openstack-manuals/doc/common/tables/keystone-api.xml
Gauvain Pocentek a6d957b61e [config-ref] Updated options for keystone
Change-Id: Ia878d852d1b7ccde4be3c7618dd1607eec3d7af9
2015-07-15 06:39:27 +02:00

173 lines
9.9 KiB
XML

<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
<!-- Warning: Do not edit this file. It is automatically
generated and your changes will be overwritten.
The tool to do so lives in openstack-doc-tools repository. -->
<table rules="all" xml:id="config_table_keystone_api">
<caption>Description of API configuration options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<th>Configuration option = Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[DEFAULT]</th>
</tr>
<tr>
<td><option>admin_endpoint</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:35357/v3/users will default to http://server:35357. You should only need to set this value if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found on a different server.</td>
</tr>
<tr>
<td><option>admin_token</option> = <replaceable>ADMIN</replaceable></td>
<td>(StrOpt) A "shared secret" that can be used to bootstrap Keystone. This "token" does not represent a user, and carries no explicit authorization. To disable in production (highly recommended), remove AdminTokenAuthMiddleware from your paste application pipelines (for example, in keystone-paste.ini).</td>
</tr>
<tr>
<td><option>domain_id_immutable</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their domain_id. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see policy.v3cloudsample as an example).</td>
</tr>
<tr>
<td><option>list_limit</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The maximum number of entities that will be returned in a collection, with no limit set by default. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (e.g. [assignment]).</td>
</tr>
<tr>
<td><option>max_param_size</option> = <replaceable>64</replaceable></td>
<td>(IntOpt) Limit the sizes of user &amp; project ID/names.</td>
</tr>
<tr>
<td><option>max_project_tree_depth</option> = <replaceable>5</replaceable></td>
<td>(IntOpt) Maximum depth of the project hierarchy. WARNING: setting it to a large value may adversely impact performance.</td>
</tr>
<tr>
<td><option>max_token_size</option> = <replaceable>8192</replaceable></td>
<td>(IntOpt) Similar to max_param_size, but provides an exception for token values.</td>
</tr>
<tr>
<td><option>member_role_id</option> = <replaceable>9fe2ff9ee4384b1894a90878d3e92bab</replaceable></td>
<td>(StrOpt) Similar to the member_role_name option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API.</td>
</tr>
<tr>
<td><option>member_role_name</option> = <replaceable>_member_</replaceable></td>
<td>(StrOpt) This is the role name used in combination with the member_role_id option; see that option for more detail.</td>
</tr>
<tr>
<td><option>public_endpoint</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:5000/v3/users will default to http://server:5000. You should only need to set this value if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found on a different server.</td>
</tr>
<tr>
<td><option>secure_proxy_ssl_header</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. Typical value is "HTTP_X_FORWARDED_PROTO".</td>
</tr>
<tr>
<td><option>strict_password_check</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length.</td>
</tr>
<tr>
<th colspan="2">[endpoint_filter]</th>
</tr>
<tr>
<td><option>driver</option> = <replaceable>sql</replaceable></td>
<td>(StrOpt) Entrypoint for the endpoint filter backend driver in the keystone.endpoint_filter namespace.</td>
</tr>
<tr>
<td><option>return_all_endpoints_if_no_filter</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle to return all active endpoints if no filter exists.</td>
</tr>
<tr>
<th colspan="2">[endpoint_policy]</th>
</tr>
<tr>
<td><option>driver</option> = <replaceable>sql</replaceable></td>
<td>(StrOpt) Entrypoint for the endpoint policy backend driver in the keystone.endpoint_policy namespace.</td>
</tr>
<tr>
<td><option>enabled</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Enable endpoint_policy functionality.</td>
</tr>
<tr>
<th colspan="2">[eventlet_server]</th>
</tr>
<tr>
<td><option>admin_bind_host</option> = <replaceable>0.0.0.0</replaceable></td>
<td>(StrOpt) The IP address of the network interface for the admin service to listen on.</td>
</tr>
<tr>
<td><option>admin_port</option> = <replaceable>35357</replaceable></td>
<td>(IntOpt) The port number which the admin service listens on.</td>
</tr>
<tr>
<td><option>admin_workers</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The number of worker processes to serve the admin eventlet application. Defaults to number of CPUs (minimum of 2).</td>
</tr>
<tr>
<td><option>client_socket_timeout</option> = <replaceable>900</replaceable></td>
<td>(IntOpt) Timeout for socket operations on a client connection. If an incoming connection is idle for this number of seconds it will be closed. A value of '0' means wait forever.</td>
</tr>
<tr>
<td><option>public_bind_host</option> = <replaceable>0.0.0.0</replaceable></td>
<td>(StrOpt) The IP address of the network interface for the public service to listen on.</td>
</tr>
<tr>
<td><option>public_port</option> = <replaceable>5000</replaceable></td>
<td>(IntOpt) The port number which the public service listens on.</td>
</tr>
<tr>
<td><option>public_workers</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The number of worker processes to serve the public eventlet application. Defaults to number of CPUs (minimum of 2).</td>
</tr>
<tr>
<td><option>tcp_keepalive</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. sockets used by the Keystone wsgi server for client connections.</td>
</tr>
<tr>
<td><option>tcp_keepidle</option> = <replaceable>600</replaceable></td>
<td>(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only applies if tcp_keepalive is true.</td>
</tr>
<tr>
<td><option>wsgi_keep_alive</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) If set to false, disables keepalives on the server; all connections will be closed after serving one request.</td>
</tr>
<tr>
<th colspan="2">[oslo_middleware]</th>
</tr>
<tr>
<td><option>max_request_body_size</option> = <replaceable>114688</replaceable></td>
<td>(IntOpt) The maximum body size for each request, in bytes.</td>
</tr>
<tr>
<td><option>secure_proxy_ssl_header</option> = <replaceable>X-Forwarded-Proto</replaceable></td>
<td>(StrOpt) The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by an SSL termination proxy.</td>
</tr>
<tr>
<th colspan="2">[paste_deploy]</th>
</tr>
<tr>
<td><option>config_file</option> = <replaceable>keystone-paste.ini</replaceable></td>
<td>(StrOpt) Name of the paste configuration file that defines the available pipelines.</td>
</tr>
<tr>
<th colspan="2">[resource]</th>
</tr>
<tr>
<td><option>cache_time</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) TTL (in seconds) to cache resource data. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>caching</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle for resource caching. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>driver</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Entrypoint for the resource backend driver in the keystone.resource namespace. If a resource driver is not specified, the assignment driver will choose the resource driver.</td>
</tr>
<tr>
<td><option>list_limit</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) Maximum number of entities that will be returned in a resource collection.</td>
</tr>
</tbody>
</table>
</para>