summaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/common/config.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/common/config.py')
-rw-r--r--keystone-moon/keystone/common/config.py284
1 files changed, 187 insertions, 97 deletions
diff --git a/keystone-moon/keystone/common/config.py b/keystone-moon/keystone/common/config.py
index bcaedeef..6cc848b4 100644
--- a/keystone-moon/keystone/common/config.py
+++ b/keystone-moon/keystone/common/config.py
@@ -14,6 +14,7 @@
from oslo_config import cfg
import oslo_messaging
+import passlib.utils
_DEFAULT_AUTH_METHODS = ['external', 'password', 'token', 'oauth1']
@@ -32,14 +33,6 @@ FILE_OPTIONS = {
'AdminTokenAuthMiddleware from your paste '
'application pipelines (for example, in '
'keystone-paste.ini).'),
- cfg.IntOpt('compute_port', default=8774,
- help='(Deprecated) The port which the OpenStack Compute '
- 'service listens on. This option was only used for '
- 'string replacement in the templated catalog backend. '
- 'Templated catalogs should replace the '
- '"$(compute_port)s" substitution with the static port '
- 'of the compute service. As of Juno, this option is '
- 'deprecated and will be removed in the L release.'),
cfg.StrOpt('public_endpoint',
help='The base public endpoint URL for Keystone that is '
'advertised to clients (NOTE: this does NOT affect '
@@ -81,7 +74,13 @@ FILE_OPTIONS = {
help='This is the role name used in combination with the '
'member_role_id option; see that option for more '
'detail.'),
- cfg.IntOpt('crypt_strength', default=40000,
+ # NOTE(lbragstad/morganfainberg): This value of 10k was
+ # measured as having an approximate 30% clock-time savings
+ # over the old default of 40k. The passlib default is not
+ # static and grows over time to constantly approximate ~300ms
+ # of CPU time to hash; this was considered too high. This
+ # value still exceeds the glibc default of 5k.
+ cfg.IntOpt('crypt_strength', default=10000, min=1000, max=100000,
help='The value passed as the keyword "rounds" to '
'passlib\'s encrypt method.'),
cfg.IntOpt('list_limit',
@@ -149,9 +148,10 @@ FILE_OPTIONS = {
'identity configuration files if '
'domain_specific_drivers_enabled is set to true.'),
cfg.StrOpt('driver',
- default=('keystone.identity.backends'
- '.sql.Identity'),
- help='Identity backend driver.'),
+ default='sql',
+ help='Entrypoint for the identity backend driver in the '
+ 'keystone.identity namespace. Supplied drivers are '
+ 'ldap and sql.'),
cfg.BoolOpt('caching', default=True,
help='Toggle for identity caching. This has no '
'effect unless global caching is enabled.'),
@@ -160,6 +160,7 @@ FILE_OPTIONS = {
'no effect unless global and identity caching are '
'enabled.'),
cfg.IntOpt('max_password_length', default=4096,
+ max=passlib.utils.MAX_PASSWORD_SIZE,
help='Maximum supported length for user passwords; '
'decrease to improve performance.'),
cfg.IntOpt('list_limit',
@@ -168,15 +169,16 @@ FILE_OPTIONS = {
],
'identity_mapping': [
cfg.StrOpt('driver',
- default=('keystone.identity.mapping_backends'
- '.sql.Mapping'),
- help='Keystone Identity Mapping backend driver.'),
+ default='sql',
+ help='Entrypoint for the identity mapping backend driver '
+ 'in the keystone.identity.id_mapping namespace.'),
cfg.StrOpt('generator',
- default=('keystone.identity.id_generators'
- '.sha256.Generator'),
- help='Public ID generator for user and group entities. '
- 'The Keystone identity mapper only supports '
- 'generators that produce no more than 64 characters.'),
+ default='sha256',
+ help='Entrypoint for the public ID generator for user and '
+ 'group entities in the keystone.identity.id_generator '
+ 'namespace. The Keystone identity mapper only '
+ 'supports generators that produce no more than 64 '
+ 'characters.'),
cfg.BoolOpt('backward_compatible_ids',
default=True,
help='The format of user and group IDs changed '
@@ -209,8 +211,9 @@ FILE_OPTIONS = {
cfg.IntOpt('max_redelegation_count', default=3,
help='Maximum depth of trust redelegation.'),
cfg.StrOpt('driver',
- default='keystone.trust.backends.sql.Trust',
- help='Trust backend driver.')],
+ default='sql',
+ help='Entrypoint for the trust backend driver in the '
+ 'keystone.trust namespace.')],
'os_inherit': [
cfg.BoolOpt('enabled', default=False,
help='role-assignment inheritance to projects from '
@@ -245,14 +248,17 @@ FILE_OPTIONS = {
help='Amount of time a token should remain valid '
'(in seconds).'),
cfg.StrOpt('provider',
- default='keystone.token.providers.uuid.Provider',
+ default='uuid',
help='Controls the token construction, validation, and '
- 'revocation operations. Core providers are '
- '"keystone.token.providers.[fernet|pkiz|pki|uuid].'
- 'Provider".'),
+ 'revocation operations. Entrypoint in the '
+ 'keystone.token.provider namespace. Core providers '
+ 'are [fernet|pkiz|pki|uuid].'),
cfg.StrOpt('driver',
- default='keystone.token.persistence.backends.sql.Token',
- help='Token persistence backend driver.'),
+ default='sql',
+ help='Entrypoint for the token persistence backend driver '
+ 'in the keystone.token.persistence namespace. '
+ 'Supplied drivers are kvs, memcache, memcache_pool, '
+ 'and sql.'),
cfg.BoolOpt('caching', default=True,
help='Toggle for token system caching. This has no '
'effect unless global caching is enabled.'),
@@ -282,9 +288,10 @@ FILE_OPTIONS = {
],
'revoke': [
cfg.StrOpt('driver',
- default='keystone.contrib.revoke.backends.sql.Revoke',
- help='An implementation of the backend for persisting '
- 'revocation events.'),
+ default='sql',
+ help='Entrypoint for an implementation of the backend for '
+ 'persisting revocation events in the keystone.revoke '
+ 'namespace. Supplied drivers are kvs and sql.'),
cfg.IntOpt('expiration_buffer', default=1800,
help='This value (calculated in seconds) is added to token '
'expiration before a revocation event may be removed '
@@ -326,7 +333,7 @@ FILE_OPTIONS = {
'deployments. Small workloads (single process) '
'like devstack can use the dogpile.cache.memory '
'backend.'),
- cfg.MultiStrOpt('backend_argument', default=[],
+ cfg.MultiStrOpt('backend_argument', default=[], secret=True,
help='Arguments supplied to the backend module. '
'Specify this option once per argument to be '
'passed to the dogpile.cache backend. Example '
@@ -379,7 +386,7 @@ FILE_OPTIONS = {
cfg.StrOpt('ca_key',
default='/etc/keystone/ssl/private/cakey.pem',
help='Path of the CA key file for SSL.'),
- cfg.IntOpt('key_size', default=1024,
+ cfg.IntOpt('key_size', default=1024, min=1024,
help='SSL key length (in bits) (auto generated '
'certificate).'),
cfg.IntOpt('valid_days', default=3650,
@@ -406,7 +413,7 @@ FILE_OPTIONS = {
cfg.StrOpt('ca_key',
default='/etc/keystone/ssl/private/cakey.pem',
help='Path of the CA key for token signing.'),
- cfg.IntOpt('key_size', default=2048,
+ cfg.IntOpt('key_size', default=2048, min=1024,
help='Key size (in bits) for token signing cert '
'(auto generated certificate).'),
cfg.IntOpt('valid_days', default=3650,
@@ -419,17 +426,20 @@ FILE_OPTIONS = {
'token signing.'),
],
'assignment': [
- # assignment has no default for backward compatibility reasons.
- # If assignment driver is not specified, the identity driver chooses
- # the backend
cfg.StrOpt('driver',
- help='Assignment backend driver.'),
+ help='Entrypoint for the assignment backend driver in the '
+ 'keystone.assignment namespace. Supplied drivers are '
+ 'ldap and sql. If an assignment driver is not '
+ 'specified, the identity driver will choose the '
+ 'assignment driver.'),
],
'resource': [
cfg.StrOpt('driver',
- help='Resource backend driver. If a resource driver is '
- 'not specified, the assignment driver will choose '
- 'the resource driver.'),
+ help='Entrypoint for the resource backend driver in the '
+ 'keystone.resource namespace. Supplied drivers are '
+ 'ldap and sql. If a resource driver is not specified, '
+ 'the assignment driver will choose the resource '
+ 'driver.'),
cfg.BoolOpt('caching', default=True,
deprecated_opts=[cfg.DeprecatedOpt('caching',
group='assignment')],
@@ -448,16 +458,25 @@ FILE_OPTIONS = {
],
'domain_config': [
cfg.StrOpt('driver',
- default='keystone.resource.config_backends.sql.'
- 'DomainConfig',
- help='Domain config backend driver.'),
+ default='sql',
+ help='Entrypoint for the domain config backend driver in '
+ 'the keystone.resource.domain_config namespace.'),
+ cfg.BoolOpt('caching', default=True,
+ help='Toggle for domain config caching. This has no '
+ 'effect unless global caching is enabled.'),
+ cfg.IntOpt('cache_time', default=300,
+ help='TTL (in seconds) to cache domain config data. This '
+ 'has no effect unless domain config caching is '
+ 'enabled.'),
],
'role': [
# The role driver has no default for backward compatibility reasons.
# If role driver is not specified, the assignment driver chooses
# the backend
cfg.StrOpt('driver',
- help='Role backend driver.'),
+ help='Entrypoint for the role backend driver in the '
+ 'keystone.role namespace. Supplied drivers are ldap '
+ 'and sql.'),
cfg.BoolOpt('caching', default=True,
help='Toggle for role caching. This has no effect '
'unless global caching is enabled.'),
@@ -470,14 +489,15 @@ FILE_OPTIONS = {
],
'credential': [
cfg.StrOpt('driver',
- default=('keystone.credential.backends'
- '.sql.Credential'),
- help='Credential backend driver.'),
+ default='sql',
+ help='Entrypoint for the credential backend driver in the '
+ 'keystone.credential namespace.'),
],
'oauth1': [
cfg.StrOpt('driver',
- default='keystone.contrib.oauth1.backends.sql.OAuth1',
- help='Credential backend driver.'),
+ default='sql',
+ help='Entrypoint for hte OAuth backend driver in the '
+ 'keystone.oauth1 namespace.'),
cfg.IntOpt('request_token_duration', default=28800,
help='Duration (in seconds) for the OAuth Request Token.'),
cfg.IntOpt('access_token_duration', default=86400,
@@ -485,9 +505,9 @@ FILE_OPTIONS = {
],
'federation': [
cfg.StrOpt('driver',
- default='keystone.contrib.federation.'
- 'backends.sql.Federation',
- help='Federation backend driver.'),
+ default='sql',
+ help='Entrypoint for the federation backend driver in the '
+ 'keystone.federation namespace.'),
cfg.StrOpt('assertion_prefix', default='',
help='Value to be used when filtering assertion parameters '
'from the environment.'),
@@ -502,9 +522,7 @@ FILE_OPTIONS = {
'an admin will not be able to create a domain with '
'this name or update an existing domain to this '
'name. You are not advised to change this value '
- 'unless you really have to. Changing this option '
- 'to empty string or None will not have any impact and '
- 'default name will be used.'),
+ 'unless you really have to.'),
cfg.MultiStrOpt('trusted_dashboard', default=[],
help='A list of trusted dashboard hosts. Before '
'accepting a Single Sign-On request to return a '
@@ -519,26 +537,31 @@ FILE_OPTIONS = {
],
'policy': [
cfg.StrOpt('driver',
- default='keystone.policy.backends.sql.Policy',
- help='Policy backend driver.'),
+ default='sql',
+ help='Entrypoint for the policy backend driver in the '
+ 'keystone.policy namespace. Supplied drivers are '
+ 'rules and sql.'),
cfg.IntOpt('list_limit',
help='Maximum number of entities that will be returned '
'in a policy collection.'),
],
'endpoint_filter': [
cfg.StrOpt('driver',
- default='keystone.contrib.endpoint_filter.backends'
- '.sql.EndpointFilter',
- help='Endpoint Filter backend driver'),
+ default='sql',
+ help='Entrypoint for the endpoint filter backend driver in '
+ 'the keystone.endpoint_filter namespace.'),
cfg.BoolOpt('return_all_endpoints_if_no_filter', default=True,
help='Toggle to return all active endpoints if no filter '
'exists.'),
],
'endpoint_policy': [
+ cfg.BoolOpt('enabled',
+ default=True,
+ help='Enable endpoint_policy functionality.'),
cfg.StrOpt('driver',
- default='keystone.contrib.endpoint_policy.backends'
- '.sql.EndpointPolicy',
- help='Endpoint policy backend driver'),
+ default='sql',
+ help='Entrypoint for the endpoint policy backend driver in '
+ 'the keystone.endpoint_policy namespace.'),
],
'ldap': [
cfg.StrOpt('url', default='ldap://localhost',
@@ -561,18 +584,19 @@ FILE_OPTIONS = {
'Only enable this option if your LDAP server '
'supports subtree deletion.'),
cfg.StrOpt('query_scope', default='one',
- help='The LDAP scope for queries, this can be either '
- '"one" (onelevel/singleLevel) or "sub" '
- '(subtree/wholeSubtree).'),
+ choices=['one', 'sub'],
+ help='The LDAP scope for queries, "one" represents '
+ 'oneLevel/singleLevel and "sub" represents '
+ 'subtree/wholeSubtree options.'),
cfg.IntOpt('page_size', default=0,
help='Maximum results per page; a value of zero ("0") '
'disables paging.'),
cfg.StrOpt('alias_dereferencing', default='default',
- help='The LDAP dereferencing option for queries. This '
- 'can be either "never", "searching", "always", '
- '"finding" or "default". The "default" option falls '
- 'back to using default dereferencing configured by '
- 'your ldap.conf.'),
+ choices=['never', 'searching', 'always', 'finding',
+ 'default'],
+ help='The LDAP dereferencing option for queries. The '
+ '"default" option falls back to using default '
+ 'dereferencing configured by your ldap.conf.'),
cfg.IntOpt('debug_level',
help='Sets the LDAP debugging level for LDAP calls. '
'A value of 0 means that debugging is not enabled. '
@@ -582,7 +606,8 @@ FILE_OPTIONS = {
help='Override the system\'s default referral chasing '
'behavior for queries.'),
cfg.StrOpt('user_tree_dn',
- help='Search base for users.'),
+ help='Search base for users. '
+ 'Defaults to the suffix value.'),
cfg.StrOpt('user_filter',
help='LDAP search filter for users.'),
cfg.StrOpt('user_objectclass', default='inetOrgPerson',
@@ -622,7 +647,7 @@ FILE_OPTIONS = {
'the typical value is "512". This is typically used '
'when "user_enabled_attribute = userAccountControl".'),
cfg.ListOpt('user_attribute_ignore',
- default=['default_project_id', 'tenants'],
+ default=['default_project_id'],
help='List of attributes stripped off the user on '
'update.'),
cfg.StrOpt('user_default_project_id_attribute',
@@ -653,61 +678,76 @@ FILE_OPTIONS = {
cfg.StrOpt('project_tree_dn',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_tree_dn', group='ldap')],
- help='Search base for projects'),
+ deprecated_for_removal=True,
+ help='Search base for projects. '
+ 'Defaults to the suffix value.'),
cfg.StrOpt('project_filter',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_filter', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP search filter for projects.'),
cfg.StrOpt('project_objectclass', default='groupOfNames',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_objectclass', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP objectclass for projects.'),
cfg.StrOpt('project_id_attribute', default='cn',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_id_attribute', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP attribute mapped to project id.'),
cfg.StrOpt('project_member_attribute', default='member',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_member_attribute', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP attribute mapped to project membership for '
'user.'),
cfg.StrOpt('project_name_attribute', default='ou',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_name_attribute', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP attribute mapped to project name.'),
cfg.StrOpt('project_desc_attribute', default='description',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_desc_attribute', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP attribute mapped to project description.'),
cfg.StrOpt('project_enabled_attribute', default='enabled',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_enabled_attribute', group='ldap')],
+ deprecated_for_removal=True,
help='LDAP attribute mapped to project enabled.'),
cfg.StrOpt('project_domain_id_attribute',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_domain_id_attribute', group='ldap')],
+ deprecated_for_removal=True,
default='businessCategory',
help='LDAP attribute mapped to project domain_id.'),
cfg.ListOpt('project_attribute_ignore', default=[],
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_attribute_ignore', group='ldap')],
+ deprecated_for_removal=True,
help='List of attributes stripped off the project on '
'update.'),
cfg.BoolOpt('project_allow_create', default=True,
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_allow_create', group='ldap')],
+ deprecated_for_removal=True,
help='Allow project creation in LDAP backend.'),
cfg.BoolOpt('project_allow_update', default=True,
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_allow_update', group='ldap')],
+ deprecated_for_removal=True,
help='Allow project update in LDAP backend.'),
cfg.BoolOpt('project_allow_delete', default=True,
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_allow_delete', group='ldap')],
+ deprecated_for_removal=True,
help='Allow project deletion in LDAP backend.'),
cfg.BoolOpt('project_enabled_emulation', default=False,
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_enabled_emulation', group='ldap')],
+ deprecated_for_removal=True,
help='If true, Keystone uses an alternative method to '
'determine if a project is enabled or not by '
'checking if they are a member of the '
@@ -715,11 +755,13 @@ FILE_OPTIONS = {
cfg.StrOpt('project_enabled_emulation_dn',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_enabled_emulation_dn', group='ldap')],
+ deprecated_for_removal=True,
help='DN of the group entry to hold enabled projects when '
'using enabled emulation.'),
cfg.ListOpt('project_additional_attribute_mapping',
deprecated_opts=[cfg.DeprecatedOpt(
'tenant_additional_attribute_mapping', group='ldap')],
+ deprecated_for_removal=True,
default=[],
help='Additional attribute mappings for projects. '
'Attribute mapping format is '
@@ -728,27 +770,39 @@ FILE_OPTIONS = {
'Identity API attribute.'),
cfg.StrOpt('role_tree_dn',
- help='Search base for roles.'),
+ deprecated_for_removal=True,
+ help='Search base for roles. '
+ 'Defaults to the suffix value.'),
cfg.StrOpt('role_filter',
+ deprecated_for_removal=True,
help='LDAP search filter for roles.'),
cfg.StrOpt('role_objectclass', default='organizationalRole',
+ deprecated_for_removal=True,
help='LDAP objectclass for roles.'),
cfg.StrOpt('role_id_attribute', default='cn',
+ deprecated_for_removal=True,
help='LDAP attribute mapped to role id.'),
cfg.StrOpt('role_name_attribute', default='ou',
+ deprecated_for_removal=True,
help='LDAP attribute mapped to role name.'),
cfg.StrOpt('role_member_attribute', default='roleOccupant',
+ deprecated_for_removal=True,
help='LDAP attribute mapped to role membership.'),
cfg.ListOpt('role_attribute_ignore', default=[],
+ deprecated_for_removal=True,
help='List of attributes stripped off the role on '
'update.'),
cfg.BoolOpt('role_allow_create', default=True,
+ deprecated_for_removal=True,
help='Allow role creation in LDAP backend.'),
cfg.BoolOpt('role_allow_update', default=True,
+ deprecated_for_removal=True,
help='Allow role update in LDAP backend.'),
cfg.BoolOpt('role_allow_delete', default=True,
+ deprecated_for_removal=True,
help='Allow role deletion in LDAP backend.'),
cfg.ListOpt('role_additional_attribute_mapping',
+ deprecated_for_removal=True,
default=[],
help='Additional attribute mappings for roles. Attribute '
'mapping format is <ldap_attr>:<user_attr>, where '
@@ -756,7 +810,8 @@ FILE_OPTIONS = {
'user_attr is the Identity API attribute.'),
cfg.StrOpt('group_tree_dn',
- help='Search base for groups.'),
+ help='Search base for groups. '
+ 'Defaults to the suffix value.'),
cfg.StrOpt('group_filter',
help='LDAP search filter for groups.'),
cfg.StrOpt('group_objectclass', default='groupOfNames',
@@ -794,8 +849,9 @@ FILE_OPTIONS = {
cfg.BoolOpt('use_tls', default=False,
help='Enable TLS for communicating with LDAP servers.'),
cfg.StrOpt('tls_req_cert', default='demand',
- help='Valid options for tls_req_cert are demand, never, '
- 'and allow.'),
+ choices=['demand', 'never', 'allow'],
+ help='Specifies what checks to perform on client '
+ 'certificates in an incoming TLS session.'),
cfg.BoolOpt('use_pool', default=False,
help='Enable LDAP connection pooling.'),
cfg.IntOpt('pool_size', default=10,
@@ -821,20 +877,22 @@ FILE_OPTIONS = {
],
'auth': [
cfg.ListOpt('methods', default=_DEFAULT_AUTH_METHODS,
- help='Default auth methods.'),
+ help='Allowed authentication methods.'),
cfg.StrOpt('password',
- default='keystone.auth.plugins.password.Password',
- help='The password auth plugin module.'),
+ help='Entrypoint for the password auth plugin module in '
+ 'the keystone.auth.password namespace.'),
cfg.StrOpt('token',
- default='keystone.auth.plugins.token.Token',
- help='The token auth plugin module.'),
+ help='Entrypoint for the token auth plugin module in the '
+ 'keystone.auth.token namespace.'),
# deals with REMOTE_USER authentication
cfg.StrOpt('external',
- default='keystone.auth.plugins.external.DefaultDomain',
- help='The external (REMOTE_USER) auth plugin module.'),
+ help='Entrypoint for the external (REMOTE_USER) auth '
+ 'plugin module in the keystone.auth.external '
+ 'namespace. Supplied drivers are DefaultDomain and '
+ 'Domain. The default driver is DefaultDomain.'),
cfg.StrOpt('oauth1',
- default='keystone.auth.plugins.oauth1.OAuth',
- help='The oAuth1.0 auth plugin module.'),
+ help='Entrypoint for the oAuth1.0 auth plugin module in '
+ 'the keystone.auth.oauth1 namespace.'),
],
'paste_deploy': [
cfg.StrOpt('config_file', default='keystone-paste.ini',
@@ -880,8 +938,10 @@ FILE_OPTIONS = {
help='Catalog template file name for use with the '
'template catalog backend.'),
cfg.StrOpt('driver',
- default='keystone.catalog.backends.sql.Catalog',
- help='Catalog backend driver.'),
+ default='sql',
+ help='Entrypoint for the catalog backend driver in the '
+ 'keystone.catalog namespace. Supplied drivers are '
+ 'kvs, sql, templated, and endpoint_filter.sql'),
cfg.BoolOpt('caching', default=True,
help='Toggle for catalog caching. This has no '
'effect unless global caching is enabled.'),
@@ -963,25 +1023,33 @@ FILE_OPTIONS = {
cfg.StrOpt('idp_contact_telephone',
help='Telephone number of contact person.'),
cfg.StrOpt('idp_contact_type', default='other',
- help='Contact type. Allowed values are: '
- 'technical, support, administrative '
- 'billing, and other'),
+ choices=['technical', 'support', 'administrative',
+ 'billing', 'other'],
+ help='The contact type describing the main point of '
+ 'contact for the identity provider.'),
cfg.StrOpt('idp_metadata_path',
default='/etc/keystone/saml2_idp_metadata.xml',
help='Path to the Identity Provider Metadata file. '
'This file should be generated with the '
'keystone-manage saml_idp_metadata command.'),
+ cfg.StrOpt('relay_state_prefix',
+ default='ss:mem:',
+ help='The prefix to use for the RelayState SAML '
+ 'attribute, used when generating ECP wrapped '
+ 'assertions.'),
],
'eventlet_server': [
cfg.IntOpt('public_workers',
deprecated_name='public_workers',
deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
help='The number of worker processes to serve the public '
'eventlet application. Defaults to number of CPUs '
'(minimum of 2).'),
cfg.IntOpt('admin_workers',
deprecated_name='admin_workers',
deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
help='The number of worker processes to serve the admin '
'eventlet application. Defaults to number of CPUs '
'(minimum of 2).'),
@@ -991,10 +1059,13 @@ FILE_OPTIONS = {
group='DEFAULT'),
cfg.DeprecatedOpt('public_bind_host',
group='DEFAULT'), ],
+ deprecated_for_removal=True,
help='The IP address of the network interface for the '
'public service to listen on.'),
- cfg.IntOpt('public_port', default=5000, deprecated_name='public_port',
+ cfg.IntOpt('public_port', default=5000, min=1, max=65535,
+ deprecated_name='public_port',
deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
help='The port number which the public service listens '
'on.'),
cfg.StrOpt('admin_bind_host',
@@ -1003,15 +1074,28 @@ FILE_OPTIONS = {
group='DEFAULT'),
cfg.DeprecatedOpt('admin_bind_host',
group='DEFAULT')],
+ deprecated_for_removal=True,
help='The IP address of the network interface for the '
'admin service to listen on.'),
- cfg.IntOpt('admin_port', default=35357, deprecated_name='admin_port',
+ cfg.IntOpt('admin_port', default=35357, min=1, max=65535,
+ deprecated_name='admin_port',
deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
help='The port number which the admin service listens '
'on.'),
+ cfg.BoolOpt('wsgi_keep_alive', default=True,
+ help="If set to false, disables keepalives on the server; "
+ "all connections will be closed after serving one "
+ "request."),
+ cfg.IntOpt('client_socket_timeout', default=900,
+ help="Timeout for socket operations on a client "
+ "connection. If an incoming connection is idle for "
+ "this number of seconds it will be closed. A value "
+ "of '0' means wait forever."),
cfg.BoolOpt('tcp_keepalive', default=False,
deprecated_name='tcp_keepalive',
deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
help='Set this to true if you want to enable '
'TCP_KEEPALIVE on server sockets, i.e. sockets used '
'by the Keystone wsgi server for client '
@@ -1020,6 +1104,7 @@ FILE_OPTIONS = {
default=600,
deprecated_name='tcp_keepidle',
deprecated_group='DEFAULT',
+ deprecated_for_removal=True,
help='Sets the value of TCP_KEEPIDLE in seconds for each '
'server socket. Only applies if tcp_keepalive is '
'true.'),
@@ -1027,11 +1112,13 @@ FILE_OPTIONS = {
'eventlet_server_ssl': [
cfg.BoolOpt('enable', default=False, deprecated_name='enable',
deprecated_group='ssl',
+ deprecated_for_removal=True,
help='Toggle for SSL support on the Keystone '
'eventlet servers.'),
cfg.StrOpt('certfile',
default="/etc/keystone/ssl/certs/keystone.pem",
deprecated_name='certfile', deprecated_group='ssl',
+ deprecated_for_removal=True,
help='Path of the certfile for SSL. For non-production '
'environments, you may be interested in using '
'`keystone-manage ssl_setup` to generate self-signed '
@@ -1039,13 +1126,16 @@ FILE_OPTIONS = {
cfg.StrOpt('keyfile',
default='/etc/keystone/ssl/private/keystonekey.pem',
deprecated_name='keyfile', deprecated_group='ssl',
+ deprecated_for_removal=True,
help='Path of the keyfile for SSL.'),
cfg.StrOpt('ca_certs',
default='/etc/keystone/ssl/certs/ca.pem',
deprecated_name='ca_certs', deprecated_group='ssl',
+ deprecated_for_removal=True,
help='Path of the CA cert file for SSL.'),
cfg.BoolOpt('cert_required', default=False,
deprecated_name='cert_required', deprecated_group='ssl',
+ deprecated_for_removal=True,
help='Require client certificate.'),
],
}
@@ -1080,7 +1170,7 @@ def configure(conf=None):
cfg.StrOpt('pydev-debug-host',
help='Host to connect to for remote debugger.'))
conf.register_cli_opt(
- cfg.IntOpt('pydev-debug-port',
+ cfg.IntOpt('pydev-debug-port', min=1, max=65535,
help='Port to connect to for remote debugger.'))
for section in FILE_OPTIONS:
@@ -1115,4 +1205,4 @@ def list_opts():
:returns: a list of (group_name, opts) tuples
"""
- return FILE_OPTIONS.items()
+ return list(FILE_OPTIONS.items())