2621bcb92f
The tables of modified/new/deprecated options are automatically generated using the diff_branches.py script (https://review.openstack.org/97620). This commit handles the havana->icehouse changes so that it can be easily backported to stable/icehouse. It can be updated for each milestone to document the latest changes. Change-Id: I4821be3ce72b2ab69b81e89d5584334b77e7a098 backport: icehouse
<?xml version='1.0' encoding='UTF-8'?>
|
|
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="keystone-conf-changes-icehouse">
|
|
<!-- Warning: Do not edit this file. It is automatically generated and your changes will be overwritten. The tool to do so lives in the openstack-doc-tools repository. -->
|
|
<title>New, updated and deprecated options for keystone</title>
|
|
<table>
|
|
<caption>New options</caption>
|
|
<col width="50%"/>
|
|
<col width="50%"/>
|
|
<thead>
|
|
<tr>
|
|
<td>Option = default value</td>
|
|
<td>(Type) Help string</td>
|
|
</tr>
|
|
</thead>
|
|
<tr>
|
|
<td>admin_bind_host = 0.0.0.0</td>
|
|
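<td>(StrOpt) The IP address of the network interface for the admin service to listen on. The default, 0.0.0.0, listens on every interface; set a specific management-network address to limit where the admin API is reachable.</td>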
|
|
</tr>
|
|
<tr>
|
|
<td>domain_id_immutable = True</td>
|
|
<td>(BoolOpt) Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their domain_id. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see policy.v3cloudsample as an example).</td>
|
|
</tr>
|
|
<tr>
|
|
<td>host = 127.0.0.1</td>
|
|
<td>(StrOpt) Host to locate redis.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>keystone_ec2_cafile = None</td>
|
|
<td>(StrOpt) A PEM encoded certificate authority to use when verifying HTTPS connections. Defaults to the system CAs.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>keystone_ec2_certfile = None</td>
|
|
<td>(StrOpt) Client certificate key filename. Required if EC2 server requires client certificate.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>keystone_ec2_insecure = False</td>
|
|
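<td>(BoolOpt) Disable SSL certificate verification. With verification disabled, the identity of the server at keystone_ec2_url is not checked, so the connection can be intercepted; keep the default of False outside of test environments.</td>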
|
|
</tr>
|
|
<tr>
|
|
<td>keystone_ec2_keyfile = None</td>
|
|
<td>(StrOpt) Required if EC2 server requires client certificate.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>keystone_ec2_url = http://localhost:5000/v2.0/ec2tokens</td>
|
|
<td>(StrOpt) URL to get token from ec2 request.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>kombu_reconnect_delay = 1.0</td>
|
|
<td>(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>list_limit = None</td>
|
|
<td>(IntOpt) The maximum number of entities that will be returned in a collection can be set with list_limit, with no limit set by default. This global limit may then be overridden for a specific driver by specifying a list_limit in the appropriate section (e.g. [assignment]).</td>
|
|
</tr>
|
|
<tr>
|
|
<td>log_config_append = None</td>
|
|
<td>(StrOpt) The name of a logging configuration file. It does not disable existing loggers, but just appends the specified logging configuration to any other existing logging options. Please see the Python logging module documentation for details on logging configuration files.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>password = None</td>
|
|
<td>(StrOpt) Password for Redis server (optional).</td>
|
|
</tr>
|
|
<tr>
|
|
<td>port = 6379</td>
|
|
<td>(IntOpt) Use this port to connect to redis host.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>public_bind_host = 0.0.0.0</td>
|
|
<td>(StrOpt) The IP address of the network interface for the public service to listen on.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>rabbit_login_method = AMQPLAIN</td>
|
|
<td>(StrOpt) The RabbitMQ login method.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tcp_keepalive = False</td>
|
|
<td>(BoolOpt) Set this to True if you want to enable TCP_KEEPALIVE on server sockets, i.e. sockets used by the keystone wsgi server for client connections.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>tcp_keepidle = 600</td>
|
|
<td>(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only applies if tcp_keepalive is True. Not supported on OS X.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>transport_url = None</td>
|
|
<td>(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>use_syslog_rfc_format = False</td>
|
|
<td>(BoolOpt) (Optional) Use syslog rfc5424 format for logging. If enabled, will add APP-NAME (RFC5424) before the MSG part of the syslog message. The old format without APP-NAME is deprecated in I (Icehouse), and will be removed in J (Juno).</td>
|
|
</tr>
|
|
<tr>
|
|
<td>assignment/list_limit = None</td>
|
|
<td>(IntOpt) Maximum number of entities that will be returned in an assignment collection.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>audit/namespace = openstack</td>
|
|
<td>(StrOpt) namespace prefix for generated id</td>
|
|
</tr>
|
|
<tr>
|
|
<td>catalog/list_limit = None</td>
|
|
<td>(IntOpt) Maximum number of entities that will be returned in a catalog collection.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/db_inc_retry_interval = True</td>
|
|
<td>(BoolOpt) Whether to increase interval between db connection retries, up to db_max_retry_interval</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/db_max_retries = 20</td>
|
|
<td>(IntOpt) maximum db connection retries before error is raised. (setting -1 implies an infinite retry count)</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/db_max_retry_interval = 10</td>
|
|
<td>(IntOpt) max seconds between db connection retries, if db_inc_retry_interval is enabled</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/db_retry_interval = 1</td>
|
|
<td>(IntOpt) seconds between db connection retries</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/mysql_sql_mode = TRADITIONAL</td>
|
|
<td>(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/sqlite_db = keystone.sqlite</td>
|
|
<td>(StrOpt) The file name to use with SQLite</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/sqlite_synchronous = True</td>
|
|
<td>(BoolOpt) If True, SQLite uses synchronous mode</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/use_db_reconnect = False</td>
|
|
<td>(BoolOpt) Enable the experimental use of database reconnect on connection lost</td>
|
|
</tr>
|
|
<tr>
|
|
<td>federation/assertion_prefix = </td>
|
|
<td>(StrOpt) Value to be used when filtering assertion parameters from the environment.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>federation/driver = keystone.contrib.federation.backends.sql.Federation</td>
|
|
<td>(StrOpt) Keystone Federation backend driver.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>identity/list_limit = None</td>
|
|
<td>(IntOpt) Maximum number of entities that will be returned in an identity collection.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>kvs/backends = []</td>
|
|
<td>(ListOpt) Extra dogpile.cache backend modules to register with the dogpile.cache library.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>kvs/config_prefix = keystone.kvs</td>
|
|
<td>(StrOpt) Prefix for building the configuration dictionary for the KVS region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>kvs/default_lock_timeout = 5</td>
|
|
<td>(IntOpt) Default lock timeout for distributed locking.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>kvs/enable_key_mangler = True</td>
|
|
<td>(BoolOpt) Toggle to disable using a key-mangling function to ensure fixed length keys. This is toggle-able for debugging purposes; it is highly recommended to always leave this set to True.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/chase_referrals = None</td>
|
|
<td>(BoolOpt) Override the system's default referral chasing behavior for queries.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>policy/list_limit = None</td>
|
|
<td>(IntOpt) Maximum number of entities that will be returned in a policy collection.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>revoke/caching = True</td>
|
|
<td>(BoolOpt) Toggle for revocation event caching. This has no effect unless global caching is enabled.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>revoke/driver = keystone.contrib.revoke.backends.kvs.Revoke</td>
|
|
<td>(StrOpt) An implementation of the backend for persisting revocation events.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>revoke/expiration_buffer = 1800</td>
|
|
<td>(IntOpt) This value (calculated in seconds) is added to token expiration before a revocation event may be removed from the backend.</td>
|
|
</tr>
|
|
<tr>
|
|
<td>token/revoke_by_id = True</td>
|
|
<td>(BoolOpt) Revoke token by token identifier. Setting revoke_by_id to True enables various forms of enumerating tokens, e.g. `list tokens for user`. These enumerations are processed to determine the list of tokens to revoke. Only disable if you are switching to using the Revoke extension with a backend other than KVS, which stores events in memory.</td>
|
|
</tr>
|
|
</table>
|
|
<table>
|
|
<caption>New default values</caption>
|
|
<col width="33%"/>
|
|
<col width="33%"/>
|
|
<col width="33%"/>
|
|
<thead>
|
|
<tr>
|
|
<td>Option</td>
|
|
<td>Previous default value</td>
|
|
<td>New default value</td>
|
|
</tr>
|
|
</thead>
|
|
<tr>
|
|
<td>admin_endpoint</td>
|
|
<td>http://localhost:%(admin_port)s/</td>
|
|
<td>None</td>
|
|
</tr>
|
|
<tr>
|
|
<td>default_log_levels</td>
|
|
<td>amqplib=WARN, sqlalchemy=WARN, boto=WARN, suds=INFO, keystone=INFO, eventlet.wsgi.server=WARN</td>
|
|
<td>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN</td>
|
|
</tr>
|
|
<tr>
|
|
<td>logging_context_format_string</td>
|
|
<td>%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s</td>
|
|
<td>%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s</td>
|
|
</tr>
|
|
<tr>
|
|
<td>public_endpoint</td>
|
|
<td>http://localhost:%(public_port)s/</td>
|
|
<td>None</td>
|
|
</tr>
|
|
<tr>
|
|
<td>rpc_zmq_matchmaker</td>
|
|
<td>keystone.openstack.common.rpc.matchmaker.MatchMakerLocalhost</td>
|
|
<td>oslo.messaging._drivers.matchmaker.MatchMakerLocalhost</td>
|
|
</tr>
|
|
<tr>
|
|
<td>auth/external</td>
|
|
<td>keystone.auth.plugins.external.ExternalDefault</td>
|
|
<td>keystone.auth.plugins.external.DefaultDomain</td>
|
|
</tr>
|
|
<tr>
|
|
<td>database/connection</td>
|
|
<td>sqlite:////home/gauvain/sources/openstack/openstack-doc-tools/autogenerate_config_docs/sources/keystone/keystone/openstack/common/db/$sqlite_db</td>
|
|
<td>None</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/group_additional_attribute_mapping</td>
|
|
<td>None</td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/group_attribute_ignore</td>
|
|
<td></td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/role_additional_attribute_mapping</td>
|
|
<td>None</td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/role_attribute_ignore</td>
|
|
<td></td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/tenant_additional_attribute_mapping</td>
|
|
<td>None</td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/tenant_attribute_ignore</td>
|
|
<td></td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/user_additional_attribute_mapping</td>
|
|
<td>None</td>
|
|
<td></td>
|
|
</tr>
|
|
<tr>
|
|
<td>ldap/user_attribute_ignore</td>
|
|
<td>default_project_id,tenants</td>
|
|
<td>default_project_id, tenants</td>
|
|
</tr>
|
|
<tr>
|
|
<td>memcache/servers</td>
|
|
<td>localhost:11211</td>
|
|
<td>localhost:11211</td>
|
|
</tr>
|
|
<tr>
|
|
<td>paste_deploy/config_file</td>
|
|
<td>None</td>
|
|
<td>keystone-paste.ini</td>
|
|
</tr>
|
|
<tr>
|
|
<td>signing/ca_key</td>
|
|
<td>/etc/keystone/ssl/certs/cakey.pem</td>
|
|
<td>/etc/keystone/ssl/private/cakey.pem</td>
|
|
</tr>
|
|
<tr>
|
|
<td>ssl/ca_key</td>
|
|
<td>/etc/keystone/ssl/certs/cakey.pem</td>
|
|
<td>/etc/keystone/ssl/private/cakey.pem</td>
|
|
</tr>
|
|
<tr>
|
|
<td>token/expiration</td>
|
|
<td>86400</td>
|
|
<td>3600</td>
|
|
</tr>
|
|
</table>
|
|
<table>
|
|
<caption>Deprecated options</caption>
|
|
<col width="50%"/>
|
|
<col width="50%"/>
|
|
<thead>
|
|
<tr>
|
|
<td>Deprecated option</td>
|
|
<td>New Option</td>
|
|
</tr>
|
|
</thead>
|
|
<tr>
|
|
<td>bind_host</td>
|
|
<td>admin_bind_host</td>
|
|
</tr>
|
|
<tr>
|
|
<td>log_config</td>
|
|
<td>log_config_append</td>
|
|
</tr>
|
|
<tr>
|
|
<td>rpc_notifier2/topics</td>
|
|
<td>notification_topics</td>
|
|
</tr>
|
|
<tr>
|
|
<td>sql/connection</td>
|
|
<td>database/connection</td>
|
|
</tr>
|
|
<tr>
|
|
<td>sql/idle_timeout</td>
|
|
<td>database/idle_timeout</td>
|
|
</tr>
|
|
<tr>
|
|
<td>bind_host</td>
|
|
<td>public_bind_host</td>
|
|
</tr>
|
|
</table>
|
|
</section>
|