From ee1c854256e4d72fe79328bf21947e1e10148be4 Mon Sep 17 00:00:00 2001 
From: Gauvain Pocentek Date: Mon, 21 Apr 2014 09:46:49 +0200 Subject: [PATCH] Update config-ref with keystone_authtoken options The auth_token middleware options were not tracked yet. This patch adds the mapping information, generates the tables and includes them in the config-reference. This patch also moves the api_rate_limit nova option to the api section. Closes-Bug: #1254568 Change-Id: I0e34cc8e0a56336118aa933e4018c38c9dcacf9b --- doc/common/tables/cinder-auth_token.xml | 134 ++++++++++++++++++ doc/common/tables/glance-auth_token.xml | 134 ++++++++++++++++++ doc/common/tables/heat-auth_token.xml | 134 ++++++++++++++++++ doc/common/tables/keystone-auth_token.xml | 134 ++++++++++++++++++ doc/common/tables/neutron-auth_token.xml | 134 ++++++++++++++++++ doc/common/tables/nova-api.xml | 4 + doc/common/tables/nova-auth_token.xml | 127 +++++++++++++++++ doc/common/tables/nova-authentication.xml | 4 - doc/common/tables/trove-auth_token.xml | 134 ++++++++++++++++++ .../block-storage/section_misc.xml | 1 + .../ch_databaseserviceconfigure.xml | 1 + doc/config-reference/ch_imageservice.xml | 1 + .../ch_orchestrationconfigure.xml | 1 + .../section_compute-options-reference.xml | 1 + .../section_networking-options-reference.xml | 6 + .../cinder.flagmappings | 27 ++++ .../glance.flagmappings | 27 ++++ .../heat.flagmappings | 27 ++++ .../keystone.flagmappings | 27 ++++ .../neutron.flagmappings | 27 ++++ .../nova.flagmappings | 28 +++- .../trove.flagmappings | 27 ++++ 22 files changed, 1135 insertions(+), 5 deletions(-) create mode 100644 doc/common/tables/cinder-auth_token.xml create mode 100644 doc/common/tables/glance-auth_token.xml create mode 100644 doc/common/tables/heat-auth_token.xml create mode 100644 doc/common/tables/keystone-auth_token.xml create mode 100644 doc/common/tables/neutron-auth_token.xml create mode 100644 doc/common/tables/nova-auth_token.xml create mode 100644 doc/common/tables/trove-auth_token.xml
diff --git a/doc/common/tables/cinder-auth_token.xml b/doc/common/tables/cinder-auth_token.xml new file mode 100644 index 0000000000..2fce6f06da --- /dev/null +++ b/doc/common/tables/cinder-auth_token.xml @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[DEFAULT]
memcached_servers = None(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/common/tables/glance-auth_token.xml b/doc/common/tables/glance-auth_token.xml new file mode 100644 index 0000000000..c901819527 --- /dev/null +++ b/doc/common/tables/glance-auth_token.xml @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[DEFAULT]
memcached_servers = None(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/common/tables/heat-auth_token.xml b/doc/common/tables/heat-auth_token.xml new file mode 100644 index 0000000000..d2400ebd67 --- /dev/null +++ b/doc/common/tables/heat-auth_token.xml @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[DEFAULT]
memcached_servers = None(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/common/tables/keystone-auth_token.xml b/doc/common/tables/keystone-auth_token.xml new file mode 100644 index 0000000000..093b339b97 --- /dev/null +++ b/doc/common/tables/keystone-auth_token.xml @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[DEFAULT]
memcached_servers = None(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/common/tables/neutron-auth_token.xml b/doc/common/tables/neutron-auth_token.xml new file mode 100644 index 0000000000..d808a49836 --- /dev/null +++ b/doc/common/tables/neutron-auth_token.xml @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[DEFAULT]
memcached_servers = None(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/common/tables/nova-api.xml b/doc/common/tables/nova-api.xml index 4941c8aa53..c48cc079d4 100644 --- a/doc/common/tables/nova-api.xml +++ b/doc/common/tables/nova-api.xml @@ -18,6 +18,10 @@ [DEFAULT] + + api_rate_limit = False + (BoolOpt) Whether to use per-user rate limiting for the api. This option is only used by v2 api. Rate limiting is removed from v3 api. + enable_new_services = True (BoolOpt) Services to be added to the available pool on create diff --git a/doc/common/tables/nova-auth_token.xml b/doc/common/tables/nova-auth_token.xml new file mode 100644 index 0000000000..20fc823fbe --- /dev/null +++ b/doc/common/tables/nova-auth_token.xml @@ -0,0 +1,127 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/common/tables/nova-authentication.xml b/doc/common/tables/nova-authentication.xml index f605f05693..9094434a02 100644 --- a/doc/common/tables/nova-authentication.xml +++ b/doc/common/tables/nova-authentication.xml @@ -18,10 +18,6 @@ [DEFAULT] - - api_rate_limit = False - (BoolOpt) Whether to use per-user rate limiting for the api. This option is only used by v2 api. Rate limiting is removed from v3 api. - auth_strategy = noauth (StrOpt) The strategy to use for auth: noauth or keystone. diff --git a/doc/common/tables/trove-auth_token.xml b/doc/common/tables/trove-auth_token.xml new file mode 100644 index 0000000000..975c31a7fe --- /dev/null +++ b/doc/common/tables/trove-auth_token.xml @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Description of configuration options for auth_token
Configuration option = Default valueDescription
[DEFAULT]
memcached_servers = None(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None(StrOpt) Keystone account password
admin_tenant_name = admin(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None(StrOpt) Keystone account username
auth_admin_prefix = (StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None(StrOpt) Complete public Identity API endpoint
auth_version = None(StrOpt) API version of the admin Identity API endpoint
cache = None(StrOpt) Env key for the swift cache
cafile = None(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False(BoolOpt) Verify HTTPS connections.
keyfile = None(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
+
diff --git a/doc/config-reference/block-storage/section_misc.xml b/doc/config-reference/block-storage/section_misc.xml index a8039be2a1..16d1b7da0f 100644 --- a/doc/config-reference/block-storage/section_misc.xml +++ b/doc/config-reference/block-storage/section_misc.xml @@ -10,6 +10,7 @@ cinder.conf file. + diff --git a/doc/config-reference/ch_databaseserviceconfigure.xml b/doc/config-reference/ch_databaseserviceconfigure.xml index 0e90cdb9dc..e381af52ee 100644 --- a/doc/config-reference/ch_databaseserviceconfigure.xml +++ b/doc/config-reference/ch_databaseserviceconfigure.xml @@ -16,6 +16,7 @@ Database Service configuration options. + diff --git a/doc/config-reference/ch_imageservice.xml b/doc/config-reference/ch_imageservice.xml index 1450f4cae3..d2940c0849 100644 --- a/doc/config-reference/ch_imageservice.xml +++ b/doc/config-reference/ch_imageservice.xml @@ -26,6 +26,7 @@ You can modify many options in the OpenStack Image Service. The following tables provide a comprehensive list. + diff --git a/doc/config-reference/ch_orchestrationconfigure.xml b/doc/config-reference/ch_orchestrationconfigure.xml index 7c42d43513..23126f546d 100644 --- a/doc/config-reference/ch_orchestrationconfigure.xml +++ b/doc/config-reference/ch_orchestrationconfigure.xml @@ -19,6 +19,7 @@ The following tables provide a comprehensive list of the Orchestration configuration options. + diff --git a/doc/config-reference/compute/section_compute-options-reference.xml b/doc/config-reference/compute/section_compute-options-reference.xml index 0f34a40615..4eaa77b9cc 100644 --- a/doc/config-reference/compute/section_compute-options-reference.xml +++ b/doc/config-reference/compute/section_compute-options-reference.xml @@ -10,6 +10,7 @@ + diff --git a/doc/config-reference/networking/section_networking-options-reference.xml b/doc/config-reference/networking/section_networking-options-reference.xml index 3fcf279df1..4c559ef94c 100644 
--- a/doc/config-reference/networking/section_networking-options-reference.xml +++ b/doc/config-reference/networking/section_networking-options-reference.xml @@ -27,6 +27,12 @@ +
+Token authentication +Use the following options to alter token authentication settings. + +
+
Compute Use the following options to alter Compute-related settings.
diff --git a/tools/autogenerate-config-flagmappings/cinder.flagmappings b/tools/autogenerate-config-flagmappings/cinder.flagmappings
index 5071d33747..d976ae81cc 100644
--- a/tools/autogenerate-config-flagmappings/cinder.flagmappings
+++ b/tools/autogenerate-config-flagmappings/cinder.flagmappings
@@ -141,6 +141,7 @@ max_age quota
 max_gigabytes storage
 max_header_line api
 max_luns_per_storage_group emc
+memcached_servers auth_token
 migration_create_volume_timeout_secs storage
 monkey_patch common
 monkey_patch_modules common
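Review bot: The added `memcached_servers auth_token` line maps the top-level (DEFAULT-group) option into the same table as `keystone_authtoken/memcached_servers`, so the generated cinder-auth_token table now carries two `memcached_servers` rows with different descriptions (`Memcached servers or None for in process cache.` next to the middleware's own `Optionally specify a list of memcached server(s)…` text). If the DEFAULT-group option is read by the service's in-process cache helper rather than by the auth_token middleware, mapping it to the section that documents that helper (for example the existing `common` group) would keep readers from taking the two rows for one setting; if it really is consumed by the middleware, a one-line comment in the mapping file saying so would settle it. The same DEFAULT-group mapping is added in the glance and heat flagmappings hunks below, so whichever choice is made should be applied to all three.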
@@ -411,6 +412,32 @@ fc-zone-manager/zone_driver zoning_manager
 fc-zone-manager/zoning_policy zoning
 keymgr/api_class keymgr
 keymgr/fixed_key keymgr
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_ring/ringfile rpc
 ssl/ca_file ssl
 ssl/cert_file ssl
diff --git a/tools/autogenerate-config-flagmappings/glance.flagmappings b/tools/autogenerate-config-flagmappings/glance.flagmappings
index 2535fd66a9..2f5970f595 100644
--- a/tools/autogenerate-config-flagmappings/glance.flagmappings
+++ b/tools/autogenerate-config-flagmappings/glance.flagmappings
@@ -77,6 +77,7 @@ logging_exception_prefix logging
 matchmaker_heartbeat_freq matchmaker
 matchmaker_heartbeat_ttl matchmaker
 max_header_line wsgi
+memcached_servers auth_token
 metadata_encryption_key common
 mongodb_store_db gridfs
 mongodb_store_uri gridfs
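Review bot: The DEFAULT-section `memcached_servers` is remapped to `auth_token` here and in the glance, heat, keystone, neutron and trove mappings, so each generated auth_token table will carry `memcached_servers` twice — once for `[DEFAULT]` and once for `[keystone_authtoken]` — with nothing telling the reader which one the middleware honours; if the `[DEFAULT]` name is only the middleware's legacy fallback (likely, but confirm against the middleware's option registration), the table text should say so to steer deployers to the `[keystone_authtoken]` form. Several of the newly mapped options are secrets or switches that weaken verification — `admin_token`, `admin_password`, `memcache_secret_key`, `insecure`, `delay_auth_decision` — and the table inherits only the middleware's help strings, so it is worth checking those rows make the sensitivity clear, since this reference is what operators copy from. The same 26-line `keystone_authtoken/` block is pasted verbatim into seven mapping files; a short note in the commit message or the tool's README that they must be regenerated together would help keep them from drifting.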
@@ -212,6 +213,32 @@ database/sqlite_synchronous db
 database/use_db_reconnect db
 image_format/container_formats common
 image_format/disk_formats common
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_ring/ringfile matchmaker
 paste_deploy/config_file paste
 paste_deploy/flavor paste
diff --git a/tools/autogenerate-config-flagmappings/heat.flagmappings b/tools/autogenerate-config-flagmappings/heat.flagmappings
index eca47e309f..a7ece26b2b 100644
--- a/tools/autogenerate-config-flagmappings/heat.flagmappings
+++ b/tools/autogenerate-config-flagmappings/heat.flagmappings
@@ -53,6 +53,7 @@ max_nested_stack_depth quota
 max_resources_per_stack quota
 max_stacks_per_tenant quota
 max_template_size quota
+memcached_servers auth_token
 notification_driver amqp
 notification_topics amqp
 onready notification
@@ -191,6 +192,32 @@ heat_api_cloudwatch/cert_file cloudwatch_api
 heat_api_cloudwatch/key_file cloudwatch_api
 heat_api_cloudwatch/max_header_line cloudwatch_api
 heat_api_cloudwatch/workers cloudwatch_api
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_redis/host redis
 matchmaker_redis/password redis
 matchmaker_redis/port redis
diff --git a/tools/autogenerate-config-flagmappings/keystone.flagmappings b/tools/autogenerate-config-flagmappings/keystone.flagmappings
index dfee4d151c..b0c779bb1d 100644
--- a/tools/autogenerate-config-flagmappings/keystone.flagmappings
+++ b/tools/autogenerate-config-flagmappings/keystone.flagmappings
@@ -47,6 +47,7 @@ max_request_body_size api
 max_token_size api
 member_role_id api
 member_role_name api
+memcached_servers auth_token
 notification_driver amqp
 notification_topics amqp
 onready notification
@@ -154,6 +155,32 @@ identity/domain_specific_drivers_enabled identity
 identity/driver identity
 identity/list_limit identity
 identity/max_password_length identity
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 kvs/backends kvs
 kvs/config_prefix kvs
 kvs/default_lock_timeout kvs
diff --git a/tools/autogenerate-config-flagmappings/neutron.flagmappings b/tools/autogenerate-config-flagmappings/neutron.flagmappings
index 6e396f6cd9..0321f51700 100644
--- a/tools/autogenerate-config-flagmappings/neutron.flagmappings
+++ b/tools/autogenerate-config-flagmappings/neutron.flagmappings
@@ -91,6 +91,7 @@ max_request_body_size api
 max_routes quotas
 max_subnet_host_routes common
 measure_interval metering_agent
+memcached_servers auth_token
 meta_flavor_driver_mappings metadata
 metadata_backlog metadata
 metadata_port metadata
@@ -454,6 +455,32 @@ heleoslb/sync_interval embrane_lb
 hyperv/force_hyperv_utils_v1 hyperv_agent
 ipsec/config_base_dir vpn
 ipsec/ipsec_status_check_interval vpn
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 l2pop/agent_boot_time ml2_l2pop
 matchmaker_redis/host redis
 matchmaker_redis/password redis
diff --git a/tools/autogenerate-config-flagmappings/nova.flagmappings b/tools/autogenerate-config-flagmappings/nova.flagmappings
index 70013154cd..370dd07657 100644
--- a/tools/autogenerate-config-flagmappings/nova.flagmappings
+++ b/tools/autogenerate-config-flagmappings/nova.flagmappings
@@ -9,7 +9,7 @@ allowed_rpc_exception_modules testing
 amqp_auto_delete rpc rpc_all
 amqp_durable_queues rpc rpc_all
 api_paste_config wsgi
-api_rate_limit authentication
+api_rate_limit api
 auth_strategy authentication
 auto_assign_floating_ip network
 backdoor_port testing
@@ -512,6 +512,32 @@ hyperv/vswitch_name hyperv
 image_file_url/filesystems glance
 keymgr/api_class keymgr
 keymgr/fixed_key keymgr
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 libvirt/block_migration_flag hypervisor
 libvirt/checksum_base_images libvirt
 libvirt/checksum_interval_seconds libvirt
diff --git a/tools/autogenerate-config-flagmappings/trove.flagmappings b/tools/autogenerate-config-flagmappings/trove.flagmappings
index 04ca48e0c6..9955823b42 100644
--- a/tools/autogenerate-config-flagmappings/trove.flagmappings
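Review bot: Unlike the six sibling mapping files, the nova hunks leave the DEFAULT-section `memcached_servers` entry untouched and add only the 26 `keystone_authtoken/` lines; that is presumably deliberate because nova registers its own `memcached_servers` option in `[DEFAULT]`, but the commit does not say so and the asymmetry will read as an omission to the next person regenerating the tables. A one-line mention in the commit message that nova's `memcached_servers` stays under its existing category on purpose would settle it; if it is not on purpose, the line should follow the other files.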
+++ b/tools/autogenerate-config-flagmappings/trove.flagmappings
@@ -100,6 +100,7 @@ max_backups_per_user quota
 max_header_line api
 max_instances_per_user quota
 max_volumes_per_user quota
+memcached_servers auth_token
 mount_options guestagent
 network_label_regex logging
 notification_driver amqp
@@ -207,6 +208,32 @@ couchbase/mount_point db_couchbase
 couchbase/tcp_ports db_couchbase
 couchbase/udp_ports db_couchbase
 couchbase/usage_timeout db_couchbase
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_redis/host redis
 matchmaker_redis/password redis
 matchmaker_redis/port redis