openstack-manuals/doc/config-reference/conf-changes/keystone.xml

<?xml version='1.0' encoding='UTF-8'?>
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="keystone-conf-changes-liberty">
  <!-- Warning: Do not edit this file. It is automatically generated and your changes will be overwritten. The tool to do so lives in the openstack-doc-tools repository. -->
  <title>New, updated and deprecated options in Liberty for OpenStack Identity</title>
  <table>
    <caption>New options</caption>
    <col width="50%"/>
    <col width="50%"/>
    <thead>
      <tr>
        <td>Option = default value</td>
        <td>(Type) Help string</td>
      </tr>
    </thead>
    <tr>
      <td>[DEFAULT] executor_thread_pool_size = 64</td>
      <td>(IntOpt) Size of executor thread pool.</td>
    </tr>
    <tr>
      <td>[DEFAULT] rpc_conn_pool_size = 30</td>
      <td>(IntOpt) Size of RPC connection pool.</td>
    </tr>
    <tr>
      <td>[cors] allow_credentials = True</td>
      <td>(BoolOpt) Indicate that the actual request can include user credentials</td>
    </tr>
    <tr>
      <td>[cors] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
      <td>(ListOpt) Indicate which header field names may be used during the actual request.</td>
    </tr>
    <tr>
      <td>[cors] allow_methods = GET, POST, PUT, DELETE, OPTIONS</td>
      <td>(ListOpt) Indicate which methods can be used during the actual request.</td>
    </tr>
    <tr>
      <td>[cors] allowed_origin = None</td>
      <td>(StrOpt) Indicate whether this resource may be shared with the domain received in the requests "origin" header.</td>
    </tr>
    <tr>
      <td>[cors] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
      <td>(ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.</td>
    </tr>
    <tr>
      <td>[cors] max_age = 3600</td>
      <td>(IntOpt) Maximum cache age of CORS preflight requests.</td>
    </tr>
    <tr>
      <td>[cors.subdomain] allow_credentials = True</td>
      <td>(BoolOpt) Indicate that the actual request can include user credentials</td>
    </tr>
    <tr>
      <td>[cors.subdomain] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
      <td>(ListOpt) Indicate which header field names may be used during the actual request.</td>
    </tr>
    <tr>
      <td>[cors.subdomain] allow_methods = GET, POST, PUT, DELETE, OPTIONS</td>
      <td>(ListOpt) Indicate which methods can be used during the actual request.</td>
    </tr>
    <tr>
      <td>[cors.subdomain] allowed_origin = None</td>
      <td>(StrOpt) Indicate whether this resource may be shared with the domain received in the requests "origin" header.</td>
    </tr>
    <tr>
      <td>[cors.subdomain] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
      <td>(ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.</td>
    </tr>
    <tr>
      <td>[cors.subdomain] max_age = 3600</td>
      <td>(IntOpt) Maximum cache age of CORS preflight requests.</td>
    </tr>
    <tr>
      <td>[endpoint_policy] enabled = True</td>
      <td>(BoolOpt) Enable endpoint_policy functionality.</td>
    </tr>
    <tr>
      <td>[oslo_messaging_qpid] send_single_reply = False</td>
      <td>(BoolOpt) Send a single AMQP reply to call message. The current behaviour since oslo-incubator is to send two AMQP replies - first one with the payload, a second one to ensure the other have finish to send the payload. We are going to remove it in the N release, but we must keep backward compatible at the same time. This option provides such compatibility - it defaults to False in Liberty and can be turned on for early adopters with a new installations or for testing. Please note, that this option will be removed in M release.</td>
    </tr>
    <tr>
      <td>[oslo_messaging_rabbit] kombu_reconnect_timeout = 60</td>
      <td>(IntOpt) How long to wait before considering a reconnect attempt to have failed. This value should not be longer than rpc_response_timeout.</td>
    </tr>
    <tr>
      <td>[oslo_messaging_rabbit] send_single_reply = False</td>
      <td>(BoolOpt) Send a single AMQP reply to call message. The current behaviour since oslo-incubator is to send two AMQP replies - first one with the payload, a second one to ensure the other have finish to send the payload. We are going to remove it in the N release, but we must keep backward compatible at the same time. This option provides such compatibility - it defaults to False in Liberty and can be turned on for early adopters with a new installations or for testing. Please note, that this option will be removed in M release.</td>
    </tr>
    <tr>
      <td>[oslo_middleware] secure_proxy_ssl_header = X-Forwarded-Proto</td>
      <td>(StrOpt) The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by an SSL termination proxy.</td>
    </tr>
  </table>
  <table>
    <caption>New default values</caption>
    <col width="33%"/>
    <col width="33%"/>
    <col width="33%"/>
    <thead>
      <tr>
        <td>Option</td>
        <td>Previous default value</td>
        <td>New default value</td>
      </tr>
    </thead>
    <tr>
      <td>[DEFAULT] crypt_strength</td>
      <td>40000</td>
      <td>10000</td>
    </tr>
    <tr>
      <td>[DEFAULT] default_log_levels</td>
      <td>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN</td>
      <td>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN</td>
    </tr>
    <tr>
      <td>[DEFAULT] logging_exception_prefix</td>
      <td>%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s</td>
      <td>%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s</td>
    </tr>
    <tr>
      <td>[DEFAULT] use_syslog_rfc_format</td>
      <td>False</td>
      <td>True</td>
    </tr>
    <tr>
      <td>[DEFAULT] verbose</td>
      <td>False</td>
      <td>True</td>
    </tr>
    <tr>
      <td>[auth] external</td>
      <td>keystone.auth.plugins.external.DefaultDomain</td>
      <td>None</td>
    </tr>
    <tr>
      <td>[auth] oauth1</td>
      <td>keystone.auth.plugins.oauth1.OAuth</td>
      <td>None</td>
    </tr>
    <tr>
      <td>[auth] password</td>
      <td>keystone.auth.plugins.password.Password</td>
      <td>None</td>
    </tr>
    <tr>
      <td>[auth] token</td>
      <td>keystone.auth.plugins.token.Token</td>
      <td>None</td>
    </tr>
    <tr>
      <td>[catalog] driver</td>
      <td>keystone.catalog.backends.sql.Catalog</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[credential] driver</td>
      <td>keystone.credential.backends.sql.Credential</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[domain_config] driver</td>
      <td>keystone.resource.config_backends.sql.DomainConfig</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[endpoint_filter] driver</td>
      <td>keystone.contrib.endpoint_filter.backends.sql.EndpointFilter</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[endpoint_policy] driver</td>
      <td>keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[federation] driver</td>
      <td>keystone.contrib.federation.backends.sql.Federation</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[identity] driver</td>
      <td>keystone.identity.backends.sql.Identity</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[identity_mapping] driver</td>
      <td>keystone.identity.mapping_backends.sql.Mapping</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[identity_mapping] generator</td>
      <td>keystone.identity.id_generators.sha256.Generator</td>
      <td>sha256</td>
    </tr>
    <tr>
      <td>[oauth1] driver</td>
      <td>keystone.contrib.oauth1.backends.sql.OAuth1</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[oslo_messaging_rabbit] heartbeat_timeout_threshold</td>
      <td>0</td>
      <td>60</td>
    </tr>
    <tr>
      <td>[policy] driver</td>
      <td>keystone.policy.backends.sql.Policy</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[revoke] driver</td>
      <td>keystone.contrib.revoke.backends.sql.Revoke</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[token] driver</td>
      <td>keystone.token.persistence.backends.sql.Token</td>
      <td>sql</td>
    </tr>
    <tr>
      <td>[token] provider</td>
      <td>keystone.token.providers.uuid.Provider</td>
      <td>uuid</td>
    </tr>
    <tr>
      <td>[trust] driver</td>
      <td>keystone.trust.backends.sql.Trust</td>
      <td>sql</td>
    </tr>
  </table>
  <table>
    <caption>Deprecated options</caption>
    <col width="50%"/>
    <col width="50%"/>
    <thead>
      <tr>
        <td>Deprecated option</td>
        <td>New Option</td>
      </tr>
    </thead>
    <tr>
      <td>[DEFAULT] use_syslog</td>
      <td>None</td>
    </tr>
    <tr>
      <td>[DEFAULT] log_format</td>
      <td>None</td>
    </tr>
    <tr>
      <td>[DEFAULT] rpc_thread_pool_size</td>
      <td>[DEFAULT] executor_thread_pool_size</td>
    </tr>
  </table>
</section>