Keystone conf

a guest
Nov 12th, 2013
146
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.82 KB | None | 0 0
# keystone.conf - configuration for the Keystone (OpenStack Identity) service.
# Uncommented keys are the live settings of this deployment; lines beginning
# with '#' are documented defaults left disabled.
# NOTE(review): the "%(public_port)s" form in the commented endpoint lines
# suggests a configparser-style reader with value interpolation; a literal %
# in a live value would then have to be written %% - confirm with the parser.
[DEFAULT]
# A "shared secret" between keystone and other openstack services
# NOTE(review): the admin token bypasses normal user authentication, so a
# short guessable value like this one gives anyone who learns it full control
# of the identity service. Use a long random value, hand it only to services
# that must bootstrap against keystone, and disable admin-token authentication
# in the paste pipeline once real admin credentials exist.
admin_token = pass

# The IP address of the network interface to listen on
# 0.0.0.0 binds every interface, so the admin port configured below is
# reachable from any network this host is attached to; restrict it with a
# firewall or bind to the management address only.
bind_host = 0.0.0.0

# The port number which the public service listens on
public_port = 5000

# The port number which the public admin listens on
# The admin API is the privileged surface; with [ssl] disabled below it is
# served over plain HTTP.
admin_port = 35357

# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)s/
# admin_endpoint = http://localhost:%(admin_port)s/

# The port number which the OpenStack Compute service listens on
compute_port = 8774

# Path to your policy definition containing identity actions
# Relative name; resolved by the service's configuration search path.
policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required

# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_

# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
# Bounds request bodies (bytes); keeps oversized payloads from exhausting the
# service when the middleware is in the pipeline.
# max_request_body_size = 114688

# limit the sizes of user & tenant ID/names
# max_param_size = 64

# similar to max_param_size, but provides an exception for token values
# max_token_size = 8192

# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
# NOTE(review): enabled here together with a persistent log_file under
# log_dir, so request bodies - and any passwords they carry - are written to
# disk. Keep the log directory readable only by the service account and turn
# debug off once troubleshooting is finished.
debug = True

# Print more verbose output
verbose = True

# Name of log file to output to. If not set, logging will go to stdout.
log_file = keystone.log

# The directory to keep log files in (will be prepended to --logfile)
log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd

# === Notification Options ===

# Notifications can be sent when users or projects are created, updated or
# deleted. There are three methods of sending notifications: logging (via the
# log_file directive), rpc (via a message queue) and no_op (no notifications
# sent, the default)

# notification_driver can be defined multiple times
# Do nothing driver (the default)
# notification_driver = keystone.openstack.common.notifier.no_op_notifier
# Logging driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.log_notifier
# RPC driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.rpc_notifier

# Default notification level for outgoing notifications
# default_notification_level = INFO

# Default publisher_id for outgoing notifications; included in the payload.
# default_publisher_id =

# AMQP topics to publish to when using the RPC notification driver.
# Multiple values can be specified by separating with commas.
# The actual topic names will be %s.%(default_notification_level)s
# notification_topics = notifications

# === RPC Options ===

# For Keystone, these options apply only when the RPC notification driver is
# used.

# The messaging module to use, defaults to kombu.
# rpc_backend = keystone.openstack.common.rpc.impl_kombu

# Size of RPC thread pool
# rpc_thread_pool_size = 64

# Size of RPC connection pool
# rpc_conn_pool_size = 30

# Seconds to wait for a response from call or multicall
# rpc_response_timeout = 60

# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
# rpc_cast_timeout = 30

# Modules of exceptions that are permitted to be recreated upon receiving
# exception data from an rpc call.
# Allow-list of exception modules that may be instantiated from data received
# over RPC; extend it only with trusted modules.
# allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions

# If True, use a fake RabbitMQ provider
# fake_rabbit = False

# AMQP exchange to connect to if using RabbitMQ or Qpid
# control_exchange = openstack

# Database connection shared by every section below that selects a sql driver.
[sql]
# The SQLAlchemy connection string used to connect to the database
# NOTE(review): the database password is embedded in clear text, so this file
# must be readable only by the keystone service account. The URL also names a
# non-loopback host and requests no transport encryption, so the credential
# and identity data presumably cross the network unencrypted - confirm the
# MySQL server/driver TLS settings, and use a strong dedicated password.
connection = mysql://keystone:pass@192.168.3.100:3306/keystone
# the timeout before idle sql connections are reaped
#idle_timeout = 200

# Identity backend (users and groups); the sql driver name indicates the
# database configured in [sql] is used rather than LDAP.
[identity]
driver = keystone.identity.backends.sql.Identity

# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
# default_domain_id = default
#
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration file in a domain configuration directory.
# Only values specific to the domain need to be placed in the domain specific
# configuration file. This feature is disabled by default; set
# domain_specific_drivers_enabled to True to enable.
# domain_specific_drivers_enabled = False
# domain_config_dir = /etc/keystone/domains

# Maximum supported length for user passwords; decrease to improve performance.
# Bounding the length also limits the work an attacker can force through the
# password-hashing path with oversized submissions.
# max_password_length = 4096

# Credential backend (user-supplied credential records) stored via [sql].
[credential]
driver = keystone.credential.backends.sql.Credential

# Trust backend (delegation of roles between users) stored via [sql].
[trust]
driver = keystone.trust.backends.sql.Trust

# delegation and impersonation features can be optionally disabled
# Impersonation lets a trustee obtain tokens that appear to belong to the
# trustor; leave this disabled if the deployment does not need it.
# enabled = True

# OS-INHERIT extension: domain-level role assignments flow down to projects.
[os_inherit]
# role-assignment inheritance to projects from owning domain can be
# optionally enabled
# enabled = False

# Service catalog backend; exactly one driver line should be active.
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog


# Endpoint-filter extension; disabled here (both keys commented out).
[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
# driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True

# Token persistence, format and lifetime.
[token]
# Provides token persistence.
# NOTE(review): sql-persisted tokens accumulate in the database until expired
# rows are purged; schedule a periodic flush (keystone-manage provides a token
# flush command - confirm availability for this version) so the table does
# not grow without bound.
driver = keystone.token.backends.sql.Token

# Controls the token construction, validation, and revocation operations.
# Core providers are keystone.token.providers.[pki|uuid].Provider
# provider =

# Amount of time a token should remain valid (in seconds)
# 86400 s is 24 hours; a shorter lifetime narrows the window in which a
# leaked token remains usable, at the cost of more frequent re-authentication.
# expiration = 86400

# External auth mechanisms that should add bind information to token.
# eg kerberos, x509
# bind =

# Enforcement policy on tokens presented to keystone with bind information.
# One of disabled, permissive, strict, required or a specifically required bind
# mode e.g. kerberos or x509 to require binding to that authentication.
# enforce_token_bind = permissive

# Token specific caching toggle. This has no effect unless the global caching
# option is set to True
# caching = True

# Token specific cache time-to-live (TTL) in seconds.
# cache_time =

# Revocation-List specific cache time-to-live (TTL) in seconds.
# A cached revocation list means a revoked token may still validate for up to
# this many seconds.
# revocation_cache_time = 3600

# Global dogpile.cache settings; caching is off here (enabled commented out),
# so the per-section caching toggles above and below have no effect.
[cache]
# Global cache functionality toggle.
# enabled = False

# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name
# config_prefix = cache.keystone

# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it.
# expiration_time = 600

# Dogpile.cache backend module. It is recommended that Memcache
# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
# deployments. Small workloads (single process) like devstack can use the
# dogpile.cache.memory backend.
# NOTE(review): a networked cache backend holds token and assignment data;
# keep it on a private network reachable only by keystone - confirm the
# backend's own access controls before enabling.
# backend = keystone.common.cache.noop

# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend.
# Example format: <argname>:<value>
# backend_argument =

# Proxy Classes to import that will affect the way the dogpile.cache backend
# functions. See the dogpile.cache documentation on changing-backend-behavior.
# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
# proxies =

# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
# is toggle-able for debugging purposes, it is highly recommended to always
# leave this set to True.
# use_key_mangler = True

# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
# This is only really useful if you need to see the specific cache-backend
# get/set/delete calls with the keys/values. Typically this should be left
# set to False.
# debug_cache_backend = False

# Policy backend; the rules themselves come from policy_file in [DEFAULT].
[policy]
driver = keystone.policy.backends.sql.Policy

# EC2-style credential backend.
# NOTE(review): unlike the other sections this selects a kvs (key-value
# store) driver rather than sql; EC2 credentials kept there presumably do not
# survive a restart and are not shared across worker processes - confirm, and
# consider the sql backend for consistency with the rest of this file.
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2

# Assignment backend (projects, roles, grants); no driver set, so the
# service's default is used.
[assignment]
# driver =

# Assignment specific caching toggle. This has no effect unless the global
# caching option is set to True
# caching = True

# Assignment specific cache time-to-live (TTL) in seconds.
# cache_time =

# OAuth1 extension.
# NOTE(review): oauth1 is listed in [auth] methods below, yet the driver line
# here is commented out; presumably a built-in default applies - confirm the
# extension is actually configured before relying on it.
[oauth1]
# Install python-oauth2 in order to use oauth
# driver = keystone.contrib.oauth1.backends.sql.OAuth1

# The Identity service may include expire attributes.
# If no such attribute is included, then the token lasts indefinitely.
# Specify how quickly the request token will expire (in seconds)
# request_token_duration = 28800
# Specify how quickly the access token will expire (in seconds)
# access_token_duration = 86400

# TLS for the public and admin listeners.
# NOTE(review): every key in this section is commented out, so ports 5000 and
# 35357 from [DEFAULT] are served over plain HTTP; with debug logging and the
# admin token above, credentials cross the network in clear text unless a
# TLS-terminating proxy sits in front of keystone - confirm the deployment.
[ssl]
#enable = True
#certfile = /etc/keystone/pki/certs/ssl_cert.pem
# Private keys under pki/private must be readable only by the service account.
#keyfile = /etc/keystone/pki/private/ssl_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
# 1024-bit RSA is below current recommendations; [signing] uses 2048 - prefer
# at least that here too when generating a certificate.
#key_size = 1024
#valid_days = 3650
# When True, clients must present a certificate (mutual TLS).
#cert_required = False
# CN=localhost will not validate for clients connecting by the real hostname;
# set the subject to the advertised endpoint name before enabling.
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

# PKI token signing material (only relevant when the PKI provider is used).
[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =

#certfile = /etc/keystone/pki/certs/signing_cert.pem
# The signing key and CA key are the root of trust for PKI tokens; anyone who
# can read them can mint tokens, so keep them readable only by keystone.
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
# Placeholder subject; replace before generating a real signing certificate.
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

# LDAP identity backend; inactive here because [identity] selects the sql
# driver, but these values apply if that is switched.
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# NOTE(review): the bind password would sit in clear text on this line if the
# LDAP backend is enabled; file permissions then matter as much as for [sql].
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

# Maximum results per page; a value of zero ('0') disables paging (default)
# page_size = 0

# The LDAP dereferencing option for queries. This can be either 'never',
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
# back to using default dereferencing configured by your ldap.conf.
# alias_dereferencing = default

# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
# query_scope = one

# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = default_project_id,tenants
# user_default_project_id_attribute =
# The *_allow_create/update/delete flags grant keystone write access to the
# directory; set them to False for a read-only directory so the bind account
# needs no write privileges.
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# user_enabled_emulation = False
# user_enabled_emulation_dn =

# tenant_tree_dn = ou=Projects,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_domain_id_attribute = businessCategory
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =

# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True

# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True

# ldap TLS options
# if both tls_cacertfile and tls_cacertdir are set then
# tls_cacertfile will be used and tls_cacertdir is ignored
# valid options for tls_req_cert are demand, never, and allow
# NOTE(review): if the LDAP backend is enabled against a non-local server,
# set use_tls = True and keep tls_req_cert = demand so the server certificate
# is verified; 'never' and 'allow' skip that check and expose the bind
# password and user credentials to interception.
# use_tls = False
# tls_cacertfile =
# tls_cacertdir =
# tls_req_cert = demand

# Additional attribute mappings can be used to map ldap attributes to internal
# keystone attributes. This allows keystone to fulfill ldap objectclass
# requirements. An example to map the description and gecos attributes to a
# user's name would be:
# user_additional_attribute_mapping = description:name, gecos:name
#
# domain_additional_attribute_mapping =
# group_additional_attribute_mapping =
# role_additional_attribute_mapping =
# project_additional_attribute_mapping =
# user_additional_attribute_mapping =

# Authentication plugins: methods lists what clients may use, and each method
# name maps to the plugin class that implements it.
[auth]
# NOTE(review): external is enabled in methods although its plugin line below
# is commented out; presumably a default plugin applies. External auth accepts
# an identity asserted by the web server in front of keystone, so it should
# only stay listed when such a front end is actually in place - otherwise
# remove it from this list.
methods = external,password,token,oauth1
#external = keystone.auth.plugins.external.ExternalDefault
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

# WSGI pipeline definition; the middleware listed there (including any
# admin-token filter) determines what actually guards the API.
[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = keystone-paste.ini