Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- [DEFAULT]
- # A "shared secret" between keystone and other openstack services
- admin_token = pass
- # The IP address of the network interface to listen on
- bind_host = 0.0.0.0
- # The port number which the public service listens on
- public_port = 5000
- # The port number which the public admin listens on
- admin_port = 35357
- # The base endpoint URLs for keystone that are advertised to clients
- # (NOTE: this does NOT affect how keystone listens for connections)
- # public_endpoint = http://localhost:%(public_port)s/
- # admin_endpoint = http://localhost:%(admin_port)s/
- # The port number which the OpenStack Compute service listens on
- compute_port = 8774
- # Path to your policy definition containing identity actions
- policy_file = policy.json
- # Rule to check if no matching policy definition is found
- # FIXME(dolph): This should really be defined as [policy] default_rule
- # policy_default_rule = admin_required
- # Role for migrating membership relationships
- # During a SQL upgrade, the following values will be used to create a new role
- # that will replace records in the user_tenant_membership table with explicit
- # role grants. After migration, the member_role_id will be used in the API
- # add_user_to_project, and member_role_name will be ignored.
- # member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
- # member_role_name = _member_
- # enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
- # max_request_body_size = 114688
- # limit the sizes of user & tenant ID/names
- # max_param_size = 64
- # similar to max_param_size, but provides an exception for token values
- # max_token_size = 8192
- # === Logging Options ===
- # Print debugging output
- # (includes plaintext request logging, potentially including passwords)
- debug = True
- # Print more verbose output
- verbose = True
- # Name of log file to output to. If not set, logging will go to stdout.
- log_file = keystone.log
- # The directory to keep log files in (will be prepended to --logfile)
- log_dir = /var/log/keystone
- # Use syslog for logging.
- # use_syslog = False
- # syslog facility to receive log lines
- # syslog_log_facility = LOG_USER
- # If this option is specified, the logging configuration file specified is
- # used and overrides any other logging options specified. Please see the
- # Python logging module documentation for details on logging configuration
- # files.
- # log_config = logging.conf
- # A logging.Formatter log message format string which may use any of the
- # available logging.LogRecord attributes.
- # log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
- # Format string for %(asctime)s in log records.
- # log_date_format = %Y-%m-%d %H:%M:%S
- # onready allows you to send a notification when the process is ready to serve
- # For example, to have it notify using systemd, one could set shell command:
- # onready = systemd-notify --ready
- # or a module with notify() method:
- # onready = keystone.common.systemd
- # === Notification Options ===
- # Notifications can be sent when users or projects are created, updated or
- # deleted. There are three methods of sending notifications: logging (via the
- # log_file directive), rpc (via a message queue) and no_op (no notifications
- # sent, the default)
- # notification_driver can be defined multiple times
- # Do nothing driver (the default)
- # notification_driver = keystone.openstack.common.notifier.no_op_notifier
- # Logging driver example (not enabled by default)
- # notification_driver = keystone.openstack.common.notifier.log_notifier
- # RPC driver example (not enabled by default)
- # notification_driver = keystone.openstack.common.notifier.rpc_notifier
- # Default notification level for outgoing notifications
- # default_notification_level = INFO
- # Default publisher_id for outgoing notifications; included in the payload.
- # default_publisher_id =
- # AMQP topics to publish to when using the RPC notification driver.
- # Multiple values can be specified by separating with commas.
- # The actual topic names will be %s.%(default_notification_level)s
- # notification_topics = notifications
- # === RPC Options ===
- # For Keystone, these options apply only when the RPC notification driver is
- # used.
- # The messaging module to use, defaults to kombu.
- # rpc_backend = keystone.openstack.common.rpc.impl_kombu
- # Size of RPC thread pool
- # rpc_thread_pool_size = 64
- # Size of RPC connection pool
- # rpc_conn_pool_size = 30
- # Seconds to wait for a response from call or multicall
- # rpc_response_timeout = 60
- # Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
- # rpc_cast_timeout = 30
- # Modules of exceptions that are permitted to be recreated upon receiving
- # exception data from an rpc call.
- # allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions
- # If True, use a fake RabbitMQ provider
- # fake_rabbit = False
- # AMQP exchange to connect to if using RabbitMQ or Qpid
- # control_exchange = openstack
- [sql]
- # The SQLAlchemy connection string used to connect to the database
- connection = mysql://keystone:pass@192.168.3.100:3306/keystone
- # the timeout before idle sql connections are reaped
- #idle_timeout = 200
- [identity]
- driver = keystone.identity.backends.sql.Identity
- # This references the domain to use for all Identity API v2 requests (which are
- # not aware of domains). A domain with this ID will be created for you by
- # keystone-manage db_sync in migration 008. The domain referenced by this ID
- # cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
- # There is nothing special about this domain, other than the fact that it must
- # exist to order to maintain support for your v2 clients.
- # default_domain_id = default
- #
- # A subset (or all) of domains can have their own identity driver, each with
- # their own partial configuration file in a domain configuration directory.
- # Only values specific to the domain need to be placed in the domain specific
- # configuration file. This feature is disabled by default; set
- # domain_specific_drivers_enabled to True to enable.
- # domain_specific_drivers_enabled = False
- # domain_config_dir = /etc/keystone/domains
- # Maximum supported length for user passwords; decrease to improve performance.
- # max_password_length = 4096
- [credential]
- driver = keystone.credential.backends.sql.Credential
- [trust]
- driver = keystone.trust.backends.sql.Trust
- # delegation and impersonation features can be optionally disabled
- # enabled = True
- [os_inherit]
- # role-assignment inheritance to projects from owning domain can be
- # optionally enabled
- # enabled = False
- [catalog]
- # dynamic, sql-based backend (supports API/CLI-based management commands)
- driver = keystone.catalog.backends.sql.Catalog
- # static, file-based backend (does *NOT* support any management commands)
- # driver = keystone.catalog.backends.templated.TemplatedCatalog
- [endpoint_filter]
- # extension for creating associations between project and endpoints in order to
- # provide a tailored catalog for project-scoped token requests.
- # driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
- # return_all_endpoints_if_no_filter = True
- [token]
- # Provides token persistence.
- driver = keystone.token.backends.sql.Token
- # Controls the token construction, validation, and revocation operations.
- # Core providers are keystone.token.providers.[pki|uuid].Provider
- # provider =
- # Amount of time a token should remain valid (in seconds)
- # expiration = 86400
- # External auth mechanisms that should add bind information to token.
- # eg kerberos, x509
- # bind =
- # Enforcement policy on tokens presented to keystone with bind information.
- # One of disabled, permissive, strict, required or a specifically required bind
- # mode e.g. kerberos or x509 to require binding to that authentication.
- # enforce_token_bind = permissive
- # Token specific caching toggle. This has no effect unless the global caching
- # option is set to True
- # caching = True
- # Token specific cache time-to-live (TTL) in seconds.
- # cache_time =
- # Revocation-List specific cache time-to-live (TTL) in seconds.
- # revocation_cache_time = 3600
- [cache]
- # Global cache functionality toggle.
- # enabled = False
- # Prefix for building the configuration dictionary for the cache region. This
- # should not need to be changed unless there is another dogpile.cache region
- # with the same configuration name
- # config_prefix = cache.keystone
- # Default TTL, in seconds, for any cached item in the dogpile.cache region.
- # This applies to any cached method that doesn't have an explicit cache
- # expiration time defined for it.
- # expiration_time = 600
- # Dogpile.cache backend module. It is recommended that Memcache
- # (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
- # deployments. Small workloads (single process) like devstack can use the
- # dogpile.cache.memory backend.
- # backend = keystone.common.cache.noop
- # Arguments supplied to the backend module. Specify this option once per
- # argument to be passed to the dogpile.cache backend.
- # Example format: <argname>:<value>
- # backend_argument =
- # Proxy Classes to import that will affect the way the dogpile.cache backend
- # functions. See the dogpile.cache documentation on changing-backend-behavior.
- # Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
- # proxies =
- # Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
- # is toggle-able for debugging purposes, it is highly recommended to always
- # leave this set to True.
- # use_key_mangler = True
- # Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
- # This is only really useful if you need to see the specific cache-backend
- # get/set/delete calls with the keys/values. Typically this should be left
- # set to False.
- # debug_cache_backend = False
- [policy]
- driver = keystone.policy.backends.sql.Policy
- [ec2]
- driver = keystone.contrib.ec2.backends.kvs.Ec2
- [assignment]
- # driver =
- # Assignment specific caching toggle. This has no effect unless the global
- # caching option is set to True
- # caching = True
- # Assignment specific cache time-to-live (TTL) in seconds.
- # cache_time =
- [oauth1]
- # Install python-oauth2 in order to use oauth
- # driver = keystone.contrib.oauth1.backends.sql.OAuth1
- # The Identity service may include expire attributes.
- # If no such attribute is included, then the token lasts indefinitely.
- # Specify how quickly the request token will expire (in seconds)
- # request_token_duration = 28800
- # Specify how quickly the access token will expire (in seconds)
- # access_token_duration = 86400
- [ssl]
- #enable = True
- #certfile = /etc/keystone/pki/certs/ssl_cert.pem
- #keyfile = /etc/keystone/pki/private/ssl_key.pem
- #ca_certs = /etc/keystone/pki/certs/cacert.pem
- #ca_key = /etc/keystone/pki/private/cakey.pem
- #key_size = 1024
- #valid_days = 3650
- #cert_required = False
- #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
- [signing]
- # Deprecated in favor of provider in the [token] section
- # Allowed values are PKI or UUID
- #token_format =
- #certfile = /etc/keystone/pki/certs/signing_cert.pem
- #keyfile = /etc/keystone/pki/private/signing_key.pem
- #ca_certs = /etc/keystone/pki/certs/cacert.pem
- #ca_key = /etc/keystone/pki/private/cakey.pem
- #key_size = 2048
- #valid_days = 3650
- #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
- [ldap]
- # url = ldap://localhost
- # user = dc=Manager,dc=example,dc=com
- # password = None
- # suffix = cn=example,cn=com
- # use_dumb_member = False
- # allow_subtree_delete = False
- # dumb_member = cn=dumb,dc=example,dc=com
- # Maximum results per page; a value of zero ('0') disables paging (default)
- # page_size = 0
- # The LDAP dereferencing option for queries. This can be either 'never',
- # 'searching', 'always', 'finding' or 'default'. The 'default' option falls
- # back to using default dereferencing configured by your ldap.conf.
- # alias_dereferencing = default
- # The LDAP scope for queries, this can be either 'one'
- # (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
- # query_scope = one
- # user_tree_dn = ou=Users,dc=example,dc=com
- # user_filter =
- # user_objectclass = inetOrgPerson
- # user_id_attribute = cn
- # user_name_attribute = sn
- # user_mail_attribute = email
- # user_pass_attribute = userPassword
- # user_enabled_attribute = enabled
- # user_enabled_mask = 0
- # user_enabled_default = True
- # user_attribute_ignore = default_project_id,tenants
- # user_default_project_id_attribute =
- # user_allow_create = True
- # user_allow_update = True
- # user_allow_delete = True
- # user_enabled_emulation = False
- # user_enabled_emulation_dn =
- # tenant_tree_dn = ou=Projects,dc=example,dc=com
- # tenant_filter =
- # tenant_objectclass = groupOfNames
- # tenant_domain_id_attribute = businessCategory
- # tenant_id_attribute = cn
- # tenant_member_attribute = member
- # tenant_name_attribute = ou
- # tenant_desc_attribute = desc
- # tenant_enabled_attribute = enabled
- # tenant_attribute_ignore =
- # tenant_allow_create = True
- # tenant_allow_update = True
- # tenant_allow_delete = True
- # tenant_enabled_emulation = False
- # tenant_enabled_emulation_dn =
- # role_tree_dn = ou=Roles,dc=example,dc=com
- # role_filter =
- # role_objectclass = organizationalRole
- # role_id_attribute = cn
- # role_name_attribute = ou
- # role_member_attribute = roleOccupant
- # role_attribute_ignore =
- # role_allow_create = True
- # role_allow_update = True
- # role_allow_delete = True
- # group_tree_dn =
- # group_filter =
- # group_objectclass = groupOfNames
- # group_id_attribute = cn
- # group_name_attribute = ou
- # group_member_attribute = member
- # group_desc_attribute = desc
- # group_attribute_ignore =
- # group_allow_create = True
- # group_allow_update = True
- # group_allow_delete = True
- # ldap TLS options
- # if both tls_cacertfile and tls_cacertdir are set then
- # tls_cacertfile will be used and tls_cacertdir is ignored
- # valid options for tls_req_cert are demand, never, and allow
- # use_tls = False
- # tls_cacertfile =
- # tls_cacertdir =
- # tls_req_cert = demand
- # Additional attribute mappings can be used to map ldap attributes to internal
- # keystone attributes. This allows keystone to fulfill ldap objectclass
- # requirements. An example to map the description and gecos attributes to a
- # user's name would be:
- # user_additional_attribute_mapping = description:name, gecos:name
- #
- # domain_additional_attribute_mapping =
- # group_additional_attribute_mapping =
- # role_additional_attribute_mapping =
- # project_additional_attribute_mapping =
- # user_additional_attribute_mapping =
- [auth]
- methods = external,password,token,oauth1
- #external = keystone.auth.plugins.external.ExternalDefault
- password = keystone.auth.plugins.password.Password
- token = keystone.auth.plugins.token.Token
- oauth1 = keystone.auth.plugins.oauth1.OAuth
- [paste_deploy]
- # Name of the paste configuration file that defines the available pipelines
- config_file = keystone-paste.ini
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement