From 310033209ae88b596b3cebb83092b05a7b7c1e79 Mon Sep 17 00:00:00 2001 From: KATO Tomoyuki Date: Mon, 13 Feb 2017 17:17:57 +0900 Subject: [PATCH] [config-ref] update keystone config options for Ocata Change-Id: I5e69def1e88780119084276b1aceb2d8d3af7b0c --- .../source/tables/keystone-api.rst | 10 ++- .../source/tables/keystone-common.rst | 54 ++++++++++++++++ .../source/tables/keystone-redis.rst | 4 +- .../keystone.flagmappings | 64 ++++++++++++++++++- 4 files changed, 121 insertions(+), 11 deletions(-) diff --git a/doc/config-reference/source/tables/keystone-api.rst b/doc/config-reference/source/tables/keystone-api.rst index 11b41ad843..ce72aeec77 100644 --- a/doc/config-reference/source/tables/keystone-api.rst +++ b/doc/config-reference/source/tables/keystone-api.rst 
@@ -19,25 +19,23 @@ * - **[DEFAULT]** - * - ``admin_endpoint`` = ``None`` - - (String) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host. + - (URI) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host. * - ``admin_token`` = ``None`` - (String) Using this feature is *NOT* recommended. Instead, use the `keystone-manage bootstrap` command. The value of this option is treated as a "shared secret" that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled. However, to completely disable `admin_token` in production (highly recommended, as it presents a security risk), remove `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste application pipelines (for example, in `keystone-paste.ini`). 
- * - ``domain_id_immutable`` = ``True`` - - (Boolean) DEPRECATED: Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their `domain_id` attribute. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see `etc/policy.v3cloudsample.json` as an example). This feature is deprecated and will be removed in a future release, in favor of strictly immutable domain IDs. The option to set domain_id_immutable to false has been deprecated in the M release and will be removed in the O release. * - ``list_limit`` = ``None`` - (Integer) The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, `[assignment]`). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system. * - ``max_param_size`` = ``64`` - (Integer) Limit the sizes of user & project ID/names. * - ``max_project_tree_depth`` = ``5`` - (Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance. - * - ``max_token_size`` = ``8192`` - - (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With PKI / PKIZ tokens, this needs to be set close to 8192 (any higher, and other HTTP implementations may break), depending on the size of your service catalog and other factors. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32). + * - ``max_token_size`` = ``255`` + - (Integer) Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. 
With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32). * - ``member_role_id`` = ``9fe2ff9ee4384b1894a90878d3e92bab`` - (String) Similar to the `[DEFAULT] member_role_name` option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] member_role_name` as well). * - ``member_role_name`` = ``_member_`` - (String) This is the role name used in combination with the `[DEFAULT] member_role_id` option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set `[DEFAULT] member_role_id` as well). * - ``public_endpoint`` = ``None`` - - (String) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host. + - (URI) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. 
You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host. * - ``secure_proxy_ssl_header`` = ``HTTP_X_FORWARDED_PROTO`` - (String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead. * - ``strict_password_check`` = ``False`` diff --git a/doc/config-reference/source/tables/keystone-common.rst b/doc/config-reference/source/tables/keystone-common.rst index 194c17af7b..1a017484a9 100644 --- a/doc/config-reference/source/tables/keystone-common.rst +++ b/doc/config-reference/source/tables/keystone-common.rst 
@@ -22,3 +22,57 @@ - (Integer) Size of executor thread pool. * - ``insecure_debug`` = ``False`` - (Boolean) If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure. + * - **[healthcheck]** + - + * - ``backends`` = + - (List) Additional backends that can perform health checks and report that information back as part of a request. + * - ``detailed`` = ``False`` + - (Boolean) Show more detailed information as part of the response + * - ``disable_by_file_path`` = ``None`` + - (String) Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin. + * - ``disable_by_file_paths`` = + - (List) Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin. + * - ``path`` = ``/healthcheck`` + - (String) DEPRECATED: The path to respond to healtcheck requests on. + * - **[profiler]** + - + * - ``connection_string`` = ``messaging://`` + - (String) Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. + + Examples of possible values: + + * messaging://: use oslo_messaging driver for sending notifications. + + * mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. + + * elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications. + * - ``enabled`` = ``False`` + - (Boolean) Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). + + Possible values: + + * True: Enables the feature + + * False: Disables the feature. The profiling cannot be started via this project operations. 
If the profiling is triggered by another project, this project part will be empty. + * - ``es_doc_type`` = ``notification`` + - (String) Document type for notification indexing in elasticsearch. + * - ``es_scroll_size`` = ``10000`` + - (Integer) Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000). + * - ``es_scroll_time`` = ``2m`` + - (String) This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it. + * - ``hmac_keys`` = ``SECRET_KEY`` + - (String) Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: [,,...], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. + + Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources. + * - ``sentinel_service_name`` = ``mymaster`` + - (String) Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster). + * - ``socket_timeout`` = ``0.1`` + - (Floating point) Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1). + * - ``trace_sqlalchemy`` = ``False`` + - (Boolean) Enables SQL requests profiling in services. Default value is False (SQL requests won't be traced). 
+ + Possible values: + + * True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. + + * False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way. diff --git a/doc/config-reference/source/tables/keystone-redis.rst b/doc/config-reference/source/tables/keystone-redis.rst index bab45c78d0..fe13b38663 100644 --- a/doc/config-reference/source/tables/keystone-redis.rst +++ b/doc/config-reference/source/tables/keystone-redis.rst @@ -29,8 +29,8 @@ * - ``sentinel_group_name`` = ``oslo-messaging-zeromq`` - (String) Redis replica set name. * - ``sentinel_hosts`` = - - (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g. [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url + - (List) DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port ... ] Replaced by [DEFAULT]/transport_url * - ``socket_timeout`` = ``10000`` - - (Integer) Timeout in ms on blocking socket operations + - (Integer) Timeout in ms on blocking socket operations. * - ``wait_timeout`` = ``2000`` - (Integer) Time in ms to wait between connection attempts. diff --git a/tools/autogenerate-config-flagmappings/keystone.flagmappings b/tools/autogenerate-config-flagmappings/keystone.flagmappings index bfcafa8e84..d47a51c5d7 100644 --- a/tools/autogenerate-config-flagmappings/keystone.flagmappings +++ b/tools/autogenerate-config-flagmappings/keystone.flagmappings @@ -7,7 +7,6 @@ crypt_strength security debug disable default_log_levels disable default_publisher_id disable -domain_id_immutable api executor_thread_pool_size common fatal_deprecations disable insecure_debug common 
@@ -32,11 +31,19 @@ notification_format disable notification_opt_out disable public_endpoint api publish_errors disable +rate_limit_burst disable +rate_limit_except_level disable +rate_limit_interval disable +rpc_ack_timeout_base disable +rpc_ack_timeout_multiplier disable rpc_backend disable -rpc_cast_timeout disable rpc_conn_pool_size disable +rpc_message_ttl disable rpc_poll_timeout disable rpc_response_timeout disable +rpc_retry_attempts disable +rpc_thread_pool_size disable +rpc_use_acks disable rpc_zmq_bind_address disable rpc_zmq_bind_port_retries disable rpc_zmq_contexts disable @@ -49,17 +56,25 @@ rpc_zmq_serialization disable rpc_zmq_topic_backlog disable secure_proxy_ssl_header api strict_password_check api +subscribe_on disable syslog_log_facility disable transport_url disable +use_dynamic_connections disable use_pub_sub disable use_router_proxy disable use_stderr disable use_syslog disable verbose disable watch_log_file disable +zmq_failover_connections disable zmq_immediate disable +zmq_linger disable zmq_target_expire disable zmq_target_update disable +zmq_tcp_keepalive disable +zmq_tcp_keepalive_cnt disable +zmq_tcp_keepalive_idle disable +zmq_tcp_keepalive_intvl disable audit/namespace debug cache/backend disable cache/backend_argument disable @@ -106,6 +121,11 @@ database/slave_connection disable database/sqlite_db disable database/sqlite_synchronous disable database/use_db_reconnect disable +healthcheck/backends common +healthcheck/detailed common +healthcheck/disable_by_file_path common +healthcheck/disable_by_file_paths common +healthcheck/path common keystone_authtoken/admin_password disable keystone_authtoken/admin_tenant_name disable keystone_authtoken/admin_token disable 
@@ -142,6 +162,8 @@ keystone_authtoken/memcache_use_advanced_pool disable keystone_authtoken/memcached_servers disable keystone_authtoken/region_name disable keystone_authtoken/revocation_cache_time disable +keystone_authtoken/service_token_roles disable +keystone_authtoken/service_token_roles_required disable keystone_authtoken/signing_dir disable keystone_authtoken/token_cache_time disable matchmaker_redis/check_timeout redis @@ -164,9 +186,11 @@ oslo_messaging_amqp/connection_retry_interval_max disable oslo_messaging_amqp/container_name disable oslo_messaging_amqp/default_notification_exchange disable oslo_messaging_amqp/default_notify_timeout disable +oslo_messaging_amqp/default_reply_retry disable oslo_messaging_amqp/default_reply_timeout disable oslo_messaging_amqp/default_rpc_exchange disable oslo_messaging_amqp/default_send_timeout disable +oslo_messaging_amqp/default_sender_link_timeout disable oslo_messaging_amqp/group_request_prefix disable oslo_messaging_amqp/idle_timeout disable oslo_messaging_amqp/link_retry_delay disable @@ -174,6 +198,7 @@ oslo_messaging_amqp/multicast_address disable oslo_messaging_amqp/notify_address_prefix disable oslo_messaging_amqp/notify_server_credit disable oslo_messaging_amqp/password disable +oslo_messaging_amqp/pre_settled disable oslo_messaging_amqp/reply_link_credit disable oslo_messaging_amqp/rpc_address_prefix disable oslo_messaging_amqp/rpc_server_credit disable 
@@ -188,6 +213,16 @@ oslo_messaging_amqp/ssl_key_password disable oslo_messaging_amqp/trace disable oslo_messaging_amqp/unicast_address disable oslo_messaging_amqp/username disable +oslo_messaging_kafka/conn_pool_min_size disable +oslo_messaging_kafka/conn_pool_ttl disable +oslo_messaging_kafka/consumer_group disable +oslo_messaging_kafka/kafka_consumer_timeout disable +oslo_messaging_kafka/kafka_default_host disable +oslo_messaging_kafka/kafka_default_port disable +oslo_messaging_kafka/kafka_max_fetch_bytes disable +oslo_messaging_kafka/pool_size disable +oslo_messaging_kafka/producer_batch_size disable +oslo_messaging_kafka/producer_batch_timeout disable oslo_messaging_notifications/driver disable oslo_messaging_notifications/topics disable oslo_messaging_notifications/transport_url disable @@ -199,6 +234,7 @@ oslo_messaging_rabbit/default_notification_exchange disable oslo_messaging_rabbit/default_notification_retry_attempts disable oslo_messaging_rabbit/default_rpc_exchange disable oslo_messaging_rabbit/default_rpc_retry_attempts disable +oslo_messaging_rabbit/default_serializer_type disable oslo_messaging_rabbit/fake_rabbit disable oslo_messaging_rabbit/frame_max disable oslo_messaging_rabbit/heartbeat_interval disable @@ -247,8 +283,13 @@ oslo_messaging_rabbit/socket_timeout disable oslo_messaging_rabbit/ssl disable oslo_messaging_rabbit/ssl_options disable oslo_messaging_rabbit/tcp_user_timeout disable -oslo_messaging_zmq/rpc_cast_timeout disable +oslo_messaging_zmq/rpc_ack_timeout_base disable +oslo_messaging_zmq/rpc_ack_timeout_multiplier disable +oslo_messaging_zmq/rpc_message_ttl disable oslo_messaging_zmq/rpc_poll_timeout disable +oslo_messaging_zmq/rpc_retry_attempts disable +oslo_messaging_zmq/rpc_thread_pool_size disable +oslo_messaging_zmq/rpc_use_acks disable oslo_messaging_zmq/rpc_zmq_bind_address disable oslo_messaging_zmq/rpc_zmq_bind_port_retries disable oslo_messaging_zmq/rpc_zmq_contexts disable 
@@ -259,14 +300,31 @@ oslo_messaging_zmq/rpc_zmq_max_port disable oslo_messaging_zmq/rpc_zmq_min_port disable oslo_messaging_zmq/rpc_zmq_serialization disable oslo_messaging_zmq/rpc_zmq_topic_backlog disable +oslo_messaging_zmq/subscribe_on disable +oslo_messaging_zmq/use_dynamic_connections disable oslo_messaging_zmq/use_pub_sub disable oslo_messaging_zmq/use_router_proxy disable +oslo_messaging_zmq/zmq_failover_connections disable oslo_messaging_zmq/zmq_immediate disable +oslo_messaging_zmq/zmq_linger disable oslo_messaging_zmq/zmq_target_expire disable oslo_messaging_zmq/zmq_target_update disable +oslo_messaging_zmq/zmq_tcp_keepalive disable +oslo_messaging_zmq/zmq_tcp_keepalive_cnt disable +oslo_messaging_zmq/zmq_tcp_keepalive_idle disable +oslo_messaging_zmq/zmq_tcp_keepalive_intvl disable oslo_middleware/enable_proxy_headers_parsing api oslo_middleware/max_request_body_size api oslo_middleware/secure_proxy_ssl_header api oslo_policy/policy_default_rule disable oslo_policy/policy_dirs disable oslo_policy/policy_file disable +profiler/connection_string common +profiler/enabled common +profiler/es_doc_type common +profiler/es_scroll_size common +profiler/es_scroll_time common +profiler/hmac_keys common +profiler/sentinel_service_name common +profiler/socket_timeout common +profiler/trace_sqlalchemy common
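Review bot: in the keystone-api.rst hunk (@@ -19,25 +19,23 @@), the rewritten `admin_endpoint` and `public_endpoint` rows change only the type to (URI) but carry over two wording errors from the old text, "this will option will be automatically treated" (drop the first "will") and "You should only need to set option if" (should be "set this option if"); if these tables are generated from keystone's option help text, the fix belongs upstream, but it is worth flagging so the rendered reference does not keep repeating it. The new `max_token_size` row keeps the stray closing parenthesis in "should be set to 32)" and, now that the default is ``255``, the sentence "With Fernet tokens, this can be set as low as 255" reads oddly; something like "the default of 255 is sufficient for Fernet tokens" would match the new default. Dropping `domain_id_immutable` is consistent with the old row's own statement that it would be removed in the O release.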
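Review bot: in the keystone-common.rst hunk (@@ -22,3 +22,57 @@), the `hmac_keys` row has lost its placeholders: the format string reads "[,,...]", which looks like angle-bracketed names such as `<key1>[,<key2>,...]` stripped during generation, so the reader is left without the one thing the row exists to show. The same row describes the keys as used for "encrypting context data", but an HMAC key signs and authenticates the trace context rather than encrypting it, so "signing" would be the accurate verb. Since the default is the fixed placeholder ``SECRET_KEY`` and the text already says each key should be a random string, the row would also benefit from stating plainly that the default must be replaced before `enabled` is set to True. Smaller typos in the same hunk that will be visible in the rendered table: "healtcheck" in the `path` row, "sentinal_service_name" in the `sentinel_service_name` example, and "can the be analyzed" in `trace_sqlalchemy`.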
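Review bot: in the keystone.flagmappings hunk (@@ -142,6 +162,8 @@), mapping `keystone_authtoken/service_token_roles` and `keystone_authtoken/service_token_roles_required` to `disable` is consistent with the rest of the `keystone_authtoken/` group in this file, but these two options control whether a service token must carry a specific role before it is accepted, so please confirm they are documented wherever the `keystone_authtoken` group is covered rather than silently dropped from every reference.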