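# Keystone (OpenStack Identity) service configuration.
# INI-style, read by keystone's oslo.config-based loader: '#' full-line
# comments, key = value. Commented-out keys show their defaults.
# NOTE(review): this file carries live credentials (admin_token, the [sql]
# connection URL and the [ldap] bind password). Keep it owned by the keystone
# service user with restrictive permissions (0600), and keep it out of
# version control, backups shared with other teams, and support bundles.
# NOTE(review): values in [ldap] are written inside double quotes; oslo.config
# is expected to strip a matching pair of surrounding quotes, whereas a stock
# Python configparser would keep them as part of the value -- confirm with
# the parser actually used if this file is ever consumed by other tooling.

[DEFAULT]
# A "shared secret" between keystone and other openstack services
# NOTE(review): a static admin_token bypasses normal authentication and
# policy for whoever presents it. It is a bootstrap credential: once real
# admin users/roles exist, remove it here and drop admin_token_auth from the
# paste pipeline, and rotate it if it was ever exposed.
# admin_token = ADMIN
admin_token = 6acf77b518934c31a784085dd50c4a83

# The IP address of the network interface to listen on
# bind_host = 0.0.0.0
bind_host = 0.0.0.0

# The port number which the public service listens on
# public_port = 5000
public_port = 5000

# The port number which the public admin listens on
# admin_port = 35357
admin_port = 35357

# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)s/
# admin_endpoint = http://localhost:%(admin_port)s/

# The port number which the OpenStack Compute service listens on
# compute_port = 8774
compute_port = 8774

# Path to your policy definition containing identity actions
# policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required

# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_

# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
# max_request_body_size = 114688

# limit the sizes of user & tenant ID/names
# max_param_size = 64

# similar to max_param_size, but provides an exception for token values
# max_token_size = 8192

# === Logging Options ===

# Print debugging output
# (includes plaintext request logging, potentially including passwords)
# NOTE(review): leave False in production; debug logs here can contain
# user passwords and tokens, so any log sink becomes a credential store.
# debug = False
debug = False

# Print more verbose output
# verbose = False
verbose = False

# Name of log file to output to. If not set, logging will go to stdout.
# log_file = /var/log/keystone/keystone.log

# The directory to keep log files in (will be prepended to --logfile)
# log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False
use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd

# === Notification Options ===

# Notifications can be sent when users or projects are created, updated or
# deleted. There are three methods of sending notifications: logging (via the
# log_file directive), rpc (via a message queue) and no_op (no notifications
# sent, the default)

# notification_driver can be defined multiple times
# Do nothing driver (the default)
# notification_driver = keystone.openstack.common.notifier.no_op_notifier
# Logging driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.log_notifier
# RPC driver example (not enabled by default)
# notification_driver = keystone.openstack.common.notifier.rpc_notifier

# Default notification level for outgoing notifications
# default_notification_level = INFO

# Default publisher_id for outgoing notifications; included in the payload.
# default_publisher_id =

# AMQP topics to publish to when using the RPC notification driver.
# Multiple values can be specified by separating with commas.
# The actual topic names will be %s.%(default_notification_level)s
# notification_topics = notifications

# === RPC Options ===

# For Keystone, these options apply only when the RPC notification driver is
# used.

# The messaging module to use, defaults to kombu.
# rpc_backend = keystone.openstack.common.rpc.impl_kombu

# Size of RPC thread pool
# rpc_thread_pool_size = 64

# Size of RPC connection pool
# rpc_conn_pool_size = 30

# Seconds to wait for a response from call or multicall
# rpc_response_timeout = 60

# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
# rpc_cast_timeout = 30

# Modules of exceptions that are permitted to be recreated upon receiving
# exception data from an rpc call.
# allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions

# If True, use a fake RabbitMQ provider
# fake_rabbit = False

# AMQP exchange to connect to if using RabbitMQ or Qpid
# control_exchange = openstack

[sql]
# The SQLAlchemy connection string used to connect to the database
# NOTE(review): the database password is embedded in this URL and the
# database lives on another host, so the credential is only as protected as
# this file's permissions and the transport to that host; whether that MySQL
# session is TLS-protected cannot be seen from here -- verify on the server.
# connection = mysql://keystone:keystone@localhost/keystone
connection = mysql://keystone_admin:9ddc0859165e4bd3@10.76.254.220/keystone

# the timeout before idle sql connections are reaped
# idle_timeout = 200
idle_timeout = 200

[identity]
# Identity backend. The LDAP driver is active; its connection and schema
# mapping are configured in the [ldap] section below.
# driver = keystone.identity.backends.sql.Identity
driver = keystone.identity.backends.ldap.Identity

# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist in order to maintain support for your v2 clients.
# default_domain_id = default
#
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration file in a domain configuration directory.
# Only values specific to the domain need to be placed in the domain specific
# configuration file. This feature is disabled by default; set
# domain_specific_drivers_enabled to True to enable.
# domain_specific_drivers_enabled = False
# domain_config_dir = /etc/keystone/domains

# Maximum supported length for user passwords; decrease to improve performance.
# max_password_length = 4096

[credential]
# driver = keystone.credential.backends.sql.Credential

[trust]
# driver = keystone.trust.backends.sql.Trust
# delegation and impersonation features can be optionally disabled
# enabled = True

[os_inherit]
# role-assignment inheritance to projects from owning domain can be
# optionally enabled
# enabled = False

[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog
driver = keystone.catalog.backends.sql.Catalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
# template_file = /etc/keystone/default_catalog.templates

[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
# driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True

[token]
# Provides token persistence.
# driver = keystone.token.backends.sql.Token
driver = keystone.token.backends.sql.Token

# Controls the token construction, validation, and revocation operations.
# Core providers are keystone.token.providers.[pki|uuid].Provider
# (here the provider is selected by the deprecated [signing] token_format)
# provider =

# Amount of time a token should remain valid (in seconds)
# NOTE(review): the 24h default applies; a stolen token stays usable for
# that long unless revoked, so shorten it if the deployment can tolerate it.
# expiration = 86400

# External auth mechanisms that should add bind information to token.
# eg kerberos, x509
# bind =

# Enforcement policy on tokens presented to keystone with bind information.
# One of disabled, permissive, strict, required or a specifically required bind
# mode e.g. kerberos or x509 to require binding to that authentication.
# enforce_token_bind = permissive

# Token specific caching toggle. This has no effect unless the global caching
# option is set to True
# caching = True

# Token specific cache time-to-live (TTL) in seconds.
# cache_time =

# Revocation-List specific cache time-to-live (TTL) in seconds.
# revocation_cache_time = 3600

[cache]
# Global cache functionality toggle.
# enabled = False

# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name
# config_prefix = cache.keystone

# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it.
# expiration_time = 600

# Dogpile.cache backend module. It is recommended that Memcache
# (dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production
# deployments. Small workloads (single process) like devstack can use the
# dogpile.cache.memory backend.
# backend = keystone.common.cache.noop

# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend.
# Example format: <argname>:<value>
# backend_argument =

# Proxy Classes to import that will affect the way the dogpile.cache backend
# functions. See the dogpile.cache documentation on changing-backend-behavior.
# Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2
# proxies =

# Use a key-mangling function (sha1) to ensure fixed length cache-keys. This
# is toggle-able for debugging purposes, it is highly recommended to always
# leave this set to True.
# use_key_mangler = True

# Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)
# This is only really useful if you need to see the specific cache-backend
# get/set/delete calls with the keys/values. Typically this should be left
# set to False.
# debug_cache_backend = False

[policy]
# driver = keystone.policy.backends.sql.Policy

[ec2]
# driver = keystone.contrib.ec2.backends.sql.Ec2

[assignment]
# driver = keystone.assignment.backends.sql.Assignment

# Assignment specific caching toggle. This has no effect unless the global
# caching option is set to True
# caching = True

# Assignment specific cache time-to-live (TTL) in seconds.
# cache_time =

[oauth1]
# driver = keystone.contrib.oauth1.backends.sql.OAuth1

# The Identity service may include expire attributes.
# If no such attribute is included, then the token lasts indefinitely.
# Specify how quickly the request token will expire (in seconds)
# request_token_duration = 28800
# Specify how quickly the access token will expire (in seconds)
# access_token_duration = 86400

[ssl]
# TLS for keystone's own listeners. All keys are at their defaults (disabled).
# NOTE(review): if this section is ever enabled, raise key_size above the
# 1024-bit default shown here before generating a certificate.
# enable = True
# certfile = /etc/keystone/pki/certs/ssl_cert.pem
# keyfile = /etc/keystone/pki/private/ssl_key.pem
# ca_certs = /etc/keystone/pki/certs/cacert.pem
# ca_key = /etc/keystone/pki/private/cakey.pem
# key_size = 1024
# valid_days = 3650
# cert_required = False
# cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
# token_format =
token_format = PKI
# certfile = /etc/keystone/pki/certs/signing_cert.pem
# keyfile = /etc/keystone/pki/private/signing_key.pem
# ca_certs = /etc/keystone/pki/certs/cacert.pem
# ca_key = /etc/keystone/pki/private/cakey.pem
# key_size = 2048
# valid_days = 3650
# cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ldap]
# NOTE(review): use_tls is left at its default (False) further down, so the
# bind password below and every user password keystone checks travel to the
# directory in clear text. That is only acceptable if 127.0.0.1 really is a
# local listener (e.g. a TLS-terminating forwarder) -- confirm what answers
# on this port.
url = ldap://127.0.0.1
user = "cn=man,OU=Russia,OU=International Users,DC=corp,DC=emc,DC=com"
# NOTE(review): plaintext bind credential; see the file header about
# permissions and rotation.
password = "hxQCaMcx6NJ42"
suffix = "OU=Russia,OU=International Users,DC=corp,DC=emc,DC=com"
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

# Maximum results per page; a value of zero ('0') disables paging (default)
# page_size = 0

# The LDAP dereferencing option for queries. This can be either 'never',
# 'searching', 'always', 'finding' or 'default'. The 'default' option falls
# back to using default dereferencing configured by your ldap.conf.
# alias_dereferencing = default

# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
query_scope = sub

# Users are read-only from keystone's point of view (allow_create/update/
# delete all False); the directory remains the source of truth.
user_tree_dn = "OU=Russia,OU=International Users,DC=corp,DC=emc,DC=com"
# user_filter =
user_objectclass = organizationalPerson
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_mail_attribute = mail
user_pass_attribute = userPassword
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512
user_attribute_ignore = mail,password,tenant_id,tenants
# user_default_project_id_attribute =
user_allow_create = False
user_allow_update = False
user_allow_delete = False
# user_enabled_emulation = False
# user_enabled_emulation_dn =

# Projects (tenants) are writable through keystone; only entries matching
# tenant_filter are visible.
tenant_tree_dn = "ou=Projects,ou=OpenStack,OU=Russia,OU=International Users,DC=corp,DC=emc,DC=com"
tenant_filter = (st=true)
tenant_objectclass = organizationalUnit
# tenant_domain_id_attribute = businessCategory
tenant_id_attribute = ou
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_desc_attribute = description
tenant_enabled_attribute = st
tenant_attribute_ignore = description,businessCategory
tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =

# Roles are writable through keystone.
role_tree_dn = "ou=Roles,ou=OpenStack,OU=Russia,OU=International Users,DC=corp,DC=emc,DC=com"
# role_filter =
role_objectclass = organizationalRole
role_id_attribute = cn
role_name_attribute = cn
role_member_attribute = roleOccupant
# role_attribute_ignore =
role_allow_create = True
role_allow_update = True
role_allow_delete = True

# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True

# ldap TLS options
# if both tls_cacertfile and tls_cacertdir are set then
# tls_cacertfile will be used and tls_cacertdir is ignored
# valid options for tls_req_cert are demand, never, and allow
# use_tls = False
# tls_cacertfile =
# tls_cacertdir =
# tls_req_cert = demand

# Additional attribute mappings can be used to map ldap attributes to internal
# keystone attributes. This allows keystone to fulfill ldap objectclass
# requirements. An example to map the description and gecos attributes to a
# user's name would be:
# user_additional_attribute_mapping = description:name, gecos:name
#
# domain_additional_attribute_mapping =
# group_additional_attribute_mapping =
# role_additional_attribute_mapping =
# project_additional_attribute_mapping =
# user_additional_attribute_mapping =

[auth]
# NOTE(review): 'external' is enabled in methods while its plugin line is
# commented out, so keystone falls back to its built-in default for that
# method. External auth trusts the REMOTE_USER identity supplied by the web
# server in front of keystone -- confirm that is intended and that nothing
# upstream lets a client set that header.
methods = external,password,token,oauth1
# external = keystone.auth.plugins.external.ExternalDefault
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
oauth1 = keystone.auth.plugins.oauth1.OAuth

[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
# config_file = /usr/share/keystone/keystone-dist-paste.ini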