Diffstat (limited to 'keystone-moon/etc/keystone.conf.sample')
-rw-r--r--keystone-moon/etc/keystone.conf.sample551
1 files changed, 395 insertions, 156 deletions
diff --git a/keystone-moon/etc/keystone.conf.sample b/keystone-moon/etc/keystone.conf.sample
index b3c741c8..ec5a08cc 100644
--- a/keystone-moon/etc/keystone.conf.sample
+++ b/keystone-moon/etc/keystone.conf.sample
@@ -11,13 +11,6 @@
# value)
#admin_token = ADMIN
-# (Deprecated) The port which the OpenStack Compute service listens on. This
-# option was only used for string replacement in the templated catalog backend.
-# Templated catalogs should replace the "$(compute_port)s" substitution with
-# the static port of the compute service. As of Juno, this option is deprecated
-# and will be removed in the L release. (integer value)
-#compute_port = 8774
-
# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
# to the base host URL of the request. E.g. a request to
@@ -57,7 +50,9 @@
# The value passed as the keyword "rounds" to passlib's encrypt method.
# (integer value)
-#crypt_strength = 40000
+# Minimum value: 1000
+# Maximum value: 100000
+#crypt_strength = 10000
# The maximum number of entities that will be returned in a collection, with no
# limit set by default. This global limit may be then overridden for a specific
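Review bot: The default password-hash cost drops from 40000 to 10000 rounds with a hard ceiling of 100000, but the comment still says only that the value is passed to passlib as `rounds`, so nothing tells an operator what the knob trades off. Lower rounds make offline guessing of a leaked hash proportionally cheaper, and the new minimum of 1000 is low enough that it should be called out as a test-only setting. I would add above the option: `# Higher values make brute-forcing stored password hashes slower at the cost of CPU per login; treat values near the minimum as suitable for test environments only.` The hash algorithm behind passlib's encrypt call is not visible in this hunk, so the note stays algorithm-neutral.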
@@ -93,48 +88,23 @@
# Define the notification format for Identity Service events. A "basic"
# notification has information about the resource being operated on. A "cadf"
# notification has the same information, as well as information about the
-# initiator of the event. Valid options are: basic and cadf (string value)
+# initiator of the event. (string value)
+# Allowed values: basic, cadf
#notification_format = basic
#
-# From keystone.openstack.common.eventlet_backdoor
-#
-
-# Enable eventlet backdoor. Acceptable values are 0, <port>, and
-# <start>:<end>, where 0 results in listening on a random tcp port number;
-# <port> results in listening on the specified port number (and not enabling
-# backdoor if that port is in use); and <start>:<end> results in listening on
-# the smallest unused port number within the specified range of port numbers.
-# The chosen port is displayed in the service's log file. (string value)
-#backdoor_port = <None>
-
-#
-# From keystone.openstack.common.policy
-#
-
-# The JSON file that defines policies. (string value)
-#policy_file = policy.json
-
-# Default rule. Enforced when a requested rule is not found. (string value)
-#policy_default_rule = default
-
-# Directories where policy configuration files are stored. They can be relative
-# to any directory in the search path defined by the config_dir option, or
-# absolute paths. The file defined by policy_file must exist for these
-# directories to be searched. (multi valued)
-#policy_dirs = policy.d
-
-#
# From oslo.log
#
-# Print debugging output (set logging level to DEBUG instead of default WARNING
+# Print debugging output (set logging level to DEBUG instead of default INFO
# level). (boolean value)
#debug = false
-# Print more verbose output (set logging level to INFO instead of default
-# WARNING level). (boolean value)
-#verbose = false
+# If set to false, will disable INFO logging level, making WARNING the default.
+# (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
# The name of a logging configuration file. This file is appended to any
# existing logging configuration files. For details about logging configuration
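Review bot: `policy_file`, `policy_default_rule` and `policy_dirs` are dropped from [DEFAULT] with no pointer to where they now live, so an operator carrying a `[DEFAULT] policy_file = /etc/keystone/custom-policy.json` override can end up with it ignored and the stock policy applied without any visible warning. Presumably these moved to an `[oslo_policy]` section elsewhere in this file, but that is outside this hunk; confirm and leave a breadcrumb at the point of removal, e.g. `# Policy options (policy_file, policy_default_rule, policy_dirs) are now configured in the [oslo_policy] section.` Separately, the new `verbose = true` default means INFO-level logging is on unless explicitly disabled, which is a behaviour change the comment should state rather than leave implied.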
@@ -162,15 +132,17 @@
# Deprecated group/name - [DEFAULT]/logdir
#log_dir = <None>
-# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
-# will change in J to honor RFC5424. (boolean value)
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. (boolean value)
#use_syslog = false
# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
-# format without the APP-NAME is deprecated in I, and will be removed in J.
-# (boolean value)
-#use_syslog_rfc_format = false
+# format without the APP-NAME is deprecated in Kilo, and will be removed in
+# Mitaka, along with this option. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#use_syslog_rfc_format = true
# Syslog facility to receive log lines. (string value)
#syslog_log_facility = LOG_USER
@@ -188,17 +160,14 @@
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format. (string value)
-#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
# List of logger=LEVEL pairs. (list value)
-#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN
# Enables or disables publication of error events. (boolean value)
#publish_errors = false
-# Enables or disables fatal status of deprecations. (boolean value)
-#fatal_deprecations = false
-
# The format for an instance that is passed with the log message. (string
# value)
#instance_format = "[instance: %(uuid)s] "
@@ -207,16 +176,23 @@
# value)
#instance_uuid_format = "[instance: %(uuid)s] "
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
#
# From oslo.messaging
#
+# Size of RPC connection pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
+#rpc_conn_pool_size = 30
+
# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address. (string value)
#rpc_zmq_bind_address = *
# MatchMaker driver. (string value)
-#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost
+#rpc_zmq_matchmaker = local
# ZeroMQ receiver listening port. (integer value)
#rpc_zmq_port = 9501
@@ -245,10 +221,12 @@
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl = 600
-# Size of RPC thread pool. (integer value)
-#rpc_thread_pool_size = 64
+# Size of executor thread pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
+#executor_thread_pool_size = 64
-# Driver or drivers to handle sending notifications. (multi valued)
+# The Drivers(s) to handle sending notifications. Possible values are
+# messaging, messagingv2, routing, log, test, noop (multi valued)
#notification_driver =
# AMQP topic used for OpenStack notifications. (list value)
@@ -271,6 +249,22 @@
# exchange name specified in the transport_url option. (string value)
#control_exchange = keystone
+#
+# From oslo.service.service
+#
+
+# Enable eventlet backdoor. Acceptable values are 0, <port>, and
+# <start>:<end>, where 0 results in listening on a random tcp port number;
+# <port> results in listening on the specified port number (and not enabling
+# backdoor if that port is in use); and <start>:<end> results in listening on
+# the smallest unused port number within the specified range of port numbers.
+# The chosen port is displayed in the service's log file. (string value)
+#backdoor_port = <None>
+
+# Enables or disables logging values of all registered options when starting a
+# service (at DEBUG level). (boolean value)
+#log_options = true
+
[assignment]
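Review bot: `backdoor_port` reappears under oslo.service.service with a comment that explains how the port is chosen but not what it exposes: the eventlet backdoor is by design an interactive Python shell on a TCP socket with no authentication, so anyone who can reach the port controls the keystone process and every secret it holds. The sample should say so: `# SECURITY: the backdoor is an unauthenticated interactive Python shell on a TCP port. Leave unset in production; if used for debugging, bind only on a host with no network exposure.` The new `log_options = true` also deserves a caveat, since it writes every registered option value to the log at DEBUG; whether oslo.config masks secret options such as `admin_token` or the LDAP, database and AMQP passwords is not visible here, so I would add `# With debug = true this writes all option values to the log; confirm secret options are masked before enabling debug in production.`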
@@ -278,7 +272,10 @@
# From keystone
#
-# Assignment backend driver. (string value)
+# Entrypoint for the assignment backend driver in the keystone.assignment
+# namespace. Supplied drivers are ldap and sql. If an assignment driver is not
+# specified, the identity driver will choose the assignment driver. (string
+# value)
#driver = <None>
@@ -288,17 +285,25 @@
# From keystone
#
-# Default auth methods. (list value)
-#methods = external,password,token
+# Allowed authentication methods. (list value)
+#methods = external,password,token,oauth1
+
+# Entrypoint for the password auth plugin module in the keystone.auth.password
+# namespace. (string value)
+#password = <None>
-# The password auth plugin module. (string value)
-#password = keystone.auth.plugins.password.Password
+# Entrypoint for the token auth plugin module in the keystone.auth.token
+# namespace. (string value)
+#token = <None>
-# The token auth plugin module. (string value)
-#token = keystone.auth.plugins.token.Token
+# Entrypoint for the external (REMOTE_USER) auth plugin module in the
+# keystone.auth.external namespace. Supplied drivers are DefaultDomain and
+# Domain. The default driver is DefaultDomain. (string value)
+#external = <None>
-# The external (REMOTE_USER) auth plugin module. (string value)
-#external = keystone.auth.plugins.external.DefaultDomain
+# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
+# namespace. (string value)
+#oauth1 = <None>
[cache]
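Review bot: The default `methods` list gains `oauth1`, so a fresh deployment now accepts OAuth 1.0a consumer/access-token authentication without anyone choosing it, on top of external (REMOTE_USER), password and token. Every entry here is an accepted login path, and the sample gives no hint that the list should be pruned to what the deployment actually uses. I would add directly above the option: `# Each listed method is an accepted authentication path; remove any you do not use (e.g. oauth1 or external) to reduce the attack surface.` The `external` plugin appears to trust the REMOTE_USER variable set by the front-end web server, which is only safe when that value cannot be influenced by the client; a one-line reminder next to `external = <None>` would be worth adding.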
@@ -379,8 +384,10 @@
# value)
#template_file = default_catalog.templates
-# Catalog backend driver. (string value)
-#driver = keystone.catalog.backends.sql.Catalog
+# Entrypoint for the catalog backend driver in the keystone.catalog namespace.
+# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string
+# value)
+#driver = sql
# Toggle for catalog caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -395,14 +402,71 @@
#list_limit = <None>
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (string value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. (string value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
[credential]
#
# From keystone
#
-# Credential backend driver. (string value)
-#driver = keystone.credential.backends.sql.Credential
+# Entrypoint for the credential backend driver in the keystone.credential
+# namespace. (string value)
+#driver = sql
[database]
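Review bot: The new [cors] block defaults `allow_credentials = true`, so whatever an operator puts in `allowed_origin` becomes an origin that browsers will send the user's cookies or tokens to, yet the `allowed_origin` comment does not say that it must be an exact `scheme://host[:port]` for a trusted front-end and never a catch-all. I would change that comment to: `# Exact origin (scheme://host[:port]) permitted to call this API from a browser. With allow_credentials = true any origin listed here can make authenticated requests on the user's behalf, so list only trusted front-ends.` The `[cors.subdomain]` section repeats the same keys verbatim; if it is meant as the template for per-origin `[cors.<name>]` subsections, a one-line comment saying so would stop it being copied as-is. Also, `allow_headers` and `expose_headers` contain only the simple headers, so a browser client presumably cannot send `X-Auth-Token` or read `X-Subject-Token` until those are added; confirm against the middleware's behaviour before documenting that.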
@@ -505,14 +569,34 @@
#db_max_retries = 20
+[domain_config]
+
+#
+# From keystone
+#
+
+# Entrypoint for the domain config backend driver in the
+# keystone.resource.domain_config namespace. (string value)
+#driver = sql
+
+# Toggle for domain config caching. This has no effect unless global caching is
+# enabled. (boolean value)
+#caching = true
+
+# TTL (in seconds) to cache domain config data. This has no effect unless
+# domain config caching is enabled. (integer value)
+#cache_time = 300
+
+
[endpoint_filter]
#
# From keystone
#
-# Endpoint Filter backend driver (string value)
-#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+# Entrypoint for the endpoint filter backend driver in the
+# keystone.endpoint_filter namespace. (string value)
+#driver = sql
# Toggle to return all active endpoints if no filter exists. (boolean value)
#return_all_endpoints_if_no_filter = true
@@ -524,8 +608,12 @@
# From keystone
#
-# Endpoint policy backend driver (string value)
-#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
+# Enable endpoint_policy functionality. (boolean value)
+#enabled = true
+
+# Entrypoint for the endpoint policy backend driver in the
+# keystone.endpoint_policy namespace. (string value)
+#driver = sql
[eventlet_server]
@@ -537,42 +625,71 @@
# The number of worker processes to serve the public eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/public_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#public_workers = <None>
# The number of worker processes to serve the admin eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/admin_workers
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#admin_workers = <None>
# The IP address of the network interface for the public service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/public_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#public_bind_host = 0.0.0.0
# The port number which the public service listens on. (integer value)
+# Minimum value: 1
+# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/public_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#public_port = 5000
# The IP address of the network interface for the admin service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/admin_bind_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#admin_bind_host = 0.0.0.0
# The port number which the admin service listens on. (integer value)
+# Minimum value: 1
+# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/admin_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#admin_port = 35357
+# If set to false, disables keepalives on the server; all connections will be
+# closed after serving one request. (boolean value)
+#wsgi_keep_alive = true
+
+# Timeout for socket operations on a client connection. If an incoming
+# connection is idle for this number of seconds it will be closed. A value of
+# '0' means wait forever. (integer value)
+#client_socket_timeout = 900
+
# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
# sockets used by the Keystone wsgi server for client connections. (boolean
# value)
# Deprecated group/name - [DEFAULT]/tcp_keepalive
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#tcp_keepalive = false
# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
# applies if tcp_keepalive is true. (integer value)
# Deprecated group/name - [DEFAULT]/tcp_keepidle
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#tcp_keepidle = 600
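Review bot: The new `client_socket_timeout` comment says `0` means wait forever but not that this is the unsafe direction: on an Internet-facing listener an idle connection is then held open indefinitely by any client that simply stops sending, the classic slow-client exhaustion pattern. I would extend the comment: `# Do not set to 0 on a network-exposed listener; idle connections would then be held open indefinitely and can exhaust the server's connection capacity.` How many connections each eventlet worker can hold is not visible here, so the wording stays general. The `public_bind_host`/`admin_bind_host = 0.0.0.0` defaults pass through unchanged; given the admin listener on 35357, a reminder that it should not be bound to a public interface would fit the same block.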
@@ -584,24 +701,34 @@
# Toggle for SSL support on the Keystone eventlet servers. (boolean value)
# Deprecated group/name - [ssl]/enable
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#enable = false
# Path of the certfile for SSL. For non-production environments, you may be
# interested in using `keystone-manage ssl_setup` to generate self-signed
# certificates. (string value)
# Deprecated group/name - [ssl]/certfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#certfile = /etc/keystone/ssl/certs/keystone.pem
# Path of the keyfile for SSL. (string value)
# Deprecated group/name - [ssl]/keyfile
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
# Path of the CA cert file for SSL. (string value)
# Deprecated group/name - [ssl]/ca_certs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Require client certificate. (boolean value)
# Deprecated group/name - [ssl]/cert_required
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#cert_required = false
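Review bot: The whole eventlet TLS block (`enable`, `certfile`, `keyfile`, `ca_certs`, `cert_required`) is marked deprecated for removal, but no comment says what replaces it, so an operator relying on eventlet-terminated TLS has no indication of the migration path. Presumably this is because Keystone is moving to running under a web server (mod_wsgi or similar) that terminates TLS; that is not visible here, so confirm and add at the top of the block: `# Deprecated: terminate TLS in the front-end web server that hosts keystone's WSGI application instead.` The `enable = false` default is unchanged, so a deployment that never turned this on still serves plaintext until TLS is terminated elsewhere, which the note should make explicit.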
@@ -611,8 +738,9 @@
# From keystone
#
-# Federation backend driver. (string value)
-#driver = keystone.contrib.federation.backends.sql.Federation
+# Entrypoint for the federation backend driver in the keystone.federation
+# namespace. (string value)
+#driver = sql
# Value to be used when filtering assertion parameters from the environment.
# (string value)
@@ -626,9 +754,7 @@
# A domain name that is reserved to allow federated ephemeral users to have a
# domain concept. Note that an admin will not be able to create a domain with
# this name or update an existing domain to this name. You are not advised to
-# change this value unless you really have to. Changing this option to empty
-# string or None will not have any impact and default name will be used.
-# (string value)
+# change this value unless you really have to. (string value)
#federated_domain_name = Federated
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
@@ -685,16 +811,17 @@
# Extract the domain specific configuration options from the resource backend
# where they have been stored with the domain data. This feature is disabled by
# default (in which case the domain specific options will be loaded from files
-# in the domain configuration directory); set to true to enable. This feature
-# is not yet supported. (boolean value)
+# in the domain configuration directory); set to true to enable. (boolean
+# value)
#domain_configurations_from_database = false
# Path for Keystone to locate the domain specific identity configuration files
# if domain_specific_drivers_enabled is set to true. (string value)
#domain_config_dir = /etc/keystone/domains
-# Identity backend driver. (string value)
-#driver = keystone.identity.backends.sql.Identity
+# Entrypoint for the identity backend driver in the keystone.identity
+# namespace. Supplied drivers are ldap and sql. (string value)
+#driver = sql
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
@@ -706,6 +833,7 @@
# Maximum supported length for user passwords; decrease to improve performance.
# (integer value)
+# Maximum value: 4096
#max_password_length = 4096
# Maximum number of entities that will be returned in an identity collection.
@@ -719,13 +847,14 @@
# From keystone
#
-# Keystone Identity Mapping backend driver. (string value)
-#driver = keystone.identity.mapping_backends.sql.Mapping
+# Entrypoint for the identity mapping backend driver in the
+# keystone.identity.id_mapping namespace. (string value)
+#driver = sql
-# Public ID generator for user and group entities. The Keystone identity mapper
-# only supports generators that produce no more than 64 characters. (string
-# value)
-#generator = keystone.identity.id_generators.sha256.Generator
+# Entrypoint for the public ID generator for user and group entities in the
+# keystone.identity.id_generator namespace. The Keystone identity mapper only
+# supports generators that produce no more than 64 characters. (string value)
+#generator = sha256
# The format of user and group IDs changed in Juno for backends that do not
# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
@@ -763,7 +892,7 @@
# always leave this set to true. (boolean value)
#enable_key_mangler = true
-# Default lock timeout for distributed locking. (integer value)
+# Default lock timeout (in seconds) for distributed locking. (integer value)
#default_lock_timeout = 5
@@ -797,18 +926,18 @@
# your LDAP server supports subtree deletion. (boolean value)
#allow_subtree_delete = false
-# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
-# or "sub" (subtree/wholeSubtree). (string value)
+# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
+# represents subtree/wholeSubtree options. (string value)
+# Allowed values: one, sub
#query_scope = one
# Maximum results per page; a value of zero ("0") disables paging. (integer
# value)
#page_size = 0
-# The LDAP dereferencing option for queries. This can be either "never",
-# "searching", "always", "finding" or "default". The "default" option falls
-# back to using default dereferencing configured by your ldap.conf. (string
-# value)
+# The LDAP dereferencing option for queries. The "default" option falls back to
+# using default dereferencing configured by your ldap.conf. (string value)
+# Allowed values: never, searching, always, finding, default
#alias_dereferencing = default
# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
@@ -820,7 +949,7 @@
# value)
#chase_referrals = <None>
-# Search base for users. (string value)
+# Search base for users. Defaults to the suffix value. (string value)
#user_tree_dn = <None>
# LDAP search filter for users. (string value)
@@ -867,7 +996,7 @@
#user_enabled_default = True
# List of attributes stripped off the user on update. (list value)
-#user_attribute_ignore = default_project_id,tenants
+#user_attribute_ignore = default_project_id
# LDAP attribute mapped to default_project_id for users. (string value)
#user_default_project_id_attribute = <None>
@@ -896,111 +1025,165 @@
# Identity API attribute. (list value)
#user_additional_attribute_mapping =
-# Search base for projects (string value)
+# Search base for projects. Defaults to the suffix value. (string value)
# Deprecated group/name - [ldap]/tenant_tree_dn
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_tree_dn = <None>
# LDAP search filter for projects. (string value)
# Deprecated group/name - [ldap]/tenant_filter
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_filter = <None>
# LDAP objectclass for projects. (string value)
# Deprecated group/name - [ldap]/tenant_objectclass
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_objectclass = groupOfNames
# LDAP attribute mapped to project id. (string value)
# Deprecated group/name - [ldap]/tenant_id_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_id_attribute = cn
# LDAP attribute mapped to project membership for user. (string value)
# Deprecated group/name - [ldap]/tenant_member_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_member_attribute = member
# LDAP attribute mapped to project name. (string value)
# Deprecated group/name - [ldap]/tenant_name_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_name_attribute = ou
# LDAP attribute mapped to project description. (string value)
# Deprecated group/name - [ldap]/tenant_desc_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_desc_attribute = description
# LDAP attribute mapped to project enabled. (string value)
# Deprecated group/name - [ldap]/tenant_enabled_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_enabled_attribute = enabled
# LDAP attribute mapped to project domain_id. (string value)
# Deprecated group/name - [ldap]/tenant_domain_id_attribute
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_domain_id_attribute = businessCategory
# List of attributes stripped off the project on update. (list value)
# Deprecated group/name - [ldap]/tenant_attribute_ignore
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_attribute_ignore =
# Allow project creation in LDAP backend. (boolean value)
# Deprecated group/name - [ldap]/tenant_allow_create
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_allow_create = true
# Allow project update in LDAP backend. (boolean value)
# Deprecated group/name - [ldap]/tenant_allow_update
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_allow_update = true
# Allow project deletion in LDAP backend. (boolean value)
# Deprecated group/name - [ldap]/tenant_allow_delete
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_allow_delete = true
# If true, Keystone uses an alternative method to determine if a project is
# enabled or not by checking if they are a member of the
# "project_enabled_emulation_dn" group. (boolean value)
# Deprecated group/name - [ldap]/tenant_enabled_emulation
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_enabled_emulation = false
# DN of the group entry to hold enabled projects when using enabled emulation.
# (string value)
# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_enabled_emulation_dn = <None>
# Additional attribute mappings for projects. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_additional_attribute_mapping =
-# Search base for roles. (string value)
+# Search base for roles. Defaults to the suffix value. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_tree_dn = <None>
# LDAP search filter for roles. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_filter = <None>
# LDAP objectclass for roles. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_objectclass = organizationalRole
# LDAP attribute mapped to role id. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_id_attribute = cn
# LDAP attribute mapped to role name. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_name_attribute = ou
# LDAP attribute mapped to role membership. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_member_attribute = roleOccupant
# List of attributes stripped off the role on update. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_attribute_ignore =
# Allow role creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_allow_create = true
# Allow role update in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_allow_update = true
# Allow role deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_allow_delete = true
# Additional attribute mappings for roles. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_additional_attribute_mapping =
-# Search base for groups. (string value)
+# Search base for groups. Defaults to the suffix value. (string value)
#group_tree_dn = <None>
# LDAP search filter for groups. (string value)
@@ -1048,7 +1231,9 @@
# Enable TLS for communicating with LDAP servers. (boolean value)
#use_tls = false
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Specifies what checks to perform on client certificates in an incoming TLS
+# session. (string value)
+# Allowed values: demand, never, allow
#tls_req_cert = demand
# Enable LDAP connection pooling. (boolean value)
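Review bot: The rewritten `tls_req_cert` description is misleading: it says the option controls checks on client certificates in an incoming TLS session, but the option sits beside `use_tls` ("Enable TLS for communicating with LDAP servers"), where Keystone is the TLS client, so the setting presumably governs how strictly the LDAP server's certificate is verified, mirroring the OpenLDAP TLS_REQCERT values it is named after. With that reading, `never` and `allow` accept an unverifiable server certificate and expose the LDAP bind (which carries the service account password and user credentials) to interception. I would replace the comment with: `# How strictly the LDAP server's certificate is verified when use_tls is on. "demand" rejects a missing or invalid certificate; "allow" and "never" proceed without verification and should only be used for testing.`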
@@ -1151,8 +1336,9 @@
# From keystone
#
-# Credential backend driver. (string value)
-#driver = keystone.contrib.oauth1.backends.sql.OAuth1
+# Entrypoint for hte OAuth backend driver in the keystone.oauth1 namespace.
+# (string value)
+#driver = sql
# Duration (in seconds) for the OAuth Request Token. (integer value)
#request_token_duration = 28800
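Review bot: Typo in the new driver description: `hte` should read `the`, i.e. `# Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.` It would also help to note here that the default [auth] `methods` list in this same sample now includes `oauth1`, so this backend is reachable unless that list is trimmed; that cross-reference lives in another hunk, so confirm it before adding the line.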
@@ -1202,7 +1388,7 @@
# Deprecated group/name - [amqp1]/trace
#trace = false
-# CA certificate PEM file for verifing server certificate (string value)
+# CA certificate PEM file to verify server certificate (string value)
# Deprecated group/name - [amqp1]/ssl_ca_file
#ssl_ca_file =
@@ -1230,6 +1416,7 @@
#
# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
@@ -1237,9 +1424,15 @@
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
+# Send a single AMQP reply to call message. The current behaviour since oslo-
+# incubator is to send two AMQP replies - first one with the payload, a second
+# one to ensure the other have finish to send the payload. We are going to
+# remove it in the N release, but we must keep backward compatible at the same
+# time. This option provides such compatibility - it defaults to False in
+# Liberty and can be turned on for early adopters with a new installations or
+# for testing. Please note, that this option will be removed in the Mitaka
+# release. (boolean value)
+#send_single_reply = false
# Qpid broker hostname. (string value)
# Deprecated group/name - [DEFAULT]/qpid_hostname
@@ -1296,6 +1489,7 @@
#
# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
@@ -1303,9 +1497,15 @@
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
+# Send a single AMQP reply to call message. The current behaviour since oslo-
+# incubator is to send two AMQP replies - first one with the payload, a second
+# one to ensure the other have finish to send the payload. We are going to
+# remove it in the N release, but we must keep backward compatible at the same
+# time. This option provides such compatibility - it defaults to False in
+# Liberty and can be turned on for early adopters with a new installations or
+# for testing. Please note, that this option will be removed in the Mitaka
+# release. (boolean value)
+#send_single_reply = false
# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
@@ -1330,6 +1530,10 @@
# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
#kombu_reconnect_delay = 1.0
+# How long to wait before considering a reconnect attempt to have failed. This
+# value should not be longer than rpc_response_timeout. (integer value)
+#kombu_reconnect_timeout = 60
+
# The RabbitMQ broker address where a single node is used. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_host
#rabbit_host = localhost
@@ -1380,6 +1584,15 @@
# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
#rabbit_ha_queues = false
+# Number of seconds after which the Rabbit broker is considered down if
+# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
+# value)
+#heartbeat_timeout_threshold = 60
+
+# How often times during the heartbeat_timeout_threshold we check the
+# heartbeat. (integer value)
+#heartbeat_rate = 2
+
# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
# Deprecated group/name - [DEFAULT]/fake_rabbit
#fake_rabbit = false
@@ -1396,6 +1609,40 @@
# Deprecated group/name - [DEFAULT]/max_request_body_size
#max_request_body_size = 114688
+#
+# From oslo.middleware
+#
+
+# The HTTP Header that will be used to determine what the original request
+# protocol scheme was, even if it was hidden by an SSL termination proxy.
+# (string value)
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# The JSON file that defines policies. (string value)
+# Deprecated group/name - [DEFAULT]/policy_file
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+# Deprecated group/name - [DEFAULT]/policy_default_rule
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+# Deprecated group/name - [DEFAULT]/policy_dirs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#policy_dirs = policy.d
+
[paste_deploy]
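Review bot: The new `secure_proxy_ssl_header = X-Forwarded-Proto` default tells Keystone to take the original request scheme from a request header, and the sample gives no caveat that this header is attacker-controllable unless a trusted proxy in front of Keystone always sets or strips it. A client that can reach Keystone directly (or through a proxy that passes the header through) can claim or deny HTTPS and thereby influence the scheme in URLs Keystone derives from the request, assuming the oslo.middleware SSL filter is in the paste pipeline. Suggest adding above the option: `# Only honour this header when every path to Keystone goes through a trusted` / `# TLS-terminating proxy that sets or strips it; otherwise clients can forge it.`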
@@ -1414,8 +1661,9 @@
# From keystone
#
-# Policy backend driver. (string value)
-#driver = keystone.policy.backends.sql.Policy
+# Entrypoint for the policy backend driver in the keystone.policy namespace.
+# Supplied drivers are rules and sql. (string value)
+#driver = sql
# Maximum number of entities that will be returned in a policy collection.
# (integer value)
@@ -1428,8 +1676,10 @@
# From keystone
#
-# Resource backend driver. If a resource driver is not specified, the
-# assignment driver will choose the resource driver. (string value)
+# Entrypoint for the resource backend driver in the keystone.resource
+# namespace. Supplied drivers are ldap and sql. If a resource driver is not
+# specified, the assignment driver will choose the resource driver. (string
+# value)
#driver = <None>
# Toggle for resource caching. This has no effect unless global caching is
@@ -1454,9 +1704,10 @@
# From keystone
#
-# An implementation of the backend for persisting revocation events. (string
-# value)
-#driver = keystone.contrib.revoke.backends.sql.Revoke
+# Entrypoint for an implementation of the backend for persisting revocation
+# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
+# (string value)
+#driver = sql
# This value (calculated in seconds) is added to token expiration before a
# revocation event may be removed from the backend. (integer value)
@@ -1466,6 +1717,12 @@
# is enabled. (boolean value)
#caching = true
+# Time to cache the revocation list and the revocation events (in seconds).
+# This has no effect unless global and token caching are enabled. (integer
+# value)
+# Deprecated group/name - [token]/revocation_cache_time
+#cache_time = 3600
+
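Review bot: The relocated `[revoke] cache_time = 3600` describes only what is cached, not that the value is the upper bound on how long an already-revoked token may keep validating on a node whose cached revocation data has not been refreshed or invalidated. Operators tuning this for performance should know it is a security trade-off, not just a cache knob. Suggest adding: `# Larger values widen the window in which a revoked token may still validate` / `# if the cached events are not invalidated on new revocations.`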
[role]
@@ -1473,7 +1730,8 @@
# From keystone
#
-# Role backend driver. (string value)
+# Entrypoint for the role backend driver in the keystone.role namespace.
+# Supplied drivers are ldap and sql. (string value)
#driver = <None>
# Toggle for role caching. This has no effect unless global caching is enabled.
@@ -1551,14 +1809,19 @@
# Telephone number of contact person. (string value)
#idp_contact_telephone = <None>
-# Contact type. Allowed values are: technical, support, administrative billing,
-# and other (string value)
+# The contact type describing the main point of contact for the identity
+# provider. (string value)
+# Allowed values: technical, support, administrative, billing, other
#idp_contact_type = other
# Path to the Identity Provider Metadata file. This file should be generated
# with the keystone-manage saml_idp_metadata command. (string value)
#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
+# The prefix to use for the RelayState SAML attribute, used when generating ECP
+# wrapped assertions. (string value)
+#relay_state_prefix = ss:mem:
+
[signing]
@@ -1582,6 +1845,7 @@
# Key size (in bits) for token signing cert (auto generated certificate).
# (integer value)
+# Minimum value: 1024
#key_size = 2048
# Days the token signing cert is valid for (auto generated certificate).
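Review bot: The newly advertised floor `# Minimum value: 1024` for the token signing key only documents what the option validator rejects; it does not warn that 1024-bit RSA is below current minimum guidance for a signing key, and a reader may take the stated minimum as an acceptable setting. The default of 2048 is the safe choice and the sample should say so rather than just the range. Suggest adding under the minimum line: `# 1024-bit keys are accepted for compatibility only; use 2048 bits or more.`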
@@ -1603,6 +1867,7 @@
#ca_key = /etc/keystone/ssl/private/cakey.pem
# SSL key length (in bits) (auto generated certificate). (integer value)
+# Minimum value: 1024
#key_size = 1024
# Days the certificate is valid for once signed (auto generated certificate).
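Review bot: The [ssl] auto-generated certificate keeps `key_size = 1024` as its default, and the new `# Minimum value: 1024` line makes that the floor rather than flagging it as weak; 1024-bit RSA is generally no longer accepted for TLS server keys by current client and CA policy. The default lives in the option definition, which is outside this hunk, so the real fix is to change it there to 2048 and regenerate the sample. Until then the sample should carry `# The 1024-bit default is weak for TLS; set 2048 or larger for any real deployment.`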
@@ -1632,23 +1897,20 @@
# Amount of time a token should remain valid (in seconds). (integer value)
#expiration = 3600
-# Controls the token construction, validation, and revocation operations. Core
-# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". The
-# default provider is uuid. (string value)
-#provider = keystone.token.providers.uuid.Provider
+# Controls the token construction, validation, and revocation operations.
+# Entrypoint in the keystone.token.provider namespace. Core providers are
+# [fernet|pkiz|pki|uuid]. (string value)
+#provider = uuid
-# Token persistence backend driver. (string value)
-#driver = keystone.token.persistence.backends.sql.Token
+# Entrypoint for the token persistence backend driver in the
+# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
+# memcache_pool, and sql. (string value)
+#driver = sql
# Toggle for token system caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
-# Time to cache the revocation list and the revocation events if revoke
-# extension is enabled (in seconds). This has no effect unless global and token
-# caching are enabled. (integer value)
-#revocation_cache_time = 3600
-
# Time to cache tokens (in seconds). This has no effect unless global and token
# caching are enabled. (integer value)
#cache_time = <None>
@@ -1688,29 +1950,6 @@
# Maximum depth of trust redelegation. (integer value)
#max_redelegation_count = 3
-# Trust backend driver. (string value)
-#driver = keystone.trust.backends.sql.Trust
-
-
-[moon]
-
-# Authorisation backend driver. (string value)
-#authz_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector
-
-# Moon Log driver. (string value)
-#log_driver = keystone.contrib.moon.backends.flat.LogConnector
-
-# SuperExtension backend driver. (string value)
-#superextension_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector
-
-# IntraExtension backend driver. (string value)
-#intraextension_driver = keystone.contrib.moon.backends.sql.IntraExtensionConnector
-
-# Tenant backend driver. (string value)
-#tenant_driver = keystone.contrib.moon.backends.sql.TenantConnector
-
-# Local directory where all policies are stored. (string value)
-#policy_directory = /etc/keystone/policies
-
-# Local directory where SuperExtension configuration is stored. (string value)
-#super_extension_directory = /etc/keystone/super_extension
+# Entrypoint for the trust backend driver in the keystone.trust namespace.
+# (string value)
+#driver = sql
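Review bot: The whole `[moon]` section (authz_driver, log_driver, superextension_driver, intraextension_driver, tenant_driver, policy_directory, super_extension_directory) is dropped from the sample while the file remains keystone-moon's configuration sample, and nothing in this diff shows where those options are now documented. If the moon backends still register these options, operators lose the only listing of their defaults, including the `/etc/keystone/policies` and `/etc/keystone/super_extension` directories that hold authorization policy; if the options were moved or removed in code, the commit message should say so. Suggest either regenerating the sample with the moon options included or restoring the section with a `# From keystone.contrib.moon` header consistent with the other sections.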