386 lines
12 KiB
Plaintext
386 lines
12 KiB
Plaintext
[DEFAULT]
|
|
workers = 48
|
|
# A "shared secret" between keystone and other openstack services
|
|
# admin_token = ADMIN
|
|
admin_token = <REDACTED>
|
|
|
|
# The IP address of the network interface to listen on
|
|
# bind_host = 0.0.0.0
|
|
bind_host = 0.0.0.0
|
|
|
|
# The port number which the public service listens on
|
|
# public_port = 5000
|
|
public_port = 5000
|
|
|
|
# The port number which the public admin listens on
|
|
# admin_port = 35357
|
|
admin_port = 35357
|
|
|
|
# The base endpoint URLs for keystone that are advertised to clients
|
|
# (NOTE: this does NOT affect how keystone listens for connections)
|
|
# public_endpoint = http://localhost:%(public_port)d/
|
|
# admin_endpoint = http://localhost:%(admin_port)d/
|
|
|
|
# The number of worker processes to serve the public and admin WSGI
|
|
# applications respectively.
|
|
public_workers = 24
|
|
admin_workers = 24
|
|
|
|
|
|
# The port number which the OpenStack Compute service listens on
|
|
# compute_port = 8774
|
|
compute_port = 8774
|
|
|
|
# Path to your policy definition containing identity actions
|
|
# policy_file = policy.json
|
|
|
|
# Rule to check if no matching policy definition is found
|
|
# FIXME(dolph): This should really be defined as [policy] default_rule
|
|
# policy_default_rule = admin_required
|
|
|
|
# Role for migrating membership relationships
|
|
# During a SQL upgrade, the following values will be used to create a new role
|
|
# that will replace records in the user_tenant_membership table with explicit
|
|
# role grants. After migration, the member_role_id will be used in the API
|
|
# add_user_to_project, and member_role_name will be ignored.
|
|
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
|
|
# member_role_name = _member_
|
|
|
|
# === Logging Options ===
|
|
# Print debugging output
|
|
# (includes plaintext request logging, potentially including passwords)
|
|
debug = False
|
|
#debug = True
|
|
|
|
# debug = True
|
|
# Print more verbose output
|
|
verbose = False
|
|
#verbose = True
|
|
|
|
# Name of log file to output to. If not set, logging will go to stdout.
|
|
log_file = keystone.log
|
|
|
|
# The directory to keep log files in (will be prepended to --logfile)
|
|
log_dir = /var/log/keystone
|
|
|
|
# Use syslog for logging.
|
|
# use_syslog = False
|
|
use_syslog = False
|
|
|
|
# syslog facility to receive log lines
|
|
# syslog_log_facility = LOG_USER
|
|
|
|
# If this option is specified, the logging configuration file specified is
|
|
# used and overrides any other logging options specified. Please see the
|
|
# Python logging module documentation for details on logging configuration
|
|
# files.
|
|
# log_config = logging.conf
|
|
|
|
# A logging.Formatter log message format string which may use any of the
|
|
# available logging.LogRecord attributes.
|
|
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
|
|
|
|
# Format string for %(asctime)s in log records.
|
|
# log_date_format = %Y-%m-%d %H:%M:%S
|
|
|
|
# onready allows you to send a notification when the process is ready to serve
|
|
# For example, to have it notify using systemd, one could set shell command:
|
|
# onready = systemd-notify --ready
|
|
# or a module with notify() method:
|
|
# onready = keystone.common.systemd
|
|
|
|
[sql]
|
|
# The SQLAlchemy connection string used to connect to the database
|
|
# connection = sqlite:////var/lib/keystone/keystone.db
|
|
connection = mysql://keystone_admin:<REDACTED>@<CONTROLLER_IP>/keystone
|
|
# the timeout before idle sql connections are reaped
|
|
# idle_timeout = 200
|
|
idle_timeout = 200
|
|
|
|
[memcache]
|
|
servers = localhost:11211
|
|
# max_compare_and_set_retry = 16
|
|
|
|
[identity]
|
|
driver = keystone.identity.backends.sql.Identity
|
|
|
|
# This references the domain to use for all Identity API v2 requests (which are
|
|
# not aware of domains). A domain with this ID will be created for you by
|
|
# keystone-manage db_sync in migration 008. The domain referenced by this ID
|
|
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
|
|
# There is nothing special about this domain, other than the fact that it must
|
|
# exist to order to maintain support for your v2 clients.
|
|
# default_domain_id = default
|
|
|
|
[trust]
|
|
driver = keystone.trust.backends.sql.Trust
|
|
|
|
# delegation and impersonation features can be optionally disabled
|
|
# enabled = True
|
|
|
|
[catalog]
|
|
# dynamic, sql-based backend (supports API/CLI-based management commands)
|
|
driver = keystone.catalog.backends.sql.Catalog
|
|
|
|
# static, file-based backend (does *NOT* support any management commands)
|
|
# driver = keystone.catalog.backends.templated.TemplatedCatalog
|
|
|
|
# template_file = default_catalog.templates
|
|
|
|
[token]
|
|
#driver = keystone.token.backends.sql.Token
|
|
driver = keystone.token.backends.memcache.Token
|
|
|
|
# Amount of time a token should remain valid (in seconds)
|
|
#expiration = 86400
|
|
# shorter expiration keeps bloat down and performance up
|
|
# 10min pre patch. 1hr post patch.
|
|
expiration = 3600
|
|
|
|
#provider=keystone.token.providers.pki.Provider
|
|
provider=keystone.token.providers.uuid.Provider
|
|
|
|
# Token specific caching toggle. This has no effect unless the global caching
|
|
# option is set to True
|
|
# caching = True
|
|
# no point to caching tokens that are only stored in memcache
|
|
caching = False
|
|
# Token specific cache time-to-live (TTL) in seconds.
|
|
# cache_time =
|
|
# Revocation-List specific cache time-to-live (TTL) in seconds.
|
|
# revocation_cache_time = 3600
|
|
|
|
|
|
[cache]
|
|
# Global cache functionality toggle.
|
|
enabled = False
|
|
# enabled = True
|
|
# Prefix for building the configuration dictionary for the cache region. This
|
|
# should not need to be changed unless there is another dogpile.cache region
|
|
# with the same configuration name
|
|
# config_prefix = cache.keystone
|
|
|
|
# Default TTL, in seconds, for any cached item in the dogpile.cache region.
|
|
# This applies to any cached method that doesn't have an explicit cache
|
|
# expiration time defined for it.
|
|
# expiration_time = 600
|
|
|
|
# Dogpile.cache backend module. It is recommended that Memcache
|
|
# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
|
|
# deployments. Small workloads (single process) like devstack can use the
|
|
# dogpile.cache.memory backend.
|
|
# backend = keystone.common.cache.noop
|
|
#backend = dogpile.cache.memcache
|
|
backend = dogpile.cache.pylibmc
|
|
# Arguments supplied to the backend module. Specify this option once per
|
|
# argument to be passed to the dogpile.cache backend.
|
|
# Example format: <argname>:<value>
|
|
# backend_argument =
|
|
backend_argument = url:127.0.0.1
|
|
|
|
# Proxy Classes to import that will affect the way the dogpile.cache backend
|
|
# functions. See the dogpile.cache documentation on changing-backend-behavior.
|
|
# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
|
|
# proxies =
|
|
|
|
# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
|
|
# is toggle-able for debugging purposes, it is highly recommended to always
|
|
# leave this set to True.
|
|
# use_key_mangler = True
|
|
|
|
# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
|
|
# This is only really useful if you need to see the specific cache-backend
|
|
# get/set/delete calls with the keys/values. Typically this should be left
|
|
# set to False.
|
|
# debug_cache_backend = False
|
|
|
|
|
|
[policy]
|
|
driver = keystone.policy.backends.sql.Policy
|
|
|
|
[ec2]
|
|
driver = keystone.contrib.ec2.backends.sql.Ec2
|
|
|
|
[ssl]
|
|
#enable = True
|
|
#certfile = /etc/keystone/ssl/certs/keystone.pem
|
|
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
|
|
#ca_certs = /etc/keystone/ssl/certs/ca.pem
|
|
#cert_required = True
|
|
|
|
[signing]
|
|
#token_format = PKI
|
|
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
|
|
#keyfile = /etc/keystone/ssl/private/signing_key.pem
|
|
#ca_certs = /etc/keystone/ssl/certs/ca.pem
|
|
#key_size = 1024
|
|
#valid_days = 3650
|
|
#ca_password = None
|
|
|
|
[ldap]
|
|
# url = ldap://localhost
|
|
# user = dc=Manager,dc=example,dc=com
|
|
# password = None
|
|
# suffix = cn=example,cn=com
|
|
# use_dumb_member = False
|
|
# allow_subtree_delete = False
|
|
# dumb_member = cn=dumb,dc=example,dc=com
|
|
|
|
# Maximum results per page; a value of zero ('0') disables paging (default)
|
|
# page_size = 0
|
|
|
|
# The LDAP dereferencing option for queries. This can be either 'never',
|
|
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
|
|
# back to using default dereferencing configured by your ldap.conf.
|
|
# alias_dereferencing = default
|
|
|
|
# The LDAP scope for queries, this can be either 'one'
|
|
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
|
|
# query_scope = one
|
|
|
|
# user_tree_dn = ou=Users,dc=example,dc=com
|
|
# user_filter =
|
|
# user_objectclass = inetOrgPerson
|
|
# user_domain_id_attribute = businessCategory
|
|
# user_id_attribute = cn
|
|
# user_name_attribute = sn
|
|
# user_mail_attribute = email
|
|
# user_pass_attribute = userPassword
|
|
# user_enabled_attribute = enabled
|
|
# user_enabled_mask = 0
|
|
# user_enabled_default = True
|
|
# user_attribute_ignore = tenant_id,tenants
|
|
# user_allow_create = True
|
|
# user_allow_update = True
|
|
# user_allow_delete = True
|
|
# user_enabled_emulation = False
|
|
# user_enabled_emulation_dn =
|
|
|
|
# tenant_tree_dn = ou=Groups,dc=example,dc=com
|
|
# tenant_filter =
|
|
# tenant_objectclass = groupOfNames
|
|
# tenant_domain_id_attribute = businessCategory
|
|
# tenant_id_attribute = cn
|
|
# tenant_member_attribute = member
|
|
# tenant_name_attribute = ou
|
|
# tenant_desc_attribute = desc
|
|
# tenant_enabled_attribute = enabled
|
|
# tenant_attribute_ignore =
|
|
# tenant_allow_create = True
|
|
# tenant_allow_update = True
|
|
# tenant_allow_delete = True
|
|
# tenant_enabled_emulation = False
|
|
# tenant_enabled_emulation_dn =
|
|
|
|
# role_tree_dn = ou=Roles,dc=example,dc=com
|
|
# role_filter =
|
|
# role_objectclass = organizationalRole
|
|
# role_id_attribute = cn
|
|
# role_name_attribute = ou
|
|
# role_member_attribute = roleOccupant
|
|
# role_attribute_ignore =
|
|
# role_allow_create = True
|
|
# role_allow_update = True
|
|
# role_allow_delete = True
|
|
|
|
# group_tree_dn =
|
|
# group_filter =
|
|
# group_objectclass = groupOfNames
|
|
# group_id_attribute = cn
|
|
# group_name_attribute = ou
|
|
# group_member_attribute = member
|
|
# group_desc_attribute = desc
|
|
# group_attribute_ignore =
|
|
# group_allow_create = True
|
|
# group_allow_update = True
|
|
# group_allow_delete = True
|
|
|
|
[auth]
|
|
methods = password,token
|
|
password = keystone.auth.plugins.password.Password
|
|
token = keystone.auth.plugins.token.Token
|
|
|
|
[filter:debug]
|
|
paste.filter_factory = keystone.common.wsgi:Debug.factory
|
|
|
|
[filter:token_auth]
|
|
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
|
|
|
|
[filter:admin_token_auth]
|
|
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
|
|
|
|
[filter:xml_body]
|
|
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
|
|
|
|
[filter:json_body]
|
|
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
|
|
|
|
[filter:user_crud_extension]
|
|
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
|
|
|
|
[filter:crud_extension]
|
|
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
|
|
|
|
[filter:ec2_extension]
|
|
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
|
|
|
|
[filter:s3_extension]
|
|
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
|
|
|
|
[filter:url_normalize]
|
|
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
|
|
|
|
[filter:sizelimit]
|
|
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
|
|
|
|
[filter:stats_monitoring]
|
|
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
|
|
|
|
[filter:stats_reporting]
|
|
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
|
|
|
|
[filter:access_log]
|
|
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
|
|
|
|
[app:public_service]
|
|
paste.app_factory = keystone.service:public_app_factory
|
|
|
|
[app:service_v3]
|
|
paste.app_factory = keystone.service:v3_app_factory
|
|
|
|
[app:admin_service]
|
|
paste.app_factory = keystone.service:admin_app_factory
|
|
|
|
[pipeline:public_api]
|
|
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
|
|
|
|
[pipeline:admin_api]
|
|
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
|
|
|
|
[pipeline:api_v3]
|
|
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
|
|
|
|
[app:public_version_service]
|
|
paste.app_factory = keystone.service:public_version_app_factory
|
|
|
|
[app:admin_version_service]
|
|
paste.app_factory = keystone.service:admin_version_app_factory
|
|
|
|
[pipeline:public_version_api]
|
|
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service
|
|
|
|
[pipeline:admin_version_api]
|
|
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service
|
|
|
|
[composite:main]
|
|
use = egg:Paste#urlmap
|
|
/v2.0 = public_api
|
|
/v3 = api_v3
|
|
/ = public_version_api
|
|
|
|
[composite:admin]
|
|
use = egg:Paste#urlmap
|
|
/v2.0 = admin_api
|
|
/v3 = api_v3
|
|
/ = admin_version_api
|