[stack@os11 devstack]$ cat /etc/keystone/keystone.conf
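[DEFAULT]
# Active overrides for this deployment (the shell prompt suggests a devstack
# host). The generated reference options follow, commented out with their
# defaults; only the uncommented keys below change keystone's behaviour.

# NOTE(review): 16384 is double the 8192 ceiling that the max_token_size
# reference note below gives for PKI tokens ("any higher, and other HTTP
# implementations may break"); confirm the token provider in use before
# keeping this value.
max_token_size = 16384
# Overrides the default prefix (see the oslo.log reference below) so that
# exception lines are tagged TRACE rather than ERROR.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# Raises the log level to DEBUG instead of INFO (see the oslo.log reference
# below). Note that `insecure_debug` is left at its default of false.
debug = True
# NOTE(review): both advertised endpoints are plain http. Anything a client
# sends to them, including X-Auth-Token headers, travels unencrypted unless
# TLS is terminated in front of keystone; fine for a lab, not beyond it.
admin_endpoint = http://10.1.190.11/identity_v2_admin
public_endpoint = http://10.1.190.11/identity
# NOTE(review): embeds the RabbitMQ password in plain text. Keep this file
# readable only by the keystone service user, and treat the credential as
# exposed wherever the file is copied or pasted (as it has been here).
transport_url = rabbit://stackrabbit:ashish@10.1.190.11:5672/

#
# From keystone
#

# Using this feature is *NOT* recommended. Instead, use the `keystone-manage
# bootstrap` command. The value of this option is treated as a "shared secret"
# that can be used to bootstrap Keystone through the API. This "token" does not
# represent a user (it has no identity), and carries no explicit authorization
# (it effectively bypasses most authorization checks). If set to `None`, the
# value is ignored and the `admin_token` middleware is effectively disabled.
# However, to completely disable `admin_token` in production (highly
# recommended, as it presents a security risk), remove
# `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste
# application pipelines (for example, in `keystone-paste.ini`). (string value)
#admin_token = <None>

# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
# to the base host URL of the request. For example, if keystone receives a
# request to `http://server:5000/v3/users`, then this option will be
# automatically treated as `http://server:5000`. You should only need to set
# this option if either the value of the base URL contains a path that keystone
# does not automatically infer (`/prefix/v3`), or if the endpoint should be
# found on a different host. (string value)
#public_endpoint = <None>

# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
# this does NOT affect how Keystone listens for connections). Defaults to the
# base host URL of the request. For example, if keystone receives a request to
# `http://server:35357/v3/users`, then this option will be automatically
# treated as `http://server:35357`. You should only need to set this option if
# either the value of the base URL contains a path that keystone does not
# automatically infer (`/prefix/v3`), or if the endpoint should be found on a
# different host. (string value)
#admin_endpoint = <None>

# Maximum depth of the project hierarchy, excluding the project acting as a
# domain at the top of the hierarchy. WARNING: Setting it to a large value may
# adversely impact performance. (integer value)
#max_project_tree_depth = 5

# Limit the sizes of user & project ID/names. (integer value)
#max_param_size = 64

# Similar to `[DEFAULT] max_param_size`, but provides an exception for token
# values. With PKI / PKIZ tokens, this needs to be set close to 8192 (any
# higher, and other HTTP implementations may break), depending on the size of
# your service catalog and other factors. With Fernet tokens, this can be set
# as low as 255. With UUID tokens, this should be set to 32. (integer value)
#max_token_size = 8192

# Similar to the `[DEFAULT] member_role_name` option, this represents the
# default role ID used to associate users with their default projects in the v2
# API. This will be used as the explicit role where one is not specified by the
# v2 API. You do not need to set this value unless you want keystone to use an
# existing role with a different ID, other than the arbitrarily defined
# `_member_` role (in which case, you should set `[DEFAULT] member_role_name`
# as well). (string value)
#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab

# This is the role name used in combination with the `[DEFAULT] member_role_id`
# option; see that option for more detail. You do not need to set this option
# unless you want keystone to use an existing role (in which case, you should
# set `[DEFAULT] member_role_id` as well). (string value)
#member_role_name = _member_

# The value passed as the keyword "rounds" to passlib's encrypt method. This
# option represents a trade off between security and performance. Higher values
# lead to slower performance, but higher security. Changing this option will
# only affect newly created passwords as existing password hashes already have
# a fixed number of rounds applied, so it is safe to tune this option in a
# running cluster. For more information, see
# https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-
# rounds-value (integer value)
# Minimum value: 1000
# Maximum value: 100000
#crypt_strength = 10000

# The maximum number of entities that will be returned in a collection. This
# global limit may be then overridden for a specific driver, by specifying a
# list_limit in the appropriate section (for example, `[assignment]`). No limit
# is set by default. In larger deployments, it is recommended that you set this
# to a reasonable number to prevent operations like listing all users and
# projects from placing an unnecessary load on the system. (integer value)
#list_limit = <None>

# DEPRECATED: Set this to false if you want to enable the ability for user,
# group and project entities to be moved between domains by updating their
# `domain_id` attribute. Allowing such movement is not recommended if the scope
# of a domain admin is being restricted by use of an appropriate policy file
# (see `etc/policy.v3cloudsample.json` as an example). This feature is
# deprecated and will be removed in a future release, in favor of strictly
# immutable domain IDs. (boolean value)
# This option is deprecated for removal since M.
# Its value may be silently ignored in the future.
# Reason: The option to set domain_id_immutable to false has been deprecated in
# the M release and will be removed in the O release.
#domain_id_immutable = true

# If set to true, strict password length checking is performed for password
# manipulation. If a password exceeds the maximum length, the operation will
# fail with an HTTP 403 Forbidden error. If set to false, passwords are
# automatically truncated to the maximum length. (boolean value)
#strict_password_check = false

# DEPRECATED: The HTTP header used to determine the scheme for the original
# request, even if it was removed by an SSL terminating proxy. (string value)
# This option is deprecated for removal since N.
# Its value may be silently ignored in the future.
# Reason: This option has been deprecated in the N release and will be removed
# in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration
# instead.
#secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

# If set to true, then the server will return information in HTTP responses
# that may allow an unauthenticated or authenticated user to get more
# information than normal, such as additional details about why authentication
# failed. This may be useful for debugging but is insecure. (boolean value)
#insecure_debug = false

# Default `publisher_id` for outgoing notifications. If left undefined,
# Keystone will default to using the server's host name. (string value)
#default_publisher_id = <None>

# Define the notification format for identity service events. A `basic`
# notification only has information about the resource being operated on. A
# `cadf` notification has the same information, as well as information about
# the initiator of the event. The `cadf` option is entirely backwards
# compatible with the `basic` option, but is fully CADF-compliant, and is
# recommended for auditing use cases. (string value)
# Allowed values: basic, cadf
#notification_format = basic

# If left undefined, keystone will emit notifications for all types of events.
# You can reduce the number of notifications keystone emits by using this
# option to enumerate notification topics that should be suppressed. Values are
# expected to be in the form `identity.<resource_type>.<operation>`. This field
# can be set multiple times in order to opt-out of multiple notification
# topics. For example: notification_opt_out=identity.user.create
# notification_opt_out=identity.authenticate.success (multi valued)
#notification_opt_out =

#
# From oslo.log
#

# If set to true, the logging level will be set to DEBUG instead of the default
# INFO level. (boolean value)
# Note: This option can be changed without restarting.
#debug = false

# DEPRECATED: If set to false, the logging level will be set to WARNING instead
# of the default INFO level. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#verbose = true

# The name of a logging configuration file. This file is appended to any
# existing logging configuration files. For details about logging configuration
# files, see the Python logging module documentation. Note that when logging
# configuration files are used then all logging configuration is set in the
# configuration file and other logging configuration options are ignored (for
# example, logging_context_format_string). (string value)
# Note: This option can be changed without restarting.
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append = <None>

# Defines the format string for %%(asctime)s in log records. Default:
# %(default)s . This option is ignored if log_config_append is set. (string
# value)
#log_date_format = %Y-%m-%d %H:%M:%S

# (Optional) Name of log file to send logging output to. If no default is set,
# logging will go to stderr as defined by use_stderr. This option is ignored if
# log_config_append is set. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file = <None>

# (Optional) The base directory used for relative log_file paths. This option
# is ignored if log_config_append is set. (string value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir = <None>

# Uses logging handler designed to watch file system. When log file is moved or
# removed this handler will open a new log file with specified path
# instantaneously. It makes sense only if log_file option is specified and
# Linux platform is used. This option is ignored if log_config_append is set.
# (boolean value)
#watch_log_file = false

# Use syslog for logging. Existing syslog format is DEPRECATED and will be
# changed later to honor RFC5424. This option is ignored if log_config_append
# is set. (boolean value)
#use_syslog = false

# Syslog facility to receive log lines. This option is ignored if
# log_config_append is set. (string value)
#syslog_log_facility = LOG_USER

# Log output to standard error. This option is ignored if log_config_append is
# set. (boolean value)
#use_stderr = true

# Format string to use for log messages with context. (string value)
#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

# Format string to use for log messages when context is undefined. (string
# value)
#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

# Additional data to append to log message when logging level for the message
# is DEBUG. (string value)
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

# Prefix each line of exception output with this format. (string value)
#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s

# Defines the format string for %(user_identity)s that is used in
# logging_context_format_string. (string value)
#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s

# List of package logging levels in logger=LEVEL pairs. This option is ignored
# if log_config_append is set. (list value)
#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO

# Enables or disables publication of error events. (boolean value)
#publish_errors = false

# The format for an instance that is passed with the log message. (string
# value)
#instance_format = "[instance: %(uuid)s] "

# The format for an instance UUID that is passed with the log message. (string
# value)
#instance_uuid_format = "[instance: %(uuid)s] "

# Enables or disables fatal status of deprecations. (boolean value)
#fatal_deprecations = false

#
# From oslo.messaging
#

# Size of RPC connection pool. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
#rpc_conn_pool_size = 30

# The pool size limit for connections expiration policy (integer value)
#conn_pool_min_size = 2

# The time-to-live in sec of idle connections in the pool (integer value)
#conn_pool_ttl = 1200

# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address. (string value)
# Deprecated group/name - [DEFAULT]/rpc_zmq_bind_address
#rpc_zmq_bind_address = *

# MatchMaker driver. (string value)
# Allowed values: redis, dummy
# Deprecated group/name - [DEFAULT]/rpc_zmq_matchmaker
#rpc_zmq_matchmaker = redis

# Number of ZeroMQ contexts, defaults to 1. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_zmq_contexts
#rpc_zmq_contexts = 1

# Maximum number of ingress messages to locally buffer per topic. Default is
# unlimited. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_zmq_topic_backlog
#rpc_zmq_topic_backlog = <None>

# Directory for holding IPC sockets. (string value)
# Deprecated group/name - [DEFAULT]/rpc_zmq_ipc_dir
#rpc_zmq_ipc_dir = /var/run/openstack

# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
# "host" option, if running Nova. (string value)
# Deprecated group/name - [DEFAULT]/rpc_zmq_host
#rpc_zmq_host = localhost

# Seconds to wait before a cast expires (TTL). The default value of -1
# specifies an infinite linger period. The value of 0 specifies no linger
# period. Pending messages shall be discarded immediately when the socket is
# closed. Only supported by impl_zmq. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_cast_timeout
#rpc_cast_timeout = -1

# The default number of seconds that poll should wait. Poll raises timeout
# exception when timeout expired. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_poll_timeout
#rpc_poll_timeout = 1

# Expiration timeout in seconds of a name service record about existing target
# ( < 0 means no timeout). (integer value)
# Deprecated group/name - [DEFAULT]/zmq_target_expire
#zmq_target_expire = 300

# Update period in seconds of a name service record about existing target.
# (integer value)
# Deprecated group/name - [DEFAULT]/zmq_target_update
#zmq_target_update = 180

# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
# value)
# Deprecated group/name - [DEFAULT]/use_pub_sub
#use_pub_sub = true

# Use ROUTER remote proxy. (boolean value)
# Deprecated group/name - [DEFAULT]/use_router_proxy
#use_router_proxy = true

# Minimal port number for random ports range. (port value)
# Minimum value: 0
# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/rpc_zmq_min_port
#rpc_zmq_min_port = 49153

# Maximal port number for random ports range. (integer value)
# Minimum value: 1
# Maximum value: 65536
# Deprecated group/name - [DEFAULT]/rpc_zmq_max_port
#rpc_zmq_max_port = 65536

# Number of retries to find free port number before fail with ZMQBindError.
# (integer value)
# Deprecated group/name - [DEFAULT]/rpc_zmq_bind_port_retries
#rpc_zmq_bind_port_retries = 100

# Default serialization mechanism for serializing/deserializing
# outgoing/incoming messages (string value)
# Allowed values: json, msgpack
# Deprecated group/name - [DEFAULT]/rpc_zmq_serialization
#rpc_zmq_serialization = json

# This option configures round-robin mode in zmq socket. True means not keeping
# a queue when server side disconnects. False means to keep queue and messages
# even if server is disconnected, when the server appears we send all
# accumulated messages to it. (boolean value)
#zmq_immediate = false

# Size of executor thread pool. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
#executor_thread_pool_size = 64

# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout = 60

# A URL representing the messaging driver to use and its full configuration.
# (string value)
#transport_url = <None>

# DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
# include amqp and zmq. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Replaced by [DEFAULT]/transport_url
#rpc_backend = rabbit

# The default exchange under which topics are scoped. May be overridden by an
# exchange name specified in the transport_url option. (string value)
#control_exchange = keystone

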
373
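[assignment]
# Explicitly selects the SQL assignment driver, the only one keystone ships
# (see the reference note below); setting it avoids the deprecated fallback
# that derives the assignment driver from `[identity]/driver`.
driver = sql

#
# From keystone
#

# Entry point for the assignment backend driver (where role assignments are
# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied
# by keystone itself. If an assignment driver is not specified, the identity
# driver will choose the assignment driver based on the deprecated
# `[identity]/driver` option (the behavior will be removed in the "O" release).
# Unless you are writing proprietary drivers for keystone, you do not need to
# set this option. (string value)
#driver = <None>

# A list of role names which are prohibited from being an implied role. (list
# value)
#prohibited_implied_role = admin

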
394
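[auth]
# No overrides in this section; keystone's default authentication methods
# (`external,password,token,oauth1`, see below) and its own plugins apply.

#
# From keystone
#

# Allowed authentication methods. (list value)
#methods = external,password,token,oauth1

# Entry point for the password auth plugin module in the
# `keystone.auth.password` namespace. You do not need to set this unless you
# are overriding keystone's own password authentication plugin. (string value)
#password = <None>

# Entry point for the token auth plugin module in the `keystone.auth.token`
# namespace. You do not need to set this unless you are overriding keystone's
# own token authentication plugin. (string value)
#token = <None>

# Entry point for the external (`REMOTE_USER`) auth plugin module in the
# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and
# `Domain`. The default driver is `DefaultDomain`, which assumes that all users
# identified by the username specified to keystone in the `REMOTE_USER`
# variable exist within the context of the default domain. The `Domain` option
# expects an additional environment variable to be presented to keystone,
# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if
# `REMOTE_DOMAIN` is not set, then the default domain will be used instead).
# You do not need to set this unless you are taking advantage of "external
# authentication", where the application server (such as Apache) is handling
# authentication instead of keystone. (string value)
#external = <None>

# Entry point for the OAuth 1.0a auth plugin module in the
# `keystone.auth.oauth1` namespace. You do not need to set this unless you are
# overriding keystone's own `oauth1` authentication plugin. (string value)
#oauth1 = <None>

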
432
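[cache]
# Caching is switched on against a single local memcached instance, using the
# pooled backend that the oslo.cache reference below recommends for threaded
# servers. NOTE(review): memcached does not authenticate clients by default,
# so keeping it bound to localhost (as here) is what limits access to the
# cached keystone data; confirm its bind address if this moves off the host.
memcache_servers = localhost:11211
backend = oslo_cache.memcache_pool
enabled = True

#
# From oslo.cache
#

# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name. (string value)
#config_prefix = cache.oslo

# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it. (integer value)
#expiration_time = 600

# Dogpile.cache backend module. It is recommended that Memcache or Redis
# (dogpile.cache.redis) be used in production deployments. For eventlet-based
# or highly threaded servers, Memcache with pooling (oslo_cache.memcache_pool)
# is recommended. For low thread servers, dogpile.cache.memcached is
# recommended. Test environments with a single instance of the server can use
# the dogpile.cache.memory backend. (string value)
#backend = dogpile.cache.null

# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend. Example format:
# "<argname>:<value>". (multi valued)
#backend_argument =

# Proxy classes to import that will affect the way the dogpile.cache backend
# functions. See the dogpile.cache documentation on changing-backend-behavior.
# (list value)
#proxies =

# Global toggle for caching. (boolean value)
#enabled = true

# Extra debugging from the cache backend (cache keys, get/set/delete/etc
# calls). This is only really useful if you need to see the specific cache-
# backend get/set/delete calls with the keys/values. Typically this should be
# left set to false. (boolean value)
#debug_cache_backend = false

# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
# oslo_cache.memcache_pool backends only). (list value)
#memcache_servers = localhost:11211

# Number of seconds memcached server is considered dead before it is tried
# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
# (integer value)
#memcache_dead_retry = 300

# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
# oslo_cache.memcache_pool backends only). (integer value)
#memcache_socket_timeout = 3

# Max total number of open connections to every memcached server.
# (oslo_cache.memcache_pool backend only). (integer value)
#memcache_pool_maxsize = 10

# Number of seconds a connection to memcached is held unused in the pool before
# it is closed. (oslo_cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout = 60

# Number of seconds that an operation will wait to get a memcache client
# connection. (integer value)
#memcache_pool_connection_get_timeout = 10

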
504
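[catalog]
# No overrides in this section; the default `sql` catalog driver and the
# caching defaults listed below apply.

#
# From keystone
#

# Absolute path to the file used for the templated catalog backend. This option
# is only used if the `[catalog] driver` is set to `templated`. (string value)
#template_file = default_catalog.templates

# Entry point for the catalog driver in the `keystone.catalog` namespace.
# Keystone provides a `sql` option (which supports basic CRUD operations
# through SQL), a `templated` option (which loads the catalog from a templated
# catalog file on disk), and an `endpoint_filter.sql` option (which supports
# arbitrary service catalogs per project). (string value)
#driver = sql

# Toggle for catalog caching. This has no effect unless global caching is
# enabled. In a typical deployment, there is no reason to disable this.
# (boolean value)
#caching = true

# Time to cache catalog data (in seconds). This has no effect unless global and
# catalog caching are both enabled. Catalog data (services, endpoints, etc.)
# typically does not change frequently, and so a longer duration than the
# global default may be desirable. (integer value)
#cache_time = <None>

# Maximum number of entities that will be returned in a catalog collection.
# There is typically no reason to set this, as it would be unusual for a
# deployment to have enough services or endpoints to exceed a reasonable limit.
# (integer value)
#list_limit = <None>

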
539
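[cors]
# No overrides in this section. `allowed_origin` is left unset, so presumably
# no cross-origin browser access is granted; add origins here only for the
# specific web front ends that need them.

#
# From oslo.middleware
#

# Indicate whether this resource may be shared with the domain received in the
# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
# slash. Example: https://horizon.example.com (list value)
#allowed_origin = <None>

# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true

# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token

# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600

# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH

# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name

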
568
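[cors.subdomain]
# Per-subdomain CORS overrides; none are set, so the defaults below (the same
# as in `[cors]`) apply.

#
# From oslo.middleware
#

# Indicate whether this resource may be shared with the domain received in the
# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
# slash. Example: https://horizon.example.com (list value)
#allowed_origin = <None>

# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true

# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token

# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600

# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH

# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name

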
597
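[credential]
# Directory holding the Fernet keys that encrypt credentials stored in the
# credential backend (this matches the default shown below). NOTE(review):
# anyone who can read these keys can decrypt every stored credential, so the
# directory should be readable only by the keystone service user; per the
# reference note it must also stay separate from the token-key repository and
# be rotated on its own schedule.
key_repository = /etc/keystone/credential-keys/

#
# From keystone
#

# Entry point for the credential backend driver in the `keystone.credential`
# namespace. Keystone only provides a `sql` driver, so there's no reason to
# change this unless you are providing a custom entry point. (string value)
#driver = sql

# Entry point for credential encryption and decryption operations in the
# `keystone.credential.provider` namespace. Keystone only provides a `fernet`
# driver, so there's no reason to change this unless you are providing a custom
# entry point to encrypt and decrypt credentials. (string value)
#provider = fernet

# Directory containing Fernet keys used to encrypt and decrypt credentials
# stored in the credential backend. Fernet keys used to encrypt credentials
# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets
# of keys should be managed separately and require different rotation policies.
# Do not share this repository with the repository used to manage keys for
# Fernet tokens. (string value)
#key_repository = /etc/keystone/credential-keys/

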
624
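[database]
# NOTE(review): connects as the MySQL `root` account with the password in
# plain text, and the same secret is reused in `[DEFAULT] transport_url` for
# the message broker. A dedicated database user limited to the `keystone`
# schema, a distinct password, and file permissions that restrict this file to
# the keystone service user are the expected hardening steps.
connection = mysql+pymysql://root:ashish@127.0.0.1/keystone?charset=utf8

#
# From oslo.db
#

# DEPRECATED: The file name to use with SQLite. (string value)
# Deprecated group/name - [DEFAULT]/sqlite_db
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Should use config option connection or slave_connection to connect
# to the database.
#sqlite_db = oslo.sqlite

# If True, SQLite uses synchronous mode. (boolean value)
# Deprecated group/name - [DEFAULT]/sqlite_synchronous
#sqlite_synchronous = true

# The back end to use for the database. (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend = sqlalchemy

# The SQLAlchemy connection string to use to connect to the database. (string
# value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>

# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
#slave_connection = <None>

# The SQL mode to be used for MySQL sessions. This option, including the
# default, overrides any server-set SQL mode. To use whatever SQL mode is set
# by the server configuration, set this to no value. Example: mysql_sql_mode=
# (string value)
#mysql_sql_mode = TRADITIONAL

# Timeout before idle SQL connections are reaped. (integer value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout = 3600

# Minimum number of SQL connections to keep open in a pool. (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size = 1

# Maximum number of SQL connections to keep open in a pool. Setting a value of
# 0 indicates no limit. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size = 5

# Maximum number of database connection retries during startup. Set to -1 to
# specify an infinite retry count. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries = 10

# Interval between retries of opening a SQL connection. (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval = 10

# If set, use this value for max_overflow with SQLAlchemy. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow = 50

# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
# value)
# Minimum value: 0
# Maximum value: 100
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug = 0

# Add Python stack traces to SQL as comment strings. (boolean value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace = false

# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout = <None>

# Enable the experimental use of database reconnect on connection lost.
# (boolean value)
#use_db_reconnect = false

# Seconds between retries of a database transaction. (integer value)
#db_retry_interval = 1

# If True, increases the interval between retries of a database operation up to
# db_max_retry_interval. (boolean value)
#db_inc_retry_interval = true

# If db_inc_retry_interval is set, the maximum seconds between retries of a
# database operation. (integer value)
#db_max_retry_interval = 10

# Maximum retries in case of connection error or deadlock error before error is
# raised. Set to -1 to specify an infinite retry count. (integer value)
#db_max_retries = 20

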
732
733[domain_config]
734
735#
736# From keystone
737#
738
739# Entry point for the domain-specific configuration driver in the
740# `keystone.resource.domain_config` namespace. Only a `sql` option is provided
741# by keystone, so there is no reason to set this unless you are providing a
742# custom entry point. (string value)
743#driver = sql
744
745# Toggle for caching of the domain-specific configuration backend. This has no
746# effect unless global caching is enabled. There is normally no reason to
747# disable this. (boolean value)
748#caching = true
749
750# Time-to-live (TTL, in seconds) to cache domain-specific configuration data.
751# This has no effect unless `[domain_config] caching` is enabled. (integer
752# value)
753#cache_time = 300
754
755
756[endpoint_filter]
757
758#
759# From keystone
760#
761
762# Entry point for the endpoint filter driver in the `keystone.endpoint_filter`
763# namespace. Only a `sql` option is provided by keystone, so there is no reason
764# to set this unless you are providing a custom entry point. (string value)
765#driver = sql
766
767# This controls keystone's behavior if the configured endpoint filters do not
768# result in any endpoints for a user + project pair (and therefore a
769# potentially empty service catalog). If set to true, keystone will return the
770# entire service catalog. If set to false, keystone will return an empty
771# service catalog. (boolean value)
772#return_all_endpoints_if_no_filter = true
773
774
775[endpoint_policy]
776
777#
778# From keystone
779#
780
781# DEPRECATED: Enable endpoint-policy functionality, which allows policies to be
782# associated with either specific endpoints, or endpoints of a given service
783# type. (boolean value)
784# This option is deprecated for removal since M.
785# Its value may be silently ignored in the future.
786# Reason: The option to enable the OS-ENDPOINT-POLICY API extension has been
787# deprecated in the M release and will be removed in the O release. The OS-
788# ENDPOINT-POLICY API extension will be enabled by default.
789#enabled = true
790
791# Entry point for the endpoint policy driver in the `keystone.endpoint_policy`
792# namespace. Only a `sql` driver is provided by keystone, so there is no reason
793# to set this unless you are providing a custom entry point. (string value)
794#driver = sql
795
796
797[eventlet_server]
798
799#
800# From keystone
801#
802
803# DEPRECATED: The IP address of the network interface for the public service to
804# listen on. (string value)
805# Deprecated group/name - [DEFAULT]/bind_host
806# Deprecated group/name - [DEFAULT]/public_bind_host
807# This option is deprecated for removal since K.
808# Its value may be silently ignored in the future.
809# Reason: Support for running keystone under eventlet has been removed in the
810# Newton release. These options remain for backwards compatibility because they
811# are used for URL substitutions.
812#public_bind_host = 0.0.0.0
813
814# DEPRECATED: The port number for the public service to listen on. (port value)
815# Minimum value: 0
816# Maximum value: 65535
817# Deprecated group/name - [DEFAULT]/public_port
818# This option is deprecated for removal since K.
819# Its value may be silently ignored in the future.
820# Reason: Support for running keystone under eventlet has been removed in the
821# Newton release. These options remain for backwards compatibility because they
822# are used for URL substitutions.
823#public_port = 5000
824
825# DEPRECATED: The IP address of the network interface for the admin service to
826# listen on. (string value)
827# Deprecated group/name - [DEFAULT]/bind_host
828# Deprecated group/name - [DEFAULT]/admin_bind_host
829# This option is deprecated for removal since K.
830# Its value may be silently ignored in the future.
831# Reason: Support for running keystone under eventlet has been removed in the
832# Newton release. These options remain for backwards compatibility because they
833# are used for URL substitutions.
834#admin_bind_host = 0.0.0.0
835
836# DEPRECATED: The port number for the admin service to listen on. (port value)
837# Minimum value: 0
838# Maximum value: 65535
839# Deprecated group/name - [DEFAULT]/admin_port
840# This option is deprecated for removal since K.
841# Its value may be silently ignored in the future.
842# Reason: Support for running keystone under eventlet has been removed in the
843# Newton release. These options remain for backwards compatibility because they
844# are used for URL substitutions.
845#admin_port = 35357
846
847
848[federation]
849
850#
851# From keystone
852#
853
854# Entry point for the federation backend driver in the `keystone.federation`
855# namespace. Keystone only provides a `sql` driver, so there is no reason to
856# set this option unless you are providing a custom entry point. (string value)
857#driver = sql
858
859# Prefix to use when filtering environment variable names for federated
860# assertions. Matched variables are passed into the federated mapping engine.
861# (string value)
862#assertion_prefix =
863
864# Value to be used to obtain the entity ID of the Identity Provider from the
865# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For
866# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
867# this could be `MELLON_IDP`. (string value)
868#remote_id_attribute = <None>
869
870# An arbitrary domain name that is reserved to allow federated ephemeral users
871# to have a domain concept. Note that an admin will not be able to create a
872# domain with this name or update an existing domain to this name. You are not
873# advised to change this value unless you really have to. (string value)
874#federated_domain_name = Federated
875
876# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
877# to return a token, the origin host must be a member of this list. This
878# configuration option may be repeated for multiple values. You must set this
879# in order to use web-based SSO flows. For example:
880# trusted_dashboard=https://acme.example.com/auth/websso
881# trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
882#trusted_dashboard =
883
884# Absolute path to an HTML file used as a Single Sign-On callback handler. This
885# page is expected to redirect the user from keystone back to a trusted
886# dashboard host, by form encoding a token in a POST request. Keystone's
887# default value should be sufficient for most deployments. (string value)
888#sso_callback_template = /etc/keystone/sso_callback_template.html
889
890# Toggle for federation caching. This has no effect unless global caching is
891# enabled. There is typically no reason to disable this. (boolean value)
892#caching = true
893
894
895[fernet_tokens]
# NOTE(review): this directory holds the keys used to create and validate
# Fernet tokens (see the description below). The value set here is the same
# as the default. Because the server process only needs to read the keys,
# limit read access to the account keystone's server runs as, and keep the
# repository contents identical across nodes as the rotation notes below
# describe.
896key_repository = /etc/keystone/fernet-keys/
897
898#
899# From keystone
900#
901
902# Directory containing Fernet token keys. This directory must exist before
903# using `keystone-manage fernet_setup` for the first time, must be writable by
904# the user running `keystone-manage fernet_setup` or `keystone-manage
905# fernet_rotate`, and of course must be readable by keystone's server process.
906# The repository may contain keys in one of three states: a single staged key
907# (always index 0) used for token validation, a single primary key (always the
908# highest index) used for token creation and validation, and any number of
909# secondary keys (all other index values) used for token validation. With
910# multiple keystone nodes, each node must share the same key repository
911# contents, with the exception of the staged key (index 0). It is safe to run
912# `keystone-manage fernet_rotate` once on any one node to promote a staged key
913# (index 0) to be the new primary (incremented from the previous highest
914# index), and produce a new staged key (a new key with index 0); the resulting
915# repository can then be atomically replicated to other nodes without any risk
916# of race conditions (for example, it is safe to run `keystone-manage
917# fernet_rotate` on host A, wait any amount of time, create a tarball of the
918# directory on host A, unpack it on host B to a temporary location, and
919# atomically move (`mv`) the directory into place on host B). Running
920# `keystone-manage fernet_rotate` *twice* on a key repository without syncing
921# other nodes will result in tokens that can not be validated by all nodes.
922# (string value)
923#key_repository = /etc/keystone/fernet-keys/
924
925# This controls how many keys are held in rotation by `keystone-manage
926# fernet_rotate` before they are discarded. The default value of 3 means that
927# keystone will maintain one staged key (always index 0), one primary key (the
928# highest numerical index), and one secondary key (every other index).
929# Increasing this value means that additional secondary keys will be kept in
930# the rotation. (integer value)
931# Minimum value: 1
932#max_active_keys = 3
933
934
935[identity]
# NOTE(review): the identity backend is pinned to the `sql` driver, which is
# also the default shown further down. With `domain_specific_drivers_enabled`
# left at its default of false, this single driver is used for all domains.
936driver = sql
937
938#
939# From keystone
940#
941
942# This references the domain to use for all Identity API v2 requests (which are
943# not aware of domains). A domain with this ID can optionally be created for
944# you by `keystone-manage bootstrap`. The domain referenced by this ID cannot
945# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There
946# is nothing special about this domain, other than the fact that it must exist
947# in order to maintain support for your v2 clients. There is typically no
948# reason to change this value. (string value)
949#default_domain_id = default
950
951# A subset (or all) of domains can have their own identity driver, each with
952# their own partial configuration options, stored in either the resource
953# backend or in a file in a domain configuration directory (depending on the
954# setting of `[identity] domain_configurations_from_database`). Only values
955# specific to the domain need to be specified in this manner. This feature is
956# disabled by default, but may be enabled by default in a future release; set
957# to true to enable. (boolean value)
958#domain_specific_drivers_enabled = false
959
960# By default, domain-specific configuration data is read from files in the
961# directory identified by `[identity] domain_config_dir`. Enabling this
962# configuration option allows you to instead manage domain-specific
963# configurations through the API, which are then persisted in the backend
964# (typically, a SQL database), rather than using configuration files on disk.
965# (boolean value)
966#domain_configurations_from_database = false
967
968# Absolute path where keystone should locate domain-specific `[identity]`
969# configuration files. This option has no effect unless `[identity]
970# domain_specific_drivers_enabled` is set to true. There is typically no reason
971# to change this value. (string value)
972#domain_config_dir = /etc/keystone/domains
973
974# Entry point for the identity backend driver in the `keystone.identity`
975# namespace. Keystone provides a `sql` and `ldap` driver. This option is also
976# used as the default driver selection (along with the other configuration
977# variables in this section) in the event that `[identity]
978# domain_specific_drivers_enabled` is enabled, but no applicable domain-
979# specific configuration is defined for the domain in question. Unless your
980# deployment primarily relies on `ldap` AND is not using domain-specific
981# configuration, you should typically leave this set to `sql`. (string value)
982#driver = sql
983
984# Toggle for identity caching. This has no effect unless global caching is
985# enabled. There is typically no reason to disable this. (boolean value)
986#caching = true
987
988# Time to cache identity data (in seconds). This has no effect unless global
989# and identity caching are enabled. (integer value)
990#cache_time = 600
991
992# Maximum allowed length for user passwords. Decrease this value to improve
993# performance. Changing this value does not affect existing passwords. (integer
994# value)
995# Maximum value: 4096
996#max_password_length = 4096
997
998# Maximum number of entities that will be returned in an identity collection.
999# (integer value)
1000#list_limit = <None>
1001
1002
1003[identity_mapping]
1004
1005#
1006# From keystone
1007#
1008
1009# Entry point for the identity mapping backend driver in the
1010# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql`
1011# driver, so there is no reason to change this unless you are providing a
1012# custom entry point. (string value)
1013#driver = sql
1014
1015# Entry point for the public ID generator for user and group entities in the
1016# `keystone.identity.id_generator` namespace. The Keystone identity mapper only
1017# supports generators that produce 64 bytes or less. Keystone only provides a
1018# `sha256` entry point, so there is no reason to change this value unless
1019# you're providing a custom entry point. (string value)
1020#generator = sha256
1021
1022# The format of user and group IDs changed in Juno for backends that do not
1023# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to
1024# the underlying attribute in LDAP. By default this mapping is disabled, which
1025# ensures that existing IDs will not change. Even when the mapping is enabled
1026# by using domain-specific drivers (`[identity]
1027# domain_specific_drivers_enabled`), any users and groups from the default
1028# domain being handled by LDAP will still not be mapped to ensure their IDs
1029# remain backward compatible. Setting this value to false will enable the new
1030# mapping for all backends, including the default LDAP driver. It is only
1031# guaranteed to be safe to enable this option if you do not already have
1032# assignments for users and groups from the default LDAP domain, and you
1033# consider it to be acceptable for Keystone to provide the different IDs to
1034# clients than it did previously (existing IDs in the API will suddenly
1035# change). Typically this means that the only time you can set this value to
1036# false is when configuring a fresh installation, although that is the
1037# recommended value. (boolean value)
1038#backward_compatible_ids = true
1039
1040
1041[kvs]
1042
1043#
1044# From keystone
1045#
1046
1047# Extra `dogpile.cache` backend modules to register with the `dogpile.cache`
1048# library. It is not necessary to set this value unless you are providing a
1049# custom KVS backend beyond what `dogpile.cache` already supports. (list value)
1050#backends =
1051
1052# Prefix for building the configuration dictionary for the KVS region. This
1053# should not need to be changed unless there is another `dogpile.cache` region
1054# with the same configuration name. (string value)
1055#config_prefix = keystone.kvs
1056
1057# Set to false to disable using a key-mangling function, which ensures fixed-
1058# length keys are used in the KVS store. This is configurable for debugging
1059# purposes, and it is therefore highly recommended to always leave this set to
1060# true. (boolean value)
1061#enable_key_mangler = true
1062
1063# Number of seconds after acquiring a distributed lock that the backend should
1064# consider the lock to be expired. This option should be tuned relative to the
1065# longest amount of time that it takes to perform a successful operation. If
1066# this value is set too low, then a cluster will end up performing work
1067# redundantly. If this value is set too high, then a cluster will not be able
1068# to efficiently recover and retry after a failed operation. A non-zero value
1069# is recommended if the backend supports lock timeouts, as zero prevents locks
1070# from expiring altogether. (integer value)
1071# Minimum value: 0
1072#default_lock_timeout = 5
1073
1074
1075[ldap]
1076
1077#
1078# From keystone
1079#
1080
1081# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
1082# as a comma separated string. The first URL to successfully bind is used for
1083# the connection. (string value)
1084#url = ldap://localhost
1085
1086# The user name of the administrator bind DN to use when querying the LDAP
1087# server, if your LDAP server requires it. (string value)
1088#user = <None>
1089
1090# The password of the administrator bind DN to use when querying the LDAP
1091# server, if your LDAP server requires it. (string value)
1092#password = <None>
1093
1094# The default LDAP server suffix to use, if a DN is not defined via either
1095# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value)
1096#suffix = cn=example,cn=com
1097
1098# DEPRECATED: If true, keystone will add a dummy member based on the `[ldap]
1099# dumb_member` option when creating new groups. This is required if the object
1100# class for groups requires the `member` attribute. This option is only used
1101# for write operations. (boolean value)
1102# This option is deprecated for removal since M.
1103# Its value may be silently ignored in the future.
1104# Reason: Write support for the LDAP identity backend has been deprecated in
1105# the Mitaka release and will be removed in the Ocata release.
1106#use_dumb_member = false
1107
1108# DEPRECATED: DN of the "dummy member" to use when `[ldap] use_dumb_member` is
1109# enabled. This option is only used for write operations. (string value)
1110# This option is deprecated for removal since M.
1111# Its value may be silently ignored in the future.
1112# Reason: Write support for the LDAP identity backend has been deprecated in
1113# the Mitaka release and will be removed in the Ocata release.
1114#dumb_member = cn=dumb,dc=nonexistent
1115
1116# DEPRECATED: Delete subtrees using the subtree delete control. Only enable
1117# this option if your LDAP server supports subtree deletion. This option is
1118# only used for write operations. (boolean value)
1119# This option is deprecated for removal since M.
1120# Its value may be silently ignored in the future.
1121# Reason: Write support for the LDAP identity backend has been deprecated in
1122# the Mitaka release and will be removed in the Ocata release.
1123#allow_subtree_delete = false
1124
1125# The search scope which defines how deep to search within the search base. A
1126# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search
1127# of objects immediately below the base object, but does not include the
1128# base object itself. A value of `sub` (representing `subtree` or
1129# `wholeSubtree`) indicates a search of both the base object itself and the
1130# entire subtree below it. (string value)
1131# Allowed values: one, sub
1132#query_scope = one
1133
1134# Defines the maximum number of results per page that keystone should request
1135# from the LDAP server when listing objects. A value of zero (`0`) disables
1136# paging. (integer value)
1137# Minimum value: 0
1138#page_size = 0
1139
1140# The LDAP dereferencing option to use for queries involving aliases. A value
1141# of `default` falls back to using default dereferencing behavior configured by
1142# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced
1143# at all. A value of `searching` dereferences aliases only after name
1144# resolution. A value of `finding` dereferences aliases only during name
1145# resolution. A value of `always` dereferences aliases in all cases. (string
1146# value)
1147# Allowed values: never, searching, always, finding, default
1148#alias_dereferencing = default
1149
1150# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
1151# debugging is not enabled. This value is a bitmask, consult your LDAP
1152# documentation for possible values. (integer value)
1153# Minimum value: -1
1154#debug_level = <None>
1155
1156# Sets keystone's referral chasing behavior across directory partitions. If
1157# left unset, the system's default behavior will be used. (boolean value)
1158#chase_referrals = <None>
1159
1160# The search base to use for users. Defaults to the `[ldap] suffix` value.
1161# (string value)
1162#user_tree_dn = <None>
1163
1164# The LDAP search filter to use for users. (string value)
1165#user_filter = <None>
1166
1167# The LDAP object class to use for users. (string value)
1168#user_objectclass = inetOrgPerson
1169
1170# The LDAP attribute mapped to user IDs in keystone. This must NOT be a
1171# multivalued attribute. User IDs are expected to be globally unique across
1172# keystone domains and URL-safe. (string value)
1173#user_id_attribute = cn
1174
1175# The LDAP attribute mapped to user names in keystone. User names are expected
1176# to be unique only within a keystone domain and are not expected to be URL-
1177# safe. (string value)
1178#user_name_attribute = sn
1179
1180# The LDAP attribute mapped to user descriptions in keystone. (string value)
1181#user_description_attribute = description
1182
1183# The LDAP attribute mapped to user emails in keystone. (string value)
1184#user_mail_attribute = mail
1185
1186# The LDAP attribute mapped to user passwords in keystone. (string value)
1187#user_pass_attribute = userPassword
1188
1189# The LDAP attribute mapped to the user enabled attribute in keystone. If
1190# setting this option to `userAccountControl`, then you may be interested in
1191# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
1192# (string value)
1193#user_enabled_attribute = enabled
1194
1195# Logically negate the boolean value of the enabled attribute obtained from the
1196# LDAP server. Some LDAP servers use a boolean lock attribute where "true"
1197# means an account is disabled. Setting `[ldap] user_enabled_invert = true`
1198# will allow these lock attributes to be used. This option will have no effect
1199# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation`
1200# options are in use. (boolean value)
1201#user_enabled_invert = false
1202
1203# Bitmask integer to select which bit indicates the enabled value if the LDAP
1204# server represents "enabled" as a bit on an integer rather than as a discrete
1205# boolean. A value of `0` indicates that the mask is not used. If this is not
1206# set to `0` the typical value is `2`. This is typically used when `[ldap]
1207# user_enabled_attribute = userAccountControl`. Setting this option causes
1208# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value)
1209# Minimum value: 0
1210#user_enabled_mask = 0
1211
1212# The default value to enable users. This should match an appropriate integer
1213# value if the LDAP server uses non-boolean (bitmask) values to indicate if a
1214# user is enabled or disabled. If this is not set to `True`, then the typical
1215# value is `512`. This is typically used when `[ldap] user_enabled_attribute =
1216# userAccountControl`. (string value)
1217#user_enabled_default = True
1218
1219# DEPRECATED: List of user attributes to ignore on create and update. This is
1220# only used for write operations. (list value)
1221# This option is deprecated for removal since M.
1222# Its value may be silently ignored in the future.
1223# Reason: Write support for the LDAP identity backend has been deprecated in
1224# the Mitaka release and will be removed in the Ocata release.
1225#user_attribute_ignore = default_project_id
1226
1227# The LDAP attribute mapped to a user's default_project_id in keystone. This is
1228# most commonly used when keystone has write access to LDAP. (string value)
1229#user_default_project_id_attribute = <None>
1230
1231# DEPRECATED: If enabled, keystone is allowed to create users in the LDAP
1232# server. (boolean value)
1233# This option is deprecated for removal since M.
1234# Its value may be silently ignored in the future.
1235# Reason: Write support for the LDAP identity backend has been deprecated in
1236# the Mitaka release and will be removed in the Ocata release.
1237#user_allow_create = true
1238
1239# DEPRECATED: If enabled, keystone is allowed to update users in the LDAP
1240# server. (boolean value)
1241# This option is deprecated for removal since M.
1242# Its value may be silently ignored in the future.
1243# Reason: Write support for the LDAP identity backend has been deprecated in
1244# the Mitaka release and will be removed in the Ocata release.
1245#user_allow_update = true
1246
1247# DEPRECATED: If enabled, keystone is allowed to delete users in the LDAP
1248# server. (boolean value)
1249# This option is deprecated for removal since M.
1250# Its value may be silently ignored in the future.
1251# Reason: Write support for the LDAP identity backend has been deprecated in
1252# the Mitaka release and will be removed in the Ocata release.
1253#user_allow_delete = true
1254
1255# If enabled, keystone uses an alternative method to determine if a user is
1256# enabled or not by checking if they are a member of the group defined by the
1257# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes
1258# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value)
1259#user_enabled_emulation = false
1260
1261# DN of the group entry to hold enabled users when using enabled emulation.
1262# Setting this option has no effect unless `[ldap] user_enabled_emulation` is
1263# also enabled. (string value)
1264#user_enabled_emulation_dn = <None>
1265
1266# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass`
1267# settings to determine membership in the emulated enabled group. Enabling this
1268# option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
1269# (boolean value)
1270#user_enabled_emulation_use_group_config = false
1271
1272# A list of LDAP attribute to keystone user attribute pairs used for mapping
1273# additional attributes to users in keystone. The expected format is
1274# `<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP
1275# object and `user_attr` is the attribute which should appear in the identity
1276# API. (list value)
1277#user_additional_attribute_mapping =
1278
1279# The search base to use for groups. Defaults to the `[ldap] suffix` value.
1280# (string value)
1281#group_tree_dn = <None>
1282
1283# The LDAP search filter to use for groups. (string value)
1284#group_filter = <None>
1285
1286# The LDAP object class to use for groups. If setting this option to
1287# `posixGroup`, you may also be interested in enabling the `[ldap]
1288# group_members_are_ids` option. (string value)
1289#group_objectclass = groupOfNames
1290
1291# The LDAP attribute mapped to group IDs in keystone. This must NOT be a
1292# multivalued attribute. Group IDs are expected to be globally unique across
1293# keystone domains and URL-safe. (string value)
1294#group_id_attribute = cn
1295
1296# The LDAP attribute mapped to group names in keystone. Group names are
1297# expected to be unique only within a keystone domain and are not expected to
1298# be URL-safe. (string value)
1299#group_name_attribute = ou
1300
1301# The LDAP attribute used to indicate that a user is a member of the group.
1302# (string value)
1303#group_member_attribute = member
1304
1305# Enable this option if the members of the group object class are keystone user
1306# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the
1307# group object class in Open Directory. (boolean value)
1308#group_members_are_ids = false
1309
1310# The LDAP attribute mapped to group descriptions in keystone. (string value)
1311#group_desc_attribute = description
1312
1313# DEPRECATED: List of group attributes to ignore on create and update. This is
1314# only used for write operations. (list value)
1315# This option is deprecated for removal since M.
1316# Its value may be silently ignored in the future.
1317# Reason: Write support for the LDAP identity backend has been deprecated in
1318# the Mitaka release and will be removed in the Ocata release.
1319#group_attribute_ignore =
1320
1321# DEPRECATED: If enabled, keystone is allowed to create groups in the LDAP
1322# server. (boolean value)
1323# This option is deprecated for removal since M.
1324# Its value may be silently ignored in the future.
1325# Reason: Write support for the LDAP identity backend has been deprecated in
1326# the Mitaka release and will be removed in the Ocata release.
1327#group_allow_create = true
1328
1329# DEPRECATED: If enabled, keystone is allowed to update groups in the LDAP
1330# server. (boolean value)
1331# This option is deprecated for removal since M.
1332# Its value may be silently ignored in the future.
1333# Reason: Write support for the LDAP identity backend has been deprecated in
1334# the Mitaka release and will be removed in the Ocata release.
1335#group_allow_update = true
1336
1337# DEPRECATED: If enabled, keystone is allowed to delete groups in the LDAP
1338# server. (boolean value)
1339# This option is deprecated for removal since M.
1340# Its value may be silently ignored in the future.
1341# Reason: Write support for the LDAP identity backend has been deprecated in
1342# the Mitaka release and will be removed in the Ocata release.
1343#group_allow_delete = true
1344
1345# A list of LDAP attribute to keystone group attribute pairs used for mapping
1346# additional attributes to groups in keystone. The expected format is
1347# `<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP
1348# object and `group_attr` is the attribute which should appear in the identity
1349# API. (list value)
1350#group_additional_attribute_mapping =
1351
1352# An absolute path to a CA certificate file to use when communicating with LDAP
1353# servers. This option will take precedence over `[ldap] tls_cacertdir`, so
1354# there is no reason to set both. (string value)
1355#tls_cacertfile = <None>
1356
1357# An absolute path to a CA certificate directory to use when communicating with
1358# LDAP servers. There is no reason to set this option if you've also set
1359# `[ldap] tls_cacertfile`. (string value)
1360#tls_cacertdir = <None>
1361
1362# Enable TLS when communicating with LDAP servers. You should also set the
1363# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
1364# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
1365# of TLS. (boolean value)
1366#use_tls = false
1367
1368# Specifies which checks to perform against the certificate presented by the
1369# LDAP server on TLS sessions. If set to `demand`, then a certificate will always
1370# be requested and required from the LDAP server. If set to `allow`, then a
1371# certificate will always be requested but not required from the LDAP server.
1372# If set to `never`, then a certificate will never be requested. (string value)
1373# Allowed values: demand, never, allow
1374#tls_req_cert = demand
1375
1376# Enable LDAP connection pooling for queries to the LDAP server. There is
1377# typically no reason to disable this. (boolean value)
1378#use_pool = true
1379
1380# The size of the LDAP connection pool. This option has no effect unless
1381# `[ldap] use_pool` is also enabled. (integer value)
1382# Minimum value: 1
1383#pool_size = 10
1384
1385# The maximum number of times to attempt reconnecting to the LDAP server before
1386# aborting. A value of zero prevents retries. This option has no effect unless
1387# `[ldap] use_pool` is also enabled. (integer value)
1388# Minimum value: 0
1389#pool_retry_max = 3
1390
1391# The number of seconds to wait before attempting to reconnect to the LDAP
1392# server. This option has no effect unless `[ldap] use_pool` is also enabled.
1393# (floating point value)
1394#pool_retry_delay = 0.1
1395
1396# The connection timeout to use with the LDAP server. A value of `-1` means
1397# that connections will never timeout. This option has no effect unless `[ldap]
1398# use_pool` is also enabled. (integer value)
1399# Minimum value: -1
1400#pool_connection_timeout = -1
1401
1402# The maximum connection lifetime to the LDAP server in seconds. When this
1403# lifetime is exceeded, the connection will be unbound and removed from the
1404# connection pool. This option has no effect unless `[ldap] use_pool` is also
1405# enabled. (integer value)
1406# Minimum value: 1
1407#pool_connection_lifetime = 600
1408
1409# Enable LDAP connection pooling for end user authentication. There is
1410# typically no reason to disable this. (boolean value)
1411#use_auth_pool = true
1412
1413# The size of the connection pool to use for end user authentication. This
1414# option has no effect unless `[ldap] use_auth_pool` is also enabled. (integer
1415# value)
1416# Minimum value: 1
1417#auth_pool_size = 100
1418
1419# The maximum end user authentication connection lifetime to the LDAP server in
1420# seconds. When this lifetime is exceeded, the connection will be unbound and
1421# removed from the connection pool. This option has no effect unless `[ldap]
1422# use_auth_pool` is also enabled. (integer value)
1423# Minimum value: 1
1424#auth_pool_connection_lifetime = 60
1425
1426
1427[matchmaker_redis]
1428
1429#
1430# From oslo.messaging
1431#
1432
1433# DEPRECATED: Host to locate redis. (string value)
1434# This option is deprecated for removal.
1435# Its value may be silently ignored in the future.
1436# Reason: Replaced by [DEFAULT]/transport_url
1437#host = 127.0.0.1
1438
1439# DEPRECATED: Use this port to connect to redis host. (port value)
1440# Minimum value: 0
1441# Maximum value: 65535
1442# This option is deprecated for removal.
1443# Its value may be silently ignored in the future.
1444# Reason: Replaced by [DEFAULT]/transport_url
1445#port = 6379
1446
1447# DEPRECATED: Password for Redis server (optional). (string value)
1448# This option is deprecated for removal.
1449# Its value may be silently ignored in the future.
1450# Reason: Replaced by [DEFAULT]/transport_url
1451#password =
1452
1453# DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g.
1454# [host:port, host1:port ... ] (list value)
1455# This option is deprecated for removal.
1456# Its value may be silently ignored in the future.
1457# Reason: Replaced by [DEFAULT]/transport_url
1458#sentinel_hosts =
1459
1460# Redis replica set name. (string value)
1461#sentinel_group_name = oslo-messaging-zeromq
1462
1463# Time in ms to wait between connection attempts. (integer value)
1464#wait_timeout = 2000
1465
1466# Time in ms to wait before the transaction is killed. (integer value)
1467#check_timeout = 20000
1468
1469# Timeout in ms on blocking socket operations (integer value)
1470#socket_timeout = 10000
1471
1472
1473[memcache]
1474
1475#
1476# From keystone
1477#
1478
# Comma-separated list of memcached servers in the format of
# `host:port,host:port` that keystone should use for the `memcache` token
# persistence provider and other memcache-backed KVS drivers. This
# configuration value is NOT used for intermediary caching between keystone and
# other backends, such as SQL and LDAP (for that, see the `[cache]` section).
# Multiple keystone servers in the same deployment should use the same set of
# memcached servers to ensure that data (such as UUID tokens) created by one
# node is available to the others. NOTE(review): the tokens persisted here are
# bearer credentials, and memcached on its own provides no authentication or
# transport encryption, so these servers must be reachable only from the
# keystone nodes (bind them to a trusted management network and firewall the
# port). (list value)
1487#servers = localhost:11211
1488
1489# Number of seconds memcached server is considered dead before it is tried
1490# again. This is used by the key value store system (including, the `memcache`
1491# and `memcache_pool` options for the `[token] driver` persistence backend).
1492# (integer value)
1493#dead_retry = 300
1494
1495# Timeout in seconds for every call to a server. This is used by the key value
1496# store system (including, the `memcache` and `memcache_pool` options for the
1497# `[token] driver` persistence backend). (integer value)
1498#socket_timeout = 3
1499
1500# Max total number of open connections to every memcached server. This is used
1501# by the key value store system (including, the `memcache` and `memcache_pool`
1502# options for the `[token] driver` persistence backend). (integer value)
1503#pool_maxsize = 10
1504
1505# Number of seconds a connection to memcached is held unused in the pool before
1506# it is closed. This is used by the key value store system (including, the
1507# `memcache` and `memcache_pool` options for the `[token] driver` persistence
1508# backend). (integer value)
1509#pool_unused_timeout = 60
1510
1511# Number of seconds that an operation will wait to get a memcache client
1512# connection. This is used by the key value store system (including, the
1513# `memcache` and `memcache_pool` options for the `[token] driver` persistence
1514# backend). (integer value)
1515#pool_connection_get_timeout = 10
1516
1517
1518[oauth1]
1519
1520#
1521# From keystone
1522#
1523
1524# Entry point for the OAuth backend driver in the `keystone.oauth1` namespace.
1525# Typically, there is no reason to set this option unless you are providing a
1526# custom entry point. (string value)
1527#driver = sql
1528
# Number of seconds for the OAuth Request Token to remain valid after being
# created. This is the amount of time the user has to authorize the token.
# Setting this option to zero means that request tokens will last forever.
# NOTE(review): keep this finite; a request token that never expires stays
# usable indefinitely if it leaks before it is authorized. (integer value)
1533# Minimum value: 0
1534#request_token_duration = 28800
1535
# Number of seconds for the OAuth Access Token to remain valid after being
# created. This is the amount of time the consumer has to interact with the
# service provider (which is typically keystone). Setting this option to zero
# means that access tokens will last forever. NOTE(review): do not use zero in
# production; an access token is a bearer credential, and one that never
# expires remains valid indefinitely if it is leaked. (integer value)
1540# Minimum value: 0
1541#access_token_duration = 86400
1542
1543
1544[os_inherit]
1545
1546#
1547# From keystone
1548#
1549
1550# DEPRECATED: This allows domain-based role assignments to be inherited to
1551# projects owned by that domain, or from parent projects to child projects.
1552# (boolean value)
1553# This option is deprecated for removal since M.
1554# Its value may be silently ignored in the future.
1555# Reason: The option to disable the OS-INHERIT functionality has been
1556# deprecated in the Mitaka release and will be removed in the Ocata release.
1557# Starting in the Ocata release, OS-INHERIT functionality will always be
1558# enabled.
1559#enabled = true
1560
1561
1562[oslo_messaging_amqp]
1563
1564#
1565# From oslo.messaging
1566#
1567
1568# Name for the AMQP container. must be globally unique. Defaults to a generated
1569# UUID (string value)
1570# Deprecated group/name - [amqp1]/container_name
1571#container_name = <None>
1572
1573# Timeout for inactive connections (in seconds) (integer value)
1574# Deprecated group/name - [amqp1]/idle_timeout
1575#idle_timeout = 0
1576
1577# Debug: dump AMQP frames to stdout (boolean value)
1578# Deprecated group/name - [amqp1]/trace
1579#trace = false
1580
1581# CA certificate PEM file to verify server certificate (string value)
1582# Deprecated group/name - [amqp1]/ssl_ca_file
1583#ssl_ca_file =
1584
1585# Identifying certificate PEM file to present to clients (string value)
1586# Deprecated group/name - [amqp1]/ssl_cert_file
1587#ssl_cert_file =
1588
1589# Private key PEM file used to sign cert_file certificate (string value)
1590# Deprecated group/name - [amqp1]/ssl_key_file
1591#ssl_key_file =
1592
1593# Password for decrypting ssl_key_file (if encrypted) (string value)
1594# Deprecated group/name - [amqp1]/ssl_key_password
1595#ssl_key_password = <None>
1596
1597# Accept clients using either SSL or plain TCP (boolean value)
1598# Deprecated group/name - [amqp1]/allow_insecure_clients
1599#allow_insecure_clients = false
1600
1601# Space separated list of acceptable SASL mechanisms (string value)
1602# Deprecated group/name - [amqp1]/sasl_mechanisms
1603#sasl_mechanisms =
1604
1605# Path to directory that contains the SASL configuration (string value)
1606# Deprecated group/name - [amqp1]/sasl_config_dir
1607#sasl_config_dir =
1608
1609# Name of configuration file (without .conf suffix) (string value)
1610# Deprecated group/name - [amqp1]/sasl_config_name
1611#sasl_config_name =
1612
1613# User name for message broker authentication (string value)
1614# Deprecated group/name - [amqp1]/username
1615#username =
1616
# Password for message broker authentication. NOTE(review): this is stored in
# clear text in this file; make sure the file is readable only by the keystone
# service account. (string value)
1618# Deprecated group/name - [amqp1]/password
1619#password =
1620
1621# Seconds to pause before attempting to re-connect. (integer value)
1622# Minimum value: 1
1623#connection_retry_interval = 1
1624
1625# Increase the connection_retry_interval by this many seconds after each
1626# unsuccessful failover attempt. (integer value)
1627# Minimum value: 0
1628#connection_retry_backoff = 2
1629
1630# Maximum limit for connection_retry_interval + connection_retry_backoff
1631# (integer value)
1632# Minimum value: 1
1633#connection_retry_interval_max = 30
1634
1635# Time to pause between re-connecting an AMQP 1.0 link that failed due to a
1636# recoverable error. (integer value)
1637# Minimum value: 1
1638#link_retry_delay = 10
1639
1640# The deadline for an rpc reply message delivery. Only used when caller does
1641# not provide a timeout expiry. (integer value)
1642# Minimum value: 5
1643#default_reply_timeout = 30
1644
1645# The deadline for an rpc cast or call message delivery. Only used when caller
1646# does not provide a timeout expiry. (integer value)
1647# Minimum value: 5
1648#default_send_timeout = 30
1649
1650# The deadline for a sent notification message delivery. Only used when caller
1651# does not provide a timeout expiry. (integer value)
1652# Minimum value: 5
1653#default_notify_timeout = 30
1654
1655# Indicates the addressing mode used by the driver.
1656# Permitted values:
1657# 'legacy' - use legacy non-routable addressing
1658# 'routable' - use routable addresses
1659# 'dynamic' - use legacy addresses if the message bus does not support routing
1660# otherwise use routable addressing (string value)
1661#addressing_mode = dynamic
1662
1663# address prefix used when sending to a specific server (string value)
1664# Deprecated group/name - [amqp1]/server_request_prefix
1665#server_request_prefix = exclusive
1666
1667# address prefix used when broadcasting to all servers (string value)
1668# Deprecated group/name - [amqp1]/broadcast_prefix
1669#broadcast_prefix = broadcast
1670
1671# address prefix when sending to any server in group (string value)
1672# Deprecated group/name - [amqp1]/group_request_prefix
1673#group_request_prefix = unicast
1674
1675# Address prefix for all generated RPC addresses (string value)
1676#rpc_address_prefix = openstack.org/om/rpc
1677
1678# Address prefix for all generated Notification addresses (string value)
1679#notify_address_prefix = openstack.org/om/notify
1680
1681# Appended to the address prefix when sending a fanout message. Used by the
1682# message bus to identify fanout messages. (string value)
1683#multicast_address = multicast
1684
1685# Appended to the address prefix when sending to a particular RPC/Notification
1686# server. Used by the message bus to identify messages sent to a single
1687# destination. (string value)
1688#unicast_address = unicast
1689
1690# Appended to the address prefix when sending to a group of consumers. Used by
1691# the message bus to identify messages that should be delivered in a round-
1692# robin fashion across consumers. (string value)
1693#anycast_address = anycast
1694
1695# Exchange name used in notification addresses.
1696# Exchange name resolution precedence:
1697# Target.exchange if set
1698# else default_notification_exchange if set
1699# else control_exchange if set
1700# else 'notify' (string value)
1701#default_notification_exchange = <None>
1702
1703# Exchange name used in RPC addresses.
1704# Exchange name resolution precedence:
1705# Target.exchange if set
1706# else default_rpc_exchange if set
1707# else control_exchange if set
1708# else 'rpc' (string value)
1709#default_rpc_exchange = <None>
1710
1711# Window size for incoming RPC Reply messages. (integer value)
1712# Minimum value: 1
1713#reply_link_credit = 200
1714
1715# Window size for incoming RPC Request messages (integer value)
1716# Minimum value: 1
1717#rpc_server_credit = 100
1718
1719# Window size for incoming Notification messages (integer value)
1720# Minimum value: 1
1721#notify_server_credit = 100
1722
1723
1724[oslo_messaging_notifications]
1725
1726#
1727# From oslo.messaging
1728#
1729
1730# The Drivers(s) to handle sending notifications. Possible values are
1731# messaging, messagingv2, routing, log, test, noop (multi valued)
1732# Deprecated group/name - [DEFAULT]/notification_driver
1733#driver =
1734
1735# A URL representing the messaging driver to use for notifications. If not set,
1736# we fall back to the same configuration used for RPC. (string value)
1737# Deprecated group/name - [DEFAULT]/notification_transport_url
1738#transport_url = <None>
1739
1740# AMQP topic used for OpenStack notifications. (list value)
1741# Deprecated group/name - [rpc_notifier2]/topics
1742# Deprecated group/name - [DEFAULT]/notification_topics
1743#topics = notifications
1744
1745
1746[oslo_messaging_rabbit]
1747
1748#
1749# From oslo.messaging
1750#
1751
1752# Use durable queues in AMQP. (boolean value)
1753# Deprecated group/name - [DEFAULT]/amqp_durable_queues
1754# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
1755#amqp_durable_queues = false
1756
1757# Auto-delete queues in AMQP. (boolean value)
1758# Deprecated group/name - [DEFAULT]/amqp_auto_delete
1759#amqp_auto_delete = false
1760
# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
# distributions. NOTE(review): SSLv2 and SSLv3 are broken and TLSv1 is
# deprecated; where the runtime offers it, pin `TLSv1_2`. `SSLv23` only means
# "negotiate the highest version both sides support" and, depending on the
# OpenSSL build, may still fall back to an older protocol. (string value)
1764# Deprecated group/name - [DEFAULT]/kombu_ssl_version
1765#kombu_ssl_version =
1766
1767# SSL key file (valid only if SSL enabled). (string value)
1768# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
1769#kombu_ssl_keyfile =
1770
1771# SSL cert file (valid only if SSL enabled). (string value)
1772# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
1773#kombu_ssl_certfile =
1774
1775# SSL certification authority file (valid only if SSL enabled). (string value)
1776# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs
1777#kombu_ssl_ca_certs =
1778
1779# How long to wait before reconnecting in response to an AMQP consumer cancel
1780# notification. (floating point value)
1781# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
1782#kombu_reconnect_delay = 1.0
1783
1784# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
1785# be used. This option may not be available in future versions. (string value)
1786#kombu_compression = <None>
1787
1788# How long to wait a missing client before abandoning to send it its replies.
1789# This value should not be longer than rpc_response_timeout. (integer value)
1790# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout
1791#kombu_missing_consumer_retry_timeout = 60
1792
1793# Determines how the next RabbitMQ node is chosen in case the one we are
1794# currently connected to becomes unavailable. Takes effect only if more than
1795# one RabbitMQ node is provided in config. (string value)
1796# Allowed values: round-robin, shuffle
1797#kombu_failover_strategy = round-robin
1798
1799# DEPRECATED: The RabbitMQ broker address where a single node is used. (string
1800# value)
1801# Deprecated group/name - [DEFAULT]/rabbit_host
1802# This option is deprecated for removal.
1803# Its value may be silently ignored in the future.
1804# Reason: Replaced by [DEFAULT]/transport_url
1805#rabbit_host = localhost
1806
1807# DEPRECATED: The RabbitMQ broker port where a single node is used. (port
1808# value)
1809# Minimum value: 0
1810# Maximum value: 65535
1811# Deprecated group/name - [DEFAULT]/rabbit_port
1812# This option is deprecated for removal.
1813# Its value may be silently ignored in the future.
1814# Reason: Replaced by [DEFAULT]/transport_url
1815#rabbit_port = 5672
1816
1817# DEPRECATED: RabbitMQ HA cluster host:port pairs. (list value)
1818# Deprecated group/name - [DEFAULT]/rabbit_hosts
1819# This option is deprecated for removal.
1820# Its value may be silently ignored in the future.
1821# Reason: Replaced by [DEFAULT]/transport_url
1822#rabbit_hosts = $rabbit_host:$rabbit_port
1823
# Connect over SSL for RabbitMQ. NOTE(review): with the default of `false`, the
# broker credentials and all RPC/notification traffic travel unencrypted; when
# enabling this, also set `kombu_ssl_ca_certs` so that the broker's certificate
# is verified rather than merely encrypted against. (boolean value)
1825# Deprecated group/name - [DEFAULT]/rabbit_use_ssl
1826#rabbit_use_ssl = false
1827
1828# DEPRECATED: The RabbitMQ userid. (string value)
1829# Deprecated group/name - [DEFAULT]/rabbit_userid
1830# This option is deprecated for removal.
1831# Its value may be silently ignored in the future.
1832# Reason: Replaced by [DEFAULT]/transport_url
1833#rabbit_userid = guest
1834
# DEPRECATED: The RabbitMQ password. NOTE(review): the `guest`/`guest` pair
# defaulted here and in `rabbit_userid` is RabbitMQ's well-known default
# account; never rely on it in production, and keep whatever credential is
# actually used out of world-readable files. (string value)
1836# Deprecated group/name - [DEFAULT]/rabbit_password
1837# This option is deprecated for removal.
1838# Its value may be silently ignored in the future.
1839# Reason: Replaced by [DEFAULT]/transport_url
1840#rabbit_password = guest
1841
1842# The RabbitMQ login method. (string value)
1843# Deprecated group/name - [DEFAULT]/rabbit_login_method
1844#rabbit_login_method = AMQPLAIN
1845
1846# DEPRECATED: The RabbitMQ virtual host. (string value)
1847# Deprecated group/name - [DEFAULT]/rabbit_virtual_host
1848# This option is deprecated for removal.
1849# Its value may be silently ignored in the future.
1850# Reason: Replaced by [DEFAULT]/transport_url
1851#rabbit_virtual_host = /
1852
1853# How frequently to retry connecting with RabbitMQ. (integer value)
1854#rabbit_retry_interval = 1
1855
1856# How long to backoff for between retries when connecting to RabbitMQ. (integer
1857# value)
1858# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
1859#rabbit_retry_backoff = 2
1860
1861# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
1862# (integer value)
1863#rabbit_interval_max = 30
1864
1865# DEPRECATED: Maximum number of RabbitMQ connection retries. Default is 0
1866# (infinite retry count). (integer value)
1867# Deprecated group/name - [DEFAULT]/rabbit_max_retries
1868# This option is deprecated for removal.
1869# Its value may be silently ignored in the future.
1870#rabbit_max_retries = 0
1871
1872# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
1873# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
1874# is no longer controlled by the x-ha-policy argument when declaring a queue.
1875# If you just want to make sure that all queues (except those with auto-
1876# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
1877# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
1878# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
1879#rabbit_ha_queues = false
1880
1881# Positive integer representing duration in seconds for queue TTL (x-expires).
1882# Queues which are unused for the duration of the TTL are automatically
1883# deleted. The parameter affects only reply and fanout queues. (integer value)
1884# Minimum value: 1
1885#rabbit_transient_queues_ttl = 1800
1886
1887# Specifies the number of messages to prefetch. Setting to zero allows
1888# unlimited messages. (integer value)
1889#rabbit_qos_prefetch_count = 0
1890
1891# Number of seconds after which the Rabbit broker is considered down if
1892# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
1893# value)
1894#heartbeat_timeout_threshold = 60
1895
1896# How often times during the heartbeat_timeout_threshold we check the
1897# heartbeat. (integer value)
1898#heartbeat_rate = 2
1899
1900# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
1901# Deprecated group/name - [DEFAULT]/fake_rabbit
1902#fake_rabbit = false
1903
1904# Maximum number of channels to allow (integer value)
1905#channel_max = <None>
1906
1907# The maximum byte size for an AMQP frame (integer value)
1908#frame_max = <None>
1909
1910# How often to send heartbeats for consumer's connections (integer value)
1911#heartbeat_interval = 3
1912
1913# Enable SSL (boolean value)
1914#ssl = <None>
1915
1916# Arguments passed to ssl.wrap_socket (dict value)
1917#ssl_options = <None>
1918
1919# Set socket timeout in seconds for connection's socket (floating point value)
1920#socket_timeout = 0.25
1921
1922# Set TCP_USER_TIMEOUT in seconds for connection's socket (floating point
1923# value)
1924#tcp_user_timeout = 0.25
1925
1926# Set delay for reconnection to some host which has connection error (floating
1927# point value)
1928#host_connection_reconnect_delay = 0.25
1929
1930# Connection factory implementation (string value)
1931# Allowed values: new, single, read_write
1932#connection_factory = single
1933
1934# Maximum number of connections to keep queued. (integer value)
1935#pool_max_size = 30
1936
1937# Maximum number of connections to create above `pool_max_size`. (integer
1938# value)
1939#pool_max_overflow = 0
1940
1941# Default number of seconds to wait for a connections to available (integer
1942# value)
1943#pool_timeout = 30
1944
1945# Lifetime of a connection (since creation) in seconds or None for no
1946# recycling. Expired connections are closed on acquire. (integer value)
1947#pool_recycle = 600
1948
1949# Threshold at which inactive (since release) connections are considered stale
1950# in seconds or None for no staleness. Stale connections are closed on acquire.
1951# (integer value)
1952#pool_stale = 60
1953
1954# Persist notification messages. (boolean value)
1955#notification_persistence = false
1956
1957# Exchange name for sending notifications (string value)
1958#default_notification_exchange = ${control_exchange}_notification
1959
1960# Max number of not acknowledged message which RabbitMQ can send to
1961# notification listener. (integer value)
1962#notification_listener_prefetch_count = 100
1963
1964# Reconnecting retry count in case of connectivity problem during sending
1965# notification, -1 means infinite retry. (integer value)
1966#default_notification_retry_attempts = -1
1967
1968# Reconnecting retry delay in case of connectivity problem during sending
1969# notification message (floating point value)
1970#notification_retry_delay = 0.25
1971
1972# Time to live for rpc queues without consumers in seconds. (integer value)
1973#rpc_queue_expiration = 60
1974
1975# Exchange name for sending RPC messages (string value)
1976#default_rpc_exchange = ${control_exchange}_rpc
1977
1978# Exchange name for receiving RPC replies (string value)
1979#rpc_reply_exchange = ${control_exchange}_rpc_reply
1980
1981# Max number of not acknowledged message which RabbitMQ can send to rpc
1982# listener. (integer value)
1983#rpc_listener_prefetch_count = 100
1984
1985# Max number of not acknowledged message which RabbitMQ can send to rpc reply
1986# listener. (integer value)
1987#rpc_reply_listener_prefetch_count = 100
1988
1989# Reconnecting retry count in case of connectivity problem during sending
1990# reply. -1 means infinite retry during rpc_timeout (integer value)
1991#rpc_reply_retry_attempts = -1
1992
1993# Reconnecting retry delay in case of connectivity problem during sending
1994# reply. (floating point value)
1995#rpc_reply_retry_delay = 0.25
1996
1997# Reconnecting retry count in case of connectivity problem during sending RPC
1998# message, -1 means infinite retry. If actual retry attempts in not 0 the rpc
1999# request could be processed more then one time (integer value)
2000#default_rpc_retry_attempts = -1
2001
2002# Reconnecting retry delay in case of connectivity problem during sending RPC
2003# message (floating point value)
2004#rpc_retry_delay = 0.25
2005
2006
2007[oslo_messaging_zmq]
2008
2009#
2010# From oslo.messaging
2011#
2012
# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address. NOTE(review): the
# default `*` listens on every interface; if the ZeroMQ driver is in use, bind
# to the management-network address instead and firewall the random port range
# configured by `rpc_zmq_min_port`/`rpc_zmq_max_port` below. (string value)
2015# Deprecated group/name - [DEFAULT]/rpc_zmq_bind_address
2016#rpc_zmq_bind_address = *
2017
2018# MatchMaker driver. (string value)
2019# Allowed values: redis, dummy
2020# Deprecated group/name - [DEFAULT]/rpc_zmq_matchmaker
2021#rpc_zmq_matchmaker = redis
2022
2023# Number of ZeroMQ contexts, defaults to 1. (integer value)
2024# Deprecated group/name - [DEFAULT]/rpc_zmq_contexts
2025#rpc_zmq_contexts = 1
2026
2027# Maximum number of ingress messages to locally buffer per topic. Default is
2028# unlimited. (integer value)
2029# Deprecated group/name - [DEFAULT]/rpc_zmq_topic_backlog
2030#rpc_zmq_topic_backlog = <None>
2031
2032# Directory for holding IPC sockets. (string value)
2033# Deprecated group/name - [DEFAULT]/rpc_zmq_ipc_dir
2034#rpc_zmq_ipc_dir = /var/run/openstack
2035
2036# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
2037# "host" option, if running Nova. (string value)
2038# Deprecated group/name - [DEFAULT]/rpc_zmq_host
2039#rpc_zmq_host = localhost
2040
2041# Seconds to wait before a cast expires (TTL). The default value of -1
2042# specifies an infinite linger period. The value of 0 specifies no linger
2043# period. Pending messages shall be discarded immediately when the socket is
2044# closed. Only supported by impl_zmq. (integer value)
2045# Deprecated group/name - [DEFAULT]/rpc_cast_timeout
2046#rpc_cast_timeout = -1
2047
2048# The default number of seconds that poll should wait. Poll raises timeout
2049# exception when timeout expired. (integer value)
2050# Deprecated group/name - [DEFAULT]/rpc_poll_timeout
2051#rpc_poll_timeout = 1
2052
2053# Expiration timeout in seconds of a name service record about existing target
2054# ( < 0 means no timeout). (integer value)
2055# Deprecated group/name - [DEFAULT]/zmq_target_expire
2056#zmq_target_expire = 300
2057
2058# Update period in seconds of a name service record about existing target.
2059# (integer value)
2060# Deprecated group/name - [DEFAULT]/zmq_target_update
2061#zmq_target_update = 180
2062
2063# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
2064# value)
2065# Deprecated group/name - [DEFAULT]/use_pub_sub
2066#use_pub_sub = true
2067
2068# Use ROUTER remote proxy. (boolean value)
2069# Deprecated group/name - [DEFAULT]/use_router_proxy
2070#use_router_proxy = true
2071
2072# Minimal port number for random ports range. (port value)
2073# Minimum value: 0
2074# Maximum value: 65535
2075# Deprecated group/name - [DEFAULT]/rpc_zmq_min_port
2076#rpc_zmq_min_port = 49153
2077
2078# Maximal port number for random ports range. (integer value)
2079# Minimum value: 1
2080# Maximum value: 65536
2081# Deprecated group/name - [DEFAULT]/rpc_zmq_max_port
2082#rpc_zmq_max_port = 65536
2083
2084# Number of retries to find free port number before fail with ZMQBindError.
2085# (integer value)
2086# Deprecated group/name - [DEFAULT]/rpc_zmq_bind_port_retries
2087#rpc_zmq_bind_port_retries = 100
2088
2089# Default serialization mechanism for serializing/deserializing
2090# outgoing/incoming messages (string value)
2091# Allowed values: json, msgpack
2092# Deprecated group/name - [DEFAULT]/rpc_zmq_serialization
2093#rpc_zmq_serialization = json
2094
2095# This option configures round-robin mode in zmq socket. True means not keeping
2096# a queue when server side disconnects. False means to keep queue and messages
2097# even if server is disconnected, when the server appears we send all
2098# accumulated messages to it. (boolean value)
2099#zmq_immediate = false
2100
2101
2102[oslo_middleware]
2103
2104#
2105# From oslo.middleware
2106#
2107
2108# The maximum body size for each request, in bytes. (integer value)
2109# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
2110# Deprecated group/name - [DEFAULT]/max_request_body_size
2111#max_request_body_size = 114688
2112
2113# DEPRECATED: The HTTP Header that will be used to determine what the original
2114# request protocol scheme was, even if it was hidden by a SSL termination
2115# proxy. (string value)
2116# This option is deprecated for removal.
2117# Its value may be silently ignored in the future.
2118#secure_proxy_ssl_header = X-Forwarded-Proto
2119
# Whether the application is behind a proxy or not. This determines if the
# middleware should parse the headers or not. NOTE(review): enable this only
# when every request reaches keystone through a trusted proxy that overwrites
# the forwarded headers (`X-Forwarded-Proto` and related headers); otherwise a
# client can supply them itself and spoof the scheme, host or client address
# that keystone sees and logs. (boolean value)
2122#enable_proxy_headers_parsing = false
2123
2124
2125[oslo_policy]
2126
2127#
2128# From oslo.policy
2129#
2130
2131# The JSON file that defines policies. (string value)
2132# Deprecated group/name - [DEFAULT]/policy_file
2133#policy_file = policy.json
2134
2135# Default rule. Enforced when a requested rule is not found. (string value)
2136# Deprecated group/name - [DEFAULT]/policy_default_rule
2137#policy_default_rule = default
2138
2139# Directories where policy configuration files are stored. They can be relative
2140# to any directory in the search path defined by the config_dir option, or
2141# absolute paths. The file defined by policy_file must exist for these
2142# directories to be searched. Missing or empty directories are ignored. (multi
2143# valued)
2144# Deprecated group/name - [DEFAULT]/policy_dirs
2145#policy_dirs = policy.d
2146
2147
[paste_deploy]
# Absolute path to the Paste Deploy file that composes keystone's middleware
# pipelines and the keystone application itself into WSGI entry points (see
# the option description below). Because it decides which middleware runs in
# front of keystone, treat it as security-sensitive: owned by root or the
# keystone service account, and not writable by anyone else.
config_file = /etc/keystone/keystone-paste.ini
2150
2151#
2152# From keystone
2153#
2154
2155# Name of (or absolute path to) the Paste Deploy configuration file that
2156# composes middleware and the keystone application itself into actual WSGI
2157# entry points. See http://pythonpaste.org/deploy/ for additional documentation
2158# on the file's format. (string value)
2159#config_file = keystone-paste.ini
2160
2161
2162[policy]
2163
2164#
2165# From keystone
2166#
2167
2168# Entry point for the policy backend driver in the `keystone.policy` namespace.
2169# Supplied drivers are `rules` (which does not support any CRUD operations for
2170# the v3 policy API) and `sql`. Typically, there is no reason to set this
2171# option unless you are providing a custom entry point. (string value)
2172#driver = sql
2173
2174# Maximum number of entities that will be returned in a policy collection.
2175# (integer value)
2176#list_limit = <None>
2177
2178
2179[profiler]
2180
2181#
2182# From osprofiler
2183#
2184
2185#
# Enables the profiling for all services on this node. Default value is False
# (fully disable the profiling feature).
#
# Possible values:
#
# * True: Enables the feature
# * False: Disables the feature. The profiling cannot be started via this
#   project's operations. If the profiling is triggered by another project,
#   this project's part of the trace will be empty.
2197# (boolean value)
2198# Deprecated group/name - [profiler]/profiler_enabled
2199#enabled = false
2200
2201#
2202# Enables SQL requests profiling in services. Default value is False (SQL
2203# requests won't be traced).
2204#
2205# Possible values:
2206#
2207# * True: Enables SQL requests profiling. Each SQL query will be part of the
2208# trace and can the be analyzed by how much time was spent for that.
2209# * False: Disables SQL requests profiling. The spent time is only shown on a
2210# higher level of operations. Single SQL queries cannot be analyzed this
2211# way.
2212# (boolean value)
2213#trace_sqlalchemy = false
2214
2215#
2216# Secret key(s) to use for encrypting context data for performance profiling.
2217# This string value should have the following format:
2218# <key1>[,<key2>,...<keyn>],
2219# where each key is some random string. A user who triggers the profiling via
2220# the REST API has to set one of these keys in the headers of the REST API call
2221# to include profiling results of this node for this particular project.
2222#
2223# Both "enabled" flag and "hmac_keys" config options should be set to enable
2224# profiling. Also, to generate correct profiling information across all
2225# services
2226# at least one key needs to be consistent between OpenStack projects. This
2227# ensures it can be used from client side to generate the trace, containing
2228# information from all possible resources. (string value)
2229#hmac_keys = SECRET_KEY
2230
2231#
2232# Connection string for a notifier backend. Default value is messaging:// which
2233# sets the notifier to oslo_messaging.
2234#
2235# Examples of possible values:
2236#
2237# * messaging://: use oslo_messaging driver for sending notifications.
2238# (string value)
2239#connection_string = messaging://
2240
2241
2242[resource]
# NOTE(review): `admin_project_name` and `admin_project_domain_name` are both
# set here, so the `admin` project in the `Default` domain is the cloud-level
# admin project described below: tokens scoped to it carry a true
# `is_admin_project` attribute and role assignments on it apply across every
# project. Keep its membership minimal and audited.
2243admin_project_name = admin
2244admin_project_domain_name = Default
2245driver = sql
2246
2247#
2248# From keystone
2249#
2250
2251# Entry point for the resource driver in the `keystone.resource` namespace.
2252# Only a `sql` driver is supplied by keystone. If a resource driver is not
2253# specified, the assignment driver will choose the resource driver to maintain
2254# backwards compatibility with older configuration files. (string value)
2255#driver = <None>
2256
2257# Toggle for resource caching. This has no effect unless global caching is
2258# enabled. (boolean value)
2259# Deprecated group/name - [assignment]/caching
2260#caching = true
2261
2262# Time to cache resource data in seconds. This has no effect unless global
2263# caching is enabled. (integer value)
2264# Deprecated group/name - [assignment]/cache_time
2265#cache_time = <None>
2266
2267# Maximum number of entities that will be returned in a resource collection.
2268# (integer value)
2269# Deprecated group/name - [assignment]/list_limit
2270#list_limit = <None>
2271
2272# Name of the domain that owns the `admin_project_name`. If left unset, then
2273# there is no admin project. `[resource] admin_project_name` must also be set
2274# to use this option. (string value)
2275#admin_project_domain_name = <None>
2276
2277# This is a special project which represents cloud-level administrator
2278# privileges across services. Tokens scoped to this project will contain a true
2279# `is_admin_project` attribute to indicate to policy systems that the role
2280# assignments on that specific project should apply equally across every
2281# project. If left unset, then there is no admin project, and thus no explicit
2282# means of cross-project role assignments. `[resource]
2283# admin_project_domain_name` must also be set to use this option. (string
2284# value)
2285#admin_project_name = <None>
2286
2287# This controls whether the names of projects are restricted from containing
2288# URL-reserved characters. If set to `new`, attempts to create or update a
2289# project with a URL-unsafe name will fail. If set to `strict`, attempts to
2290# scope a token with a URL-unsafe project name will fail, thereby forcing all
2291# project names to be updated to be URL-safe. (string value)
2292# Allowed values: off, new, strict
2293#project_name_url_safe = off
2294
2295# This controls whether the names of domains are restricted from containing
2296# URL-reserved characters. If set to `new`, attempts to create or update a
2297# domain with a URL-unsafe name will fail. If set to `strict`, attempts to
2298# scope a token with a URL-unsafe domain name will fail, thereby forcing all
2299# domain names to be updated to be URL-safe. (string value)
2300# Allowed values: off, new, strict
2301#domain_name_url_safe = off
2302
2303
2304[revoke]
2305
2306#
2307# From keystone
2308#
2309
2310# Entry point for the token revocation backend driver in the `keystone.revoke`
2311# namespace. Keystone only provides a `sql` driver, so there is no reason to
2312# set this option unless you are providing a custom entry point. (string value)
2313#driver = sql
2314
2315# The number of seconds after a token has expired before a corresponding
2316# revocation event may be purged from the backend. (integer value)
2317# Minimum value: 0
2318#expiration_buffer = 1800
2319
2320# Toggle for revocation event caching. This has no effect unless global caching
2321# is enabled. (boolean value)
2322#caching = true
2323
2324# Time to cache the revocation list and the revocation events (in seconds).
2325# This has no effect unless global and `[revoke] caching` are both enabled.
2326# (integer value)
2327# Deprecated group/name - [token]/revocation_cache_time
2328#cache_time = 3600
2329
2330
2331[role]
# Role backend explicitly pinned to the supplied `sql` driver (see the `driver`
# description below); the caching and list-limit options are left at their
# defaults.
2332driver = sql
2333
2334#
2335# From keystone
2336#
2337
2338# Entry point for the role backend driver in the `keystone.role` namespace.
2339# Keystone only provides a `sql` driver, so there's no reason to change this
2340# unless you are providing a custom entry point. (string value)
2341#driver = <None>
2342
2343# Toggle for role caching. This has no effect unless global caching is enabled.
2344# In a typical deployment, there is no reason to disable this. (boolean value)
2345#caching = true
2346
2347# Time to cache role data, in seconds. This has no effect unless both global
2348# caching and `[role] caching` are enabled. (integer value)
2349#cache_time = <None>
2350
2351# Maximum number of entities that will be returned in a role collection. This
2352# may be useful to tune if you have a large number of discrete roles in your
2353# deployment. (integer value)
2354#list_limit = <None>
2355
2356
2357[saml]
2358
2359#
2360# From keystone
2361#
2362
2363# Determines the lifetime for any SAML assertions generated by keystone, using
2364# `NotOnOrAfter` attributes. (integer value)
2365#assertion_expiration_time = 3600
2366
2367# Name of, or absolute path to, the binary to be used for XML signing. Although
2368# only the XML Security Library (`xmlsec1`) is supported, it may have a non-
2369# standard name or path on your system. If keystone cannot find the binary
2370# itself, you may need to install the appropriate package, use this option to
2371# specify an absolute path, or adjust keystone's PATH environment variable.
2372# (string value)
2373#xmlsec1_binary = xmlsec1
2374
2375# Absolute path to the public certificate file to use for SAML signing. The
2376# value cannot contain a comma (`,`). (string value)
2377#certfile = /etc/keystone/ssl/certs/signing_cert.pem
2378
2379# Absolute path to the private key file to use for SAML signing. The value
2380# cannot contain a comma (`,`). (string value)
2381#keyfile = /etc/keystone/ssl/private/signing_key.pem
2382
2383# This is the unique entity identifier of the identity provider (keystone) to
2384# use when generating SAML assertions. This value is required to generate
2385# identity provider metadata and must be a URI (a URL is recommended). For
2386# example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`. (uri
2387# value)
2388#idp_entity_id = <None>
2389
2390# This is the single sign-on (SSO) service location of the identity provider
2391# which accepts HTTP POST requests. A value is required to generate identity
2392# provider metadata. For example: `https://keystone.example.com/v3/OS-
2393# FEDERATION/saml2/sso`. (uri value)
2394#idp_sso_endpoint = <None>
2395
2396# This is the language used by the identity provider's organization. (string
2397# value)
2398#idp_lang = en
2399
2400# This is the name of the identity provider's organization. (string value)
2401#idp_organization_name = SAML Identity Provider
2402
2403# This is the name of the identity provider's organization to be displayed.
2404# (string value)
2405#idp_organization_display_name = OpenStack SAML Identity Provider
2406
2407# This is the URL of the identity provider's organization. The URL referenced
2408# here should be useful to humans. (uri value)
2409#idp_organization_url = https://example.com/
2410
2411# This is the company name of the identity provider's contact person. (string
2412# value)
2413#idp_contact_company = Example, Inc.
2414
2415# This is the given name of the identity provider's contact person. (string
2416# value)
2417#idp_contact_name = SAML Identity Provider Support
2418
2419# This is the surname of the identity provider's contact person. (string value)
2420#idp_contact_surname = Support
2421
2422# This is the email address of the identity provider's contact person. (string
2423# value)
2424#idp_contact_email = support@example.com
2425
2426# This is the telephone number of the identity provider's contact person.
2427# (string value)
2428#idp_contact_telephone = +1 800 555 0100
2429
2430# This is the type of contact that best describes the identity provider's
2431# contact person. (string value)
2432# Allowed values: technical, support, administrative, billing, other
2433#idp_contact_type = other
2434
2435# Absolute path to the identity provider metadata file. This file should be
2436# generated with the `keystone-manage saml_idp_metadata` command. There is
2437# typically no reason to change this value. (string value)
2438#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
2439
2440# The prefix of the RelayState SAML attribute to use when generating enhanced
2441# client and proxy (ECP) assertions. In a typical deployment, there is no
2442# reason to change this value. (string value)
2443#relay_state_prefix = ss:mem:
2444
2445
2446[security_compliance]
2447
2448#
2449# From keystone
2450#
2451
2452# The maximum number of days a user can go without authenticating before being
2453# considered "inactive" and automatically disabled (locked). This feature is
2454# disabled by default; set any value to enable it. This feature depends on the
2455# `sql` backend for the `[identity] driver`. When a user exceeds this threshold
2456# and is considered "inactive", the user's `enabled` attribute in the HTTP API
2457# may not match the value of the user's `enabled` column in the user table.
2458# (integer value)
2459# Minimum value: 1
2460#disable_user_account_days_inactive = <None>
2461
2462# The maximum number of times that a user can fail to authenticate before the
2463# user account is locked for the number of seconds specified by
2464# `[security_compliance] lockout_duration`. This feature is disabled by
2465# default. If this feature is enabled and `[security_compliance]
2466# lockout_duration` is not set, then users may be locked out indefinitely until
2467# the user is explicitly enabled via the API. This feature depends on the `sql`
2468# backend for the `[identity] driver`. (integer value)
2469# Minimum value: 1
2470#lockout_failure_attempts = <None>
2471
2472# The number of seconds a user account will be locked when the maximum number
2473# of failed authentication attempts (as specified by `[security_compliance]
2474# lockout_failure_attempts`) is exceeded. Setting this option will have no
2475# effect unless you also set `[security_compliance] lockout_failure_attempts`
2476# to a non-zero value. This feature depends on the `sql` backend for the
2477# `[identity] driver`. (integer value)
2478# Minimum value: 1
2479#lockout_duration = 1800
2480
2481# The number of days for which a password will be considered valid before
2482# requiring it to be changed. This feature is disabled by default. If enabled,
2483# new password changes will have an expiration date, however existing passwords
2484# would not be impacted. This feature depends on the `sql` backend for the
2485# `[identity] driver`. (integer value)
2486# Minimum value: 1
2487#password_expires_days = <None>
2488
2489# Comma separated list of user IDs to be ignored when checking if a password is
2490# expired. Passwords for users in this list will not expire. This feature will
2491# only be enabled if `[security_compliance] password_expires_days` is set.
2492# (list value)
2493#password_expires_ignore_user_ids =
2494
2495# This controls the number of previous user password iterations to keep in
2496# history, in order to enforce that newly created passwords are unique. Setting
2497# the value to one (the default) disables this feature. Thus, to enable this
2498# feature, values must be greater than 1. This feature depends on the `sql`
2499# backend for the `[identity] driver`. (integer value)
2500# Minimum value: 1
2501#unique_last_password_count = 1
2502
2503# The number of days that a password must be used before the user can change
2504# it. This prevents users from changing their passwords immediately in order to
2505# wipe out their password history and reuse an old password. This feature does
2506# not prevent administrators from manually resetting passwords. It is disabled
2507# by default and allows for immediate password changes. This feature depends on
2508# the `sql` backend for the `[identity] driver`. Note: If
2509# `[security_compliance] password_expires_days` is set, then the value for this
2510# option should be less than the `password_expires_days`. (integer value)
2511# Minimum value: 0
2512#minimum_password_age = 0
2513
2514# The regular expression used to validate password strength requirements. By
2515# default, the regular expression will match any password. The following is an
2516# example of a pattern which requires at least 1 letter, 1 digit, and a
2517# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
2518# depends on the `sql` backend for the `[identity] driver`. (string value)
2519#password_regex = <None>
2520
2521# Describe your password regular expression here in plain language. If a
2522# password fails to match the regular expression, the contents of this
2523# configuration variable will be returned to users to explain why their
2524# requested password was insufficient. (string value)
2525#password_regex_description = <None>
2526
2527
2528[shadow_users]
2529
2530#
2531# From keystone
2532#
2533
2534# Entry point for the shadow users backend driver in the
2535# `keystone.identity.shadow_users` namespace. This driver is used for
2536# persisting local user references to externally-managed identities (via
2537# federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no
2538# reason to change this option unless you are providing a custom entry point.
2539# (string value)
2540#driver = sql
2541
2542
2543[signing]
2544
2545#
2546# From keystone
2547#
2548
2549# DEPRECATED: Absolute path to the public certificate file to use for signing
2550# PKI and PKIZ tokens. Set this together with `[signing] keyfile`. For non-
2551# production environments, you may be interested in using `keystone-manage
2552# pki_setup` to generate self-signed certificates. There is no reason to set
2553# this option unless you are using either a `pki` or `pkiz` `[token] provider`.
2554# (string value)
2555# This option is deprecated for removal since M.
2556# Its value may be silently ignored in the future.
2557# Reason: PKI token support has been deprecated in the M release and will be
2558# removed in the O release. Fernet or UUID tokens are recommended.
2559#certfile = /etc/keystone/ssl/certs/signing_cert.pem
2560
2561# DEPRECATED: Absolute path to the private key file to use for signing PKI and
2562# PKIZ tokens. Set this together with `[signing] certfile`. There is no reason
2563# to set this option unless you are using either a `pki` or `pkiz` `[token]
2564# provider`. (string value)
2565# This option is deprecated for removal since M.
2566# Its value may be silently ignored in the future.
2567# Reason: PKI token support has been deprecated in the M release and will be
2568# removed in the O release. Fernet or UUID tokens are recommended.
2569#keyfile = /etc/keystone/ssl/private/signing_key.pem
2570
2571# DEPRECATED: Absolute path to the public certificate authority (CA) file to
2572# use when creating self-signed certificates with `keystone-manage pki_setup`.
2573# Set this together with `[signing] ca_key`. There is no reason to set this
2574# option unless you are using a `pki` or `pkiz` `[token] provider` value in a
2575# non-production environment. Use a `[signing] certfile` issued from a trusted
2576# certificate authority instead. (string value)
2577# This option is deprecated for removal since M.
2578# Its value may be silently ignored in the future.
2579# Reason: PKI token support has been deprecated in the M release and will be
2580# removed in the O release. Fernet or UUID tokens are recommended.
2581#ca_certs = /etc/keystone/ssl/certs/ca.pem
2582
2583# DEPRECATED: Absolute path to the private certificate authority (CA) key file
2584# to use when creating self-signed certificates with `keystone-manage
2585# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason
2586# to set this option unless you are using a `pki` or `pkiz` `[token] provider`
2587# value in a non-production environment. Use a `[signing] certfile` issued from
2588# a trusted certificate authority instead. (string value)
2589# This option is deprecated for removal since M.
2590# Its value may be silently ignored in the future.
2591# Reason: PKI token support has been deprecated in the M release and will be
2592# removed in the O release. Fernet or UUID tokens are recommended.
2593#ca_key = /etc/keystone/ssl/private/cakey.pem
2594
2595# DEPRECATED: Key size (in bits) to use when generating a self-signed token
2596# signing certificate. There is no reason to set this option unless you are
2597# using a `pki` or `pkiz` `[token] provider` value in a non-production
2598# environment. Use a `[signing] certfile` issued from a trusted certificate
2599# authority instead. (integer value)
2600# Minimum value: 1024
2601# This option is deprecated for removal since M.
2602# Its value may be silently ignored in the future.
2603# Reason: PKI token support has been deprecated in the M release and will be
2604# removed in the O release. Fernet or UUID tokens are recommended.
2605#key_size = 2048
2606
2607# DEPRECATED: The validity period (in days) to use when generating a self-
2608# signed token signing certificate. There is no reason to set this option
2609# unless you are using a `pki` or `pkiz` `[token] provider` value in a non-
2610# production environment. Use a `[signing] certfile` issued from a trusted
2611# certificate authority instead. (integer value)
2612# This option is deprecated for removal since M.
2613# Its value may be silently ignored in the future.
2614# Reason: PKI token support has been deprecated in the M release and will be
2615# removed in the O release. Fernet or UUID tokens are recommended.
2616#valid_days = 3650
2617
2618# DEPRECATED: The certificate subject to use when generating a self-signed
2619# token signing certificate. There is no reason to set this option unless you
2620# are using a `pki` or `pkiz` `[token] provider` value in a non-production
2621# environment. Use a `[signing] certfile` issued from a trusted certificate
2622# authority instead. (string value)
2623# This option is deprecated for removal since M.
2624# Its value may be silently ignored in the future.
2625# Reason: PKI token support has been deprecated in the M release and will be
2626# removed in the O release. Fernet or UUID tokens are recommended.
2627#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
2628
2629
2630[token]
# NOTE(review): only the persistence `driver` is set here; `provider` is left
# at its default (`uuid`, see below), so every issued token is persisted in
# this `sql` backend. `expiration` is also at its default (3600 seconds); as
# the description below notes, keystone tokens are bearer tokens, so this
# value bounds the window in which a leaked token remains usable.
2631driver = sql
2632
2633#
2634# From keystone
2635#
2636
2637# This is a list of external authentication mechanisms which should add token
2638# binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is
2639# enforced according to the `[token] enforce_token_bind` option. (list value)
2640#bind =
2641
2642# This controls the token binding enforcement policy on tokens presented to
2643# keystone with token binding metadata (as specified by the `[token] bind`
2644# option). `disabled` completely bypasses token binding validation.
2645# `permissive` and `strict` do not require tokens to have binding metadata (but
2646# will validate it if present), whereas `required` will always demand tokens
2647# to have binding metadata. `permissive` will allow unsupported binding metadata
2648# to pass through without validation (usually to be validated at another time
2649# by another component), whereas `strict` and `required` will demand that the
2650# included binding metadata be supported by keystone. (string value)
2651# Allowed values: disabled, permissive, strict, required
2652#enforce_token_bind = permissive
2653
2654# The amount of time that a token should remain valid (in seconds). Drastically
2655# reducing this value may break "long-running" operations that involve multiple
2656# services to coordinate together, and will force users to authenticate with
2657# keystone more frequently. Drastically increasing this value will increase
2658# load on the `[token] driver`, as more tokens will be simultaneously valid.
2659# Keystone tokens are also bearer tokens, so a shorter duration will also
2660# reduce the potential security impact of a compromised token. (integer value)
2661# Minimum value: 0
2662# Maximum value: 9223372036854775807
2663#expiration = 3600
2664
2665# Entry point for the token provider in the `keystone.token.provider`
2666# namespace. The token provider controls the token construction, validation,
2667# and revocation operations. Keystone includes `fernet`, `pkiz`, `pki`, and
2668# `uuid` token providers. `uuid` tokens must be persisted (using the backend
2669# specified in the `[token] driver` option), but do not require any extra
2670# configuration or setup. `fernet` tokens do not need to be persisted at all,
2671# but require that you run `keystone-manage fernet_setup` (also see the
2672# `keystone-manage fernet_rotate` command). `pki` and `pkiz` tokens can be
2673# validated offline, without making HTTP calls to keystone, but require that
2674# certificates be installed and distributed to facilitate signing tokens and
2675# later validating those signatures. (string value)
2676#provider = uuid
2677
2678# Entry point for the token persistence backend driver in the
2679# `keystone.token.persistence` namespace. Keystone provides `kvs`, `memcache`,
2680# `memcache_pool`, and `sql` drivers. The `kvs` backend depends on the
2681# configuration in the `[kvs]` section. The `memcache` and `memcache_pool`
2682# options depend on the configuration in the `[memcache]` section. The `sql`
2683# option (default) depends on the options in your `[database]` section. If
2684# you're using the `fernet` `[token] provider`, this backend will not be
2685# utilized to persist tokens at all. (string value)
2686#driver = sql
2687
2688# Toggle for caching token creation and validation data. This has no effect
2689# unless global caching is enabled. (boolean value)
2690#caching = true
2691
2692# The number of seconds to cache token creation and validation data. This has
2693# no effect unless both global and `[token] caching` are enabled. (integer
2694# value)
2695# Minimum value: 0
2696# Maximum value: 9223372036854775807
2697#cache_time = <None>
2698
2699# This toggles support for revoking individual tokens by the token identifier
2700# and thus various token enumeration operations (such as listing all tokens
2701# issued to a specific user). These operations are used to determine the list
2702# of tokens to consider revoked. Do not disable this option if you're using the
2703# `kvs` `[revoke] driver`. (boolean value)
2704#revoke_by_id = true
2705
2706# This toggles whether scoped tokens may be re-scoped to a new project or
2707# domain, thereby preventing users from exchanging a scoped token (including
2708# those with a default project scope) for any other token. This forces users to
2709# either authenticate for unscoped tokens (and later exchange that unscoped
2710# token for tokens with a more specific scope) or to provide their credentials
2711# in every request for a scoped token to avoid re-scoping altogether. (boolean
2712# value)
2713#allow_rescope_scoped_token = true
2714
2715# DEPRECATED: This controls the hash algorithm to use to uniquely identify PKI
2716# tokens without having to transmit the entire token to keystone (which may be
2717# several kilobytes). This can be set to any algorithm that hashlib supports.
2718# WARNING: Before changing this value, the `auth_token` middleware protecting
2719# all other services must be configured with the set of hash algorithms to
2720# expect from keystone (both your old and new value for this option), otherwise
2721# token revocation will not be processed correctly. (string value)
2722# Allowed values: md5, sha1, sha224, sha256, sha384, sha512
2723# This option is deprecated for removal since M.
2724# Its value may be silently ignored in the future.
2725# Reason: PKI token support has been deprecated in the M release and will be
2726# removed in the O release. Fernet or UUID tokens are recommended.
2727#hash_algorithm = md5
2728
2729# This controls whether roles should be included with tokens that are not
2730# directly assigned to the token's scope, but are instead linked implicitly to
2731# other role assignments. (boolean value)
2732#infer_roles = true
2733
2734# Enable storing issued token data in the token validation cache so that the
2735# first validation of a token does not trigger a full validation cycle.
2736# (boolean value)
2737#cache_on_issue = false
2738
2739
2740[tokenless_auth]
2741
2742#
2743# From keystone
2744#
2745
2746# The list of distinguished names which identify trusted issuers of client
2747# certificates allowed to use X.509 tokenless authorization. If the option is
2748# absent then no certificates will be allowed. The components of a
2749# distinguished name (DN) must be separated by commas and contain no spaces.
2750# Furthermore, because an individual DN may contain commas, this configuration
2751# option may be repeated multiple times to represent multiple values. For
2752# example, keystone.conf would include two consecutive lines in order to trust
2753# two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack`
2754# and `trusted_issuer = CN=mary,OU=eng,O=abc`. (multi valued)
2755#trusted_issuer =
2756
2757# The federated protocol ID used to represent X.509 tokenless authorization.
2758# This is used in combination with the value of `[tokenless_auth]
2759# issuer_attribute` to find a corresponding federated mapping. In a typical
2760# deployment, there is no reason to change this value. (string value)
2761#protocol = x509
2762
2763# The name of the WSGI environment variable used to pass the issuer of the
2764# client certificate to keystone. This attribute is used as an identity
2765# provider ID for the X.509 tokenless authorization along with the protocol to
2766# look up its corresponding mapping. In a typical deployment, there is no
2767# reason to change this value. (string value)
2768#issuer_attribute = SSL_CLIENT_I_DN
2769
2770
2771[trust]
2772
2773#
2774# From keystone
2775#
2776
2777# Delegation and impersonation features using trusts can be optionally
2778# disabled. (boolean value)
2779#enabled = true
2780
2781# Allows authorization to be redelegated from one user to another, effectively
2782# chaining trusts together. When disabled, the `remaining_uses` attribute of a
2783# trust is constrained to be zero. (boolean value)
2784#allow_redelegation = false
2785
2786# Maximum number of times that authorization can be redelegated from one user
2787# to another in a chain of trusts. This number may be reduced further for a
2788# specific trust. (integer value)
2789#max_redelegation_count = 3
2790
2791# Entry point for the trust backend driver in the `keystone.trust` namespace.
2792# Keystone only provides a `sql` driver, so there is no reason to change this
2793# unless you are providing a custom entry point. (string value)
2794#driver = sql