Create a new version of paste:

[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = pass

# The IP address of the network interface to listen on
bind_host = 0.0.0.0

# The port number which the public service listens on
public_port = 5000

# The port number which the public admin listens on
admin_port = 35357

# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)s/
# admin_endpoint = http://localhost:%(admin_port)s/

# The port number which the OpenStack Compute service listens on
compute_port = 8774

# Path to your policy definition containing identity actions
policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required

# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants.  After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_

# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
# max_request_body_size = 114688

# limit the sizes of user & tenant ID/names
# max_param_size = 64

# similar to max_param_size, but provides an exception for token values
# max_token_size = 8192

# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
debug = True

# Print more verbose output
verbose = True

# Name of log file to output to. If not set, logging will go to stdout.
log_file = keystone.log

# The directory to keep log files in (will be prepended to --logfile)
log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd

# === Notification Options ===

# Notifications can be sent when users or projects are created, updated or
# deleted. There are three methods of sending notifications: logging (via the
# log_file directive), rpc (via a message queue) and no_op (no notifications
# sent, the default)

# notification_driver can be defined multiple times
# Do nothing driver (the default)
# notification_driver = keystone.openstack.common.notifier.no_op_notifier
# Logging driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.log_notifier
# RPC driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.rpc_notifier

# Default notification level for outgoing notifications
# default_notification_level = INFO

# Default publisher_id for outgoing notifications; included in the payload.
# default_publisher_id =

# AMQP topics to publish to when using the RPC notification driver.
# Multiple values can be specified by separating with commas.
# The actual topic names will be %s.%(default_notification_level)s
# notification_topics = notifications

# === RPC Options ===

# For Keystone, these options apply only when the RPC notification driver is
# used.

# The messaging module to use, defaults to kombu.
# rpc_backend = keystone.openstack.common.rpc.impl_kombu

# Size of RPC thread pool
# rpc_thread_pool_size = 64

# Size of RPC connection pool
# rpc_conn_pool_size = 30

# Seconds to wait for a response from call or multicall
# rpc_response_timeout = 60

# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
# rpc_cast_timeout = 30

# Modules of exceptions that are permitted to be recreated upon receiving
# exception data from an rpc call.
# allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions

# If True, use a fake RabbitMQ provider
# fake_rabbit = False

# AMQP exchange to connect to if using RabbitMQ or Qpid
# control_exchange = openstack

[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:pass@192.168.3.100:3306/keystone
# the timeout before idle sql connections are reaped
#idle_timeout = 200

[identity]
driver = keystone.identity.backends.sql.Identity

# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008.  The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
# default_domain_id = default
#
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration file in a domain configuration directory.
# Only values specific to the domain need to be placed in the domain specific
# configuration file. This feature is disabled by default; set
# domain_specific_drivers_enabled to True to enable.
# domain_specific_drivers_enabled = False
# domain_config_dir = /etc/keystone/domains

# Maximum supported length for user passwords; decrease to improve performance.
# max_password_length = 4096

[credential]
driver = keystone.credential.backends.sql.Credential

[trust]
driver = keystone.trust.backends.sql.Trust

# delegation and impersonation features can be optionally disabled
# enabled = True

[os_inherit]
# role-assignment inheritance to projects from owning domain can be
# optionally enabled
# enabled = False

[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog


[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
# driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True

[token]
# Provides token persistence.
driver = keystone.token.backends.sql.Token

# Controls the token construction, validation, and revocation operations.
# Core providers are keystone.token.providers.[pki|uuid].Provider
# provider =

# Amount of time a token should remain valid (in seconds)
# expiration = 86400

# External auth mechanisms that should add bind information to token.
# eg kerberos, x509
# bind =

# Enforcement policy on tokens presented to keystone with bind information.
# One of disabled, permissive, strict, required or a specifically required bind
# mode e.g. kerberos or x509 to require binding to that authentication.
# enforce_token_bind = permissive

# Token specific caching toggle. This has no effect unless the global caching
# option is set to True
# caching = True

# Token specific cache time-to-live (TTL) in seconds.
# cache_time =

# Revocation-List specific cache time-to-live (TTL) in seconds.
# revocation_cache_time = 3600

[cache]
# Global cache functionality toggle.
# enabled = False

# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name
# config_prefix = cache.keystone

# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it.
# expiration_time = 600

# Dogpile.cache backend module. It is recommended that Memcache
# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
# deployments.  Small workloads (single process) like devstack can use the
# dogpile.cache.memory backend.
# backend = keystone.common.cache.noop

# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend.
# Example format: <argname>:<value>
# backend_argument =

# Proxy Classes to import that will affect the way the dogpile.cache backend
# functions.  See the dogpile.cache documentation on changing-backend-behavior.
# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
# proxies =

# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
# is toggle-able for debugging purposes, it is highly recommended to always
# leave this set to True.
# use_key_mangler = True

# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
# This is only really useful if you need to see the specific cache-backend
# get/set/delete calls with the keys/values.  Typically this should be left
# set to False.
# debug_cache_backend = False

[policy]
driver = keystone.policy.backends.sql.Policy

[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2

[assignment]
# driver =

# Assignment specific caching toggle. This has no effect unless the global
# caching option is set to True
# caching = True

# Assignment specific cache time-to-live (TTL) in seconds.
# cache_time =

[oauth1]
# Install python-oauth2 in order to use oauth
# driver = keystone.contrib.oauth1.backends.sql.OAuth1

# The Identity service may include expire attributes.
# If no such attribute is included, then the token lasts indefinitely.
# Specify how quickly the request token will expire (in seconds)
# request_token_duration = 28800
# Specify how quickly the access token will expire (in seconds)
# access_token_duration = 86400

[ssl]
#enable = True
#certfile = /etc/keystone/pki/certs/ssl_cert.pem
#keyfile = /etc/keystone/pki/private/ssl_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =

#certfile = /etc/keystone/pki/certs/signing_cert.pem
#keyfile = /etc/keystone/pki/private/signing_key.pem
#ca_certs = /etc/keystone/pki/certs/cacert.pem
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

# Maximum results per page; a value of zero ('0') disables paging (default)
# page_size = 0

# The LDAP dereferencing option for queries. This can be either 'never',
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
# back to using default dereferencing configured by your ldap.conf.
# alias_dereferencing = default

# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
# query_scope = one

# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = default_project_id,tenants
# user_default_project_id_attribute =
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# user_enabled_emulation = False
# user_enabled_emulation_dn =

# tenant_tree_dn = ou=Projects,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_domain_id_attribute = businessCategory
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =

# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True

# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True

# ldap TLS options
# if both tls_cacertfile and tls_cacertdir are set then
# tls_cacertfile will be used and tls_cacertdir is ignored
# valid options for tls_req_cert are demand, never, and allow
# use_tls = False
# tls_cacertfile =
# tls_cacertdir =
# tls_req_cert = demand

# Additional attribute mappings can be used to map ldap attributes to internal
# keystone attributes. This allows keystone to fulfill ldap objectclass
# requirements. An example to map the description and gecos attributes to a
# user's name would be:
# user_additional_attribute_mapping = description:name, gecos:name
#
# domain_additional_attribute_mapping =
# group_additional_attribute_mapping =
# role_additional_attribute_mapping =
# project_additional_attribute_mapping =
# user_additional_attribute_mapping =

[auth]
methods = external,password,token,oauth1
#external = keystone.auth.plugins.external.ExternalDefault
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = keystone-paste.ini