Update Config Reference for keystone
Updates for the Liberty release. The main changes are in oslo_messaging, as with ceilometer/nova etc. Also adds the keystone-tokenless.xml file. Change-Id: Ib19008917e6c214238fc397faa3ce54b53d2f7e1
parent
52be53d4fe
commit
e9b476491f
@ -149,6 +149,10 @@
|
||||
<td><option>memcache_use_advanced_pool</option> = <replaceable>False</replaceable></td>
|
||||
<td>(BoolOpt) (Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>region_name</option> = <replaceable>None</replaceable></td>
|
||||
<td>(StrOpt) The region in which the identity server can be found.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>revocation_cache_time</option> = <replaceable>10</replaceable></td>
|
||||
<td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
|
||||
|
@ -39,7 +39,7 @@
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>trusted_dashboard</option> = <replaceable>[]</replaceable></td>
|
||||
<td>(MultiStrOpt) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of the trusted_dashboard list. This configuration option may be repeated for multiple values. For example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com</td>
|
||||
<td>(MultiStrOpt) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of the trusted_dashboard list. This configuration option may be repeated for multiple values. For example: trusted_dashboard=http://acme.com/auth/websso trusted_dashboard=http://beta.com/auth/websso</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
@ -23,7 +23,7 @@
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>default_log_levels</option> = <replaceable>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN</replaceable></td>
|
||||
<td>(ListOpt) List of logger=LEVEL pairs.</td>
|
||||
<td>(ListOpt) List of logger=LEVEL pairs. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>fatal_deprecations</option> = <replaceable>False</replaceable></td>
|
||||
@ -39,23 +39,23 @@
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>log_config_append</option> = <replaceable>None</replaceable></td>
|
||||
<td>(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.</td>
|
||||
<td>(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log_format).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>log_date_format</option> = <replaceable>%Y-%m-%d %H:%M:%S</replaceable></td>
|
||||
<td>(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .</td>
|
||||
<td>(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>log_dir</option> = <replaceable>None</replaceable></td>
|
||||
<td>(StrOpt) (Optional) The base directory used for relative --log-file paths.</td>
|
||||
<td>(StrOpt) (Optional) The base directory used for relative --log-file paths. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>log_file</option> = <replaceable>None</replaceable></td>
|
||||
<td>(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.</td>
|
||||
<td>(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>log_format</option> = <replaceable>None</replaceable></td>
|
||||
<td>(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.</td>
|
||||
<td>(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>logging_context_format_string</option> = <replaceable>%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s</replaceable></td>
|
||||
@ -79,24 +79,28 @@
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>syslog_log_facility</option> = <replaceable>LOG_USER</replaceable></td>
|
||||
<td>(StrOpt) Syslog facility to receive log lines.</td>
|
||||
<td>(StrOpt) Syslog facility to receive log lines. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>use_stderr</option> = <replaceable>True</replaceable></td>
|
||||
<td>(BoolOpt) Log output to standard error.</td>
|
||||
<td>(BoolOpt) Log output to standard error. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>use_syslog</option> = <replaceable>False</replaceable></td>
|
||||
<td>(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424.</td>
|
||||
<td>(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>use_syslog_rfc_format</option> = <replaceable>True</replaceable></td>
|
||||
<td>(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in Kilo, and will be removed in Mitaka, along with this option.</td>
|
||||
<td>(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in Kilo, and will be removed in Mitaka, along with this option. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>verbose</option> = <replaceable>True</replaceable></td>
|
||||
<td>(BoolOpt) If set to false, will disable INFO logging level, making WARNING the default.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>watch_log_file</option> = <replaceable>False</replaceable></td>
|
||||
<td>(BoolOpt) (Optional) Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log-file option is specified and Linux platform is used. This option is ignored if log_config_append is set.</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</para>
|
||||
|
@ -15,14 +15,14 @@
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<th colspan="2">[matchmaker_redis]</th>
|
||||
<th colspan="2">[DEFAULT]</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>host</option> = <replaceable>127.0.0.1</replaceable></td>
|
||||
<td>(StrOpt) Host to locate redis.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>password</option> = <replaceable>None</replaceable></td>
|
||||
<td><option>password</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) Password for Redis server (optional).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@ -30,11 +30,19 @@
|
||||
<td>(IntOpt) Use this port to connect to redis host.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th colspan="2">[matchmaker_ring]</th>
|
||||
<th colspan="2">[matchmaker_redis]</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>ringfile</option> = <replaceable>/etc/oslo/matchmaker_ring.json</replaceable></td>
|
||||
<td>(StrOpt) Matchmaker ring file (JSON).</td>
|
||||
<td><option>host</option> = <replaceable>127.0.0.1</replaceable></td>
|
||||
<td>(StrOpt) Host to locate redis.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>password</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) Password for Redis server (optional).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>port</option> = <replaceable>6379</replaceable></td>
|
||||
<td>(IntOpt) Use this port to connect to redis host.</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
@ -17,14 +17,6 @@
|
||||
<tr>
|
||||
<th colspan="2">[DEFAULT]</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>matchmaker_heartbeat_freq</option> = <replaceable>300</replaceable></td>
|
||||
<td>(IntOpt) Heartbeat frequency.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>matchmaker_heartbeat_ttl</option> = <replaceable>600</replaceable></td>
|
||||
<td>(IntOpt) Heartbeat time-to-live.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_backend</option> = <replaceable>rabbit</replaceable></td>
|
||||
<td>(StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.</td>
|
||||
@ -37,6 +29,10 @@
|
||||
<td><option>rpc_conn_pool_size</option> = <replaceable>30</replaceable></td>
|
||||
<td>(IntOpt) Size of RPC connection pool.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_poll_timeout</option> = <replaceable>1</replaceable></td>
|
||||
<td>(IntOpt) The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_response_timeout</option> = <replaceable>60</replaceable></td>
|
||||
<td>(IntOpt) Seconds to wait for a response from a call.</td>
|
||||
@ -64,6 +60,22 @@
|
||||
<td><option>idle_timeout</option> = <replaceable>0</replaceable></td>
|
||||
<td>(IntOpt) Timeout for inactive connections (in seconds)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>password</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) Password for message broker authentication</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>sasl_config_dir</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) Path to directory that contains the SASL configuration</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>sasl_config_name</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) Name of configuration file (without .conf suffix)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>sasl_mechanisms</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) Space separated list of acceptable SASL mechanisms</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>server_request_prefix</option> = <replaceable>exclusive</replaceable></td>
|
||||
<td>(StrOpt) address prefix used when sending to a specific server</td>
|
||||
@ -88,6 +100,10 @@
|
||||
<td><option>trace</option> = <replaceable>False</replaceable></td>
|
||||
<td>(BoolOpt) Debug: dump AMQP frames to stdout</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>username</option> = <replaceable></replaceable></td>
|
||||
<td>(StrOpt) User name for message broker authentication</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</para>
|
||||
|
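--- /dev/null
+++ b/doc/common/tables/keystone-tokenless.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<para xmlns="http://docbook.org/ns/docbook" version="5.0">
+<!-- Warning: Do not edit this file. It is automatically
+generated and your changes will be overwritten.
+The tool to do so lives in openstack-doc-tools repository. -->
+<table rules="all" xml:id="config_table_keystone_tokenless">
+<caption>Description of Tokenless Authorization configuration options</caption>
+<col width="50%"/>
+<col width="50%"/>
+<thead>
+<tr>
+<th>Configuration option = Default value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<th colspan="2">[tokenless_auth]</th>
+</tr>
+<tr>
+<td><option>issuer_attribute</option> = <replaceable>SSL_CLIENT_I_DN</replaceable></td>
+<td>(StrOpt) The issuer attribute that is served as an IdP ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. It is the environment variable in the WSGI environment that references to the issuer of the client certificate.</td>
+</tr>
+<tr>
+<td><option>protocol</option> = <replaceable>x509</replaceable></td>
+<td>(StrOpt) The protocol name for the X.509 tokenless authorization along with the option issuer_attribute below can look up its corresponding mapping.</td>
+</tr>
+<tr>
+<td><option>trusted_issuer</option> = <replaceable>[]</replaceable></td>
+<td>(MultiStrOpt) The list of trusted issuers to further filter the certificates that are allowed to participate in the X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The naming format for the attributes of a Distinguished Name(DN) must be separated by a comma and contain no spaces. This configuration option may be repeated for multiple values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack trusted_issuer=CN=mary,OU=eng,O=abc</td>
+</tr>
+</tbody>
+</table>
+</para>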
@ -17,10 +17,18 @@
|
||||
<tr>
|
||||
<th colspan="2">[DEFAULT]</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_all_req_rep</option> = <replaceable>True</replaceable></td>
|
||||
<td>(BoolOpt) Use REQ/REP pattern for all methods CALL/CAST/FANOUT.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_bind_address</option> = <replaceable>*</replaceable></td>
|
||||
<td>(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_concurrency</option> = <replaceable>eventlet</replaceable></td>
|
||||
<td>(StrOpt) Type of concurrency used. Either "native" or "eventlet"</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_contexts</option> = <replaceable>1</replaceable></td>
|
||||
<td>(IntOpt) Number of ZeroMQ contexts, defaults to 1.</td>
|
||||
@ -34,17 +42,17 @@
|
||||
<td>(StrOpt) Directory for holding IPC sockets.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_matchmaker</option> = <replaceable>local</replaceable></td>
|
||||
<td><option>rpc_zmq_matchmaker</option> = <replaceable>redis</replaceable></td>
|
||||
<td>(StrOpt) MatchMaker driver.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_port</option> = <replaceable>9501</replaceable></td>
|
||||
<td>(IntOpt) ZeroMQ receiver listening port.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>rpc_zmq_topic_backlog</option> = <replaceable>None</replaceable></td>
|
||||
<td>(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><option>zmq_use_broker</option> = <replaceable>True</replaceable></td>
|
||||
<td>(BoolOpt) Shows whether zmq-messaging uses broker or not.</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</para>
|
||||
|
@ -81,6 +81,7 @@ options. For installation prerequisites and step-by-step walkthroughs, see the
|
||||
<xi:include href="../common/tables/keystone-saml.xml"/>
|
||||
<xi:include href="../common/tables/keystone-security.xml"/>
|
||||
<xi:include href="../common/tables/keystone-token.xml"/>
|
||||
<xi:include href="../common/tables/keystone-tokenless.xml"/>
|
||||
<xi:include href="../common/tables/keystone-trust.xml"/>
|
||||
|
||||
<xi:include href="../common/tables/keystone-rpc.xml"/>
|
||||
|
@ -8,6 +8,7 @@ default_publisher_id amqp
|
||||
domain_id_immutable api
|
||||
executor_thread_pool_size common
|
||||
fatal_deprecations logging
|
||||
host redis
|
||||
instance_format logging
|
||||
instance_uuid_format logging
|
||||
list_limit api
|
||||
@ -20,8 +21,6 @@ logging_context_format_string logging
|
||||
logging_debug_format_suffix logging
|
||||
logging_default_format_string logging
|
||||
logging_exception_prefix logging
|
||||
matchmaker_heartbeat_freq rpc
|
||||
matchmaker_heartbeat_ttl rpc
|
||||
max_param_size api
|
||||
max_project_tree_depth api
|
||||
max_token_size api
|
||||
@ -31,6 +30,8 @@ memcached_servers common
|
||||
notification_driver amqp
|
||||
notification_format amqp
|
||||
notification_topics amqp
|
||||
password redis
|
||||
port redis
|
||||
public_endpoint api
|
||||
publish_errors logging
|
||||
pydev_debug_host debug
|
||||
@ -38,13 +39,15 @@ pydev_debug_port debug
|
||||
rpc_backend rpc
|
||||
rpc_cast_timeout rpc
|
||||
rpc_conn_pool_size rpc
|
||||
rpc_poll_timeout rpc
|
||||
rpc_response_timeout rpc
|
||||
rpc_zmq_all_req_rep zeromq
|
||||
rpc_zmq_bind_address zeromq
|
||||
rpc_zmq_concurrency zeromq
|
||||
rpc_zmq_contexts zeromq
|
||||
rpc_zmq_host zeromq
|
||||
rpc_zmq_ipc_dir zeromq
|
||||
rpc_zmq_matchmaker zeromq
|
||||
rpc_zmq_port zeromq
|
||||
rpc_zmq_topic_backlog zeromq
|
||||
secure_proxy_ssl_header api
|
||||
standard_threads debug
|
||||
@ -55,6 +58,8 @@ use_stderr logging
|
||||
use_syslog logging
|
||||
use_syslog_rfc_format logging
|
||||
verbose logging
|
||||
watch_log_file logging
|
||||
zmq_use_broker zeromq
|
||||
assignment/driver assignment
|
||||
audit/namespace debug
|
||||
auth/external auth
|
||||
@ -189,6 +194,7 @@ keystone_authtoken/memcache_secret_key auth_token
|
||||
keystone_authtoken/memcache_security_strategy auth_token
|
||||
keystone_authtoken/memcache_use_advanced_pool auth_token
|
||||
keystone_authtoken/memcached_servers common
|
||||
keystone_authtoken/region_name auth_token
|
||||
keystone_authtoken/revocation_cache_time auth_token
|
||||
keystone_authtoken/signing_dir auth_token
|
||||
keystone_authtoken/token_cache_time auth_token
|
||||
@ -282,7 +288,6 @@ ldap/user_tree_dn ldap
|
||||
matchmaker_redis/host redis
|
||||
matchmaker_redis/password redis
|
||||
matchmaker_redis/port redis
|
||||
matchmaker_ring/ringfile redis
|
||||
memcache/dead_retry cache
|
||||
memcache/pool_connection_get_timeout cache
|
||||
memcache/pool_maxsize cache
|
||||
@ -300,12 +305,17 @@ oslo_messaging_amqp/broadcast_prefix rpc
|
||||
oslo_messaging_amqp/container_name rpc
|
||||
oslo_messaging_amqp/group_request_prefix rpc
|
||||
oslo_messaging_amqp/idle_timeout rpc
|
||||
oslo_messaging_amqp/password rpc
|
||||
oslo_messaging_amqp/sasl_config_dir rpc
|
||||
oslo_messaging_amqp/sasl_config_name rpc
|
||||
oslo_messaging_amqp/sasl_mechanisms rpc
|
||||
oslo_messaging_amqp/server_request_prefix rpc
|
||||
oslo_messaging_amqp/ssl_ca_file rpc
|
||||
oslo_messaging_amqp/ssl_cert_file rpc
|
||||
oslo_messaging_amqp/ssl_key_file rpc
|
||||
oslo_messaging_amqp/ssl_key_password rpc
|
||||
oslo_messaging_amqp/trace rpc
|
||||
oslo_messaging_amqp/username rpc
|
||||
oslo_messaging_qpid/amqp_auto_delete qpid
|
||||
oslo_messaging_qpid/amqp_durable_queues qpid
|
||||
oslo_messaging_qpid/qpid_heartbeat qpid
|
||||
@ -403,6 +413,9 @@ token/expiration token
|
||||
token/hash_algorithm token
|
||||
token/provider token
|
||||
token/revoke_by_id token
|
||||
tokenless_auth/issuer_attribute tokenless
|
||||
tokenless_auth/protocol tokenless
|
||||
tokenless_auth/trusted_issuer tokenless
|
||||
trust/allow_redelegation trust
|
||||
trust/driver trust
|
||||
trust/enabled trust
|
||||
|
@ -17,4 +17,5 @@ role role
|
||||
saml SAML
|
||||
security security
|
||||
token token
|
||||
tokenless Tokenless Authorization
|
||||
trust trust
|
||||
|