Merge "[config-ref] update keystone config options for Ocata"

doc/config-reference/source/tables/keystone-api.rst

@@ -19,25 +19,23 @@
    * - **[DEFAULT]**
      -
    * - ``admin_endpoint`` = ``None``
-     - (String) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
+     - (URI) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
    * - ``admin_token`` = ``None``
      - (String) Using this feature is *NOT* recommended. Instead, use the `keystone-manage bootstrap` command. The value of this option is treated as a "shared secret" that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled. However, to completely disable `admin_token` in production (highly recommended, as it presents a security risk), remove `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste application pipelines (for example, in `keystone-paste.ini`).
-   * - ``domain_id_immutable`` = ``True``
-     - (Boolean) DEPRECATED: Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their `domain_id` attribute. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see `etc/policy.v3cloudsample.json` as an example). This feature is deprecated and will be removed in a future release, in favor of strictly immutable domain IDs. The option to set domain_id_immutable to false has been deprecated in the M release and will be removed in the O release.
    * - ``list_limit`` = ``None``
      - (Integer) The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, `[assignment]`). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system.
    * - ``max_param_size`` = ``64``
      - (Integer) Limit the sizes of user & project ID/names.
    * - ``max_project_tree_depth`` = ``5``
      - (Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance.
-   * - ``max_token_size`` = ``8192``
-     - (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With PKI / PKIZ tokens, this needs to be set close to 8192 (any higher, and other HTTP implementations may break), depending on the size of your service catalog and other factors. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32).
+   * - ``max_token_size`` = ``255``
+     - (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32).
    * - ``member_role_id`` = ``9fe2ff9ee4384b1894a90878d3e92bab``
      - (String) Similar to the `[DEFAULT] member_role_name` option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] member_role_name` as well).
    * - ``member_role_name`` = ``_member_``
      - (String) This is the role name used in combination with the `[DEFAULT] member_role_id` option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set `[DEFAULT] member_role_id` as well).
    * - ``public_endpoint`` = ``None``
-     - (String) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
+     - (URI) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
    * - ``secure_proxy_ssl_header`` = ``HTTP_X_FORWARDED_PROTO``
      - (String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
    * - ``strict_password_check`` = ``False``

doc/config-reference/source/tables/keystone-common.rst

@@ -22,3 +22,57 @@
      - (Integer) Size of executor thread pool.
    * - ``insecure_debug`` = ``False``
      - (Boolean) If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure.
+   * - **[healthcheck]**
+     -
+   * - ``backends`` =
+     - (List) Additional backends that can perform health checks and report that information back as part of a request.
+   * - ``detailed`` = ``False``
+     - (Boolean) Show more detailed information as part of the response
+   * - ``disable_by_file_path`` = ``None``
+     - (String) Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
+   * - ``disable_by_file_paths`` =
+     - (List) Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
+   * - ``path`` = ``/healthcheck``
+     - (String) DEPRECATED: The path to respond to healtcheck requests on.
+   * - **[profiler]**
+     -
+   * - ``connection_string`` = ``messaging://``
+     - (String) Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging.
+
+       Examples of possible values:
+
+       * messaging://: use oslo_messaging driver for sending notifications.
+
+       * mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications.
+
+       * elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
+   * - ``enabled`` = ``False``
+     - (Boolean) Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature).
+
+       Possible values:
+
+       * True: Enables the feature
+
+       * False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
+   * - ``es_doc_type`` = ``notification``
+     - (String) Document type for notification indexing in elasticsearch.
+   * - ``es_scroll_size`` = ``10000``
+     - (Integer) Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
+   * - ``es_scroll_time`` = ``2m``
+     - (String) This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
+   * - ``hmac_keys`` = ``SECRET_KEY``
+     - (String) Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,...<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.
+
+       Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
+   * - ``sentinel_service_name`` = ``mymaster``
+     - (String) Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
+   * - ``socket_timeout`` = ``0.1``
+     - (Floating point) Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
+   * - ``trace_sqlalchemy`` = ``False``
+     - (Boolean) Enables SQL requests profiling in services. Default value is False (SQL requests won't be traced).
+
+       Possible values:
+
+       * True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that.
+
+       * False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

doc/config-reference/source/tables/keystone-redis.rst

@@ -29,8 +29,8 @@
    * - ``sentinel_group_name`` = ``oslo-messaging-zeromq``
      - (String) Redis replica set name.
    * - ``sentinel_hosts`` =
-     - (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g. [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url
+     - (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url
    * - ``socket_timeout`` = ``10000``
-     - (Integer) Timeout in ms on blocking socket operations
+     - (Integer) Timeout in ms on blocking socket operations.
    * - ``wait_timeout`` = ``2000``
      - (Integer) Time in ms to wait between connection attempts.

tools/autogenerate-config-flagmappings/keystone.flagmappings

@@ -7,7 +7,6 @@ crypt_strength security
 debug disable
 default_log_levels disable
 default_publisher_id disable
-domain_id_immutable api
 executor_thread_pool_size common
 fatal_deprecations disable
 insecure_debug common
@@ -32,11 +31,19 @@ notification_format disable
 notification_opt_out disable
 public_endpoint api
 publish_errors disable
+rate_limit_burst disable
+rate_limit_except_level disable
+rate_limit_interval disable
+rpc_ack_timeout_base disable
+rpc_ack_timeout_multiplier disable
 rpc_backend disable
-rpc_cast_timeout disable
 rpc_conn_pool_size disable
+rpc_message_ttl disable
 rpc_poll_timeout disable
 rpc_response_timeout disable
+rpc_retry_attempts disable
+rpc_thread_pool_size disable
+rpc_use_acks disable
 rpc_zmq_bind_address disable
 rpc_zmq_bind_port_retries disable
 rpc_zmq_contexts disable
@@ -49,17 +56,25 @@ rpc_zmq_serialization disable
 rpc_zmq_topic_backlog disable
 secure_proxy_ssl_header api
 strict_password_check api
+subscribe_on disable
 syslog_log_facility disable
 transport_url disable
+use_dynamic_connections disable
 use_pub_sub disable
 use_router_proxy disable
 use_stderr disable
 use_syslog disable
 verbose disable
 watch_log_file disable
+zmq_failover_connections disable
 zmq_immediate disable
+zmq_linger disable
 zmq_target_expire disable
 zmq_target_update disable
+zmq_tcp_keepalive disable
+zmq_tcp_keepalive_cnt disable
+zmq_tcp_keepalive_idle disable
+zmq_tcp_keepalive_intvl disable
 audit/namespace debug
 cache/backend disable
 cache/backend_argument disable
@@ -106,6 +121,11 @@ database/slave_connection disable
 database/sqlite_db disable
 database/sqlite_synchronous disable
 database/use_db_reconnect disable
+healthcheck/backends common
+healthcheck/detailed common
+healthcheck/disable_by_file_path common
+healthcheck/disable_by_file_paths common
+healthcheck/path common
 keystone_authtoken/admin_password disable
 keystone_authtoken/admin_tenant_name disable
 keystone_authtoken/admin_token disable
@@ -142,6 +162,8 @@ keystone_authtoken/memcache_use_advanced_pool disable
 keystone_authtoken/memcached_servers disable
 keystone_authtoken/region_name disable
 keystone_authtoken/revocation_cache_time disable
+keystone_authtoken/service_token_roles disable
+keystone_authtoken/service_token_roles_required disable
 keystone_authtoken/signing_dir disable
 keystone_authtoken/token_cache_time disable
 matchmaker_redis/check_timeout redis
@@ -164,9 +186,11 @@ oslo_messaging_amqp/connection_retry_interval_max disable
 oslo_messaging_amqp/container_name disable
 oslo_messaging_amqp/default_notification_exchange disable
 oslo_messaging_amqp/default_notify_timeout disable
+oslo_messaging_amqp/default_reply_retry disable
 oslo_messaging_amqp/default_reply_timeout disable
 oslo_messaging_amqp/default_rpc_exchange disable
 oslo_messaging_amqp/default_send_timeout disable
+oslo_messaging_amqp/default_sender_link_timeout disable
 oslo_messaging_amqp/group_request_prefix disable
 oslo_messaging_amqp/idle_timeout disable
 oslo_messaging_amqp/link_retry_delay disable
@@ -174,6 +198,7 @@ oslo_messaging_amqp/multicast_address disable
 oslo_messaging_amqp/notify_address_prefix disable
 oslo_messaging_amqp/notify_server_credit disable
 oslo_messaging_amqp/password disable
+oslo_messaging_amqp/pre_settled disable
 oslo_messaging_amqp/reply_link_credit disable
 oslo_messaging_amqp/rpc_address_prefix disable
 oslo_messaging_amqp/rpc_server_credit disable
@@ -188,6 +213,16 @@ oslo_messaging_amqp/ssl_key_password disable
 oslo_messaging_amqp/trace disable
 oslo_messaging_amqp/unicast_address disable
 oslo_messaging_amqp/username disable
+oslo_messaging_kafka/conn_pool_min_size disable
+oslo_messaging_kafka/conn_pool_ttl disable
+oslo_messaging_kafka/consumer_group disable
+oslo_messaging_kafka/kafka_consumer_timeout disable
+oslo_messaging_kafka/kafka_default_host disable
+oslo_messaging_kafka/kafka_default_port disable
+oslo_messaging_kafka/kafka_max_fetch_bytes disable
+oslo_messaging_kafka/pool_size disable
+oslo_messaging_kafka/producer_batch_size disable
+oslo_messaging_kafka/producer_batch_timeout disable
 oslo_messaging_notifications/driver disable
 oslo_messaging_notifications/topics disable
 oslo_messaging_notifications/transport_url disable
@@ -199,6 +234,7 @@ oslo_messaging_rabbit/default_notification_exchange disable
 oslo_messaging_rabbit/default_notification_retry_attempts disable
 oslo_messaging_rabbit/default_rpc_exchange disable
 oslo_messaging_rabbit/default_rpc_retry_attempts disable
+oslo_messaging_rabbit/default_serializer_type disable
 oslo_messaging_rabbit/fake_rabbit disable
 oslo_messaging_rabbit/frame_max disable
 oslo_messaging_rabbit/heartbeat_interval disable
@@ -247,8 +283,13 @@ oslo_messaging_rabbit/socket_timeout disable
 oslo_messaging_rabbit/ssl disable
 oslo_messaging_rabbit/ssl_options disable
 oslo_messaging_rabbit/tcp_user_timeout disable
-oslo_messaging_zmq/rpc_cast_timeout disable
+oslo_messaging_zmq/rpc_ack_timeout_base disable
+oslo_messaging_zmq/rpc_ack_timeout_multiplier disable
+oslo_messaging_zmq/rpc_message_ttl disable
 oslo_messaging_zmq/rpc_poll_timeout disable
+oslo_messaging_zmq/rpc_retry_attempts disable
+oslo_messaging_zmq/rpc_thread_pool_size disable
+oslo_messaging_zmq/rpc_use_acks disable
 oslo_messaging_zmq/rpc_zmq_bind_address disable
 oslo_messaging_zmq/rpc_zmq_bind_port_retries disable
 oslo_messaging_zmq/rpc_zmq_contexts disable
@@ -259,14 +300,31 @@ oslo_messaging_zmq/rpc_zmq_max_port disable
 oslo_messaging_zmq/rpc_zmq_min_port disable
 oslo_messaging_zmq/rpc_zmq_serialization disable
 oslo_messaging_zmq/rpc_zmq_topic_backlog disable
+oslo_messaging_zmq/subscribe_on disable
+oslo_messaging_zmq/use_dynamic_connections disable
 oslo_messaging_zmq/use_pub_sub disable
 oslo_messaging_zmq/use_router_proxy disable
+oslo_messaging_zmq/zmq_failover_connections disable
 oslo_messaging_zmq/zmq_immediate disable
+oslo_messaging_zmq/zmq_linger disable
 oslo_messaging_zmq/zmq_target_expire disable
 oslo_messaging_zmq/zmq_target_update disable
+oslo_messaging_zmq/zmq_tcp_keepalive disable
+oslo_messaging_zmq/zmq_tcp_keepalive_cnt disable
+oslo_messaging_zmq/zmq_tcp_keepalive_idle disable
+oslo_messaging_zmq/zmq_tcp_keepalive_intvl disable
 oslo_middleware/enable_proxy_headers_parsing api
 oslo_middleware/max_request_body_size api
 oslo_middleware/secure_proxy_ssl_header api
 oslo_policy/policy_default_rule disable
 oslo_policy/policy_dirs disable
 oslo_policy/policy_file disable
+profiler/connection_string common
+profiler/enabled common
+profiler/es_doc_type common
+profiler/es_scroll_size common
+profiler/es_scroll_time common
+profiler/hmac_keys common
+profiler/sentinel_service_name common
+profiler/socket_timeout common
+profiler/trace_sqlalchemy common