Update Keystone code from official Github repository with branch Master on 09/01/2015.

Change-Id: I0ff6099e6e2580f87f502002a998bbfe12673498

1 files changed, 395 insertions, 153 deletions

diff --git a/keystone-moon/etc/keystone.conf.sample b/keystone-moon/etc/keystone.conf.sample
index 2e062a5a..ec5a08cc 100644
--- a/keystone-moon/etc/keystone.conf.sample
+++ b/keystone-moon/etc/keystone.conf.sample
@@ -11,13 +11,6 @@
 # value)
 #admin_token = ADMIN
 
-# (Deprecated) The port which the OpenStack Compute service listens on. This
-# option was only used for string replacement in the templated catalog backend.
-# Templated catalogs should replace the "$(compute_port)s" substitution with
-# the static port of the compute service. As of Juno, this option is deprecated
-# and will be removed in the L release. (integer value)
-#compute_port = 8774
-
 # The base public endpoint URL for Keystone that is advertised to clients
 # (NOTE: this does NOT affect how Keystone listens for connections). Defaults
 # to the base host URL of the request. E.g. a request to
@@ -57,7 +50,9 @@
 
 # The value passed as the keyword "rounds" to passlib's encrypt method.
 # (integer value)
-#crypt_strength = 40000
+# Minimum value: 1000
+# Maximum value: 100000
+#crypt_strength = 10000
 
 # The maximum number of entities that will be returned in a collection, with no
 # limit set by default. This global limit may be then overridden for a specific
@@ -93,48 +88,23 @@
 # Define the notification format for Identity Service events. A "basic"
 # notification has information about the resource being operated on. A "cadf"
 # notification has the same information, as well as information about the
-# initiator of the event. Valid options are: basic and cadf (string value)
+# initiator of the event. (string value)
+# Allowed values: basic, cadf
 #notification_format = basic
 
 #
-# From keystone.openstack.common.eventlet_backdoor
-#
-
-# Enable eventlet backdoor.  Acceptable values are 0, <port>, and
-# <start>:<end>, where 0 results in listening on a random tcp port number;
-# <port> results in listening on the specified port number (and not enabling
-# backdoor if that port is in use); and <start>:<end> results in listening on
-# the smallest unused port number within the specified range of port numbers.
-# The chosen port is displayed in the service's log file. (string value)
-#backdoor_port = <None>
-
-#
-# From keystone.openstack.common.policy
-#
-
-# The JSON file that defines policies. (string value)
-#policy_file = policy.json
-
-# Default rule. Enforced when a requested rule is not found. (string value)
-#policy_default_rule = default
-
-# Directories where policy configuration files are stored. They can be relative
-# to any directory in the search path defined by the config_dir option, or
-# absolute paths. The file defined by policy_file must exist for these
-# directories to be searched. (multi valued)
-#policy_dirs = policy.d
-
-#
 # From oslo.log
 #
 
-# Print debugging output (set logging level to DEBUG instead of default WARNING
+# Print debugging output (set logging level to DEBUG instead of default INFO
 # level). (boolean value)
 #debug = false
 
-# Print more verbose output (set logging level to INFO instead of default
-# WARNING level). (boolean value)
-#verbose = false
+# If set to false, will disable INFO logging level, making WARNING the default.
+# (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
 
 # The name of a logging configuration file. This file is appended to any
 # existing logging configuration files. For details about logging configuration
@@ -162,15 +132,17 @@
 # Deprecated group/name - [DEFAULT]/logdir
 #log_dir = <None>
 
-# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
-# will change in J to honor RFC5424. (boolean value)
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. (boolean value)
 #use_syslog = false
 
 # (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
 # prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
-# format without the APP-NAME is deprecated in I, and will be removed in J.
-# (boolean value)
-#use_syslog_rfc_format = false
+# format without the APP-NAME is deprecated in Kilo, and will be removed in
+# Mitaka, along with this option. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#use_syslog_rfc_format = true
 
 # Syslog facility to receive log lines. (string value)
 #syslog_log_facility = LOG_USER
@@ -188,17 +160,14 @@
 #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
 
 # Prefix each line of exception output with this format. (string value)
-#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
 
 # List of logger=LEVEL pairs. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN
 
 # Enables or disables publication of error events. (boolean value)
 #publish_errors = false
 
-# Enables or disables fatal status of deprecations. (boolean value)
-#fatal_deprecations = false
-
 # The format for an instance that is passed with the log message. (string
 # value)
 #instance_format = "[instance: %(uuid)s] "
@@ -207,16 +176,23 @@
 # value)
 #instance_uuid_format = "[instance: %(uuid)s] "
 
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
 #
 # From oslo.messaging
 #
 
+# Size of RPC connection pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
+#rpc_conn_pool_size = 30
+
 # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
 # The "host" option should point or resolve to this address. (string value)
 #rpc_zmq_bind_address = *
 
 # MatchMaker driver. (string value)
-#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost
+#rpc_zmq_matchmaker = local
 
 # ZeroMQ receiver listening port. (integer value)
 #rpc_zmq_port = 9501
@@ -245,10 +221,12 @@
 # Heartbeat time-to-live. (integer value)
 #matchmaker_heartbeat_ttl = 600
 
-# Size of RPC thread pool. (integer value)
-#rpc_thread_pool_size = 64
+# Size of executor thread pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
+#executor_thread_pool_size = 64
 
-# Driver or drivers to handle sending notifications. (multi valued)
+# The Drivers(s) to handle sending notifications. Possible values are
+# messaging, messagingv2, routing, log, test, noop (multi valued)
 #notification_driver =
 
 # AMQP topic used for OpenStack notifications. (list value)
@@ -271,6 +249,22 @@
 # exchange name specified in the transport_url option. (string value)
 #control_exchange = keystone
 
+#
+# From oslo.service.service
+#
+
+# Enable eventlet backdoor.  Acceptable values are 0, <port>, and
+# <start>:<end>, where 0 results in listening on a random tcp port number;
+# <port> results in listening on the specified port number (and not enabling
+# backdoor if that port is in use); and <start>:<end> results in listening on
+# the smallest unused port number within the specified range of port numbers.
+# The chosen port is displayed in the service's log file. (string value)
+#backdoor_port = <None>
+
+# Enables or disables logging values of all registered options when starting a
+# service (at DEBUG level). (boolean value)
+#log_options = true
+
 
 [assignment]
 
@@ -278,7 +272,10 @@
 # From keystone
 #
 
-# Assignment backend driver. (string value)
+# Entrypoint for the assignment backend driver in the keystone.assignment
+# namespace. Supplied drivers are ldap and sql. If an assignment driver is not
+# specified, the identity driver will choose the assignment driver. (string
+# value)
 #driver = <None>
 
 
@@ -288,17 +285,25 @@
 # From keystone
 #
 
-# Default auth methods. (list value)
-#methods = external,password,token
+# Allowed authentication methods. (list value)
+#methods = external,password,token,oauth1
+
+# Entrypoint for the password auth plugin module in the keystone.auth.password
+# namespace. (string value)
+#password = <None>
 
-# The password auth plugin module. (string value)
-#password = keystone.auth.plugins.password.Password
+# Entrypoint for the token auth plugin module in the keystone.auth.token
+# namespace. (string value)
+#token = <None>
 
-# The token auth plugin module. (string value)
-#token = keystone.auth.plugins.token.Token
+# Entrypoint for the external (REMOTE_USER) auth plugin module in the
+# keystone.auth.external namespace. Supplied drivers are DefaultDomain and
+# Domain. The default driver is DefaultDomain. (string value)
+#external = <None>
 
-# The external (REMOTE_USER) auth plugin module. (string value)
-#external = keystone.auth.plugins.external.DefaultDomain
+# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
+# namespace. (string value)
+#oauth1 = <None>
 
 
 [cache]
@@ -379,8 +384,10 @@
 # value)
 #template_file = default_catalog.templates
 
-# Catalog backend driver. (string value)
-#driver = keystone.catalog.backends.sql.Catalog
+# Entrypoint for the catalog backend driver in the keystone.catalog namespace.
+# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string
+# value)
+#driver = sql
 
 # Toggle for catalog caching. This has no effect unless global caching is
 # enabled. (boolean value)
@@ -395,14 +402,71 @@
 #list_limit = <None>
 
 
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (string value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (string value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
 [credential]
 
 #
 # From keystone
 #
 
-# Credential backend driver. (string value)
-#driver = keystone.credential.backends.sql.Credential
+# Entrypoint for the credential backend driver in the keystone.credential
+# namespace. (string value)
+#driver = sql
 
 
 [database]
@@ -505,14 +569,34 @@
 #db_max_retries = 20
 
 
+[domain_config]
+
+#
+# From keystone
+#
+
+# Entrypoint for the domain config backend driver in the
+# keystone.resource.domain_config namespace. (string value)
+#driver = sql
+
+# Toggle for domain config caching. This has no effect unless global caching is
+# enabled. (boolean value)
+#caching = true
+
+# TTL (in seconds) to cache domain config data. This has no effect unless
+# domain config caching is enabled. (integer value)
+#cache_time = 300
+
+
 [endpoint_filter]
 
 #
 # From keystone
 #
 
-# Endpoint Filter backend driver (string value)
-#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+# Entrypoint for the endpoint filter backend driver in the
+# keystone.endpoint_filter namespace. (string value)
+#driver = sql
 
 # Toggle to return all active endpoints if no filter exists. (boolean value)
 #return_all_endpoints_if_no_filter = true
@@ -524,8 +608,12 @@
 # From keystone
 #
 
-# Endpoint policy backend driver (string value)
-#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
+# Enable endpoint_policy functionality. (boolean value)
+#enabled = true
+
+# Entrypoint for the endpoint policy backend driver in the
+# keystone.endpoint_policy namespace. (string value)
+#driver = sql
 
 
 [eventlet_server]
@@ -537,42 +625,71 @@
 # The number of worker processes to serve the public eventlet application.
 # Defaults to number of CPUs (minimum of 2). (integer value)
 # Deprecated group/name - [DEFAULT]/public_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #public_workers = <None>
 
 # The number of worker processes to serve the admin eventlet application.
 # Defaults to number of CPUs (minimum of 2). (integer value)
 # Deprecated group/name - [DEFAULT]/admin_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #admin_workers = <None>
 
 # The IP address of the network interface for the public service to listen on.
 # (string value)
 # Deprecated group/name - [DEFAULT]/bind_host
 # Deprecated group/name - [DEFAULT]/public_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #public_bind_host = 0.0.0.0
 
 # The port number which the public service listens on. (integer value)
+# Minimum value: 1
+# Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/public_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #public_port = 5000
 
 # The IP address of the network interface for the admin service to listen on.
 # (string value)
 # Deprecated group/name - [DEFAULT]/bind_host
 # Deprecated group/name - [DEFAULT]/admin_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #admin_bind_host = 0.0.0.0
 
 # The port number which the admin service listens on. (integer value)
+# Minimum value: 1
+# Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/admin_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #admin_port = 35357
 
+# If set to false, disables keepalives on the server; all connections will be
+# closed after serving one request. (boolean value)
+#wsgi_keep_alive = true
+
+# Timeout for socket operations on a client connection. If an incoming
+# connection is idle for this number of seconds it will be closed. A value of
+# '0' means wait forever. (integer value)
+#client_socket_timeout = 900
+
 # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
 # sockets used by the Keystone wsgi server for client connections. (boolean
 # value)
 # Deprecated group/name - [DEFAULT]/tcp_keepalive
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #tcp_keepalive = false
 
 # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
 # applies if tcp_keepalive is true. (integer value)
 # Deprecated group/name - [DEFAULT]/tcp_keepidle
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #tcp_keepidle = 600
 
 
@@ -584,24 +701,34 @@
 
 # Toggle for SSL support on the Keystone eventlet servers. (boolean value)
 # Deprecated group/name - [ssl]/enable
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #enable = false
 
 # Path of the certfile for SSL. For non-production environments, you may be
 # interested in using `keystone-manage ssl_setup` to generate self-signed
 # certificates. (string value)
 # Deprecated group/name - [ssl]/certfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #certfile = /etc/keystone/ssl/certs/keystone.pem
 
 # Path of the keyfile for SSL. (string value)
 # Deprecated group/name - [ssl]/keyfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #keyfile = /etc/keystone/ssl/private/keystonekey.pem
 
 # Path of the CA cert file for SSL. (string value)
 # Deprecated group/name - [ssl]/ca_certs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #ca_certs = /etc/keystone/ssl/certs/ca.pem
 
 # Require client certificate. (boolean value)
 # Deprecated group/name - [ssl]/cert_required
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #cert_required = false
 
 
@@ -611,8 +738,9 @@
 # From keystone
 #
 
-# Federation backend driver. (string value)
-#driver = keystone.contrib.federation.backends.sql.Federation
+# Entrypoint for the federation backend driver in the keystone.federation
+# namespace. (string value)
+#driver = sql
 
 # Value to be used when filtering assertion parameters from the environment.
 # (string value)
@@ -626,9 +754,7 @@
 # A domain name that is reserved to allow federated ephemeral users to have a
 # domain concept. Note that an admin will not be able to create a domain with
 # this name or update an existing domain to this name. You are not advised to
-# change this value unless you really have to. Changing this option to empty
-# string or None will not have any impact and default name will be used.
-# (string value)
+# change this value unless you really have to. (string value)
 #federated_domain_name = Federated
 
 # A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -685,16 +811,17 @@
 # Extract the domain specific configuration options from the resource backend
 # where they have been stored with the domain data. This feature is disabled by
 # default (in which case the domain specific options will be loaded from files
-# in the domain configuration directory); set to true to enable. This feature
-# is not yet supported. (boolean value)
+# in the domain configuration directory); set to true to enable. (boolean
+# value)
 #domain_configurations_from_database = false
 
 # Path for Keystone to locate the domain specific identity configuration files
 # if domain_specific_drivers_enabled is set to true. (string value)
 #domain_config_dir = /etc/keystone/domains
 
-# Identity backend driver. (string value)
-#driver = keystone.identity.backends.sql.Identity
+# Entrypoint for the identity backend driver in the keystone.identity
+# namespace. Supplied drivers are ldap and sql. (string value)
+#driver = sql
 
 # Toggle for identity caching. This has no effect unless global caching is
 # enabled. (boolean value)
@@ -706,6 +833,7 @@
 
 # Maximum supported length for user passwords; decrease to improve performance.
 # (integer value)
+# Maximum value: 4096
 #max_password_length = 4096
 
 # Maximum number of entities that will be returned in an identity collection.
@@ -719,13 +847,14 @@
 # From keystone
 #
 
-# Keystone Identity Mapping backend driver. (string value)
-#driver = keystone.identity.mapping_backends.sql.Mapping
+# Entrypoint for the identity mapping backend driver in the
+# keystone.identity.id_mapping namespace. (string value)
+#driver = sql
 
-# Public ID generator for user and group entities. The Keystone identity mapper
-# only supports generators that produce no more than 64 characters. (string
-# value)
-#generator = keystone.identity.id_generators.sha256.Generator
+# Entrypoint for the public ID generator for user and group entities in the
+# keystone.identity.id_generator namespace. The Keystone identity mapper only
+# supports generators that produce no more than 64 characters. (string value)
+#generator = sha256
 
 # The format of user and group IDs changed in Juno for backends that do not
 # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
@@ -763,7 +892,7 @@
 # always leave this set to true. (boolean value)
 #enable_key_mangler = true
 
-# Default lock timeout for distributed locking. (integer value)
+# Default lock timeout (in seconds) for distributed locking. (integer value)
 #default_lock_timeout = 5
 
 
@@ -797,18 +926,18 @@
 # your LDAP server supports subtree deletion. (boolean value)
 #allow_subtree_delete = false
 
-# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
-# or "sub" (subtree/wholeSubtree). (string value)
+# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
+# represents subtree/wholeSubtree options. (string value)
+# Allowed values: one, sub
 #query_scope = one
 
 # Maximum results per page; a value of zero ("0") disables paging. (integer
 # value)
 #page_size = 0
 
-# The LDAP dereferencing option for queries. This can be either "never",
-# "searching", "always", "finding" or "default". The "default" option falls
-# back to using default dereferencing configured by your ldap.conf. (string
-# value)
+# The LDAP dereferencing option for queries. The "default" option falls back to
+# using default dereferencing configured by your ldap.conf. (string value)
+# Allowed values: never, searching, always, finding, default
 #alias_dereferencing = default
 
 # Sets the LDAP debugging level for LDAP calls. A value of 0 means that
@@ -820,7 +949,7 @@
 # value)
 #chase_referrals = <None>
 
-# Search base for users. (string value)
+# Search base for users. Defaults to the suffix value. (string value)
 #user_tree_dn = <None>
 
 # LDAP search filter for users. (string value)
@@ -867,7 +996,7 @@
 #user_enabled_default = True
 
 # List of attributes stripped off the user on update. (list value)
-#user_attribute_ignore = default_project_id,tenants
+#user_attribute_ignore = default_project_id
 
 # LDAP attribute mapped to default_project_id for users. (string value)
 #user_default_project_id_attribute = <None>
@@ -896,111 +1025,165 @@
 # Identity API attribute. (list value)
 #user_additional_attribute_mapping =
 
-# Search base for projects (string value)
+# Search base for projects. Defaults to the suffix value. (string value)
 # Deprecated group/name - [ldap]/tenant_tree_dn
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_tree_dn = <None>
 
 # LDAP search filter for projects. (string value)
 # Deprecated group/name - [ldap]/tenant_filter
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_filter = <None>
 
 # LDAP objectclass for projects. (string value)
 # Deprecated group/name - [ldap]/tenant_objectclass
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_objectclass = groupOfNames
 
 # LDAP attribute mapped to project id. (string value)
 # Deprecated group/name - [ldap]/tenant_id_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_id_attribute = cn
 
 # LDAP attribute mapped to project membership for user. (string value)
 # Deprecated group/name - [ldap]/tenant_member_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_member_attribute = member
 
 # LDAP attribute mapped to project name. (string value)
 # Deprecated group/name - [ldap]/tenant_name_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_name_attribute = ou
 
 # LDAP attribute mapped to project description. (string value)
 # Deprecated group/name - [ldap]/tenant_desc_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_desc_attribute = description
 
 # LDAP attribute mapped to project enabled. (string value)
 # Deprecated group/name - [ldap]/tenant_enabled_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_enabled_attribute = enabled
 
 # LDAP attribute mapped to project domain_id. (string value)
 # Deprecated group/name - [ldap]/tenant_domain_id_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_domain_id_attribute = businessCategory
 
 # List of attributes stripped off the project on update. (list value)
 # Deprecated group/name - [ldap]/tenant_attribute_ignore
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_attribute_ignore =
 
 # Allow project creation in LDAP backend. (boolean value)
 # Deprecated group/name - [ldap]/tenant_allow_create
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_allow_create = true
 
 # Allow project update in LDAP backend. (boolean value)
 # Deprecated group/name - [ldap]/tenant_allow_update
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_allow_update = true
 
 # Allow project deletion in LDAP backend. (boolean value)
 # Deprecated group/name - [ldap]/tenant_allow_delete
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_allow_delete = true
 
 # If true, Keystone uses an alternative method to determine if a project is
 # enabled or not by checking if they are a member of the
 # "project_enabled_emulation_dn" group. (boolean value)
 # Deprecated group/name - [ldap]/tenant_enabled_emulation
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_enabled_emulation = false
 
 # DN of the group entry to hold enabled projects when using enabled emulation.
 # (string value)
 # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_enabled_emulation_dn = <None>
 
 # Additional attribute mappings for projects. Attribute mapping format is
 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
 # and user_attr is the Identity API attribute. (list value)
 # Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #project_additional_attribute_mapping =
 
-# Search base for roles. (string value)
+# Search base for roles. Defaults to the suffix value. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_tree_dn = <None>
 
 # LDAP search filter for roles. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_filter = <None>
 
 # LDAP objectclass for roles. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_objectclass = organizationalRole
 
 # LDAP attribute mapped to role id. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_id_attribute = cn
 
 # LDAP attribute mapped to role name. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_name_attribute = ou
 
 # LDAP attribute mapped to role membership. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_member_attribute = roleOccupant
 
 # List of attributes stripped off the role on update. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_attribute_ignore =
 
 # Allow role creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_allow_create = true
 
 # Allow role update in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_allow_update = true
 
 # Allow role deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_allow_delete = true
 
 # Additional attribute mappings for roles. Attribute mapping format is
 # <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
 # and user_attr is the Identity API attribute. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
 #role_additional_attribute_mapping =
 
-# Search base for groups. (string value)
+# Search base for groups. Defaults to the suffix value. (string value)
 #group_tree_dn = <None>
 
 # LDAP search filter for groups. (string value)
@@ -1048,7 +1231,9 @@
 # Enable TLS for communicating with LDAP servers. (boolean value)
 #use_tls = false
 
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Specifies what checks to perform on client certificates in an incoming TLS
+# session. (string value)
+# Allowed values: demand, never, allow
 #tls_req_cert = demand
 
 # Enable LDAP connection pooling. (boolean value)
@@ -1151,8 +1336,9 @@
 # From keystone
 #
 
-# Credential backend driver. (string value)
-#driver = keystone.contrib.oauth1.backends.sql.OAuth1
+# Entrypoint for hte OAuth backend driver in the keystone.oauth1 namespace.
+# (string value)
+#driver = sql
 
 # Duration (in seconds) for the OAuth Request Token. (integer value)
 #request_token_duration = 28800
@@ -1202,7 +1388,7 @@
 # Deprecated group/name - [amqp1]/trace
 #trace = false
 
-# CA certificate PEM file for verifing server certificate (string value)
+# CA certificate PEM file to verify server certificate (string value)
 # Deprecated group/name - [amqp1]/ssl_ca_file
 #ssl_ca_file =
 
@@ -1230,6 +1416,7 @@
 #
 
 # Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
 #amqp_durable_queues = false
 
@@ -1237,9 +1424,15 @@
 # Deprecated group/name - [DEFAULT]/amqp_auto_delete
 #amqp_auto_delete = false
 
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
+# Send a single AMQP reply to call message. The current behaviour since oslo-
+# incubator is to send two AMQP replies - first one with the payload, a second
+# one to ensure the other have finish to send the payload. We are going to
+# remove it in the N release, but we must keep backward compatible at the same
+# time. This option provides such compatibility - it defaults to False in
+# Liberty and can be turned on for early adopters with a new installations or
+# for testing. Please note, that this option will be removed in the Mitaka
+# release. (boolean value)
+#send_single_reply = false
 
 # Qpid broker hostname. (string value)
 # Deprecated group/name - [DEFAULT]/qpid_hostname
@@ -1296,6 +1489,7 @@
 #
 
 # Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
 #amqp_durable_queues = false
 
@@ -1303,9 +1497,15 @@
 # Deprecated group/name - [DEFAULT]/amqp_auto_delete
 #amqp_auto_delete = false
 
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
+# Send a single AMQP reply to call message. The current behaviour since oslo-
+# incubator is to send two AMQP replies - first one with the payload, a second
+# one to ensure the other have finish to send the payload. We are going to
+# remove it in the N release, but we must keep backward compatible at the same
+# time. This option provides such compatibility - it defaults to False in
+# Liberty and can be turned on for early adopters with a new installations or
+# for testing. Please note, that this option will be removed in the Mitaka
+# release. (boolean value)
+#send_single_reply = false
 
 # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
 # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
@@ -1330,6 +1530,10 @@
 # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
 #kombu_reconnect_delay = 1.0
 
+# How long to wait before considering a reconnect attempt to have failed. This
+# value should not be longer than rpc_response_timeout. (integer value)
+#kombu_reconnect_timeout = 60
+
 # The RabbitMQ broker address where a single node is used. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_host
 #rabbit_host = localhost
@@ -1380,6 +1584,15 @@
 # Deprecated group/name - [DEFAULT]/rabbit_ha_queues
 #rabbit_ha_queues = false
 
+# Number of seconds after which the Rabbit broker is considered down if
+# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
+# value)
+#heartbeat_timeout_threshold = 60
+
+# How often times during the heartbeat_timeout_threshold we check the
+# heartbeat. (integer value)
+#heartbeat_rate = 2
+
 # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
 # Deprecated group/name - [DEFAULT]/fake_rabbit
 #fake_rabbit = false
@@ -1396,6 +1609,40 @@
 # Deprecated group/name - [DEFAULT]/max_request_body_size
 #max_request_body_size = 114688
 
+#
+# From oslo.middleware
+#
+
+# The HTTP Header that will be used to determine what the original request
+# protocol scheme was, even if it was hidden by an SSL termination proxy.
+# (string value)
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# The JSON file that defines policies. (string value)
+# Deprecated group/name - [DEFAULT]/policy_file
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+# Deprecated group/name - [DEFAULT]/policy_default_rule
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched.  Missing or empty directories are ignored. (multi
+# valued)
+# Deprecated group/name - [DEFAULT]/policy_dirs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#policy_dirs = policy.d
+
 
 [paste_deploy]
 
@@ -1414,8 +1661,9 @@
 # From keystone
 #
 
-# Policy backend driver. (string value)
-#driver = keystone.policy.backends.sql.Policy
+# Entrypoint for the policy backend driver in the keystone.policy namespace.
+# Supplied drivers are rules and sql. (string value)
+#driver = sql
 
 # Maximum number of entities that will be returned in a policy collection.
 # (integer value)
@@ -1428,8 +1676,10 @@
 # From keystone
 #
 
-# Resource backend driver. If a resource driver is not specified, the
-# assignment driver will choose the resource driver. (string value)
+# Entrypoint for the resource backend driver in the keystone.resource
+# namespace. Supplied drivers are ldap and sql. If a resource driver is not
+# specified, the assignment driver will choose the resource driver. (string
+# value)
 #driver = <None>
 
 # Toggle for resource caching. This has no effect unless global caching is
@@ -1454,9 +1704,10 @@
 # From keystone
 #
 
-# An implementation of the backend for persisting revocation events. (string
-# value)
-#driver = keystone.contrib.revoke.backends.sql.Revoke
+# Entrypoint for an implementation of the backend for persisting revocation
+# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
+# (string value)
+#driver = sql
 
 # This value (calculated in seconds) is added to token expiration before a
 # revocation event may be removed from the backend. (integer value)
@@ -1466,6 +1717,12 @@
 # is enabled. (boolean value)
 #caching = true
 
+# Time to cache the revocation list and the revocation events (in seconds).
+# This has no effect unless global and token caching are enabled. (integer
+# value)
+# Deprecated group/name - [token]/revocation_cache_time
+#cache_time = 3600
+
 
 [role]
 
@@ -1473,7 +1730,8 @@
 # From keystone
 #
 
-# Role backend driver. (string value)
+# Entrypoint for the role backend driver in the keystone.role namespace.
+# Supplied drivers are ldap and sql. (string value)
 #driver = <None>
 
 # Toggle for role caching. This has no effect unless global caching is enabled.
@@ -1551,14 +1809,19 @@
 # Telephone number of contact person. (string value)
 #idp_contact_telephone = <None>
 
-# Contact type. Allowed values are: technical, support, administrative billing,
-# and other (string value)
+# The contact type describing the main point of contact for the identity
+# provider. (string value)
+# Allowed values: technical, support, administrative, billing, other
 #idp_contact_type = other
 
 # Path to the Identity Provider Metadata file. This file should be generated
 # with the keystone-manage saml_idp_metadata command. (string value)
 #idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
 
+# The prefix to use for the RelayState SAML attribute, used when generating ECP
+# wrapped assertions. (string value)
+#relay_state_prefix = ss:mem:
+
 
 [signing]
 
@@ -1582,6 +1845,7 @@
 
 # Key size (in bits) for token signing cert (auto generated certificate).
 # (integer value)
+# Minimum value: 1024
 #key_size = 2048
 
 # Days the token signing cert is valid for (auto generated certificate).
@@ -1603,6 +1867,7 @@
 #ca_key = /etc/keystone/ssl/private/cakey.pem
 
 # SSL key length (in bits) (auto generated certificate). (integer value)
+# Minimum value: 1024
 #key_size = 1024
 
 # Days the certificate is valid for once signed (auto generated certificate).
@@ -1632,23 +1897,20 @@
 # Amount of time a token should remain valid (in seconds). (integer value)
 #expiration = 3600
 
-# Controls the token construction, validation, and revocation operations. Core
-# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". The
-# default provider is uuid. (string value)
-#provider = keystone.token.providers.uuid.Provider
+# Controls the token construction, validation, and revocation operations.
+# Entrypoint in the keystone.token.provider namespace. Core providers are
+# [fernet|pkiz|pki|uuid]. (string value)
+#provider = uuid
 
-# Token persistence backend driver. (string value)
-#driver = keystone.token.persistence.backends.sql.Token
+# Entrypoint for the token persistence backend driver in the
+# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
+# memcache_pool, and sql. (string value)
+#driver = sql
 
 # Toggle for token system caching. This has no effect unless global caching is
 # enabled. (boolean value)
 #caching = true
 
-# Time to cache the revocation list and the revocation events if revoke
-# extension is enabled (in seconds). This has no effect unless global and token
-# caching are enabled. (integer value)
-#revocation_cache_time = 3600
-
 # Time to cache tokens (in seconds). This has no effect unless global and token
 # caching are enabled. (integer value)
 #cache_time = <None>
@@ -1688,26 +1950,6 @@
 # Maximum depth of trust redelegation. (integer value)
 #max_redelegation_count = 3
 
-# Trust backend driver. (string value)
-#driver = keystone.trust.backends.sql.Trust
-
-
-[moon]
-
-# Authorisation backend driver. (string value)
-#authz_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector
-
-# Moon Log driver. (string value)
-#log_driver = keystone.contrib.moon.backends.flat.LogConnector
-
-# IntraExtension backend driver. (string value)
-#intraextension_driver = keystone.contrib.moon.backends.sql.IntraExtensionConnector
-
-# Tenant backend driver. (string value)
-#tenant_driver = keystone.contrib.moon.backends.sql.TenantConnector
-
-# Local directory where all policies are stored. (string value)
-#policy_directory = /etc/keystone/policies
-
-# Local directory where SuperExtension configuration is stored. (string value)
-#root_policy_directory = /etc/keystone/policies/policy_root
+# Entrypoint for the trust backend driver in the keystone.trust namespace.
+# (string value)
+#driver = sql