openstack-manuals/doc/config-reference/identity/section_keystone-sample-conf-files.xml

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
  xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  version="5.0"
  xml:id="sample-configuration-files">
    <title>Identity service sample configuration files</title>
    <para>You can find the files described in this section in the
            <systemitem>/etc/keystone</systemitem> directory.</para>
    <section xml:id="section_keystone.conf">
        <title>keystone.conf</title>
        <para>Use the <filename>keystone.conf</filename> file to
            configure most Identity service options:</para>
        <programlisting language="ini"><xi:include parse="text" href="https://git.openstack.org/cgit/openstack/keystone/plain/etc/keystone.conf.sample?h=stable/kilo"/>
                </programlisting>
    </section>
    <section xml:id="section_keystone-paste.ini">
        <title>keystone-paste.ini</title>
        <para>Use the <filename>keystone-paste.ini</filename> file to
            configure the Web Service Gateway Interface (WSGI)
            middleware pipeline for the Identity service.</para>
        <programlisting language="ini"><xi:include parse="text" href="https://git.openstack.org/cgit/openstack/keystone/plain/etc/keystone-paste.ini?h=stable/kilo"/>
             </programlisting>
    </section>
    <section xml:id="section_keystone-logging.conf">
        <title>logging.conf</title>
        <para>You can specify a special logging configuration file in
            the <filename>keystone.conf</filename> configuration file.
            For example,
                <filename>/etc/keystone/logging.conf</filename>.</para>
        <para>For details, see the (<link
                xlink:href="http://docs.python.org/2/howto/logging.html#configuring-logging"
                >Python logging module documentation</link>).</para>
        <programlisting language="ini"><xi:include parse="text" href="https://git.openstack.org/cgit/openstack/keystone/plain/etc/logging.conf.sample?h=stable/kilo"/>
             </programlisting>
    </section>
    <section xml:id="section_keystone-policy.json">
        <title>policy.json</title>
        <para>Use the <filename>policy.json</filename> file to define
            additional access controls that apply to the Identity
            service.</para>
        <programlisting language="json"><xi:include parse="text" href="https://git.openstack.org/cgit/openstack/keystone/plain/etc/policy.json?h=stable/kilo"/></programlisting>
    </section>
    <section xml:id="section_keystone-domain-configs">
        <title>Domain-specific configuration</title>
        <para>Identity enables you to configure domain-specific
            authentication drivers which allows a domain to have its
            own LDAP or SQL server.</para>
        <section xml:id="section_keystone-domain-configs-enable">
            <title>Enable domain-specific drivers</title>
          <para>By default, the option to configure domain-specific
            drivers is disabled. To enable domain-specific drivers,
            set these options in the <filename>keystone.conf</filename>
            file:</para>
        <programlisting language="ini">[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains</programlisting>
        <para>When you enable domain-specific drivers, Identity looks
            in the <option>domain_config_dir</option> directory for
            configuration files that are named as
            <filename>keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>.
            Any domain without a domain-specific configuration
            file uses options in the primary configuration file.</para>
         </section>
         <section xml:id="section_keystone-domain-config-options">
            <title>Domain-specific configuration file options</title>
          <para>Any options that you define in the domain-specific
            configuration file override options in the primary
            configuration file for the specified domain.</para>
          <para>Domains configured for the service user or project
            use the Identity API v3 to retrieve the service token.</para>
          <para>To configure the domain for the service user, set the
            following options in the [DEFAULT] section of the
            <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
            file:</para>
          <programlisting>admin_user_domain_id = <replaceable>USER_DOMAIN_ID</replaceable>
admin_user_domain_name = <replaceable>USER_DOMAIN_NAME</replaceable></programlisting>
          <para>Replace <replaceable>USER_DOMAIN_ID</replaceable> with
            the Identity service account user domain ID, and
            <replaceable>USER_DOMAIN_NAME</replaceable> with the Identity
            service account user domain name.</para>
          <para>To configure the domain for the project, set the
            following options in the [DEFAULT] section of the
            <filename>/etc/keystone/domains/keystone.<replaceable>DOMAIN_NAME</replaceable>.conf</filename>
            file:</para>
          <programlisting>admin_project_domain_id = <replaceable>PROJECT_DOMAIN_ID</replaceable>
admin_project_domain_name = <replaceable>PROJECT_DOMAIN_NAME</replaceable></programlisting>
          <para>Replace <replaceable>PROJECT_DOMAIN_ID</replaceable> with
            the Identity service account project domain ID, and
            <replaceable>PROJECT_DOMAIN_NAME</replaceable> with the
            Identity service account project domain name.</para>
        </section>
    </section>
</section>