Update Config Reference for keystone

Updates for Liberty Release

 The main changes address the oslo_messaging issue, as for ceilometer/nova etc.
 This commit also adds the keystone-tokenless.xml file.

Change-Id: Ib19008917e6c214238fc397faa3ce54b53d2f7e1
Atsushi SAKAI 2015-10-14 16:31:43 +09:00
parent 52be53d4fe
commit e9b476491f
10 changed files with 122 additions and 33 deletions


@ -149,6 +149,10 @@
<td><option>memcache_use_advanced_pool</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) (Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.</td>
</tr>
<tr>
<td><option>region_name</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The region in which the identity server can be found.</td>
</tr>
<tr>
<td><option>revocation_cache_time</option> = <replaceable>10</replaceable></td>
<td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>


@ -39,7 +39,7 @@
</tr>
<tr>
<td><option>trusted_dashboard</option> = <replaceable>[]</replaceable></td>
<td>(MultiStrOpt) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of the trusted_dashboard list. This configuration option may be repeated for multiple values. For example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com</td>
<td>(MultiStrOpt) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of the trusted_dashboard list. This configuration option may be repeated for multiple values. For example: trusted_dashboard=http://acme.com/auth/websso trusted_dashboard=http://beta.com/auth/websso</td>
</tr>
</tbody>
</table>


@ -23,7 +23,7 @@
</tr>
<tr>
<td><option>default_log_levels</option> = <replaceable>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN</replaceable></td>
<td>(ListOpt) List of logger=LEVEL pairs.</td>
<td>(ListOpt) List of logger=LEVEL pairs. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>fatal_deprecations</option> = <replaceable>False</replaceable></td>
@ -39,23 +39,23 @@
</tr>
<tr>
<td><option>log_config_append</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.</td>
<td>(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log_format).</td>
</tr>
<tr>
<td><option>log_date_format</option> = <replaceable>%Y-%m-%d %H:%M:%S</replaceable></td>
<td>(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .</td>
<td>(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>log_dir</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) (Optional) The base directory used for relative --log-file paths.</td>
<td>(StrOpt) (Optional) The base directory used for relative --log-file paths. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>log_file</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.</td>
<td>(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>log_format</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.</td>
<td>(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>logging_context_format_string</option> = <replaceable>%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s</replaceable></td>
@ -79,24 +79,28 @@
</tr>
<tr>
<td><option>syslog_log_facility</option> = <replaceable>LOG_USER</replaceable></td>
<td>(StrOpt) Syslog facility to receive log lines.</td>
<td>(StrOpt) Syslog facility to receive log lines. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>use_stderr</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Log output to standard error.</td>
<td>(BoolOpt) Log output to standard error. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>use_syslog</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424.</td>
<td>(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>use_syslog_rfc_format</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in Kilo, and will be removed in Mitaka, along with this option.</td>
<td>(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in Kilo, and will be removed in Mitaka, along with this option. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td><option>verbose</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) If set to false, will disable INFO logging level, making WARNING the default.</td>
</tr>
<tr>
<td><option>watch_log_file</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) (Optional) Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log-file option is specified and Linux platform is used. This option is ignored if log_config_append is set.</td>
</tr>
</tbody>
</table>
</para>


@ -15,14 +15,14 @@
</thead>
<tbody>
<tr>
<th colspan="2">[matchmaker_redis]</th>
<th colspan="2">[DEFAULT]</th>
</tr>
<tr>
<td><option>host</option> = <replaceable>127.0.0.1</replaceable></td>
<td>(StrOpt) Host to locate redis.</td>
</tr>
<tr>
<td><option>password</option> = <replaceable>None</replaceable></td>
<td><option>password</option> = <replaceable></replaceable></td>
<td>(StrOpt) Password for Redis server (optional).</td>
</tr>
<tr>
@ -30,11 +30,19 @@
<td>(IntOpt) Use this port to connect to redis host.</td>
</tr>
<tr>
<th colspan="2">[matchmaker_ring]</th>
<th colspan="2">[matchmaker_redis]</th>
</tr>
<tr>
<td><option>ringfile</option> = <replaceable>/etc/oslo/matchmaker_ring.json</replaceable></td>
<td>(StrOpt) Matchmaker ring file (JSON).</td>
<td><option>host</option> = <replaceable>127.0.0.1</replaceable></td>
<td>(StrOpt) Host to locate redis.</td>
</tr>
<tr>
<td><option>password</option> = <replaceable></replaceable></td>
<td>(StrOpt) Password for Redis server (optional).</td>
</tr>
<tr>
<td><option>port</option> = <replaceable>6379</replaceable></td>
<td>(IntOpt) Use this port to connect to redis host.</td>
</tr>
</tbody>
</table>


@ -17,14 +17,6 @@
<tr>
<th colspan="2">[DEFAULT]</th>
</tr>
<tr>
<td><option>matchmaker_heartbeat_freq</option> = <replaceable>300</replaceable></td>
<td>(IntOpt) Heartbeat frequency.</td>
</tr>
<tr>
<td><option>matchmaker_heartbeat_ttl</option> = <replaceable>600</replaceable></td>
<td>(IntOpt) Heartbeat time-to-live.</td>
</tr>
<tr>
<td><option>rpc_backend</option> = <replaceable>rabbit</replaceable></td>
<td>(StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.</td>
@ -37,6 +29,10 @@
<td><option>rpc_conn_pool_size</option> = <replaceable>30</replaceable></td>
<td>(IntOpt) Size of RPC connection pool.</td>
</tr>
<tr>
<td><option>rpc_poll_timeout</option> = <replaceable>1</replaceable></td>
<td>(IntOpt) The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.</td>
</tr>
<tr>
<td><option>rpc_response_timeout</option> = <replaceable>60</replaceable></td>
<td>(IntOpt) Seconds to wait for a response from a call.</td>
@ -64,6 +60,22 @@
<td><option>idle_timeout</option> = <replaceable>0</replaceable></td>
<td>(IntOpt) Timeout for inactive connections (in seconds)</td>
</tr>
<tr>
<td><option>password</option> = <replaceable></replaceable></td>
<td>(StrOpt) Password for message broker authentication</td>
</tr>
<tr>
<td><option>sasl_config_dir</option> = <replaceable></replaceable></td>
<td>(StrOpt) Path to directory that contains the SASL configuration</td>
</tr>
<tr>
<td><option>sasl_config_name</option> = <replaceable></replaceable></td>
<td>(StrOpt) Name of configuration file (without .conf suffix)</td>
</tr>
<tr>
<td><option>sasl_mechanisms</option> = <replaceable></replaceable></td>
<td>(StrOpt) Space separated list of acceptable SASL mechanisms</td>
</tr>
<tr>
<td><option>server_request_prefix</option> = <replaceable>exclusive</replaceable></td>
<td>(StrOpt) address prefix used when sending to a specific server</td>
@ -88,6 +100,10 @@
<td><option>trace</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Debug: dump AMQP frames to stdout</td>
</tr>
<tr>
<td><option>username</option> = <replaceable></replaceable></td>
<td>(StrOpt) User name for message broker authentication</td>
</tr>
</tbody>
</table>
</para>


@ -0,0 +1,34 @@
<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
<!-- Warning: Do not edit this file. It is automatically
generated and your changes will be overwritten.
The tool to do so lives in openstack-doc-tools repository. -->
<table rules="all" xml:id="config_table_keystone_tokenless">
<caption>Description of Tokenless Authorization configuration options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<th>Configuration option = Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[tokenless_auth]</th>
</tr>
<tr>
<td><option>issuer_attribute</option> = <replaceable>SSL_CLIENT_I_DN</replaceable></td>
<td>(StrOpt) The issuer attribute that is served as an IdP ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. It is the environment variable in the WSGI environment that references to the issuer of the client certificate.</td>
</tr>
<tr>
<td><option>protocol</option> = <replaceable>x509</replaceable></td>
<td>(StrOpt) The protocol name for the X.509 tokenless authorization along with the option issuer_attribute below can look up its corresponding mapping.</td>
</tr>
<tr>
<td><option>trusted_issuer</option> = <replaceable>[]</replaceable></td>
<td>(MultiStrOpt) The list of trusted issuers to further filter the certificates that are allowed to participate in the X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The naming format for the attributes of a Distinguished Name(DN) must be separated by a comma and contain no spaces. This configuration option may be repeated for multiple values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack trusted_issuer=CN=mary,OU=eng,O=abc</td>
</tr>
</tbody>
</table>
</para>


@ -17,10 +17,18 @@
<tr>
<th colspan="2">[DEFAULT]</th>
</tr>
<tr>
<td><option>rpc_zmq_all_req_rep</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Use REQ/REP pattern for all methods CALL/CAST/FANOUT.</td>
</tr>
<tr>
<td><option>rpc_zmq_bind_address</option> = <replaceable>*</replaceable></td>
<td>(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.</td>
</tr>
<tr>
<td><option>rpc_zmq_concurrency</option> = <replaceable>eventlet</replaceable></td>
<td>(StrOpt) Type of concurrency used. Either "native" or "eventlet"</td>
</tr>
<tr>
<td><option>rpc_zmq_contexts</option> = <replaceable>1</replaceable></td>
<td>(IntOpt) Number of ZeroMQ contexts, defaults to 1.</td>
@ -34,17 +42,17 @@
<td>(StrOpt) Directory for holding IPC sockets.</td>
</tr>
<tr>
<td><option>rpc_zmq_matchmaker</option> = <replaceable>local</replaceable></td>
<td><option>rpc_zmq_matchmaker</option> = <replaceable>redis</replaceable></td>
<td>(StrOpt) MatchMaker driver.</td>
</tr>
<tr>
<td><option>rpc_zmq_port</option> = <replaceable>9501</replaceable></td>
<td>(IntOpt) ZeroMQ receiver listening port.</td>
</tr>
<tr>
<td><option>rpc_zmq_topic_backlog</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.</td>
</tr>
<tr>
<td><option>zmq_use_broker</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Shows whether zmq-messaging uses broker or not.</td>
</tr>
</tbody>
</table>
</para>


@ -81,6 +81,7 @@ options. For installation prerequisites and step-by-step walkthroughs, see the
<xi:include href="../common/tables/keystone-saml.xml"/>
<xi:include href="../common/tables/keystone-security.xml"/>
<xi:include href="../common/tables/keystone-token.xml"/>
<xi:include href="../common/tables/keystone-tokenless.xml"/>
<xi:include href="../common/tables/keystone-trust.xml"/>
<xi:include href="../common/tables/keystone-rpc.xml"/>


@ -8,6 +8,7 @@ default_publisher_id amqp
domain_id_immutable api
executor_thread_pool_size common
fatal_deprecations logging
host redis
instance_format logging
instance_uuid_format logging
list_limit api
@ -20,8 +21,6 @@ logging_context_format_string logging
logging_debug_format_suffix logging
logging_default_format_string logging
logging_exception_prefix logging
matchmaker_heartbeat_freq rpc
matchmaker_heartbeat_ttl rpc
max_param_size api
max_project_tree_depth api
max_token_size api
@ -31,6 +30,8 @@ memcached_servers common
notification_driver amqp
notification_format amqp
notification_topics amqp
password redis
port redis
public_endpoint api
publish_errors logging
pydev_debug_host debug
@ -38,13 +39,15 @@ pydev_debug_port debug
rpc_backend rpc
rpc_cast_timeout rpc
rpc_conn_pool_size rpc
rpc_poll_timeout rpc
rpc_response_timeout rpc
rpc_zmq_all_req_rep zeromq
rpc_zmq_bind_address zeromq
rpc_zmq_concurrency zeromq
rpc_zmq_contexts zeromq
rpc_zmq_host zeromq
rpc_zmq_ipc_dir zeromq
rpc_zmq_matchmaker zeromq
rpc_zmq_port zeromq
rpc_zmq_topic_backlog zeromq
secure_proxy_ssl_header api
standard_threads debug
@ -55,6 +58,8 @@ use_stderr logging
use_syslog logging
use_syslog_rfc_format logging
verbose logging
watch_log_file logging
zmq_use_broker zeromq
assignment/driver assignment
audit/namespace debug
auth/external auth
@ -189,6 +194,7 @@ keystone_authtoken/memcache_secret_key auth_token
keystone_authtoken/memcache_security_strategy auth_token
keystone_authtoken/memcache_use_advanced_pool auth_token
keystone_authtoken/memcached_servers common
keystone_authtoken/region_name auth_token
keystone_authtoken/revocation_cache_time auth_token
keystone_authtoken/signing_dir auth_token
keystone_authtoken/token_cache_time auth_token
@ -282,7 +288,6 @@ ldap/user_tree_dn ldap
matchmaker_redis/host redis
matchmaker_redis/password redis
matchmaker_redis/port redis
matchmaker_ring/ringfile redis
memcache/dead_retry cache
memcache/pool_connection_get_timeout cache
memcache/pool_maxsize cache
@ -300,12 +305,17 @@ oslo_messaging_amqp/broadcast_prefix rpc
oslo_messaging_amqp/container_name rpc
oslo_messaging_amqp/group_request_prefix rpc
oslo_messaging_amqp/idle_timeout rpc
oslo_messaging_amqp/password rpc
oslo_messaging_amqp/sasl_config_dir rpc
oslo_messaging_amqp/sasl_config_name rpc
oslo_messaging_amqp/sasl_mechanisms rpc
oslo_messaging_amqp/server_request_prefix rpc
oslo_messaging_amqp/ssl_ca_file rpc
oslo_messaging_amqp/ssl_cert_file rpc
oslo_messaging_amqp/ssl_key_file rpc
oslo_messaging_amqp/ssl_key_password rpc
oslo_messaging_amqp/trace rpc
oslo_messaging_amqp/username rpc
oslo_messaging_qpid/amqp_auto_delete qpid
oslo_messaging_qpid/amqp_durable_queues qpid
oslo_messaging_qpid/qpid_heartbeat qpid
@ -403,6 +413,9 @@ token/expiration token
token/hash_algorithm token
token/provider token
token/revoke_by_id token
tokenless_auth/issuer_attribute tokenless
tokenless_auth/protocol tokenless
tokenless_auth/trusted_issuer tokenless
trust/allow_redelegation trust
trust/driver trust
trust/enabled trust


@ -17,4 +17,5 @@ role role
saml SAML
security security
token token
tokenless Tokenless Authorization
trust trust