diff options
author | DUVAL Thomas <thomas.duval@orange.com> | 2016-06-09 09:11:50 +0200 |
---|---|---|
committer | DUVAL Thomas <thomas.duval@orange.com> | 2016-06-09 09:11:50 +0200 |
commit | 2e7b4f2027a1147ca28301e4f88adf8274b39a1f (patch) | |
tree | 8b8d94001ebe6cc34106cf813b538911a8d66d9a /keystone-moon/etc | |
parent | a33bdcb627102a01244630a54cb4b5066b385a6a (diff) |
Update Keystone core to Mitaka.
Change-Id: Ia10d6add16f4a9d25d1f42d420661c46332e69db
Diffstat (limited to 'keystone-moon/etc')
-rw-r--r-- | keystone-moon/etc/default_catalog.templates | 37 | ||||
-rw-r--r-- | keystone-moon/etc/keystone-paste.ini | 41 | ||||
-rw-r--r-- | keystone-moon/etc/keystone.conf.sample | 814 | ||||
-rw-r--r-- | keystone-moon/etc/policy.json | 18 | ||||
-rw-r--r-- | keystone-moon/etc/policy.v3cloudsample.json | 66 |
5 files changed, 560 insertions, 416 deletions
diff --git a/keystone-moon/etc/default_catalog.templates b/keystone-moon/etc/default_catalog.templates index a69b7f06..e885b52e 100644 --- a/keystone-moon/etc/default_catalog.templates +++ b/keystone-moon/etc/default_catalog.templates @@ -6,22 +6,37 @@ catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0 catalog.RegionOne.identity.name = Identity Service # fake compute service for now to help novaclient tests work -catalog.RegionOne.compute.publicURL = http://localhost:8774/v1.1/$(tenant_id)s -catalog.RegionOne.compute.adminURL = http://localhost:8774/v1.1/$(tenant_id)s -catalog.RegionOne.compute.internalURL = http://localhost:8774/v1.1/$(tenant_id)s -catalog.RegionOne.compute.name = Compute Service +catalog.RegionOne.computev21.publicURL = http://localhost:8774/v2.1/$(tenant_id)s +catalog.RegionOne.computev21.adminURL = http://localhost:8774/v2.1/$(tenant_id)s +catalog.RegionOne.computev21.internalURL = http://localhost:8774/v2.1/$(tenant_id)s +catalog.RegionOne.computev21.name = Compute Service V2.1 -catalog.RegionOne.volume.publicURL = http://localhost:8776/v1/$(tenant_id)s -catalog.RegionOne.volume.adminURL = http://localhost:8776/v1/$(tenant_id)s -catalog.RegionOne.volume.internalURL = http://localhost:8776/v1/$(tenant_id)s -catalog.RegionOne.volume.name = Volume Service +catalog.RegionOne.volumev2.publicURL = http://localhost:8776/v2/$(tenant_id)s +catalog.RegionOne.volumev2.adminURL = http://localhost:8776/v2/$(tenant_id)s +catalog.RegionOne.volumev2.internalURL = http://localhost:8776/v2/$(tenant_id)s +catalog.RegionOne.volumev2.name = Volume Service V2 catalog.RegionOne.ec2.publicURL = http://localhost:8773/services/Cloud catalog.RegionOne.ec2.adminURL = http://localhost:8773/services/Admin catalog.RegionOne.ec2.internalURL = http://localhost:8773/services/Cloud catalog.RegionOne.ec2.name = EC2 Service -catalog.RegionOne.image.publicURL = http://localhost:9292/v1 -catalog.RegionOne.image.adminURL = http://localhost:9292/v1 -catalog.RegionOne.image.internalURL = http://localhost:9292/v1 +catalog.RegionOne.image.publicURL = http://localhost:9292 +catalog.RegionOne.image.adminURL = http://localhost:9292 +catalog.RegionOne.image.internalURL = http://localhost:9292 catalog.RegionOne.image.name = Image Service + +catalog.RegionOne.network.publicURL = http://localhost:9696 +catalog.RegionOne.network.adminURL = http://localhost:9696 +catalog.RegionOne.network.internalURL = http://localhost:9696 +catalog.RegionOne.network.name = Network Service + +catalog.RegionOne.orchestration.publicURL = http://localhost:8004/v1/$(tenant_id)s +catalog.RegionOne.orchestration.adminURL = http://localhost:8004/v1/$(tenant_id)s +catalog.RegionOne.orchestration.internalURL = http://localhost:8004/v1/$(tenant_id)s +catalog.RegionOne.orchestration.name = Orchestration Service + +catalog.RegionOne.metering.publicURL = http://localhost:8777 +catalog.RegionOne.metering.adminURL = http://localhost:8777 +catalog.RegionOne.metering.internalURL = http://localhost:8777 +catalog.RegionOne.metering.name = Telemetry Service diff --git a/keystone-moon/etc/keystone-paste.ini b/keystone-moon/etc/keystone-paste.ini index 70db3823..4f3b0a28 100644 --- a/keystone-moon/etc/keystone-paste.ini +++ b/keystone-moon/etc/keystone-paste.ini @@ -1,10 +1,10 @@ # Keystone PasteDeploy configuration file. [filter:debug] -use = egg:keystone#debug +use = egg:oslo.middleware#debug [filter:request_id] -use = egg:keystone#request_id +use = egg:oslo.middleware#request_id [filter:build_auth_context] use = egg:keystone#build_auth_context @@ -13,16 +13,16 @@ use = egg:keystone#build_auth_context use = egg:keystone#token_auth [filter:admin_token_auth] +# This is deprecated in the M release and will be removed in the O release. +# Use `keystone-manage bootstrap` and remove this from the pipelines below. use = egg:keystone#admin_token_auth [filter:json_body] use = egg:keystone#json_body -[filter:user_crud_extension] -use = egg:keystone#user_crud_extension - -[filter:crud_extension] -use = egg:keystone#crud_extension +[filter:cors] +use = egg:oslo.middleware#cors +oslo_config_project = keystone [filter:ec2_extension] use = egg:keystone#ec2_extension @@ -30,29 +30,14 @@ use = egg:keystone#ec2_extension [filter:ec2_extension_v3] use = egg:keystone#ec2_extension_v3 -[filter:federation_extension] -use = egg:keystone#federation_extension - -[filter:oauth1_extension] -use = egg:keystone#oauth1_extension - [filter:s3_extension] use = egg:keystone#s3_extension -[filter:endpoint_filter_extension] -use = egg:keystone#endpoint_filter_extension - -[filter:simple_cert_extension] -use = egg:keystone#simple_cert_extension - -[filter:revoke_extension] -use = egg:keystone#revoke_extension - [filter:url_normalize] use = egg:keystone#url_normalize [filter:sizelimit] -use = egg:keystone#sizelimit +use = egg:oslo.middleware#sizelimit [app:public_service] use = egg:keystone#public_service @@ -66,17 +51,17 @@ use = egg:keystone#admin_service [pipeline:public_api] # The last item in this pipeline must be public_service or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service [pipeline:admin_api] # The last item in this pipeline must be admin_service or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service [pipeline:api_v3] # The last item in this pipeline must be service_v3 or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3 +pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3 [app:public_version_service] use = egg:keystone#public_version_service @@ -85,10 +70,10 @@ use = egg:keystone#public_version_service use = egg:keystone#admin_version_service [pipeline:public_version_api] -pipeline = sizelimit url_normalize public_version_service +pipeline = cors sizelimit url_normalize public_version_service [pipeline:admin_version_api] -pipeline = sizelimit url_normalize admin_version_service +pipeline = cors sizelimit url_normalize admin_version_service [composite:main] use = egg:Paste#urlmap diff --git a/keystone-moon/etc/keystone.conf.sample b/keystone-moon/etc/keystone.conf.sample index 8e5ea13b..cce0876a 100644 --- a/keystone-moon/etc/keystone.conf.sample +++ b/keystone-moon/etc/keystone.conf.sample @@ -5,11 +5,12 @@ # # A "shared secret" that can be used to bootstrap Keystone. This "token" does -# not represent a user, and carries no explicit authorization. To disable in -# production (highly recommended), remove AdminTokenAuthMiddleware from your -# paste application pipelines (for example, in keystone-paste.ini). (string -# value) -#admin_token = ADMIN +# not represent a user, and carries no explicit authorization. If set to +# `None`, the value is ignored and the `admin_token` log in mechanism is +# effectively disabled. To completely disable `admin_token` in production +# (highly recommended), remove AdminTokenAuthMiddleware from your paste +# application pipelines (for example, in keystone-paste.ini). (string value) +#admin_token = <None> # The base public endpoint URL for Keystone that is advertised to clients # (NOTE: this does NOT affect how Keystone listens for connections). Defaults @@ -27,8 +28,9 @@ # found on a different server. (string value) #admin_endpoint = <None> -# Maximum depth of the project hierarchy. WARNING: setting it to a large value -# may adversely impact performance. (integer value) +# Maximum depth of the project hierarchy, excluding the project acting as a +# domain at the top of the hierarchy. WARNING: setting it to a large value may +# adversely impact performance. (integer value) #max_project_tree_depth = 5 # Limit the sizes of user & project ID/names. (integer value) @@ -64,7 +66,10 @@ # project entities to be moved between domains by updating their domain_id. # Allowing such movement is not recommended if the scope of a domain admin is # being restricted by use of an appropriate policy file (see -# policy.v3cloudsample as an example). (boolean value) +# policy.v3cloudsample as an example). This ability is deprecated and will be +# removed in a future release. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #domain_id_immutable = true # If set to true, strict password length checking is performed for password @@ -74,9 +79,14 @@ #strict_password_check = false # The HTTP header used to determine the scheme for the original request, even -# if it was removed by an SSL terminating proxy. Typical value is -# "HTTP_X_FORWARDED_PROTO". (string value) -#secure_proxy_ssl_header = <None> +# if it was removed by an SSL terminating proxy. (string value) +#secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO + +# If set to true the server will return information in the response that may +# allow an unauthenticated or authenticated user to get more information than +# normal, such as why authentication failed. This may be useful for debugging +# but is insecure. (boolean value) +#insecure_debug = false # # From keystone.notifications @@ -92,78 +102,93 @@ # Allowed values: basic, cadf #notification_format = basic +# Define the notification options to opt-out from. The value expected is: +# identity.<resource_type>.<operation>. This field can be set multiple times in +# order to add more notifications to opt-out from. For example: +# notification_opt_out=identity.user.created +# notification_opt_out=identity.authenticate.success (multi valued) +#notification_opt_out = + # # From oslo.log # -# Print debugging output (set logging level to DEBUG instead of default INFO -# level). (boolean value) +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) #debug = false -# If set to false, will disable INFO logging level, making WARNING the default. -# (boolean value) +# If set to false, the logging level will be set to WARNING instead of the +# default INFO level. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. #verbose = true # The name of a logging configuration file. This file is appended to any # existing logging configuration files. For details about logging configuration -# files, see the Python logging module documentation. (string value) +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, logging_context_format_string). (string value) # Deprecated group/name - [DEFAULT]/log_config #log_config_append = <None> -# DEPRECATED. A logging.Formatter log message format string which may use any -# of the available logging.LogRecord attributes. This option is deprecated. -# Please use logging_context_format_string and logging_default_format_string -# instead. (string value) -#log_format = <None> - -# Format string for %%(asctime)s in log records. Default: %(default)s . (string +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string # value) #log_date_format = %Y-%m-%d %H:%M:%S -# (Optional) Name of log file to output to. If no default is set, logging will -# go to stdout. (string value) +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) # Deprecated group/name - [DEFAULT]/logfile #log_file = <None> -# (Optional) The base directory used for relative --log-file paths. (string -# value) +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) # Deprecated group/name - [DEFAULT]/logdir #log_dir = <None> +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + # Use syslog for logging. Existing syslog format is DEPRECATED and will be -# changed later to honor RFC5424. (boolean value) +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) #use_syslog = false -# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, -# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The -# format without the APP-NAME is deprecated in Kilo, and will be removed in -# Mitaka, along with this option. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#use_syslog_rfc_format = true - -# Syslog facility to receive log lines. (string value) +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) #syslog_log_facility = LOG_USER -# Log output to standard error. (boolean value) +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) #use_stderr = true # Format string to use for log messages with context. (string value) #logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s -# Format string to use for log messages without context. (string value) +# Format string to use for log messages when context is undefined. (string +# value) #logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s -# Data to append to log format when level is DEBUG. (string value) +# Additional data to append to log message when logging level for the message +# is DEBUG. (string value) #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d # Prefix each line of exception output with this format. (string value) #logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s -# List of logger=LEVEL pairs. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO # Enables or disables publication of error events. (boolean value) #publish_errors = false @@ -192,10 +217,11 @@ #rpc_zmq_bind_address = * # MatchMaker driver. (string value) -#rpc_zmq_matchmaker = local +# Allowed values: redis, dummy +#rpc_zmq_matchmaker = redis -# ZeroMQ receiver listening port. (integer value) -#rpc_zmq_port = 9501 +# Type of concurrency used. Either "native" or "eventlet" (string value) +#rpc_zmq_concurrency = eventlet # Number of ZeroMQ contexts, defaults to 1. (integer value) #rpc_zmq_contexts = 1 @@ -211,28 +237,42 @@ # "host" option, if running Nova. (string value) #rpc_zmq_host = localhost -# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. -# (integer value) -#rpc_cast_timeout = 30 +# Seconds to wait before a cast expires (TTL). The default value of -1 +# specifies an infinite linger period. The value of 0 specifies no linger +# period. Pending messages shall be discarded immediately when the socket is +# closed. Only supported by impl_zmq. (integer value) +#rpc_cast_timeout = -1 -# Heartbeat frequency. (integer value) -#matchmaker_heartbeat_freq = 300 +# The default number of seconds that poll should wait. Poll raises timeout +# exception when timeout expired. (integer value) +#rpc_poll_timeout = 1 -# Heartbeat time-to-live. (integer value) -#matchmaker_heartbeat_ttl = 600 +# Expiration timeout in seconds of a name service record about existing target +# ( < 0 means no timeout). (integer value) +#zmq_target_expire = 120 + +# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean +# value) +#use_pub_sub = true + +# Minimal port number for random ports range. (port value) +# Minimum value: 0 +# Maximum value: 65535 +#rpc_zmq_min_port = 49152 + +# Maximal port number for random ports range. (integer value) +# Minimum value: 1 +# Maximum value: 65536 +#rpc_zmq_max_port = 65536 + +# Number of retries to find free port number before fail with ZMQBindError. +# (integer value) +#rpc_zmq_bind_port_retries = 100 # Size of executor thread pool. (integer value) # Deprecated group/name - [DEFAULT]/rpc_thread_pool_size #executor_thread_pool_size = 64 -# The Drivers(s) to handle sending notifications. Possible values are -# messaging, messagingv2, routing, log, test, noop (multi valued) -#notification_driver = - -# AMQP topic used for OpenStack notifications. (list value) -# Deprecated group/name - [rpc_notifier2]/topics -#notification_topics = notifications - # Seconds to wait for a response from a call. (integer value) #rpc_response_timeout = 60 @@ -241,7 +281,7 @@ # configuration. (string value) #transport_url = <None> -# The messaging driver to use, defaults to rabbit. Other drivers include qpid +# The messaging driver to use, defaults to rabbit. Other drivers include amqp # and zmq. (string value) #rpc_backend = rabbit @@ -261,10 +301,20 @@ # The chosen port is displayed in the service's log file. (string value) #backdoor_port = <None> +# Enable eventlet backdoor, using the provided path as a unix socket that can +# receive connections. This option is mutually exclusive with 'backdoor_port' +# in that only one should be provided. If both are provided then the existence +# of this option overrides the usage of that option. (string value) +#backdoor_socket = <None> + # Enables or disables logging values of all registered options when starting a # service (at DEBUG level). (boolean value) #log_options = true +# Specify a timeout after which a gracefully shutdown server will exit. Zero +# value means endless wait. (integer value) +#graceful_shutdown_timeout = 60 + [assignment] @@ -273,11 +323,16 @@ # # Entrypoint for the assignment backend driver in the keystone.assignment -# namespace. Supplied drivers are ldap and sql. If an assignment driver is not -# specified, the identity driver will choose the assignment driver. (string -# value) +# namespace. Only an SQL driver is supplied. If an assignment driver is not +# specified, the identity driver will choose the assignment driver (driver +# selection based on `[identity]/driver` option is deprecated and will be +# removed in the "O" release). (string value) #driver = <None> +# A list of role names which are prohibited from being an implied role. (list +# value) +#prohibited_implied_role = admin + [auth] @@ -309,13 +364,13 @@ [cache] # -# From keystone +# From oslo.cache # # Prefix for building the configuration dictionary for the cache region. This # should not need to be changed unless there is another dogpile.cache region # with the same configuration name. (string value) -#config_prefix = cache.keystone +#config_prefix = cache.oslo # Default TTL, in seconds, for any cached item in the dogpile.cache region. # This applies to any cached method that doesn't have an explicit cache @@ -323,10 +378,10 @@ #expiration_time = 600 # Dogpile.cache backend module. It is recommended that Memcache with pooling -# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in +# (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in # production deployments. Small workloads (single process) like devstack can # use the dogpile.cache.memory backend. (string value) -#backend = keystone.common.cache.noop +#backend = dogpile.cache.null # Arguments supplied to the backend module. Specify this option once per # argument to be passed to the dogpile.cache backend. Example format: @@ -338,8 +393,7 @@ # (list value) #proxies = -# Global toggle for all caching using the should_cache_fn mechanism. (boolean -# value) +# Global toggle for caching. (boolean value) #enabled = false # Extra debugging from the cache backend (cache keys, get/set/delete/etc @@ -349,24 +403,24 @@ #debug_cache_backend = false # Memcache servers in the format of "host:port". (dogpile.cache.memcache and -# keystone.cache.memcache_pool backends only). (list value) +# oslo_cache.memcache_pool backends only). (list value) #memcache_servers = localhost:11211 # Number of seconds memcached server is considered dead before it is tried -# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends -# only). (integer value) +# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only). +# (integer value) #memcache_dead_retry = 300 # Timeout in seconds for every call to a server. (dogpile.cache.memcache and -# keystone.cache.memcache_pool backends only). (integer value) +# oslo_cache.memcache_pool backends only). (integer value) #memcache_socket_timeout = 3 # Max total number of open connections to every memcached server. -# (keystone.cache.memcache_pool backend only). (integer value) +# (oslo_cache.memcache_pool backend only). (integer value) #memcache_pool_maxsize = 10 # Number of seconds a connection to memcached is held unused in the pool before -# it is closed. (keystone.cache.memcache_pool backend only). (integer value) +# it is closed. (oslo_cache.memcache_pool backend only). (integer value) #memcache_pool_unused_timeout = 60 # Number of seconds that an operation will wait to get a memcache client @@ -409,7 +463,7 @@ # # Indicate whether this resource may be shared with the domain received in the -# requests "origin" header. (string value) +# requests "origin" header. (list value) #allowed_origin = <None> # Indicate that the actual request can include user credentials (boolean value) @@ -417,17 +471,17 @@ # Indicate which headers are safe to expose to the API. Defaults to HTTP Simple # Headers. (list value) -#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma +#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token # Maximum cache age of CORS preflight requests. (integer value) #max_age = 3600 # Indicate which methods can be used during the actual request. (list value) -#allow_methods = GET,POST,PUT,DELETE,OPTIONS +#allow_methods = GET,PUT,POST,DELETE,PATCH # Indicate which header field names may be used during the actual request. # (list value) -#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma +#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name [cors.subdomain] @@ -437,7 +491,7 @@ # # Indicate whether this resource may be shared with the domain received in the -# requests "origin" header. (string value) +# requests "origin" header. (list value) #allowed_origin = <None> # Indicate that the actual request can include user credentials (boolean value) @@ -445,17 +499,17 @@ # Indicate which headers are safe to expose to the API. Defaults to HTTP Simple # Headers. (list value) -#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma +#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token # Maximum cache age of CORS preflight requests. (integer value) #max_age = 3600 # Indicate which methods can be used during the actual request. (list value) -#allow_methods = GET,POST,PUT,DELETE,OPTIONS +#allow_methods = GET,PUT,POST,DELETE,PATCH # Indicate which header field names may be used during the actual request. # (list value) -#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma +#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name [credential] @@ -534,7 +588,7 @@ # If set, use this value for max_overflow with SQLAlchemy. (integer value) # Deprecated group/name - [DEFAULT]/sql_max_overflow # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow -#max_overflow = <None> +#max_overflow = 50 # Verbosity of SQL debugging information: 0=None, 100=Everything. (integer # value) @@ -609,6 +663,11 @@ # # Enable endpoint_policy functionality. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: The option to enable the OS-ENDPOINT-POLICY extension has been +# deprecated in the M release and will be removed in the O release. The OS- +# ENDPOINT-POLICY extension will be enabled by default. #enabled = true # Entrypoint for the endpoint policy backend driver in the @@ -644,8 +703,8 @@ # Its value may be silently ignored in the future. #public_bind_host = 0.0.0.0 -# The port number which the public service listens on. (integer value) -# Minimum value: 1 +# The port number which the public service listens on. (port value) +# Minimum value: 0 # Maximum value: 65535 # Deprecated group/name - [DEFAULT]/public_port # This option is deprecated for removal. @@ -660,8 +719,8 @@ # Its value may be silently ignored in the future. #admin_bind_host = 0.0.0.0 -# The port number which the admin service listens on. (integer value) -# Minimum value: 1 +# The port number which the admin service listens on. (port value) +# Minimum value: 0 # Maximum value: 65535 # Deprecated group/name - [DEFAULT]/admin_port # This option is deprecated for removal. @@ -674,7 +733,7 @@ # Timeout for socket operations on a client connection. If an incoming # connection is idle for this number of seconds it will be closed. A value of -# '0' means wait forever. (integer value) +# "0" means wait forever. (integer value) #client_socket_timeout = 900 # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. @@ -686,7 +745,8 @@ #tcp_keepalive = false # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only -# applies if tcp_keepalive is true. (integer value) +# applies if tcp_keepalive is true. Ignored if system does not support it. +# (integer value) # Deprecated group/name - [DEFAULT]/tcp_keepidle # This option is deprecated for removal. # Its value may be silently ignored in the future. @@ -760,8 +820,8 @@ # A list of trusted dashboard hosts. Before accepting a Single Sign-On request # to return a token, the origin host must be a member of the trusted_dashboard # list. This configuration option may be repeated for multiple values. For -# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com -# (multi valued) +# example: trusted_dashboard=http://acme.com/auth/websso +# trusted_dashboard=http://beta.com/auth/websso (multi valued) #trusted_dashboard = # Location of Single Sign-On callback handler, will return a token to a trusted @@ -866,7 +926,7 @@ # mapping for even the default LDAP driver. It is only safe to do this if you # do not already have assignments for users and groups from the default LDAP # domain, and it is acceptable for Keystone to provide the different IDs to -# clients than it did previously. Typically this means that the only time you +# clients than it did previously. Typically this means that the only time you # can set this value to False is when configuring a fresh installation. # (boolean value) #backward_compatible_ids = true @@ -902,7 +962,9 @@ # From keystone # -# URL for connecting to the LDAP server. (string value) +# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified +# as a comma separated string. The first URL to successfully bind is used for +# the connection. (string value) #url = ldap://localhost # User BindDN to query the LDAP server. (string value) @@ -965,6 +1027,9 @@ # LDAP attribute mapped to user name. (string value) #user_name_attribute = sn +# LDAP attribute mapped to user description. (string value) +#user_description_attribute = description + # LDAP attribute mapped to user email. (string value) #user_mail_attribute = mail @@ -1002,12 +1067,24 @@ #user_default_project_id_attribute = <None> # Allow user creation in LDAP backend. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Write support for Identity LDAP backends has been deprecated in the M +# release and will be removed in the O release. #user_allow_create = true # Allow user updates in LDAP backend. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Write support for Identity LDAP backends has been deprecated in the M +# release and will be removed in the O release. #user_allow_update = true # Allow user deletion in LDAP backend. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Write support for Identity LDAP backends has been deprecated in the M +# release and will be removed in the O release. #user_allow_delete = true # If true, Keystone uses an alternative method to determine if a user is @@ -1029,168 +1106,6 @@ # Identity API attribute. (list value) #user_additional_attribute_mapping = -# Search base for projects. Defaults to the suffix value. (string value) -# Deprecated group/name - [ldap]/tenant_tree_dn -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_tree_dn = <None> - -# LDAP search filter for projects. (string value) -# Deprecated group/name - [ldap]/tenant_filter -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_filter = <None> - -# LDAP objectclass for projects. (string value) -# Deprecated group/name - [ldap]/tenant_objectclass -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_objectclass = groupOfNames - -# LDAP attribute mapped to project id. (string value) -# Deprecated group/name - [ldap]/tenant_id_attribute -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_id_attribute = cn - -# LDAP attribute mapped to project membership for user. (string value) -# Deprecated group/name - [ldap]/tenant_member_attribute -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_member_attribute = member - -# LDAP attribute mapped to project name. (string value) -# Deprecated group/name - [ldap]/tenant_name_attribute -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_name_attribute = ou - -# LDAP attribute mapped to project description. (string value) -# Deprecated group/name - [ldap]/tenant_desc_attribute -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_desc_attribute = description - -# LDAP attribute mapped to project enabled. (string value) -# Deprecated group/name - [ldap]/tenant_enabled_attribute -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_enabled_attribute = enabled - -# LDAP attribute mapped to project domain_id. (string value) -# Deprecated group/name - [ldap]/tenant_domain_id_attribute -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_domain_id_attribute = businessCategory - -# List of attributes stripped off the project on update. (list value) -# Deprecated group/name - [ldap]/tenant_attribute_ignore -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_attribute_ignore = - -# Allow project creation in LDAP backend. (boolean value) -# Deprecated group/name - [ldap]/tenant_allow_create -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_allow_create = true - -# Allow project update in LDAP backend. (boolean value) -# Deprecated group/name - [ldap]/tenant_allow_update -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_allow_update = true - -# Allow project deletion in LDAP backend. (boolean value) -# Deprecated group/name - [ldap]/tenant_allow_delete -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_allow_delete = true - -# If true, Keystone uses an alternative method to determine if a project is -# enabled or not by checking if they are a member of the -# "project_enabled_emulation_dn" group. (boolean value) -# Deprecated group/name - [ldap]/tenant_enabled_emulation -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_enabled_emulation = false - -# DN of the group entry to hold enabled projects when using enabled emulation. -# (string value) -# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_enabled_emulation_dn = <None> - -# Use the "group_member_attribute" and "group_objectclass" settings to -# determine membership in the emulated enabled group. (boolean value) -#project_enabled_emulation_use_group_config = false - -# Additional attribute mappings for projects. Attribute mapping format is -# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry -# and user_attr is the Identity API attribute. (list value) -# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#project_additional_attribute_mapping = - -# Search base for roles. Defaults to the suffix value. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_tree_dn = <None> - -# LDAP search filter for roles. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_filter = <None> - -# LDAP objectclass for roles. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_objectclass = organizationalRole - -# LDAP attribute mapped to role id. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_id_attribute = cn - -# LDAP attribute mapped to role name. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_name_attribute = ou - -# LDAP attribute mapped to role membership. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_member_attribute = roleOccupant - -# List of attributes stripped off the role on update. (list value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_attribute_ignore = - -# Allow role creation in LDAP backend. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_allow_create = true - -# Allow role update in LDAP backend. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_allow_update = true - -# Allow role deletion in LDAP backend. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_allow_delete = true - -# Additional attribute mappings for roles. Attribute mapping format is -# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry -# and user_attr is the Identity API attribute. (list value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#role_additional_attribute_mapping = - # Search base for groups. Defaults to the suffix value. (string value) #group_tree_dn = <None> @@ -1216,12 +1131,24 @@ #group_attribute_ignore = # Allow group creation in LDAP backend. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Write support for Identity LDAP backends has been deprecated in the M +# release and will be removed in the O release. #group_allow_create = true # Allow group update in LDAP backend. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Write support for Identity LDAP backends has been deprecated in the M +# release and will be removed in the O release. #group_allow_update = true # Allow group deletion in LDAP backend. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Write support for Identity LDAP backends has been deprecated in the M +# release and will be removed in the O release. #group_allow_delete = true # Additional attribute mappings for groups. Attribute mapping format is @@ -1245,7 +1172,7 @@ #tls_req_cert = demand # Enable LDAP connection pooling. (boolean value) -#use_pool = false +#use_pool = true # Connection pool size. (integer value) #pool_size = 10 @@ -1267,7 +1194,7 @@ # Enable LDAP connection pooling for end user authentication. If use_pool is # disabled, then this setting is meaningless and is not used at all. (boolean # value) -#use_auth_pool = false +#use_auth_pool = true # End user auth connection pool size. (integer value) #auth_pool_size = 100 @@ -1275,6 +1202,11 @@ # End user auth connection lifetime in seconds. (integer value) #auth_pool_connection_lifetime = 60 +# If the members of the group objectclass are user IDs rather than DNs, set +# this to true. This is the case when using posixGroup as the group objectclass +# and OpenDirectory. (boolean value) +#group_members_are_ids = false + [matchmaker_redis] @@ -1285,22 +1217,29 @@ # Host to locate redis. (string value) #host = 127.0.0.1 -# Use this port to connect to redis host. (integer value) +# Use this port to connect to redis host. (port value) +# Minimum value: 0 +# Maximum value: 65535 #port = 6379 # Password for Redis server (optional). (string value) -#password = <None> +#password = +# List of Redis Sentinel hosts (fault tolerance mode) e.g. +# [host:port, host1:port ... ] (list value) +#sentinel_hosts = -[matchmaker_ring] +# Redis replica set name. (string value) +#sentinel_group_name = oslo-messaging-zeromq -# -# From oslo.messaging -# +# Time in ms to wait between connection attempts. (integer value) +#wait_timeout = 500 -# Matchmaker ring file (JSON). (string value) -# Deprecated group/name - [DEFAULT]/matchmaker_ringfile -#ringfile = /etc/oslo/matchmaker_ring.json +# Time in ms to wait before the transaction is killed. (integer value) +#check_timeout = 20000 + +# Timeout in ms on blocking socket operations (integer value) +#socket_timeout = 1000 [memcache] @@ -1344,7 +1283,7 @@ # From keystone # -# Entrypoint for hte OAuth backend driver in the keystone.oauth1 namespace. +# Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace. # (string value) #driver = sql @@ -1362,8 +1301,15 @@ # # role-assignment inheritance to projects from owning domain or from projects -# higher in the hierarchy can be optionally enabled. (boolean value) -#enabled = false +# higher in the hierarchy can be optionally disabled. In the future, this +# option will be removed and the hierarchy will be always enabled. (boolean +# value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: The option to enable the OS-INHERIT extension has been deprecated in +# the M release and will be removed in the O release. The OS-INHERIT extension +# will be enabled by default. +#enabled = true [oslo_messaging_amqp] @@ -1416,78 +1362,47 @@ # Deprecated group/name - [amqp1]/allow_insecure_clients #allow_insecure_clients = false +# Space separated list of acceptable SASL mechanisms (string value) +# Deprecated group/name - [amqp1]/sasl_mechanisms +#sasl_mechanisms = -[oslo_messaging_qpid] - -# -# From oslo.messaging -# - -# Use durable queues in AMQP. (boolean value) -# Deprecated group/name - [DEFAULT]/amqp_durable_queues -# Deprecated group/name - [DEFAULT]/rabbit_durable_queues -#amqp_durable_queues = false - -# Auto-delete queues in AMQP. (boolean value) -# Deprecated group/name - [DEFAULT]/amqp_auto_delete -#amqp_auto_delete = false - -# Send a single AMQP reply to call message. The current behaviour since oslo- -# incubator is to send two AMQP replies - first one with the payload, a second -# one to ensure the other have finish to send the payload. We are going to -# remove it in the N release, but we must keep backward compatible at the same -# time. This option provides such compatibility - it defaults to False in -# Liberty and can be turned on for early adopters with a new installations or -# for testing. Please note, that this option will be removed in the Mitaka -# release. (boolean value) -#send_single_reply = false - -# Qpid broker hostname. (string value) -# Deprecated group/name - [DEFAULT]/qpid_hostname -#qpid_hostname = localhost +# Path to directory that contains the SASL configuration (string value) +# Deprecated group/name - [amqp1]/sasl_config_dir +#sasl_config_dir = -# Qpid broker port. (integer value) -# Deprecated group/name - [DEFAULT]/qpid_port -#qpid_port = 5672 +# Name of configuration file (without .conf suffix) (string value) +# Deprecated group/name - [amqp1]/sasl_config_name +#sasl_config_name = -# Qpid HA cluster host:port pairs. (list value) -# Deprecated group/name - [DEFAULT]/qpid_hosts -#qpid_hosts = $qpid_hostname:$qpid_port +# User name for message broker authentication (string value) +# Deprecated group/name - [amqp1]/username +#username = -# Username for Qpid connection. (string value) -# Deprecated group/name - [DEFAULT]/qpid_username -#qpid_username = +# Password for message broker authentication (string value) +# Deprecated group/name - [amqp1]/password +#password = -# Password for Qpid connection. (string value) -# Deprecated group/name - [DEFAULT]/qpid_password -#qpid_password = -# Space separated list of SASL mechanisms to use for auth. (string value) -# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms -#qpid_sasl_mechanisms = +[oslo_messaging_notifications] -# Seconds between connection keepalive heartbeats. (integer value) -# Deprecated group/name - [DEFAULT]/qpid_heartbeat -#qpid_heartbeat = 60 - -# Transport to use, either 'tcp' or 'ssl'. (string value) -# Deprecated group/name - [DEFAULT]/qpid_protocol -#qpid_protocol = tcp +# +# From oslo.messaging +# -# Whether to disable the Nagle algorithm. (boolean value) -# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay -#qpid_tcp_nodelay = true +# The Drivers(s) to handle sending notifications. Possible values are +# messaging, messagingv2, routing, log, test, noop (multi valued) +# Deprecated group/name - [DEFAULT]/notification_driver +#driver = -# The number of prefetched messages held by receiver. (integer value) -# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity -#qpid_receiver_capacity = 1 +# A URL representing the messaging driver to use for notifications. If not set, +# we fall back to the same configuration used for RPC. (string value) +# Deprecated group/name - [DEFAULT]/notification_transport_url +#transport_url = <None> -# The qpid topology version to use. Version 1 is what was originally used by -# impl_qpid. Version 2 includes some backwards-incompatible changes that allow -# broker federation to work. Users should update to version 2 when they are -# able to take everything down, as it requires a clean break. (integer value) -# Deprecated group/name - [DEFAULT]/qpid_topology_version -#qpid_topology_version = 1 +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +# Deprecated group/name - [DEFAULT]/notification_topics +#topics = notifications [oslo_messaging_rabbit] @@ -1505,16 +1420,6 @@ # Deprecated group/name - [DEFAULT]/amqp_auto_delete #amqp_auto_delete = false -# Send a single AMQP reply to call message. The current behaviour since oslo- -# incubator is to send two AMQP replies - first one with the payload, a second -# one to ensure the other have finish to send the payload. We are going to -# remove it in the N release, but we must keep backward compatible at the same -# time. This option provides such compatibility - it defaults to False in -# Liberty and can be turned on for early adopters with a new installations or -# for testing. Please note, that this option will be removed in the Mitaka -# release. (boolean value) -#send_single_reply = false - # SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and # SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some # distributions. (string value) @@ -1538,15 +1443,28 @@ # Deprecated group/name - [DEFAULT]/kombu_reconnect_delay #kombu_reconnect_delay = 1.0 -# How long to wait before considering a reconnect attempt to have failed. This -# value should not be longer than rpc_response_timeout. (integer value) -#kombu_reconnect_timeout = 60 +# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not +# be used. This option may notbe available in future versions. (string value) +#kombu_compression = <None> + +# How long to wait a missing client beforce abandoning to send it its replies. +# This value should not be longer than rpc_response_timeout. (integer value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_timeout +#kombu_missing_consumer_retry_timeout = 60 + +# Determines how the next RabbitMQ node is chosen in case the one we are +# currently connected to becomes unavailable. Takes effect only if more than +# one RabbitMQ node is provided in config. (string value) +# Allowed values: round-robin, shuffle +#kombu_failover_strategy = round-robin # The RabbitMQ broker address where a single node is used. (string value) # Deprecated group/name - [DEFAULT]/rabbit_host #rabbit_host = localhost -# The RabbitMQ broker port where a single node is used. (integer value) +# The RabbitMQ broker port where a single node is used. (port value) +# Minimum value: 0 +# Maximum value: 65535 # Deprecated group/name - [DEFAULT]/rabbit_port #rabbit_port = 5672 @@ -1582,16 +1500,34 @@ # Deprecated group/name - [DEFAULT]/rabbit_retry_backoff #rabbit_retry_backoff = 2 +# Maximum interval of RabbitMQ connection retries. Default is 30 seconds. +# (integer value) +#rabbit_interval_max = 30 + # Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry # count). (integer value) # Deprecated group/name - [DEFAULT]/rabbit_max_retries #rabbit_max_retries = 0 -# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you -# must wipe the RabbitMQ database. (boolean value) +# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this +# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring +# is no longer controlled by the x-ha-policy argument when declaring a queue. +# If you just want to make sure that all queues (except those with auto- +# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy +# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value) # Deprecated group/name - [DEFAULT]/rabbit_ha_queues #rabbit_ha_queues = false +# Positive integer representing duration in seconds for queue TTL (x-expires). +# Queues which are unused for the duration of the TTL are automatically +# deleted. The parameter affects only reply and fanout queues. (integer value) +# Minimum value: 1 +#rabbit_transient_queues_ttl = 1800 + +# Specifies the number of messages to prefetch. Setting to zero allows +# unlimited messages. (integer value) +#rabbit_qos_prefetch_count = 0 + # Number of seconds after which the Rabbit broker is considered down if # heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer # value) @@ -1605,6 +1541,104 @@ # Deprecated group/name - [DEFAULT]/fake_rabbit #fake_rabbit = false +# Maximum number of channels to allow (integer value) +#channel_max = <None> + +# The maximum byte size for an AMQP frame (integer value) +#frame_max = <None> + +# How often to send heartbeats for consumer's connections (integer value) +#heartbeat_interval = 1 + +# Enable SSL (boolean value) +#ssl = <None> + +# Arguments passed to ssl.wrap_socket (dict value) +#ssl_options = <None> + +# Set socket timeout in seconds for connection's socket (floating point value) +#socket_timeout = 0.25 + +# Set TCP_USER_TIMEOUT in seconds for connection's socket (floating point +# value) +#tcp_user_timeout = 0.25 + +# Set delay for reconnection to some host which has connection error (floating +# point value) +#host_connection_reconnect_delay = 0.25 + +# Maximum number of connections to keep queued. (integer value) +#pool_max_size = 10 + +# Maximum number of connections to create above `pool_max_size`. (integer +# value) +#pool_max_overflow = 0 + +# Default number of seconds to wait for a connections to available (integer +# value) +#pool_timeout = 30 + +# Lifetime of a connection (since creation) in seconds or None for no +# recycling. Expired connections are closed on acquire. (integer value) +#pool_recycle = 600 + +# Threshold at which inactive (since release) connections are considered stale +# in seconds or None for no staleness. Stale connections are closed on acquire. +# (integer value) +#pool_stale = 60 + +# Persist notification messages. (boolean value) +#notification_persistence = false + +# Exchange name for for sending notifications (string value) +#default_notification_exchange = ${control_exchange}_notification + +# Max number of not acknowledged message which RabbitMQ can send to +# notification listener. (integer value) +#notification_listener_prefetch_count = 100 + +# Reconnecting retry count in case of connectivity problem during sending +# notification, -1 means infinite retry. (integer value) +#default_notification_retry_attempts = -1 + +# Reconnecting retry delay in case of connectivity problem during sending +# notification message (floating point value) +#notification_retry_delay = 0.25 + +# Time to live for rpc queues without consumers in seconds. (integer value) +#rpc_queue_expiration = 60 + +# Exchange name for sending RPC messages (string value) +#default_rpc_exchange = ${control_exchange}_rpc + +# Exchange name for receiving RPC replies (string value) +#rpc_reply_exchange = ${control_exchange}_rpc_reply + +# Max number of not acknowledged message which RabbitMQ can send to rpc +# listener. (integer value) +#rpc_listener_prefetch_count = 100 + +# Max number of not acknowledged message which RabbitMQ can send to rpc reply +# listener. (integer value) +#rpc_reply_listener_prefetch_count = 100 + +# Reconnecting retry count in case of connectivity problem during sending +# reply. -1 means infinite retry during rpc_timeout (integer value) +#rpc_reply_retry_attempts = -1 + +# Reconnecting retry delay in case of connectivity problem during sending +# reply. (floating point value) +#rpc_reply_retry_delay = 0.25 + +# Reconnecting retry count in case of connectivity problem during sending RPC +# message, -1 means infinite retry. If actual retry attempts in not 0 the rpc +# request could be processed more then one time (integer value) +#default_rpc_retry_attempts = -1 + +# Reconnecting retry delay in case of connectivity problem during sending RPC +# message (floating point value) +#rpc_retry_delay = 0.25 + [oslo_middleware] @@ -1617,13 +1651,11 @@ # Deprecated group/name - [DEFAULT]/max_request_body_size #max_request_body_size = 114688 -# -# From oslo.middleware -# - # The HTTP Header that will be used to determine what the original request # protocol scheme was, even if it was hidden by an SSL termination proxy. # (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #secure_proxy_ssl_header = X-Forwarded-Proto @@ -1647,8 +1679,6 @@ # directories to be searched. Missing or empty directories are ignored. (multi # valued) # Deprecated group/name - [DEFAULT]/policy_dirs -# This option is deprecated for removal. -# Its value may be silently ignored in the future. #policy_dirs = policy.d @@ -1685,7 +1715,7 @@ # # Entrypoint for the resource backend driver in the keystone.resource -# namespace. Supplied drivers are ldap and sql. If a resource driver is not +# namespace. Only an SQL driver is supplied. If a resource driver is not # specified, the assignment driver will choose the resource driver. (string # value) #driver = <None> @@ -1705,6 +1735,31 @@ # Deprecated group/name - [assignment]/list_limit #list_limit = <None> +# Name of the domain that owns the `admin_project_name`. Defaults to None. +# (string value) +#admin_project_domain_name = <None> + +# Special project for performing administrative operations on remote services. +# Tokens scoped to this project will contain the key/value +# `is_admin_project=true`. Defaults to None. (string value) +#admin_project_name = <None> + +# Whether the names of projects are restricted from containing url reserved +# characters. If set to new, attempts to create or update a project with a url +# unsafe name will return an error. In addition, if set to strict, attempts to +# scope a token using an unsafe project name will return an error. (string +# value) +# Allowed values: off, new, strict +#project_name_url_safe = off + +# Whether the names of domains are restricted from containing url reserved +# characters. If set to new, attempts to create or update a domain with a url +# unsafe name will return an error. In addition, if set to strict, attempts to +# scope a token using a domain name which is unsafe will return an error. +# (string value) +# Allowed values: off, new, strict +#domain_name_url_safe = off + [revoke] @@ -1831,6 +1886,17 @@ #relay_state_prefix = ss:mem: +[shadow_users] + +# +# From keystone +# + +# Entrypoint for the shadow users backend driver in the +# keystone.identity.shadow_users namespace. (string value) +#driver = sql + + [signing] # @@ -1840,28 +1906,56 @@ # Path of the certfile for token signing. For non-production environments, you # may be interested in using `keystone-manage pki_setup` to generate self- # signed certificates. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #certfile = /etc/keystone/ssl/certs/signing_cert.pem # Path of the keyfile for token signing. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #keyfile = /etc/keystone/ssl/private/signing_key.pem # Path of the CA for token signing. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #ca_certs = /etc/keystone/ssl/certs/ca.pem # Path of the CA key for token signing. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #ca_key = /etc/keystone/ssl/private/cakey.pem # Key size (in bits) for token signing cert (auto generated certificate). # (integer value) # Minimum value: 1024 +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #key_size = 2048 # Days the token signing cert is valid for (auto generated certificate). # (integer value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #valid_days = 3650 # Certificate subject (auto generated certificate) for token signing. (string # value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com @@ -1939,8 +2033,16 @@ # that hashlib supports. WARNING: Before changing this value, the auth_token # middleware must be configured with the hash_algorithms, otherwise token # revocation will not be processed correctly. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: PKI token support has been deprecated in the M release and will be +# removed in the O release. Fernet or UUID tokens are recommended. #hash_algorithm = md5 +# Add roles to token that are not explicitly added, but that are linked +# implicitly to other roles. (boolean value) +#infer_roles = true + [tokenless_auth] diff --git a/keystone-moon/etc/policy.json b/keystone-moon/etc/policy.json index ebb94b02..797af24d 100644 --- a/keystone-moon/etc/policy.json +++ b/keystone-moon/etc/policy.json @@ -34,7 +34,7 @@ "identity:update_domain": "rule:admin_required", "identity:delete_domain": "rule:admin_required", - "identity:get_project": "rule:admin_required", + "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s", "identity:list_projects": "rule:admin_required", "identity:list_user_projects": "rule:admin_or_owner", "identity:create_project": "rule:admin_required", @@ -75,6 +75,18 @@ "identity:create_role": "rule:admin_required", "identity:update_role": "rule:admin_required", "identity:delete_role": "rule:admin_required", + "identity:get_domain_role": "rule:admin_required", + "identity:list_domain_roles": "rule:admin_required", + "identity:create_domain_role": "rule:admin_required", + "identity:update_domain_role": "rule:admin_required", + "identity:delete_domain_role": "rule:admin_required", + + "identity:get_implied_role": "rule:admin_required ", + "identity:list_implied_roles": "rule:admin_required", + "identity:create_implied_role": "rule:admin_required", + "identity:delete_implied_role": "rule:admin_required", + "identity:list_role_inference_rules": "rule:admin_required", + "identity:check_implied_role": "rule:admin_required", "identity:check_grant": "rule:admin_required", "identity:list_grants": "rule:admin_required", @@ -82,6 +94,7 @@ "identity:revoke_grant": "rule:admin_required", "identity:list_role_assignments": "rule:admin_required", + "identity:list_role_assignments_for_tree": "rule:admin_required", "identity:get_policy": "rule:admin_required", "identity:list_policies": "rule:admin_required", @@ -180,5 +193,6 @@ "identity:create_domain_config": "rule:admin_required", "identity:get_domain_config": "rule:admin_required", "identity:update_domain_config": "rule:admin_required", - "identity:delete_domain_config": "rule:admin_required" + "identity:delete_domain_config": "rule:admin_required", + "identity:get_domain_config_default": "rule:admin_required" } diff --git a/keystone-moon/etc/policy.v3cloudsample.json b/keystone-moon/etc/policy.v3cloudsample.json index a96996c6..4ec1aa95 100644 --- a/keystone-moon/etc/policy.v3cloudsample.json +++ b/keystone-moon/etc/policy.v3cloudsample.json @@ -1,11 +1,10 @@ { "admin_required": "role:admin", - "cloud_admin": "rule:admin_required and domain_id:admin_domain_id", + "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)", "service_role": "role:service", "service_or_admin": "rule:admin_required or rule:service_role", "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s", "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner", - "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin", "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s", "service_admin_or_owner": "rule:service_or_admin or rule:owner", @@ -17,14 +16,14 @@ "identity:update_region": "rule:cloud_admin", "identity:delete_region": "rule:cloud_admin", - "identity:get_service": "rule:admin_or_cloud_admin", - "identity:list_services": "rule:admin_or_cloud_admin", + "identity:get_service": "rule:admin_required", + "identity:list_services": "rule:admin_required", "identity:create_service": "rule:cloud_admin", "identity:update_service": "rule:cloud_admin", "identity:delete_service": "rule:cloud_admin", - "identity:get_endpoint": "rule:admin_or_cloud_admin", - "identity:list_endpoints": "rule:admin_or_cloud_admin", + "identity:get_endpoint": "rule:admin_required", + "identity:list_endpoints": "rule:admin_required", "identity:create_endpoint": "rule:cloud_admin", "identity:update_endpoint": "rule:cloud_admin", "identity:delete_endpoint": "rule:cloud_admin", @@ -37,7 +36,7 @@ "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s", "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s", - "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", + "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s", "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id", "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id", "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id", @@ -71,28 +70,56 @@ "identity:update_credential": "rule:admin_required", "identity:delete_credential": "rule:admin_required", - "identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner", - "identity:ec2_create_credential": "rule:admin_or_cloud_admin or rule:owner", - "identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)", + "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + "identity:ec2_list_credentials": "rule:admin_required or rule:owner", + "identity:ec2_create_credential": "rule:admin_required or rule:owner", + "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", - "identity:get_role": "rule:admin_or_cloud_admin", - "identity:list_roles": "rule:admin_or_cloud_admin", + "identity:get_role": "rule:admin_required", + "identity:list_roles": "rule:admin_required", "identity:create_role": "rule:cloud_admin", "identity:update_role": "rule:cloud_admin", "identity:delete_role": "rule:cloud_admin", - "domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)", - "project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s", + "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles", + "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles", + "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role", + "identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", + "identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role", + "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s", + "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role", + "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s", + "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s", + "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles", + "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s", + "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s", + + "identity:get_implied_role": "rule:cloud_admin", + "identity:list_implied_roles": "rule:cloud_admin", + "identity:create_implied_role": "rule:cloud_admin", + "identity:delete_implied_role": "rule:cloud_admin", + "identity:list_role_inference_rules": "rule:cloud_admin", + "identity:check_implied_role": "rule:cloud_admin", + "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", - "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants", "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", - + "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants", + "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match", + "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match", + "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s", + "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants", + "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s", + "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s", + "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match", + "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s", + "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s", "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s", + "admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s", "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter", - + "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter", "identity:get_policy": "rule:cloud_admin", "identity:list_policies": "rule:cloud_admin", "identity:create_policy": "rule:cloud_admin", @@ -191,5 +218,6 @@ "identity:create_domain_config": "rule:cloud_admin", "identity:get_domain_config": "rule:cloud_admin", "identity:update_domain_config": "rule:cloud_admin", - "identity:delete_domain_config": "rule:cloud_admin" + "identity:delete_domain_config": "rule:cloud_admin", + "identity:get_domain_config_default": "rule:cloud_admin" } |