_enabled_emulation ldap
ldap/user_enabled_emulation_dn ldap
ldap/user_enabled_emulation_use_group_config ldap
ldap/user_enabled_invert ldap
ldap/user_enabled_mask ldap
ldap/user_filter ldap
ldap/user_id_attribute ldap
ldap/user_mail_attribute ldap
ldap/user_name_attribute ldap
ldap/user_objectclass ldap
ldap/user_pass_attribute ldap
ldap/user_tree_dn ldap
matchmaker_redis/check_timeout redis
matchmaker_redis/host redis
matchmaker_redis/password redis
@ -269,24 +152,31 @@ matchmaker_redis/sentinel_group_name redis
matchmaker_redis/sentinel_hosts redis
matchmaker_redis/socket_timeout redis
matchmaker_redis/wait_timeout redis
memcache/dead_retry cache
memcache/pool_connection_get_timeout cache
memcache/pool_maxsize cache
memcache/pool_unused_timeout cache
memcache/servers memcache
memcache/socket_timeout memcache
oauth1/access_token_duration oauth
oauth1/driver oauth
oauth1/request_token_duration oauth
os_inherit/enabled os_inherit
oslo_concurrency/disable_process_locking common
oslo_concurrency/lock_path common
oslo_messaging_amqp/addressing_mode rpc
oslo_messaging_amqp/allow_insecure_clients rpc
oslo_messaging_amqp/anycast_address rpc
oslo_messaging_amqp/broadcast_prefix rpc
oslo_messaging_amqp/connection_retry_backoff rpc
oslo_messaging_amqp/connection_retry_interval rpc
oslo_messaging_amqp/connection_retry_interval_max rpc
oslo_messaging_amqp/container_name rpc
oslo_messaging_amqp/default_notification_exchange rpc
oslo_messaging_amqp/default_notify_timeout rpc
oslo_messaging_amqp/default_reply_timeout rpc
oslo_messaging_amqp/default_rpc_exchange rpc
oslo_messaging_amqp/default_send_timeout rpc
oslo_messaging_amqp/group_request_prefix rpc
oslo_messaging_amqp/idle_timeout rpc
oslo_messaging_amqp/link_retry_delay rpc
oslo_messaging_amqp/multicast_address rpc
oslo_messaging_amqp/notify_address_prefix rpc
oslo_messaging_amqp/notify_server_credit rpc
oslo_messaging_amqp/password rpc
oslo_messaging_amqp/reply_link_credit rpc
oslo_messaging_amqp/rpc_address_prefix rpc
oslo_messaging_amqp/rpc_server_credit rpc
oslo_messaging_amqp/sasl_config_dir rpc
oslo_messaging_amqp/sasl_config_name rpc
oslo_messaging_amqp/sasl_mechanisms rpc
@ -296,6 +186,7 @@ oslo_messaging_amqp/ssl_cert_file rpc
oslo_messaging_amqp/ssl_key_file rpc
oslo_messaging_amqp/ssl_key_password rpc
oslo_messaging_amqp/trace rpc
oslo_messaging_amqp/unicast_address rpc
oslo_messaging_amqp/username rpc
oslo_messaging_notifications/driver rpc
oslo_messaging_notifications/topics rpc
@ -303,6 +194,7 @@ oslo_messaging_notifications/transport_url rpc
oslo_messaging_rabbit/amqp_auto_delete rabbitmq
oslo_messaging_rabbit/amqp_durable_queues rabbitmq
oslo_messaging_rabbit/channel_max rabbitmq
oslo_messaging_rabbit/connection_factory rabbitmq
oslo_messaging_rabbit/default_notification_exchange rabbitmq
oslo_messaging_rabbit/default_notification_retry_attempts rabbitmq
oslo_messaging_rabbit/default_rpc_exchange rabbitmq
@ -355,75 +247,26 @@ oslo_messaging_rabbit/socket_timeout rabbitmq
oslo_messaging_rabbit/ssl rabbitmq
oslo_messaging_rabbit/ssl_options rabbitmq
oslo_messaging_rabbit/tcp_user_timeout rabbitmq
oslo_messaging_zmq/rpc_cast_timeout zeromq
oslo_messaging_zmq/rpc_poll_timeout zeromq
oslo_messaging_zmq/rpc_zmq_bind_address zeromq
oslo_messaging_zmq/rpc_zmq_bind_port_retries zeromq
oslo_messaging_zmq/rpc_zmq_contexts zeromq
oslo_messaging_zmq/rpc_zmq_host zeromq
oslo_messaging_zmq/rpc_zmq_ipc_dir zeromq
oslo_messaging_zmq/rpc_zmq_matchmaker zeromq
oslo_messaging_zmq/rpc_zmq_max_port zeromq
oslo_messaging_zmq/rpc_zmq_min_port zeromq
oslo_messaging_zmq/rpc_zmq_serialization zeromq
oslo_messaging_zmq/rpc_zmq_topic_backlog zeromq
oslo_messaging_zmq/use_pub_sub zeromq
oslo_messaging_zmq/use_router_proxy zeromq
oslo_messaging_zmq/zmq_immediate zeromq
oslo_messaging_zmq/zmq_target_expire zeromq
oslo_messaging_zmq/zmq_target_update zeromq
oslo_middleware/enable_proxy_headers_parsing api
oslo_middleware/max_request_body_size api
oslo_middleware/secure_proxy_ssl_header api
oslo_policy/policy_default_rule disable
oslo_policy/policy_dirs disable
oslo_policy/policy_file disable
paste_deploy/config_file api
policy/driver policy
policy/list_limit policy
resource/admin_project_domain_name api
resource/admin_project_name api
resource/cache_time api
resource/caching api
resource/domain_name_url_safe api
resource/driver api
resource/list_limit api
resource/project_name_url_safe api
revoke/cache_time revoke
revoke/caching revoke
revoke/driver revoke
revoke/expiration_buffer revoke
role/cache_time role
role/caching role
role/driver role
role/list_limit role
saml/assertion_expiration_time saml
saml/certfile saml
saml/idp_contact_company saml
saml/idp_contact_email saml
saml/idp_contact_name saml
saml/idp_contact_surname saml
saml/idp_contact_telephone saml
saml/idp_contact_type saml
saml/idp_entity_id saml
saml/idp_lang saml
saml/idp_metadata_path saml
saml/idp_organization_display_name saml
saml/idp_organization_name saml
saml/idp_organization_url saml
saml/idp_sso_endpoint saml
saml/keyfile saml
saml/relay_state_prefix saml
saml/xmlsec1_binary saml
shadow_users/driver api
signing/ca_certs ca
signing/ca_key ca
signing/cert_subject ca
signing/certfile ca
signing/key_size ca
signing/keyfile ca
signing/valid_days ca
ssl/ca_key ca
ssl/cert_subject ca
ssl/key_size ca
ssl/valid_days ca
token/allow_rescope_scoped_token token
token/bind token
token/cache_time token
token/caching token
token/driver token
token/enforce_token_bind token
token/expiration token
token/hash_algorithm token
token/infer_roles token
token/provider token
token/revoke_by_id token
tokenless_auth/issuer_attribute tokenless
tokenless_auth/protocol tokenless
tokenless_auth/trusted_issuer tokenless
trust/allow_redelegation trust
trust/driver trust
trust/enabled trust
trust/max_redelegation_count trust