Diffstat (limited to 'keystone-moon/etc')
-rw-r--r-- | keystone-moon/etc/keystone-paste.ini | 54 | ||||
-rw-r--r-- | keystone-moon/etc/keystone.conf.sample | 551 | ||||
-rw-r--r-- | keystone-moon/etc/policy.json | 11 | ||||
-rw-r--r-- | keystone-moon/etc/policy.v3cloudsample.json | 13 |
4 files changed, 433 insertions, 196 deletions
diff --git a/keystone-moon/etc/keystone-paste.ini b/keystone-moon/etc/keystone-paste.ini
index 24f167fa..70db3823 100644
--- a/keystone-moon/etc/keystone-paste.ini
+++ b/keystone-moon/etc/keystone-paste.ini
@@ -1,73 +1,67 @@ # Keystone PasteDeploy configuration file. -[filter:moon] -paste.filter_factory = keystone.contrib.moon.routers:Admin.factory - [filter:debug] -paste.filter_factory = keystone.common.wsgi:Debug.factory +use = egg:keystone#debug [filter:request_id] -paste.filter_factory = oslo_middleware:RequestId.factory +use = egg:keystone#request_id [filter:build_auth_context] -paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory +use = egg:keystone#build_auth_context [filter:token_auth] -paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory +use = egg:keystone#token_auth [filter:admin_token_auth] -paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory +use = egg:keystone#admin_token_auth [filter:json_body] -paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory +use = egg:keystone#json_body [filter:user_crud_extension] -paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory +use = egg:keystone#user_crud_extension [filter:crud_extension] -paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory +use = egg:keystone#crud_extension [filter:ec2_extension] -paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory +use = egg:keystone#ec2_extension [filter:ec2_extension_v3] -paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory +use = egg:keystone#ec2_extension_v3 [filter:federation_extension] -paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory +use = egg:keystone#federation_extension [filter:oauth1_extension] -paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory +use = egg:keystone#oauth1_extension [filter:s3_extension] -paste.filter_factory = keystone.contrib.s3:S3Extension.factory +use = egg:keystone#s3_extension [filter:endpoint_filter_extension] -paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory - -[filter:endpoint_policy_extension] 
-paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory +use = egg:keystone#endpoint_filter_extension [filter:simple_cert_extension] -paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory +use = egg:keystone#simple_cert_extension [filter:revoke_extension] -paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory +use = egg:keystone#revoke_extension [filter:url_normalize] -paste.filter_factory = keystone.middleware:NormalizingFilter.factory +use = egg:keystone#url_normalize [filter:sizelimit] -paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory +use = egg:keystone#sizelimit [app:public_service] -paste.app_factory = keystone.service:public_app_factory +use = egg:keystone#public_service [app:service_v3] -paste.app_factory = keystone.service:v3_app_factory +use = egg:keystone#service_v3 [app:admin_service] -paste.app_factory = keystone.service:admin_app_factory +use = egg:keystone#admin_service [pipeline:public_api] # The last item in this pipeline must be public_service or an equivalent 
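Review bot: Dropping the `[filter:moon]` section is only safe if no pipeline still lists `moon`; the public_api and admin_api pipeline lines sit in the unchanged region between this hunk and the next, so they are not visible here and need checking, because PasteDeploy raises at load time for a pipeline entry with no matching filter section. The move from explicit `paste.filter_factory = ...` lines to `use = egg:keystone#...` also means every remaining filter and app must be registered as a paste entry point in the keystone distribution, so a project-local filter such as moon cannot simply be re-added later in the new form without its own entry point (or by keeping the old explicit factory syntax). The hunk starts at line 1 of the file and ends inside the [pipeline:public_api] comment, so the pipeline value itself is outside it.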
@@ -82,13 +76,13 @@ pipeline = sizelimit url_normalize request_id build_auth_context token_auth admi [pipeline:api_v3] # The last item in this pipeline must be service_v3 or an equivalent # application. It cannot be a filter. -pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3 +pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3 [app:public_version_service] -paste.app_factory = keystone.service:public_version_app_factory +use = egg:keystone#public_version_service [app:admin_version_service] -paste.app_factory = keystone.service:admin_version_app_factory +use = egg:keystone#admin_version_service [pipeline:public_version_api] pipeline = sizelimit url_normalize public_version_service diff --git a/keystone-moon/etc/keystone.conf.sample b/keystone-moon/etc/keystone.conf.sample index b3c741c8..ec5a08cc 100644 --- a/keystone-moon/etc/keystone.conf.sample +++ b/keystone-moon/etc/keystone.conf.sample @@ -11,13 +11,6 @@ # value) #admin_token = ADMIN -# (Deprecated) The port which the OpenStack Compute service listens on. This -# option was only used for string replacement in the templated catalog backend. -# Templated catalogs should replace the "$(compute_port)s" substitution with -# the static port of the compute service. As of Juno, this option is deprecated -# and will be removed in the L release. (integer value) -#compute_port = 8774 - # The base public endpoint URL for Keystone that is advertised to clients # (NOTE: this does NOT affect how Keystone listens for connections). Defaults # to the base host URL of the request. E.g. a request to 
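Review bot: The api_v3 pipeline loses `endpoint_policy_extension` (and its `[filter:endpoint_policy_extension]` section is removed in the previous hunk), while later in this commit the `[endpoint_policy]` config section gains an `enabled = true` option; that combination only makes sense if the endpoint policy routes are now wired into service_v3 itself rather than through a paste filter. If they are not, the endpoint policy API simply disappears with no startup error, since an absent filter produces no failure. A one-line ini comment above the pipeline would make the intent explicit, e.g. `# endpoint_policy routes are served by service_v3; toggle via [endpoint_policy]/enabled`, assuming that is indeed the case.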
@@ -57,7 +50,9 @@ # The value passed as the keyword "rounds" to passlib's encrypt method. # (integer value) -#crypt_strength = 40000 +# Minimum value: 1000 +# Maximum value: 100000 +#crypt_strength = 10000 # The maximum number of entities that will be returned in a collection, with no # limit set by default. This global limit may be then overridden for a specific 
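Review bot: The default `crypt_strength` drops from 40000 to 10000 rounds, a fourfold reduction in the work factor of stored password hashes, and the diff gives no reason for it. The new bounds still permit the old value, so operators who relied on the previous cost should pin `crypt_strength = 40000` explicitly in keystone.conf rather than inherit the new default. If this mirrors an upstream default change, the option's help string (from which this sample is generated) is the place to say so, e.g. `# Lower values speed up password checks at the cost of weaker hashes.`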
@@ -93,48 +88,23 @@ # Define the notification format for Identity Service events. A "basic" # notification has information about the resource being operated on. A "cadf" # notification has the same information, as well as information about the -# initiator of the event. Valid options are: basic and cadf (string value) +# initiator of the event. (string value) +# Allowed values: basic, cadf #notification_format = basic # -# From keystone.openstack.common.eventlet_backdoor -# - -# Enable eventlet backdoor. Acceptable values are 0, <port>, and -# <start>:<end>, where 0 results in listening on a random tcp port number; -# <port> results in listening on the specified port number (and not enabling -# backdoor if that port is in use); and <start>:<end> results in listening on -# the smallest unused port number within the specified range of port numbers. -# The chosen port is displayed in the service's log file. (string value) -#backdoor_port = <None> - -# -# From keystone.openstack.common.policy -# - -# The JSON file that defines policies. (string value) -#policy_file = policy.json - -# Default rule. Enforced when a requested rule is not found. (string value) -#policy_default_rule = default - -# Directories where policy configuration files are stored. They can be relative -# to any directory in the search path defined by the config_dir option, or -# absolute paths. The file defined by policy_file must exist for these -# directories to be searched. (multi valued) -#policy_dirs = policy.d - -# # From oslo.log # -# Print debugging output (set logging level to DEBUG instead of default WARNING +# Print debugging output (set logging level to DEBUG instead of default INFO # level). (boolean value) #debug = false -# Print more verbose output (set logging level to INFO instead of default -# WARNING level). (boolean value) -#verbose = false +# If set to false, will disable INFO logging level, making WARNING the default. +# (boolean value) +# This option is deprecated for removal. 
+# Its value may be silently ignored in the future. +#verbose = true # The name of a logging configuration file. This file is appended to any # existing logging configuration files. For details about logging configuration @@ -162,15 +132,17 @@ # Deprecated group/name - [DEFAULT]/logdir #log_dir = <None> -# Use syslog for logging. Existing syslog format is DEPRECATED during I, and -# will change in J to honor RFC5424. (boolean value) +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. (boolean value) #use_syslog = false # (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, # prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The -# format without the APP-NAME is deprecated in I, and will be removed in J. -# (boolean value) -#use_syslog_rfc_format = false +# format without the APP-NAME is deprecated in Kilo, and will be removed in +# Mitaka, along with this option. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#use_syslog_rfc_format = true # Syslog facility to receive log lines. (string value) #syslog_log_facility = LOG_USER 
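Review bot: The three policy options (`policy_file`, `policy_default_rule`, `policy_dirs`) vanish from [DEFAULT] without a replacement visible in this diff, and the diffstat shows policy.json and policy.v3cloudsample.json changing in the same commit. Presumably they now live in an `[oslo_policy]` section elsewhere in the file; if that section is absent, the sample no longer tells operators where the policy file is looked up, which matters because every authorization decision depends on it. In the same hunk the `verbose` default flips from false to true while being marked deprecated, so deployments that never set it will now log at INFO by default.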
@@ -188,17 +160,14 @@ #logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d # Prefix each line of exception output with this format. (string value) -#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s # List of logger=LEVEL pairs. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN # Enables or disables publication of error events. (boolean value) #publish_errors = false -# Enables or disables fatal status of deprecations. (boolean value) -#fatal_deprecations = false - # The format for an instance that is passed with the log message. (string # value) #instance_format = "[instance: %(uuid)s] " 
@@ -207,16 +176,23 @@ # value) #instance_uuid_format = "[instance: %(uuid)s] " +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + # # From oslo.messaging # +# Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size +#rpc_conn_pool_size = 30 + # ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. # The "host" option should point or resolve to this address. (string value) #rpc_zmq_bind_address = * # MatchMaker driver. (string value) -#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost +#rpc_zmq_matchmaker = local # ZeroMQ receiver listening port. (integer value) #rpc_zmq_port = 9501 @@ -245,10 +221,12 @@ # Heartbeat time-to-live. (integer value) #matchmaker_heartbeat_ttl = 600 -# Size of RPC thread pool. (integer value) -#rpc_thread_pool_size = 64 +# Size of executor thread pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 -# Driver or drivers to handle sending notifications. (multi valued) +# The Drivers(s) to handle sending notifications. Possible values are +# messaging, messagingv2, routing, log, test, noop (multi valued) #notification_driver = # AMQP topic used for OpenStack notifications. (list value) 
@@ -271,6 +249,22 @@ # exchange name specified in the transport_url option. (string value) #control_exchange = keystone +# +# From oslo.service.service +# + +# Enable eventlet backdoor. Acceptable values are 0, <port>, and +# <start>:<end>, where 0 results in listening on a random tcp port number; +# <port> results in listening on the specified port number (and not enabling +# backdoor if that port is in use); and <start>:<end> results in listening on +# the smallest unused port number within the specified range of port numbers. +# The chosen port is displayed in the service's log file. (string value) +#backdoor_port = <None> + +# Enables or disables logging values of all registered options when starting a +# service (at DEBUG level). (boolean value) +#log_options = true + [assignment] @@ -278,7 +272,10 @@ # From keystone # -# Assignment backend driver. (string value) +# Entrypoint for the assignment backend driver in the keystone.assignment +# namespace. Supplied drivers are ldap and sql. If an assignment driver is not +# specified, the identity driver will choose the assignment driver. (string +# value) #driver = <None> 
@@ -288,17 +285,25 @@ # From keystone # -# Default auth methods. (list value) -#methods = external,password,token +# Allowed authentication methods. (list value) +#methods = external,password,token,oauth1 + +# Entrypoint for the password auth plugin module in the keystone.auth.password +# namespace. (string value) +#password = <None> -# The password auth plugin module. (string value) -#password = keystone.auth.plugins.password.Password +# Entrypoint for the token auth plugin module in the keystone.auth.token +# namespace. (string value) +#token = <None> -# The token auth plugin module. (string value) -#token = keystone.auth.plugins.token.Token +# Entrypoint for the external (REMOTE_USER) auth plugin module in the +# keystone.auth.external namespace. Supplied drivers are DefaultDomain and +# Domain. The default driver is DefaultDomain. (string value) +#external = <None> -# The external (REMOTE_USER) auth plugin module. (string value) -#external = keystone.auth.plugins.external.DefaultDomain +# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1 +# namespace. (string value) +#oauth1 = <None> [cache] @@ -379,8 +384,10 @@ # value) #template_file = default_catalog.templates -# Catalog backend driver. (string value) -#driver = keystone.catalog.backends.sql.Catalog +# Entrypoint for the catalog backend driver in the keystone.catalog namespace. +# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string +# value) +#driver = sql # Toggle for catalog caching. This has no effect unless global caching is # enabled. (boolean value) 
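Review bot: The default `methods` list gains `oauth1`, so OAuth1 authentication is accepted out of the box by every deployment that does not override the option, not only by those that issue OAuth consumers. This is consistent with `oauth1_extension` staying in the api_v3 pipeline in the paste hunk above, but the widened default deserves a note in the help text, e.g. `# Remove oauth1 if OAuth consumers are not used in this deployment.` The new `<None>` plugin defaults rely on entry-point resolution in the listed namespaces, so a misnamed entry point now surfaces at first use rather than as an import error.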
@@ -395,14 +402,71 @@ #list_limit = <None> +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. (string value) +#allowed_origin = <None> + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,POST,PUT,DELETE,OPTIONS + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma + + +[cors.subdomain] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. (string value) +#allowed_origin = <None> + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,POST,PUT,DELETE,OPTIONS + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma + + [credential] # # From keystone # -# Credential backend driver. 
(string value) -#driver = keystone.credential.backends.sql.Credential +# Entrypoint for the credential backend driver in the keystone.credential +# namespace. (string value) +#driver = sql [database] @@ -505,14 +569,34 @@ #db_max_retries = 20 +[domain_config] + +# +# From keystone +# + +# Entrypoint for the domain config backend driver in the +# keystone.resource.domain_config namespace. (string value) +#driver = sql + +# Toggle for domain config caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# TTL (in seconds) to cache domain config data. This has no effect unless +# domain config caching is enabled. (integer value) +#cache_time = 300 + + [endpoint_filter] # # From keystone # -# Endpoint Filter backend driver (string value) -#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter +# Entrypoint for the endpoint filter backend driver in the +# keystone.endpoint_filter namespace. (string value) +#driver = sql # Toggle to return all active endpoints if no filter exists. (boolean value) #return_all_endpoints_if_no_filter = true @@ -524,8 +608,12 @@ # From keystone # -# Endpoint policy backend driver (string value) -#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy +# Enable endpoint_policy functionality. (boolean value) +#enabled = true + +# Entrypoint for the endpoint policy backend driver in the +# keystone.endpoint_policy namespace. (string value) +#driver = sql [eventlet_server] 
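Review bot: In both new [cors] and [cors.subdomain] sections `allow_credentials` defaults to true while `allowed_origin` is unset, which is harmless as shipped but means the first value an operator puts into `allowed_origin` immediately grants credentialed cross-origin access to the identity API. The help text should state that `allowed_origin` must be an explicit list of trusted origins and that `allow_credentials` should be reconsidered when it is set, e.g. `# Set to an explicit origin list only; credentialed access is enabled by default.` Since this sample is generated from oslo.middleware's option definitions, the wording belongs there rather than in a hand edit of the sample. The hunk starts on the previous physical line with the `[cors]` header.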
@@ -537,42 +625,71 @@ # The number of worker processes to serve the public eventlet application. # Defaults to number of CPUs (minimum of 2). (integer value) # Deprecated group/name - [DEFAULT]/public_workers +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #public_workers = <None> # The number of worker processes to serve the admin eventlet application. # Defaults to number of CPUs (minimum of 2). (integer value) # Deprecated group/name - [DEFAULT]/admin_workers +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #admin_workers = <None> # The IP address of the network interface for the public service to listen on. # (string value) # Deprecated group/name - [DEFAULT]/bind_host # Deprecated group/name - [DEFAULT]/public_bind_host +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #public_bind_host = 0.0.0.0 # The port number which the public service listens on. (integer value) +# Minimum value: 1 +# Maximum value: 65535 # Deprecated group/name - [DEFAULT]/public_port +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #public_port = 5000 # The IP address of the network interface for the admin service to listen on. # (string value) # Deprecated group/name - [DEFAULT]/bind_host # Deprecated group/name - [DEFAULT]/admin_bind_host +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #admin_bind_host = 0.0.0.0 # The port number which the admin service listens on. (integer value) +# Minimum value: 1 +# Maximum value: 65535 # Deprecated group/name - [DEFAULT]/admin_port +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #admin_port = 35357 +# If set to false, disables keepalives on the server; all connections will be +# closed after serving one request. 
(boolean value) +#wsgi_keep_alive = true + +# Timeout for socket operations on a client connection. If an incoming +# connection is idle for this number of seconds it will be closed. A value of +# '0' means wait forever. (integer value) +#client_socket_timeout = 900 + # Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. # sockets used by the Keystone wsgi server for client connections. (boolean # value) # Deprecated group/name - [DEFAULT]/tcp_keepalive +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #tcp_keepalive = false # Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only # applies if tcp_keepalive is true. (integer value) # Deprecated group/name - [DEFAULT]/tcp_keepidle +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #tcp_keepidle = 600 
@@ -584,24 +701,34 @@ # Toggle for SSL support on the Keystone eventlet servers. (boolean value) # Deprecated group/name - [ssl]/enable +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #enable = false # Path of the certfile for SSL. For non-production environments, you may be # interested in using `keystone-manage ssl_setup` to generate self-signed # certificates. (string value) # Deprecated group/name - [ssl]/certfile +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #certfile = /etc/keystone/ssl/certs/keystone.pem # Path of the keyfile for SSL. (string value) # Deprecated group/name - [ssl]/keyfile +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #keyfile = /etc/keystone/ssl/private/keystonekey.pem # Path of the CA cert file for SSL. (string value) # Deprecated group/name - [ssl]/ca_certs +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #ca_certs = /etc/keystone/ssl/certs/ca.pem # Require client certificate. (boolean value) # Deprecated group/name - [ssl]/cert_required +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #cert_required = false @@ -611,8 +738,9 @@ # From keystone # -# Federation backend driver. (string value) -#driver = keystone.contrib.federation.backends.sql.Federation +# Entrypoint for the federation backend driver in the keystone.federation +# namespace. (string value) +#driver = sql # Value to be used when filtering assertion parameters from the environment. # (string value) 
@@ -626,9 +754,7 @@ # A domain name that is reserved to allow federated ephemeral users to have a # domain concept. Note that an admin will not be able to create a domain with # this name or update an existing domain to this name. You are not advised to -# change this value unless you really have to. Changing this option to empty -# string or None will not have any impact and default name will be used. -# (string value) +# change this value unless you really have to. (string value) #federated_domain_name = Federated # A list of trusted dashboard hosts. Before accepting a Single Sign-On request @@ -685,16 +811,17 @@ # Extract the domain specific configuration options from the resource backend # where they have been stored with the domain data. This feature is disabled by # default (in which case the domain specific options will be loaded from files -# in the domain configuration directory); set to true to enable. This feature -# is not yet supported. (boolean value) +# in the domain configuration directory); set to true to enable. (boolean +# value) #domain_configurations_from_database = false # Path for Keystone to locate the domain specific identity configuration files # if domain_specific_drivers_enabled is set to true. (string value) #domain_config_dir = /etc/keystone/domains -# Identity backend driver. (string value) -#driver = keystone.identity.backends.sql.Identity +# Entrypoint for the identity backend driver in the keystone.identity +# namespace. Supplied drivers are ldap and sql. (string value) +#driver = sql # Toggle for identity caching. This has no effect unless global caching is # enabled. (boolean value) @@ -706,6 +833,7 @@ # Maximum supported length for user passwords; decrease to improve performance. # (integer value) +# Maximum value: 4096 #max_password_length = 4096 # Maximum number of entities that will be returned in an identity collection. 
@@ -719,13 +847,14 @@ # From keystone # -# Keystone Identity Mapping backend driver. (string value) -#driver = keystone.identity.mapping_backends.sql.Mapping +# Entrypoint for the identity mapping backend driver in the +# keystone.identity.id_mapping namespace. (string value) +#driver = sql -# Public ID generator for user and group entities. The Keystone identity mapper -# only supports generators that produce no more than 64 characters. (string -# value) -#generator = keystone.identity.id_generators.sha256.Generator +# Entrypoint for the public ID generator for user and group entities in the +# keystone.identity.id_generator namespace. The Keystone identity mapper only +# supports generators that produce no more than 64 characters. (string value) +#generator = sha256 # The format of user and group IDs changed in Juno for backends that do not # generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the @@ -763,7 +892,7 @@ # always leave this set to true. (boolean value) #enable_key_mangler = true -# Default lock timeout for distributed locking. (integer value) +# Default lock timeout (in seconds) for distributed locking. (integer value) #default_lock_timeout = 5 
@@ -797,18 +926,18 @@ # your LDAP server supports subtree deletion. (boolean value) #allow_subtree_delete = false -# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) -# or "sub" (subtree/wholeSubtree). (string value) +# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub" +# represents subtree/wholeSubtree options. (string value) +# Allowed values: one, sub #query_scope = one # Maximum results per page; a value of zero ("0") disables paging. (integer # value) #page_size = 0 -# The LDAP dereferencing option for queries. This can be either "never", -# "searching", "always", "finding" or "default". The "default" option falls -# back to using default dereferencing configured by your ldap.conf. (string -# value) +# The LDAP dereferencing option for queries. The "default" option falls back to +# using default dereferencing configured by your ldap.conf. (string value) +# Allowed values: never, searching, always, finding, default #alias_dereferencing = default # Sets the LDAP debugging level for LDAP calls. A value of 0 means that @@ -820,7 +949,7 @@ # value) #chase_referrals = <None> -# Search base for users. (string value) +# Search base for users. Defaults to the suffix value. (string value) #user_tree_dn = <None> # LDAP search filter for users. (string value) @@ -867,7 +996,7 @@ #user_enabled_default = True # List of attributes stripped off the user on update. (list value) -#user_attribute_ignore = default_project_id,tenants +#user_attribute_ignore = default_project_id # LDAP attribute mapped to default_project_id for users. (string value) #user_default_project_id_attribute = <None> 
@@ -896,111 +1025,165 @@ # Identity API attribute. (list value) #user_additional_attribute_mapping = -# Search base for projects (string value) +# Search base for projects. Defaults to the suffix value. (string value) # Deprecated group/name - [ldap]/tenant_tree_dn +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_tree_dn = <None> # LDAP search filter for projects. (string value) # Deprecated group/name - [ldap]/tenant_filter +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_filter = <None> # LDAP objectclass for projects. (string value) # Deprecated group/name - [ldap]/tenant_objectclass +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_objectclass = groupOfNames # LDAP attribute mapped to project id. (string value) # Deprecated group/name - [ldap]/tenant_id_attribute +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_id_attribute = cn # LDAP attribute mapped to project membership for user. (string value) # Deprecated group/name - [ldap]/tenant_member_attribute +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_member_attribute = member # LDAP attribute mapped to project name. (string value) # Deprecated group/name - [ldap]/tenant_name_attribute +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_name_attribute = ou # LDAP attribute mapped to project description. (string value) # Deprecated group/name - [ldap]/tenant_desc_attribute +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_desc_attribute = description # LDAP attribute mapped to project enabled. (string value) # Deprecated group/name - [ldap]/tenant_enabled_attribute +# This option is deprecated for removal. 
+# Its value may be silently ignored in the future. #project_enabled_attribute = enabled # LDAP attribute mapped to project domain_id. (string value) # Deprecated group/name - [ldap]/tenant_domain_id_attribute +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_domain_id_attribute = businessCategory # List of attributes stripped off the project on update. (list value) # Deprecated group/name - [ldap]/tenant_attribute_ignore +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_attribute_ignore = # Allow project creation in LDAP backend. (boolean value) # Deprecated group/name - [ldap]/tenant_allow_create +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_allow_create = true # Allow project update in LDAP backend. (boolean value) # Deprecated group/name - [ldap]/tenant_allow_update +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_allow_update = true # Allow project deletion in LDAP backend. (boolean value) # Deprecated group/name - [ldap]/tenant_allow_delete +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_allow_delete = true # If true, Keystone uses an alternative method to determine if a project is # enabled or not by checking if they are a member of the # "project_enabled_emulation_dn" group. (boolean value) # Deprecated group/name - [ldap]/tenant_enabled_emulation +# This option is deprecated for removal. +# Its value may be silently ignored in the future. #project_enabled_emulation = false # DN of the group entry to hold enabled projects when using enabled emulation. # (string value) # Deprecated group/name - [ldap]/tenant_enabled_emulation_dn +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
#project_enabled_emulation_dn = <None>
# Additional attribute mappings for projects. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#project_additional_attribute_mapping =
-# Search base for roles. (string value)
+# Search base for roles. Defaults to the suffix value. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_tree_dn = <None>
# LDAP search filter for roles. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_filter = <None>
# LDAP objectclass for roles. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_objectclass = organizationalRole
# LDAP attribute mapped to role id. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_id_attribute = cn
# LDAP attribute mapped to role name. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_name_attribute = ou
# LDAP attribute mapped to role membership. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_member_attribute = roleOccupant
# List of attributes stripped off the role on update. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_attribute_ignore =
# Allow role creation in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_allow_create = true
# Allow role update in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_allow_update = true
# Allow role deletion in LDAP backend. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_allow_delete = true
# Additional attribute mappings for roles. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
#role_additional_attribute_mapping =
-# Search base for groups. (string value)
+# Search base for groups. Defaults to the suffix value. (string value)
#group_tree_dn = <None>
# LDAP search filter for groups. (string value)
@@ -1048,7 +1231,9 @@
# Enable TLS for communicating with LDAP servers. (boolean value)
#use_tls = false
-# Valid options for tls_req_cert are demand, never, and allow. (string value)
+# Specifies what checks to perform on client certificates in an incoming TLS
+# session. (string value)
+# Allowed values: demand, never, allow
#tls_req_cert = demand
# Enable LDAP connection pooling. (boolean value)
@@ -1151,8 +1336,9 @@
# From keystone
#
-# Credential backend driver. (string value)
-#driver = keystone.contrib.oauth1.backends.sql.OAuth1
+# Entrypoint for hte OAuth backend driver in the keystone.oauth1 namespace.
+# (string value)
+#driver = sql
# Duration (in seconds) for the OAuth Request Token. (integer value)
#request_token_duration = 28800
@@ -1202,7 +1388,7 @@
# Deprecated group/name - [amqp1]/trace
#trace = false
-# CA certificate PEM file for verifing server certificate (string value)
+# CA certificate PEM file to verify server certificate (string value)
# Deprecated group/name - [amqp1]/ssl_ca_file
#ssl_ca_file =
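Review bot: The new tls_req_cert description reads as if Keystone were the TLS server inspecting client certificates, but in this [ldap] section Keystone is the LDAP client, and as far as I can tell the option maps to the LDAP library's require-cert setting, i.e. what is checked on the LDAP server's certificate. The consequence of the allowed values is not stated either: `never` and `allow` effectively accept an unverifiable server certificate, so the connection can be intercepted even with use_tls enabled. Since this sample is generated, the fix belongs in the option's help text; I would word it as `# What checks to perform on the LDAP server's certificate when use_tls is enabled. "demand" requires a valid certificate; "never" and "allow" skip verification and should not be used in production.`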
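Review bot: `hte` in the new OAuth driver description is a typo for `the`; the line should read `# Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.`. The sample is generated, so the correction belongs in the option's help string rather than in this file alone.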
@@ -1230,6 +1416,7 @@
#
# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
@@ -1237,9 +1424,15 @@
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
+# Send a single AMQP reply to call message. The current behaviour since oslo-
+# incubator is to send two AMQP replies - first one with the payload, a second
+# one to ensure the other have finish to send the payload. We are going to
+# remove it in the N release, but we must keep backward compatible at the same
+# time. This option provides such compatibility - it defaults to False in
+# Liberty and can be turned on for early adopters with a new installations or
+# for testing. Please note, that this option will be removed in the Mitaka
+# release. (boolean value)
+#send_single_reply = false
# Qpid broker hostname. (string value)
# Deprecated group/name - [DEFAULT]/qpid_hostname
@@ -1296,6 +1489,7 @@
#
# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
@@ -1303,9 +1497,15 @@
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
-# Size of RPC connection pool. (integer value)
-# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
-#rpc_conn_pool_size = 30
+# Send a single AMQP reply to call message. The current behaviour since oslo-
+# incubator is to send two AMQP replies - first one with the payload, a second
+# one to ensure the other have finish to send the payload. We are going to
+# remove it in the N release, but we must keep backward compatible at the same
+# time. This option provides such compatibility - it defaults to False in
+# Liberty and can be turned on for early adopters with a new installations or
+# for testing. Please note, that this option will be removed in the Mitaka
+# release. (boolean value)
+#send_single_reply = false
# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
@@ -1330,6 +1530,10 @@
# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
#kombu_reconnect_delay = 1.0
+# How long to wait before considering a reconnect attempt to have failed. This
+# value should not be longer than rpc_response_timeout. (integer value)
+#kombu_reconnect_timeout = 60
+
# The RabbitMQ broker address where a single node is used. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_host
#rabbit_host = localhost
@@ -1380,6 +1584,15 @@
# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
#rabbit_ha_queues = false
+# Number of seconds after which the Rabbit broker is considered down if
+# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
+# value)
+#heartbeat_timeout_threshold = 60
+
+# How often times during the heartbeat_timeout_threshold we check the
+# heartbeat. (integer value)
+#heartbeat_rate = 2
+
# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
# Deprecated group/name - [DEFAULT]/fake_rabbit
#fake_rabbit = false
@@ -1396,6 +1609,40 @@
# Deprecated group/name - [DEFAULT]/max_request_body_size
#max_request_body_size = 114688
+#
+# From oslo.middleware
+#
+
+# The HTTP Header that will be used to determine what the original request
+# protocol scheme was, even if it was hidden by an SSL termination proxy.
+# (string value)
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# The JSON file that defines policies. (string value)
+# Deprecated group/name - [DEFAULT]/policy_file
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+# Deprecated group/name - [DEFAULT]/policy_default_rule
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+# Deprecated group/name - [DEFAULT]/policy_dirs
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#policy_dirs = policy.d
+
[paste_deploy]
@@ -1414,8 +1661,9 @@
# From keystone
#
-# Policy backend driver. (string value)
-#driver = keystone.policy.backends.sql.Policy
+# Entrypoint for the policy backend driver in the keystone.policy namespace.
+# Supplied drivers are rules and sql. (string value)
+#driver = sql
# Maximum number of entities that will be returned in a policy collection.
# (integer value)
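Review bot: The new secure_proxy_ssl_header description does not say that the named header is trusted as received, so a deployment that enables it without a proxy that overwrites the header on every request lets any client claim its request arrived over HTTPS; as far as the description shows this changes what the service believes the original scheme was, which feeds generated URLs and any scheme-dependent logic. Since the sample is generated, the caveat belongs in the option's help text, but I would add it here as well: `# Only set this behind a proxy that strips or sets the header on every request; otherwise clients can spoof the original scheme.`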
@@ -1428,8 +1676,10 @@
# From keystone
#
-# Resource backend driver. If a resource driver is not specified, the
-# assignment driver will choose the resource driver. (string value)
+# Entrypoint for the resource backend driver in the keystone.resource
+# namespace. Supplied drivers are ldap and sql. If a resource driver is not
+# specified, the assignment driver will choose the resource driver. (string
+# value)
#driver = <None>
# Toggle for resource caching. This has no effect unless global caching is
@@ -1454,9 +1704,10 @@
# From keystone
#
-# An implementation of the backend for persisting revocation events. (string
-# value)
-#driver = keystone.contrib.revoke.backends.sql.Revoke
+# Entrypoint for an implementation of the backend for persisting revocation
+# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
+# (string value)
+#driver = sql
# This value (calculated in seconds) is added to token expiration before a
# revocation event may be removed from the backend. (integer value)
@@ -1466,6 +1717,12 @@
# is enabled. (boolean value)
#caching = true
+# Time to cache the revocation list and the revocation events (in seconds).
+# This has no effect unless global and token caching are enabled. (integer
+# value)
+# Deprecated group/name - [token]/revocation_cache_time
+#cache_time = 3600
+
[role]
@@ -1473,7 +1730,8 @@
# From keystone
#
-# Role backend driver. (string value)
+# Entrypoint for the role backend driver in the keystone.role namespace.
+# Supplied drivers are ldap and sql. (string value)
#driver = <None>
# Toggle for role caching. This has no effect unless global caching is enabled.
@@ -1551,14 +1809,19 @@
# Telephone number of contact person. (string value)
#idp_contact_telephone = <None>
-# Contact type. Allowed values are: technical, support, administrative billing,
-# and other (string value)
+# The contact type describing the main point of contact for the identity
+# provider. (string value)
+# Allowed values: technical, support, administrative, billing, other
#idp_contact_type = other
# Path to the Identity Provider Metadata file. This file should be generated
# with the keystone-manage saml_idp_metadata command. (string value)
#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
+# The prefix to use for the RelayState SAML attribute, used when generating ECP
+# wrapped assertions. (string value)
+#relay_state_prefix = ss:mem:
+
[signing]
@@ -1582,6 +1845,7 @@
# Key size (in bits) for token signing cert (auto generated certificate).
# (integer value)
+# Minimum value: 1024
#key_size = 2048
# Days the token signing cert is valid for (auto generated certificate).
@@ -1603,6 +1867,7 @@
#ca_key = /etc/keystone/ssl/private/cakey.pem
# SSL key length (in bits) (auto generated certificate). (integer value)
+# Minimum value: 1024
#key_size = 1024
# Days the certificate is valid for once signed (auto generated certificate).
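Review bot: The new `# Minimum value: 1024` annotation on the [ssl] key_size option (and on the [signing] key_size in the preceding hunk) documents a floor that is below current guidance for RSA keys, and the [ssl] sample default sits exactly on that floor, `#key_size = 1024`. Because the sample is generated, both the bound and the default come from the option definitions; I would raise the [ssl] default to 2048 to match [signing], or at least extend the help text with `# 2048 or larger is recommended; 1024-bit RSA keys are considered weak.`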
@@ -1632,23 +1897,20 @@
# Amount of time a token should remain valid (in seconds). (integer value)
#expiration = 3600
-# Controls the token construction, validation, and revocation operations. Core
-# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". The
-# default provider is uuid. (string value)
-#provider = keystone.token.providers.uuid.Provider
+# Controls the token construction, validation, and revocation operations.
+# Entrypoint in the keystone.token.provider namespace. Core providers are
+# [fernet|pkiz|pki|uuid]. (string value)
+#provider = uuid
-# Token persistence backend driver. (string value)
-#driver = keystone.token.persistence.backends.sql.Token
+# Entrypoint for the token persistence backend driver in the
+# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
+# memcache_pool, and sql. (string value)
+#driver = sql
# Toggle for token system caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
-# Time to cache the revocation list and the revocation events if revoke
-# extension is enabled (in seconds). This has no effect unless global and token
-# caching are enabled. (integer value)
-#revocation_cache_time = 3600
-
# Time to cache tokens (in seconds). This has no effect unless global and token
# caching are enabled. (integer value)
#cache_time = <None>
@@ -1688,29 +1950,6 @@
# Maximum depth of trust redelegation. (integer value)
#max_redelegation_count = 3
-# Trust backend driver. (string value)
-#driver = keystone.trust.backends.sql.Trust
-
-
-[moon]
-
-# Authorisation backend driver. (string value)
-#authz_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector
-
-# Moon Log driver. (string value)
-#log_driver = keystone.contrib.moon.backends.flat.LogConnector
-
-# SuperExtension backend driver. (string value)
-#superextension_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector
-
-# IntraExtension backend driver. (string value)
-#intraextension_driver = keystone.contrib.moon.backends.sql.IntraExtensionConnector
-
-# Tenant backend driver. (string value)
-#tenant_driver = keystone.contrib.moon.backends.sql.TenantConnector
-
-# Local directory where all policies are stored. (string value)
-#policy_directory = /etc/keystone/policies
-
-# Local directory where SuperExtension configuration is stored. (string value)
-#super_extension_directory = /etc/keystone/super_extension
+# Entrypoint for the trust backend driver in the keystone.trust namespace.
+# (string value)
+#driver = sql
diff --git a/keystone-moon/etc/policy.json b/keystone-moon/etc/policy.json
index f0a081d3..ebb94b02 100644
--- a/keystone-moon/etc/policy.json
+++ b/keystone-moon/etc/policy.json
@@ -4,6 +4,9 @@
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
+ "token_subject": "user_id:%(target.token.user_id)s",
+ "admin_or_token_subject": "rule:admin_required or rule:token_subject",
+ "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
"default": "rule:admin_required",
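Review bot: Removing the whole [moon] section from the sample drops the only documented defaults for authz_driver, log_driver, superextension_driver, intraextension_driver, tenant_driver, policy_directory and super_extension_directory, and nothing in this hunk replaces them. I cannot tell from here whether the keystone.contrib.moon backends named in the removed lines are still shipped; if they are, operators lose the reference for how the extension is wired, and the section should stay (or be regenerated) rather than be deleted alongside the upstream driver rewording. If the extension is being retired, the commit message should say so.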
@@ -86,14 +89,13 @@
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
- "identity:check_token": "rule:admin_required",
- "identity:validate_token": "rule:service_or_admin",
+ "identity:check_token": "rule:admin_or_token_subject",
+ "identity:validate_token": "rule:service_admin_or_token_subject",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner",
+ "identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
@@ -126,6 +128,7 @@
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
+ "identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
diff --git a/keystone-moon/etc/policy.v3cloudsample.json b/keystone-moon/etc/policy.v3cloudsample.json
index a15b33f2..a96996c6 100644
--- a/keystone-moon/etc/policy.v3cloudsample.json
+++ b/keystone-moon/etc/policy.v3cloudsample.json
@@ -7,6 +7,7 @@
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
+ "service_admin_or_owner": "rule:service_or_admin or rule:owner",
"default": "rule:admin_required",
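Review bot: Deleting the `identity:get_trust` line without a replacement makes that target fall through to `"default": "rule:admin_required"`, so a trustor or trustee who could previously read their own trust under admin_or_owner now needs the admin role unless the controller no longer enforces a policy for it; the same deletion appears in the policy.v3cloudsample.json hunk on the next line. If the intent is for the code to enforce ownership itself, the commit message should say so; otherwise keep `"identity:get_trust": "rule:admin_or_owner",`. Separately, `identity:validate_token` now admits the token subject while `identity:validate_token_head` stays at service_or_admin, so GET and HEAD on the same resource are authorized differently; if that is deliberate it deserves a note, and the new token_subject rule presumably relies on the controller exposing the validated token under `target.token` for `%(target.token.user_id)s` to resolve.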
@@ -28,7 +29,7 @@
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
- "identity:get_domain": "rule:cloud_admin",
+ "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
@@ -88,9 +89,9 @@
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "admin_on_domain_filter" : "rule:cloud_admin or (rule:admin_required and domain_id:%(scope.domain.id)s)",
- "admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required and project_id:%(scope.project.id)s)",
- "identity:list_role_assignments": "rule:admin_on_domain_filter or rule:admin_on_project_filter",
+ "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
+ "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
+ "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",
@@ -100,13 +101,12 @@
"identity:change_password": "rule:owner",
"identity:check_token": "rule:admin_or_owner",
- "identity:validate_token": "rule:service_or_admin",
+ "identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
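Review bot: `admin_on_domain_filter` and `admin_on_project_filter` lose their `rule:cloud_admin` branch, which is re-added only on `identity:list_role_assignments`; that is equivalent for this target but narrows the two helper rules for any other policy file or operator override that references them by name. If they are used nowhere else the change is fine; otherwise keep the cloud_admin alternative inside the helpers, or state in the commit message that the helpers are now admin-only by design.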
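Review bot: `identity:validate_token` is relaxed here through `rule:owner`, which compares against `%(user_id)s`, whereas policy.json in this same commit introduces `token_subject` keyed on `%(target.token.user_id)s` for the same target. If the validate_token controller only exposes the token under `target.token`, the `user_id` substitution will not resolve and the owner branch never matches, leaving only the service_or_admin branch effective, which would make the relaxation a no-op rather than a hole. Either both files should use the same target key, or this one should define `"token_subject": "user_id:%(target.token.user_id)s"` and build `service_admin_or_owner` on it.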
@@ -139,6 +139,7 @@
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
+ "identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
|