blob: e52f532a7bf5275d47d12c1226aded0d12d6ff55 [file] [log] [blame]
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001{% from "keystone/map.jinja" import server with context %}
2[DEFAULT]
3
4#
5# From keystone
6#
7
8# A "shared secret" that can be used to bootstrap Keystone. This "token" does
9# not represent a user, and carries no explicit authorization. To disable in
10# production (highly recommended), remove AdminTokenAuthMiddleware from your
11# paste application pipelines (for example, in keystone-paste.ini). (string
12# value)
13#admin_token = ADMIN
14admin_token={{ server.service_token }}
15
16# The base public endpoint URL for Keystone that is advertised to clients
17# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
18# to the base host URL of the request. E.g. a request to
19# http://server:5000/v3/users will default to http://server:5000. You should
20# only need to set this value if the base URL contains a path (e.g. /prefix/v3)
21# or the endpoint should be found on a different server. (string value)
22#public_endpoint = <None>
23
24# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
25# this does NOT affect how Keystone listens for connections). Defaults to the
26# base host URL of the request. E.g. a request to http://server:35357/v3/users
27# will default to http://server:35357. You should only need to set this value
28# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
29# found on a different server. (string value)
30#admin_endpoint = <None>
31
32# Maximum depth of the project hierarchy. WARNING: setting it to a large value
33# may adversely impact performance. (integer value)
34#max_project_tree_depth = 5
35
36# Limit the sizes of user & project ID/names. (integer value)
37#max_param_size = 64
38
39# Similar to max_param_size, but provides an exception for token values.
40# (integer value)
41#max_token_size = 8192
42
43# Similar to the member_role_name option, this represents the default role ID
44# used to associate users with their default projects in the v2 API. This will
45# be used as the explicit role where one is not specified by the v2 API.
46# (string value)
47#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
48
49# This is the role name used in combination with the member_role_id option; see
50# that option for more detail. (string value)
51#member_role_name = _member_
52
53# The value passed as the keyword "rounds" to passlib's encrypt method.
54# (integer value)
55# Minimum value: 1000
56# Maximum value: 100000
57#crypt_strength = 10000
58
59# The maximum number of entities that will be returned in a collection, with no
60# limit set by default. This global limit may be then overridden for a specific
61# driver, by specifying a list_limit in the appropriate section (e.g.
62# [assignment]). (integer value)
63#list_limit = <None>
64
65# Set this to false if you want to enable the ability for user, group and
66# project entities to be moved between domains by updating their domain_id.
67# Allowing such movement is not recommended if the scope of a domain admin is
68# being restricted by use of an appropriate policy file (see
69# policy.v3cloudsample as an example). (boolean value)
70#domain_id_immutable = true
71
72# If set to true, strict password length checking is performed for password
73# manipulation. If a password exceeds the maximum length, the operation will
74# fail with an HTTP 403 Forbidden error. If set to false, passwords are
75# automatically truncated to the maximum length. (boolean value)
76#strict_password_check = false
77
78# The HTTP header used to determine the scheme for the original request, even
79# if it was removed by an SSL terminating proxy. Typical value is
80# "HTTP_X_FORWARDED_PROTO". (string value)
Filip Pytloun5e607fd2016-01-05 12:17:29 +010081secure_proxy_ssl_header = "HTTP_X_FORWARDED_PROTO"
Jakub Pavlik0fa0f442015-10-19 16:32:35 +020082
83#
84# From keystone.notifications
85#
86
87# Default publisher_id for outgoing notifications (string value)
88#default_publisher_id = <None>
89
90# Define the notification format for Identity Service events. A "basic"
91# notification has information about the resource being operated on. A "cadf"
92# notification has the same information, as well as information about the
93# initiator of the event. (string value)
94# Allowed values: basic, cadf
95#notification_format = basic
Petr Michalec45a9af42016-11-29 16:40:00 +010096notification_format = {{ server.get("notification_format", "basic") }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +020097
98#
99# From oslo.log
100#
101
102# Print debugging output (set logging level to DEBUG instead of default INFO
103# level). (boolean value)
104#debug = false
105debug = false
106
107# If set to false, will disable INFO logging level, making WARNING the default.
108# (boolean value)
109# This option is deprecated for removal.
110# Its value may be silently ignored in the future.
111#verbose = true
112verbose = true
113
114# The name of a logging configuration file. This file is appended to any
115# existing logging configuration files. For details about logging configuration
116# files, see the Python logging module documentation. (string value)
117# Deprecated group/name - [DEFAULT]/log_config
118#log_config_append = <None>
119
120# DEPRECATED. A logging.Formatter log message format string which may use any
121# of the available logging.LogRecord attributes. This option is deprecated.
122# Please use logging_context_format_string and logging_default_format_string
123# instead. (string value)
124#log_format = <None>
125
126# Format string for %%(asctime)s in log records. Default: %(default)s . (string
127# value)
128#log_date_format = %Y-%m-%d %H:%M:%S
129
130# (Optional) Name of log file to output to. If no default is set, logging will
131# go to stdout. (string value)
132# Deprecated group/name - [DEFAULT]/logfile
133#log_file = <None>
134
135# (Optional) The base directory used for relative --log-file paths. (string
136# value)
137# Deprecated group/name - [DEFAULT]/logdir
138#log_dir = <None>
139log_dir = /var/log/keystone
140
141# Use syslog for logging. Existing syslog format is DEPRECATED and will be
142# changed later to honor RFC5424. (boolean value)
143#use_syslog = false
144
145# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
146# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
147# format without the APP-NAME is deprecated in Kilo, and will be removed in
148# Mitaka, along with this option. (boolean value)
149# This option is deprecated for removal.
150# Its value may be silently ignored in the future.
151#use_syslog_rfc_format = true
152
153# Syslog facility to receive log lines. (string value)
154#syslog_log_facility = LOG_USER
155
156# Log output to standard error. (boolean value)
157#use_stderr = true
158
159# Format string to use for log messages with context. (string value)
160#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
161
162# Format string to use for log messages without context. (string value)
163#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
164
165# Data to append to log format when level is DEBUG. (string value)
166#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
167
168# Prefix each line of exception output with this format. (string value)
169#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
170
171# List of logger=LEVEL pairs. (list value)
172#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN
173
174# Enables or disables publication of error events. (boolean value)
175#publish_errors = false
176
177# The format for an instance that is passed with the log message. (string
178# value)
179#instance_format = "[instance: %(uuid)s] "
180
181# The format for an instance UUID that is passed with the log message. (string
182# value)
183#instance_uuid_format = "[instance: %(uuid)s] "
184
185# Enables or disables fatal status of deprecations. (boolean value)
186#fatal_deprecations = false
187
188#
189# From oslo.messaging
190#
191
192# Size of RPC connection pool. (integer value)
193# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
194#rpc_conn_pool_size = 30
195
196# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
197# The "host" option should point or resolve to this address. (string value)
198#rpc_zmq_bind_address = *
199
200# MatchMaker driver. (string value)
201#rpc_zmq_matchmaker = local
202
203# ZeroMQ receiver listening port. (integer value)
204#rpc_zmq_port = 9501
205
206# Number of ZeroMQ contexts, defaults to 1. (integer value)
207#rpc_zmq_contexts = 1
208
209# Maximum number of ingress messages to locally buffer per topic. Default is
210# unlimited. (integer value)
211#rpc_zmq_topic_backlog = <None>
212
213# Directory for holding IPC sockets. (string value)
214#rpc_zmq_ipc_dir = /var/run/openstack
215
216# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
217# "host" option, if running Nova. (string value)
218#rpc_zmq_host = localhost
219
220# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
221# (integer value)
222#rpc_cast_timeout = 30
223
224# Heartbeat frequency. (integer value)
225#matchmaker_heartbeat_freq = 300
226
227# Heartbeat time-to-live. (integer value)
228#matchmaker_heartbeat_ttl = 600
229
230# Size of executor thread pool. (integer value)
231# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
232#executor_thread_pool_size = 64
233
234# The Drivers(s) to handle sending notifications. Possible values are
235# messaging, messagingv2, routing, log, test, noop (multi valued)
236{%- if server.notification %}
237#notification_driver=
Jakub Pavlik72e31d62016-04-08 16:26:57 +0200238notification_driver=messagingv2
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200239{%- endif %}
240# AMQP topic used for OpenStack notifications. (list value)
241# Deprecated group/name - [rpc_notifier2]/topics
242#notification_topics = notifications
243
244# Seconds to wait for a response from a call. (integer value)
245#rpc_response_timeout = 60
246
247# A URL representing the messaging driver to use and its full configuration. If
248# not set, we fall back to the rpc_backend option and driver specific
249# configuration. (string value)
250#transport_url = <None>
251
252# The messaging driver to use, defaults to rabbit. Other drivers include qpid
253# and zmq. (string value)
254#rpc_backend = rabbit
255
256# The default exchange under which topics are scoped. May be overridden by an
257# exchange name specified in the transport_url option. (string value)
258#control_exchange = keystone
259
260#
261# From oslo.service.service
262#
263
264# Enable eventlet backdoor. Acceptable values are 0, <port>, and
265# <start>:<end>, where 0 results in listening on a random tcp port number;
266# <port> results in listening on the specified port number (and not enabling
267# backdoor if that port is in use); and <start>:<end> results in listening on
268# the smallest unused port number within the specified range of port numbers.
269# The chosen port is displayed in the service's log file. (string value)
270#backdoor_port = <None>
271
272# Enables or disables logging values of all registered options when starting a
273# service (at DEBUG level). (boolean value)
274#log_options = true
275
276
277[assignment]
278
279#
280# From keystone
281#
282
283# Entrypoint for the assignment backend driver in the keystone.assignment
284# namespace. Supplied drivers are ldap and sql. If an assignment driver is not
285# specified, the identity driver will choose the assignment driver. (string
286# value)
287#driver = <None>
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100288{%- if server.get("assignment", {}).get("backend", "sql") == "ldap" %}
289driver = ldap
Filip Pytlound35151a2016-01-18 16:08:37 +0100290{%- else %}
291driver = sql
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100292{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200293
294
295[auth]
296
297#
298# From keystone
299#
300
301# Allowed authentication methods. (list value)
302#methods = external,password,token,oauth1
303
Alexander Noskov78b81e02016-12-05 16:20:50 +0400304{% if server.websso is defined %}
305methods = external,password,token,{{ server.websso.protocol }}
306{{ server.websso.protocol }} = keystone.auth.plugins.mapped.Mapped
307{%- endif %}
308
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200309# Entrypoint for the password auth plugin module in the keystone.auth.password
310# namespace. (string value)
311#password = <None>
312
313# Entrypoint for the token auth plugin module in the keystone.auth.token
314# namespace. (string value)
315#token = <None>
316
317# Entrypoint for the external (REMOTE_USER) auth plugin module in the
318# keystone.auth.external namespace. Supplied drivers are DefaultDomain and
319# Domain. The default driver is DefaultDomain. (string value)
320#external = <None>
321
322# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
323# namespace. (string value)
324#oauth1 = <None>
325
Alexander Noskov78b81e02016-12-05 16:20:50 +0400326{% if server.websso is defined %}
327[{{ server.websso.protocol }}]
328remote_id_attribute = {{ server.websso.remote_id_attribute }}
329{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200330
331[cache]
332
333#
334# From keystone
335#
336
337# Prefix for building the configuration dictionary for the cache region. This
338# should not need to be changed unless there is another dogpile.cache region
339# with the same configuration name. (string value)
340#config_prefix = cache.keystone
341
342# Default TTL, in seconds, for any cached item in the dogpile.cache region.
343# This applies to any cached method that doesn't have an explicit cache
344# expiration time defined for it. (integer value)
345#expiration_time = 600
346
347# Dogpile.cache backend module. It is recommended that Memcache with pooling
348# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
349# production deployments. Small workloads (single process) like devstack can
350# use the dogpile.cache.memory backend. (string value)
351#backend = keystone.common.cache.noop
352backend=keystone.cache.memcache_pool
353
354# Arguments supplied to the backend module. Specify this option once per
355# argument to be passed to the dogpile.cache backend. Example format:
356# "<argname>:<value>". (multi valued)
357#backend_argument =
358
359# Proxy classes to import that will affect the way the dogpile.cache backend
360# functions. See the dogpile.cache documentation on changing-backend-behavior.
361# (list value)
362#proxies =
363
364# Global toggle for all caching using the should_cache_fn mechanism. (boolean
365# value)
366#enabled = false
367enabled = true
368
369# Extra debugging from the cache backend (cache keys, get/set/delete/etc
370# calls). This is only really useful if you need to see the specific cache-
371# backend get/set/delete calls with the keys/values. Typically this should be
372# left set to false. (boolean value)
373#debug_cache_backend = false
374
375# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
376# keystone.cache.memcache_pool backends only). (list value)
377#memcache_servers = localhost:11211
378{%- if server.cache is defined %}
379{%- if server.cache.members is defined %}
380memcache_servers = {%- for member in server.cache.members %}{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{%- endfor %}
381{%- else %}
382memcache_servers = ['{{ server.cache.host }}:{{ server.cache.port }}']
383{%- endif %}
384{%- endif %}
385
386# Number of seconds memcached server is considered dead before it is tried
387# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
388# only). (integer value)
389#memcache_dead_retry = 300
390memcache_dead_retry = 300
391
392# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
393# keystone.cache.memcache_pool backends only). (integer value)
394#memcache_socket_timeout = 3
395memcache_socket_timeout = 1
396
397# Max total number of open connections to every memcached server.
398# (keystone.cache.memcache_pool backend only). (integer value)
399#memcache_pool_maxsize = 10
400memcache_pool_maxsize = 100
401
402# Number of seconds a connection to memcached is held unused in the pool before
403# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
404#memcache_pool_unused_timeout = 60
405memcache_pool_unused_timeout = 60
406
407# Number of seconds that an operation will wait to get a memcache client
408# connection. (integer value)
409#memcache_pool_connection_get_timeout = 10
410
411
412[catalog]
413
414#
415# From keystone
416#
417
418# Catalog template file name for use with the template catalog backend. (string
419# value)
420#template_file = default_catalog.templates
421template_file = default_catalog.templates
422
423# Entrypoint for the catalog backend driver in the keystone.catalog namespace.
424# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string
425# value)
426driver = sql
427#template_file=/etc/keystone/default_catalog.templates
428
429# Catalog backend driver. (string value)
430#driver=keystone.catalog.backends.sql.Catalog
431#driver=keystone.catalog.backends.sql.Catalog
432
433# Toggle for catalog caching. This has no effect unless global caching is
434# enabled. (boolean value)
435#caching = true
436
437# Time to cache catalog data (in seconds). This has no effect unless global and
438# catalog caching are enabled. (integer value)
439#cache_time = <None>
440
441# Maximum number of entities that will be returned in a catalog collection.
442# (integer value)
443#list_limit = <None>
444
445
446[cors]
447
448#
449# From oslo.middleware
450#
451
452# Indicate whether this resource may be shared with the domain received in the
453# requests "origin" header. (string value)
454#allowed_origin = <None>
455
456# Indicate that the actual request can include user credentials (boolean value)
457#allow_credentials = true
458
459# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
460# Headers. (list value)
461#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
462
463# Maximum cache age of CORS preflight requests. (integer value)
464#max_age = 3600
465
466# Indicate which methods can be used during the actual request. (list value)
467#allow_methods = GET,POST,PUT,DELETE,OPTIONS
468
469# Indicate which header field names may be used during the actual request.
470# (list value)
471#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
472
473
474[cors.subdomain]
475
476#
477# From oslo.middleware
478#
479
480# Indicate whether this resource may be shared with the domain received in the
481# requests "origin" header. (string value)
482#allowed_origin = <None>
483
484# Indicate that the actual request can include user credentials (boolean value)
485#allow_credentials = true
486
487# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
488# Headers. (list value)
489#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
490
491# Maximum cache age of CORS preflight requests. (integer value)
492#max_age = 3600
493
494# Indicate which methods can be used during the actual request. (list value)
495#allow_methods = GET,POST,PUT,DELETE,OPTIONS
496
497# Indicate which header field names may be used during the actual request.
498# (list value)
499#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
500
501
502[credential]
503
504#
505# From keystone
506#
507
508# Entrypoint for the credential backend driver in the keystone.credential
509# namespace. (string value)
510#driver = sql
511
512
513[database]
514
515#
516# From oslo.db
517#
518
519# The file name to use with SQLite. (string value)
520# Deprecated group/name - [DEFAULT]/sqlite_db
521#sqlite_db = oslo.sqlite
522
523# If True, SQLite uses synchronous mode. (boolean value)
524# Deprecated group/name - [DEFAULT]/sqlite_synchronous
525#sqlite_synchronous = true
526
527# The back end to use for the database. (string value)
528# Deprecated group/name - [DEFAULT]/db_backend
529#backend = sqlalchemy
530
531# The SQLAlchemy connection string to use to connect to the database. (string
532# value)
533# Deprecated group/name - [DEFAULT]/sql_connection
534# Deprecated group/name - [DATABASE]/sql_connection
535# Deprecated group/name - [sql]/connection
536#connection = <None>
537connection={{ server.database.engine }}://{{ server.database.user }}:{{ server.database.password }}@{{ server.database.host }}/{{ server.database.name }}
538
539# The SQLAlchemy connection string to use to connect to the slave database.
540# (string value)
541#slave_connection = <None>
542
543# The SQL mode to be used for MySQL sessions. This option, including the
544# default, overrides any server-set SQL mode. To use whatever SQL mode is set
545# by the server configuration, set this to no value. Example: mysql_sql_mode=
546# (string value)
547#mysql_sql_mode = TRADITIONAL
548
549# Timeout before idle SQL connections are reaped. (integer value)
550# Deprecated group/name - [DEFAULT]/sql_idle_timeout
551# Deprecated group/name - [DATABASE]/sql_idle_timeout
552# Deprecated group/name - [sql]/idle_timeout
553#idle_timeout = 3600
554idle_timeout = 3600
555
556# Minimum number of SQL connections to keep open in a pool. (integer value)
557# Deprecated group/name - [DEFAULT]/sql_min_pool_size
558# Deprecated group/name - [DATABASE]/sql_min_pool_size
559#min_pool_size = 1
560
561# Maximum number of SQL connections to keep open in a pool. (integer value)
562# Deprecated group/name - [DEFAULT]/sql_max_pool_size
563# Deprecated group/name - [DATABASE]/sql_max_pool_size
564#max_pool_size = <None>
565max_pool_size=10
566max_overflow=30
567max_retries=-1
568
569# Maximum number of database connection retries during startup. Set to -1 to
570# specify an infinite retry count. (integer value)
571# Deprecated group/name - [DEFAULT]/sql_max_retries
572# Deprecated group/name - [DATABASE]/sql_max_retries
573#max_retries = 10
574
575# Interval between retries of opening a SQL connection. (integer value)
576# Deprecated group/name - [DEFAULT]/sql_retry_interval
577# Deprecated group/name - [DATABASE]/reconnect_interval
578#retry_interval = 10
579
580# If set, use this value for max_overflow with SQLAlchemy. (integer value)
581# Deprecated group/name - [DEFAULT]/sql_max_overflow
582# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
583#max_overflow = <None>
584
585# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
586# value)
587# Deprecated group/name - [DEFAULT]/sql_connection_debug
588#connection_debug = 0
589
590# Add Python stack traces to SQL as comment strings. (boolean value)
591# Deprecated group/name - [DEFAULT]/sql_connection_trace
592#connection_trace = false
593
594# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
595# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
596#pool_timeout = <None>
597
598# Enable the experimental use of database reconnect on connection lost.
599# (boolean value)
600#use_db_reconnect = false
601
602# Seconds between retries of a database transaction. (integer value)
603#db_retry_interval = 1
604
605# If True, increases the interval between retries of a database operation up to
606# db_max_retry_interval. (boolean value)
607#db_inc_retry_interval = true
608
609# If db_inc_retry_interval is set, the maximum seconds between retries of a
610# database operation. (integer value)
611#db_max_retry_interval = 10
612
613# Maximum retries in case of connection error or deadlock error before error is
614# raised. Set to -1 to specify an infinite retry count. (integer value)
615#db_max_retries = 20
616
617
618[domain_config]
619
620#
621# From keystone
622#
623
624# Entrypoint for the domain config backend driver in the
625# keystone.resource.domain_config namespace. (string value)
626#driver = sql
627
628# Toggle for domain config caching. This has no effect unless global caching is
629# enabled. (boolean value)
630#caching = true
631
632# TTL (in seconds) to cache domain config data. This has no effect unless
633# domain config caching is enabled. (integer value)
634#cache_time = 300
635
636
637[endpoint_filter]
638
639#
640# From keystone
641#
642
643# Entrypoint for the endpoint filter backend driver in the
644# keystone.endpoint_filter namespace. (string value)
645#driver = sql
646
647# Toggle to return all active endpoints if no filter exists. (boolean value)
648#return_all_endpoints_if_no_filter = true
649
650
651[endpoint_policy]
652
653#
654# From keystone
655#
656
657# Enable endpoint_policy functionality. (boolean value)
658#enabled = true
659
660# Entrypoint for the endpoint policy backend driver in the
661# keystone.endpoint_policy namespace. (string value)
662#driver = sql
663
664
665[eventlet_server]
666
667#
668# From keystone
669#
670
671# The number of worker processes to serve the public eventlet application.
672# Defaults to number of CPUs (minimum of 2). (integer value)
673# Deprecated group/name - [DEFAULT]/public_workers
674# This option is deprecated for removal.
675# Its value may be silently ignored in the future.
676#public_workers = <None>
677
678# The number of worker processes to serve the admin eventlet application.
679# Defaults to number of CPUs (minimum of 2). (integer value)
680# Deprecated group/name - [DEFAULT]/admin_workers
681# This option is deprecated for removal.
682# Its value may be silently ignored in the future.
683#admin_workers = <None>
684
685# The IP address of the network interface for the public service to listen on.
686# (string value)
687# Deprecated group/name - [DEFAULT]/bind_host
688# Deprecated group/name - [DEFAULT]/public_bind_host
689# This option is deprecated for removal.
690# Its value may be silently ignored in the future.
691#public_bind_host = 0.0.0.0
692public_bind_host={% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}
693
694# The port number which the public service listens on. (integer value)
695# Minimum value: 1
696# Maximum value: 65535
697# Deprecated group/name - [DEFAULT]/public_port
698# This option is deprecated for removal.
699# Its value may be silently ignored in the future.
700#public_port = 5000
701
702# The IP address of the network interface for the admin service to listen on.
703# (string value)
704# Deprecated group/name - [DEFAULT]/bind_host
705# Deprecated group/name - [DEFAULT]/admin_bind_host
706# This option is deprecated for removal.
707# Its value may be silently ignored in the future.
708#admin_bind_host = 0.0.0.0
709admin_bind_host={% if server.bind.address is defined %}{{ server.bind.address }}{% else %}{{ server.bind.public_address }}{% endif %}
710
711# The port number which the admin service listens on. (integer value)
712# Minimum value: 1
713# Maximum value: 65535
714# Deprecated group/name - [DEFAULT]/admin_port
715# This option is deprecated for removal.
716# Its value may be silently ignored in the future.
717#admin_port = 35357
718
719# If set to false, disables keepalives on the server; all connections will be
720# closed after serving one request. (boolean value)
721#wsgi_keep_alive = true
722
723# Timeout for socket operations on a client connection. If an incoming
724# connection is idle for this number of seconds it will be closed. A value of
725# '0' means wait forever. (integer value)
726#client_socket_timeout = 900
727
728# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
729# sockets used by the Keystone wsgi server for client connections. (boolean
730# value)
731# Deprecated group/name - [DEFAULT]/tcp_keepalive
732# This option is deprecated for removal.
733# Its value may be silently ignored in the future.
734#tcp_keepalive = false
735
736# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
737# applies if tcp_keepalive is true. (integer value)
738# Deprecated group/name - [DEFAULT]/tcp_keepidle
739# This option is deprecated for removal.
740# Its value may be silently ignored in the future.
741#tcp_keepidle = 600
742
743
744[eventlet_server_ssl]
745
746#
747# From keystone
748#
749
750# Toggle for SSL support on the Keystone eventlet servers. (boolean value)
751# Deprecated group/name - [ssl]/enable
752# This option is deprecated for removal.
753# Its value may be silently ignored in the future.
754#enable = false
755
756# Path of the certfile for SSL. For non-production environments, you may be
757# interested in using `keystone-manage ssl_setup` to generate self-signed
758# certificates. (string value)
759# Deprecated group/name - [ssl]/certfile
760# This option is deprecated for removal.
761# Its value may be silently ignored in the future.
762#certfile = /etc/keystone/ssl/certs/keystone.pem
763
764# Path of the keyfile for SSL. (string value)
765# Deprecated group/name - [ssl]/keyfile
766# This option is deprecated for removal.
767# Its value may be silently ignored in the future.
768#keyfile = /etc/keystone/ssl/private/keystonekey.pem
769
770# Path of the CA cert file for SSL. (string value)
771# Deprecated group/name - [ssl]/ca_certs
772# This option is deprecated for removal.
773# Its value may be silently ignored in the future.
774#ca_certs = /etc/keystone/ssl/certs/ca.pem
775
776# Require client certificate. (boolean value)
777# Deprecated group/name - [ssl]/cert_required
778# This option is deprecated for removal.
779# Its value may be silently ignored in the future.
780#cert_required = false
781
782
783[federation]
784
785#
786# From keystone
787#
788
789# Entrypoint for the federation backend driver in the keystone.federation
790# namespace. (string value)
791#driver = sql
Alexander Noskov78b81e02016-12-05 16:20:50 +0400792{% if server.websso is defined %}
793driver = {{ server.websso.federation_driver }}
794{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200795
796# Value to be used when filtering assertion parameters from the environment.
797# (string value)
798#assertion_prefix =
799
800# Value to be used to obtain the entity ID of the Identity Provider from the
801# environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
802# Provider`). (string value)
803#remote_id_attribute = <None>
804
805# A domain name that is reserved to allow federated ephemeral users to have a
806# domain concept. Note that an admin will not be able to create a domain with
807# this name or update an existing domain to this name. You are not advised to
808# change this value unless you really have to. (string value)
809#federated_domain_name = Federated
810
811# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
812# to return a token, the origin host must be a member of the trusted_dashboard
813# list. This configuration option may be repeated for multiple values. For
814# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
815# (multi valued)
816#trusted_dashboard =
Alexander Noskov78b81e02016-12-05 16:20:50 +0400817{%- if server.websso is defined %}
818{%- if server.websso.trusted_dashboard is defined %}
819{%- for dashboard in server.websso.trusted_dashboard %}
820trusted_dashboard = {{ dashboard }}
821{%- endfor %}
822{%- endif %}
823{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200824
825# Location of Single Sign-On callback handler, will return a token to a trusted
826# dashboard host. (string value)
827#sso_callback_template = /etc/keystone/sso_callback_template.html
828
829
830[fernet_tokens]
831
832#
833# From keystone
834#
835
836# Directory containing Fernet token keys. (string value)
837#key_repository = /etc/keystone/fernet-keys/
838key_repository = {{ server.tokens.location }}
839
840# This controls how many keys are held in rotation by keystone-manage
841# fernet_rotate before they are discarded. The default value of 3 means that
842# keystone will maintain one staged key, one primary key, and one secondary
843# key. Increasing this value means that additional secondary keys will be kept
844# in the rotation. (integer value)
845#max_active_keys = 3
Jakub Pavlik6b0b74a2016-09-01 10:49:14 +0200846max_active_keys={{ server.tokens.get('max_active_keys', '3') }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200847
848[identity]
849
850#
851# From keystone
852#
853
854# This references the domain to use for all Identity API v2 requests (which are
855# not aware of domains). A domain with this ID will be created for you by
856# keystone-manage db_sync in migration 008. The domain referenced by this ID
857# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
858# There is nothing special about this domain, other than the fact that it must
859# exist to order to maintain support for your v2 clients. (string value)
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100860{%- if server.get('domain', {}) %}
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100861{%- for name, domain in server.domain.iteritems() %}
862{%- if domain.get('default', False) %}
863default_domain_id = {{ name }}
864{%- endif %}
865{%- endfor %}
866{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200867
868# A subset (or all) of domains can have their own identity driver, each with
869# their own partial configuration options, stored in either the resource
870# backend or in a file in a domain configuration directory (depending on the
871# setting of domain_configurations_from_database). Only values specific to the
872# domain need to be specified in this manner. This feature is disabled by
873# default; set to true to enable. (boolean value)
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100874{%- if server.get('domain', {}) %}
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100875domain_specific_drivers_enabled = true
876{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200877
878# Extract the domain specific configuration options from the resource backend
879# where they have been stored with the domain data. This feature is disabled by
880# default (in which case the domain specific options will be loaded from files
881# in the domain configuration directory); set to true to enable. (boolean
882# value)
883#domain_configurations_from_database = false
884
885# Path for Keystone to locate the domain specific identity configuration files
886# if domain_specific_drivers_enabled is set to true. (string value)
Filip Pytlounaf25d8d2016-01-12 14:21:39 +0100887{%- if server.get('domain', {}) %}
Filip Pytloun6b9ec2b2016-01-12 13:52:01 +0100888domain_config_dir = /etc/keystone/domains
889{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200890
891# Entrypoint for the identity backend driver in the keystone.identity
892# namespace. Supplied drivers are ldap and sql. (string value)
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100893{%- if server.get('backend', 'sql') == 'ldap' %}
894driver = ldap
895{%- else %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200896driver = sql
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100897{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200898
899# Toggle for identity caching. This has no effect unless global caching is
900# enabled. (boolean value)
901#caching = true
902
903# Time to cache identity data (in seconds). This has no effect unless global
904# and identity caching are enabled. (integer value)
905#cache_time = 600
906
907# Maximum supported length for user passwords; decrease to improve performance.
908# (integer value)
909# Maximum value: 4096
910#max_password_length = 4096
911
912# Maximum number of entities that will be returned in an identity collection.
913# (integer value)
914#list_limit = <None>
915
916
917[identity_mapping]
918
919#
920# From keystone
921#
922
923# Entrypoint for the identity mapping backend driver in the
924# keystone.identity.id_mapping namespace. (string value)
925#driver = sql
926
927# Entrypoint for the public ID generator for user and group entities in the
928# keystone.identity.id_generator namespace. The Keystone identity mapper only
929# supports generators that produce no more than 64 characters. (string value)
930#generator = sha256
931
932# The format of user and group IDs changed in Juno for backends that do not
933# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
934# underlying attribute in LDAP. By default this mapping is disabled, which
935# ensures that existing IDs will not change. Even when the mapping is enabled
936# by using domain specific drivers, any users and groups from the default
937# domain being handled by LDAP will still not be mapped to ensure their IDs
938# remain backward compatible. Setting this value to False will enable the
939# mapping for even the default LDAP driver. It is only safe to do this if you
940# do not already have assignments for users and groups from the default LDAP
941# domain, and it is acceptable for Keystone to provide the different IDs to
942# clients than it did previously. Typically this means that the only time you
943# can set this value to False is when configuring a fresh installation.
944# (boolean value)
945#backward_compatible_ids = true
946
947
948[kvs]
949
950#
951# From keystone
952#
953
954# Extra dogpile.cache backend modules to register with the dogpile.cache
955# library. (list value)
956#backends =
957
958# Prefix for building the configuration dictionary for the KVS region. This
959# should not need to be changed unless there is another dogpile.cache region
960# with the same configuration name. (string value)
961#config_prefix = keystone.kvs
962
963# Toggle to disable using a key-mangling function to ensure fixed length keys.
964# This is toggle-able for debugging purposes, it is highly recommended to
965# always leave this set to true. (boolean value)
966#enable_key_mangler = true
967
968# Default lock timeout (in seconds) for distributed locking. (integer value)
969#default_lock_timeout = 5
970
Filip Pytloun1abfdd72016-01-18 11:35:17 +0100971{%- if server.get("backend", "sql") == "ldap" %}
972{%- set ldap = server.ldap %}
973{% include "keystone/files/_ldap.conf" %}
974{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +0200975
976[matchmaker_redis]
977
978#
979# From oslo.messaging
980#
981
982# Host to locate redis. (string value)
983#host = 127.0.0.1
984
985# Use this port to connect to redis host. (integer value)
986#port = 6379
987
988# Password for Redis server (optional). (string value)
989#password = <None>
990
991
992[matchmaker_ring]
993
994#
995# From oslo.messaging
996#
997
998# Matchmaker ring file (JSON). (string value)
999# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
1000#ringfile = /etc/oslo/matchmaker_ring.json
1001
1002
1003[memcache]
1004
1005#
1006# From keystone
1007#
1008
1009# Memcache servers in the format of "host:port". (list value)
1010#servers = localhost:11211
1011{%- if server.cache is defined %}
1012{%- if server.cache.members is defined %}
1013servers = {%- for member in server.cache.members %}{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{%- endfor %}
1014{%- else %}
1015servers = ['{{ server.cache.host }}:{{ server.cache.port }}']
1016{%- endif %}
1017{%- endif %}
1018# Number of seconds memcached server is considered dead before it is tried
1019# again. This is used by the key value store system (e.g. token pooled
1020# memcached persistence backend). (integer value)
1021#dead_retry = 300
1022
1023# Timeout in seconds for every call to a server. This is used by the key value
1024# store system (e.g. token pooled memcached persistence backend). (integer
1025# value)
1026#socket_timeout = 3
1027
1028# Max total number of open connections to every memcached server. This is used
1029# by the key value store system (e.g. token pooled memcached persistence
1030# backend). (integer value)
1031#pool_maxsize = 10
1032
1033# Number of seconds a connection to memcached is held unused in the pool before
1034# it is closed. This is used by the key value store system (e.g. token pooled
1035# memcached persistence backend). (integer value)
1036#pool_unused_timeout = 60
1037
1038# Number of seconds that an operation will wait to get a memcache client
1039# connection. This is used by the key value store system (e.g. token pooled
1040# memcached persistence backend). (integer value)
1041#pool_connection_get_timeout = 10
1042
1043
1044[oauth1]
1045
1046#
1047# From keystone
1048#
1049
1050# Entrypoint for hte OAuth backend driver in the keystone.oauth1 namespace.
1051# (string value)
1052#driver = sql
1053
1054# Duration (in seconds) for the OAuth Request Token. (integer value)
1055#request_token_duration = 28800
1056
1057# Duration (in seconds) for the OAuth Access Token. (integer value)
1058#access_token_duration = 86400
1059
1060
1061[os_inherit]
1062
1063#
1064# From keystone
1065#
1066
1067# role-assignment inheritance to projects from owning domain or from projects
1068# higher in the hierarchy can be optionally enabled. (boolean value)
1069#enabled = false
1070
1071
1072[oslo_messaging_amqp]
1073
1074#
1075# From oslo.messaging
1076#
1077
1078# address prefix used when sending to a specific server (string value)
1079# Deprecated group/name - [amqp1]/server_request_prefix
1080#server_request_prefix = exclusive
1081
1082# address prefix used when broadcasting to all servers (string value)
1083# Deprecated group/name - [amqp1]/broadcast_prefix
1084#broadcast_prefix = broadcast
1085
1086# address prefix when sending to any server in group (string value)
1087# Deprecated group/name - [amqp1]/group_request_prefix
1088#group_request_prefix = unicast
1089
1090# Name for the AMQP container (string value)
1091# Deprecated group/name - [amqp1]/container_name
1092#container_name = <None>
1093
1094# Timeout for inactive connections (in seconds) (integer value)
1095# Deprecated group/name - [amqp1]/idle_timeout
1096#idle_timeout = 0
1097
1098# Debug: dump AMQP frames to stdout (boolean value)
1099# Deprecated group/name - [amqp1]/trace
1100#trace = false
1101
1102# CA certificate PEM file to verify server certificate (string value)
1103# Deprecated group/name - [amqp1]/ssl_ca_file
1104#ssl_ca_file =
1105
1106# Identifying certificate PEM file to present to clients (string value)
1107# Deprecated group/name - [amqp1]/ssl_cert_file
1108#ssl_cert_file =
1109
1110# Private key PEM file used to sign cert_file certificate (string value)
1111# Deprecated group/name - [amqp1]/ssl_key_file
1112#ssl_key_file =
1113
1114# Password for decrypting ssl_key_file (if encrypted) (string value)
1115# Deprecated group/name - [amqp1]/ssl_key_password
1116#ssl_key_password = <None>
1117
1118# Accept clients using either SSL or plain TCP (boolean value)
1119# Deprecated group/name - [amqp1]/allow_insecure_clients
1120#allow_insecure_clients = false
1121
1122
1123[oslo_messaging_qpid]
1124
1125#
1126# From oslo.messaging
1127#
1128
1129# Use durable queues in AMQP. (boolean value)
1130# Deprecated group/name - [DEFAULT]/amqp_durable_queues
1131# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
1132#amqp_durable_queues = false
1133
1134# Auto-delete queues in AMQP. (boolean value)
1135# Deprecated group/name - [DEFAULT]/amqp_auto_delete
1136#amqp_auto_delete = false
1137
1138# Send a single AMQP reply to call message. The current behaviour since oslo-
1139# incubator is to send two AMQP replies - first one with the payload, a second
1140# one to ensure the other have finish to send the payload. We are going to
1141# remove it in the N release, but we must keep backward compatible at the same
1142# time. This option provides such compatibility - it defaults to False in
1143# Liberty and can be turned on for early adopters with a new installations or
1144# for testing. Please note, that this option will be removed in the Mitaka
1145# release. (boolean value)
1146#send_single_reply = false
1147
1148# Qpid broker hostname. (string value)
1149# Deprecated group/name - [DEFAULT]/qpid_hostname
1150#qpid_hostname = localhost
1151
1152# Qpid broker port. (integer value)
1153# Deprecated group/name - [DEFAULT]/qpid_port
1154#qpid_port = 5672
1155
1156# Qpid HA cluster host:port pairs. (list value)
1157# Deprecated group/name - [DEFAULT]/qpid_hosts
1158#qpid_hosts = $qpid_hostname:$qpid_port
1159
1160# Username for Qpid connection. (string value)
1161# Deprecated group/name - [DEFAULT]/qpid_username
1162#qpid_username =
1163
1164# Password for Qpid connection. (string value)
1165# Deprecated group/name - [DEFAULT]/qpid_password
1166#qpid_password =
1167
1168# Space separated list of SASL mechanisms to use for auth. (string value)
1169# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
1170#qpid_sasl_mechanisms =
1171
1172# Seconds between connection keepalive heartbeats. (integer value)
1173# Deprecated group/name - [DEFAULT]/qpid_heartbeat
1174#qpid_heartbeat = 60
1175
1176# Transport to use, either 'tcp' or 'ssl'. (string value)
1177# Deprecated group/name - [DEFAULT]/qpid_protocol
1178#qpid_protocol = tcp
1179
1180# Whether to disable the Nagle algorithm. (boolean value)
1181# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
1182#qpid_tcp_nodelay = true
1183
1184# The number of prefetched messages held by receiver. (integer value)
1185# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity
1186#qpid_receiver_capacity = 1
1187
1188# The qpid topology version to use. Version 1 is what was originally used by
1189# impl_qpid. Version 2 includes some backwards-incompatible changes that allow
1190# broker federation to work. Users should update to version 2 when they are
1191# able to take everything down, as it requires a clean break. (integer value)
1192# Deprecated group/name - [DEFAULT]/qpid_topology_version
1193#qpid_topology_version = 1
1194
1195
1196[oslo_messaging_rabbit]
1197
1198#
1199# From oslo.messaging
1200#
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001201{%- if server.notification %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001202# Use durable queues in AMQP. (boolean value)
1203# Deprecated group/name - [DEFAULT]/amqp_durable_queues
1204# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
1205#amqp_durable_queues = false
1206
1207# Auto-delete queues in AMQP. (boolean value)
1208# Deprecated group/name - [DEFAULT]/amqp_auto_delete
1209#amqp_auto_delete = false
1210
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001211# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
1212# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
1213# distributions. (string value)
1214# Deprecated group/name - [DEFAULT]/kombu_ssl_version
1215#kombu_ssl_version =
1216
1217# SSL key file (valid only if SSL enabled). (string value)
1218# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
1219#kombu_ssl_keyfile =
1220
1221# SSL cert file (valid only if SSL enabled). (string value)
1222# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
1223#kombu_ssl_certfile =
1224
1225# SSL certification authority file (valid only if SSL enabled). (string value)
1226# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs
1227#kombu_ssl_ca_certs =
1228
1229# How long to wait before reconnecting in response to an AMQP consumer cancel
1230# notification. (floating point value)
1231# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
1232#kombu_reconnect_delay = 1.0
1233
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001234# The RabbitMQ broker address where a single node is used. (string value)
1235# Deprecated group/name - [DEFAULT]/rabbit_host
1236#rabbit_host = localhost
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001237rabbit_host = {{ server.message_queue.host }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001238
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001239# The RabbitMQ broker port where a single node is used. (port value)
1240# Minimum value: 0
1241# Maximum value: 65535
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001242# Deprecated group/name - [DEFAULT]/rabbit_port
1243#rabbit_port = 5672
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001244rabbit_port = {{ server.message_queue.port }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001245
1246# RabbitMQ HA cluster host:port pairs. (list value)
1247# Deprecated group/name - [DEFAULT]/rabbit_hosts
1248#rabbit_hosts = $rabbit_host:$rabbit_port
1249
1250# Connect over SSL for RabbitMQ. (boolean value)
1251# Deprecated group/name - [DEFAULT]/rabbit_use_ssl
1252#rabbit_use_ssl = false
1253
1254# The RabbitMQ userid. (string value)
1255# Deprecated group/name - [DEFAULT]/rabbit_userid
1256#rabbit_userid = guest
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001257rabbit_userid = {{ server.message_queue.user }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001258
1259# The RabbitMQ password. (string value)
1260# Deprecated group/name - [DEFAULT]/rabbit_password
1261#rabbit_password = guest
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001262rabbit_password = {{ server.message_queue.password }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001263
1264# The RabbitMQ login method. (string value)
1265# Deprecated group/name - [DEFAULT]/rabbit_login_method
1266#rabbit_login_method = AMQPLAIN
1267
1268# The RabbitMQ virtual host. (string value)
1269# Deprecated group/name - [DEFAULT]/rabbit_virtual_host
1270#rabbit_virtual_host = /
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001271rabbit_virtual_host = {{ server.message_queue.virtual_host }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001272
1273# How frequently to retry connecting with RabbitMQ. (integer value)
1274#rabbit_retry_interval = 1
1275
1276# How long to backoff for between retries when connecting to RabbitMQ. (integer
1277# value)
1278# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
1279#rabbit_retry_backoff = 2
1280
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001281# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
1282# (integer value)
1283#rabbit_interval_max = 30
1284
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001285# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry
1286# count). (integer value)
1287# Deprecated group/name - [DEFAULT]/rabbit_max_retries
1288#rabbit_max_retries = 0
1289
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001290# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
1291# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
1292# is no longer controlled by the x-ha-policy argument when declaring a queue.
1293# If you just want to make sure that all queues (except those with auto-
1294# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
1295# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001296# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
1297#rabbit_ha_queues = false
1298
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001299# Positive integer representing duration in seconds for queue TTL (x-expires).
1300# Queues which are unused for the duration of the TTL are automatically
1301# deleted. The parameter affects only reply and fanout queues. (integer value)
1302# Minimum value: 1
1303#rabbit_transient_queues_ttl = 1800
1304
1305# Specifies the number of messages to prefetch. Setting to zero allows
1306# unlimited messages. (integer value)
1307#rabbit_qos_prefetch_count = 0
1308
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001309# Number of seconds after which the Rabbit broker is considered down if
1310# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
1311# value)
1312#heartbeat_timeout_threshold = 60
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001313heartbeat_timeout_threshold = 0
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001314
1315# How often times during the heartbeat_timeout_threshold we check the
1316# heartbeat. (integer value)
1317#heartbeat_rate = 2
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001318heartbeat_rate = 2
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001319
1320# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
1321# Deprecated group/name - [DEFAULT]/fake_rabbit
1322#fake_rabbit = false
Jakub Pavlik72e31d62016-04-08 16:26:57 +02001323{%- endif %}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001324
1325[oslo_middleware]
1326
1327#
1328# From oslo.middleware
1329#
1330
1331# The maximum body size for each request, in bytes. (integer value)
1332# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
1333# Deprecated group/name - [DEFAULT]/max_request_body_size
1334#max_request_body_size = 114688
1335
1336#
1337# From oslo.middleware
1338#
1339
1340# The HTTP Header that will be used to determine what the original request
1341# protocol scheme was, even if it was hidden by an SSL termination proxy.
1342# (string value)
1343#secure_proxy_ssl_header = X-Forwarded-Proto
1344
1345
1346[oslo_policy]
1347
1348#
1349# From oslo.policy
1350#
1351
1352# The JSON file that defines policies. (string value)
1353# Deprecated group/name - [DEFAULT]/policy_file
1354#policy_file = policy.json
1355
1356# Default rule. Enforced when a requested rule is not found. (string value)
1357# Deprecated group/name - [DEFAULT]/policy_default_rule
1358#policy_default_rule = default
1359
1360# Directories where policy configuration files are stored. They can be relative
1361# to any directory in the search path defined by the config_dir option, or
1362# absolute paths. The file defined by policy_file must exist for these
1363# directories to be searched. Missing or empty directories are ignored. (multi
1364# valued)
1365# Deprecated group/name - [DEFAULT]/policy_dirs
1366# This option is deprecated for removal.
1367# Its value may be silently ignored in the future.
1368#policy_dirs = policy.d
1369
1370
1371[paste_deploy]
1372
1373#
1374# From keystone
1375#
1376
1377# Name of the paste configuration file that defines the available pipelines.
1378# (string value)
1379#config_file = keystone-paste.ini
1380
1381
1382[policy]
1383
1384#
1385# From keystone
1386#
1387
1388# Entrypoint for the policy backend driver in the keystone.policy namespace.
1389# Supplied drivers are rules and sql. (string value)
1390#driver = sql
1391
1392# Maximum number of entities that will be returned in a policy collection.
1393# (integer value)
1394#list_limit = <None>
1395
1396
1397[resource]
1398
1399#
1400# From keystone
1401#
1402
1403# Entrypoint for the resource backend driver in the keystone.resource
1404# namespace. Supplied drivers are ldap and sql. If a resource driver is not
1405# specified, the assignment driver will choose the resource driver. (string
1406# value)
1407#driver = <None>
1408
1409# Toggle for resource caching. This has no effect unless global caching is
1410# enabled. (boolean value)
1411# Deprecated group/name - [assignment]/caching
1412#caching = true
1413
1414# TTL (in seconds) to cache resource data. This has no effect unless global
1415# caching is enabled. (integer value)
1416# Deprecated group/name - [assignment]/cache_time
1417#cache_time = <None>
1418
1419# Maximum number of entities that will be returned in a resource collection.
1420# (integer value)
1421# Deprecated group/name - [assignment]/list_limit
1422#list_limit = <None>
1423
1424
1425[revoke]
1426
1427#
1428# From keystone
1429#
1430
1431# Entrypoint for an implementation of the backend for persisting revocation
1432# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
1433# (string value)
1434#driver = sql
1435
1436# This value (calculated in seconds) is added to token expiration before a
1437# revocation event may be removed from the backend. (integer value)
1438#expiration_buffer = 1800
1439
1440# Toggle for revocation event caching. This has no effect unless global caching
1441# is enabled. (boolean value)
1442#caching = true
1443
1444# Time to cache the revocation list and the revocation events (in seconds).
1445# This has no effect unless global and token caching are enabled. (integer
1446# value)
1447# Deprecated group/name - [token]/revocation_cache_time
1448#cache_time = 3600
1449
1450
1451[role]
1452
1453#
1454# From keystone
1455#
1456
1457# Entrypoint for the role backend driver in the keystone.role namespace.
1458# Supplied drivers are ldap and sql. (string value)
1459#driver = <None>
1460
1461# Toggle for role caching. This has no effect unless global caching is enabled.
1462# (boolean value)
1463#caching = true
1464
1465# TTL (in seconds) to cache role data. This has no effect unless global caching
1466# is enabled. (integer value)
1467#cache_time = <None>
1468
1469# Maximum number of entities that will be returned in a role collection.
1470# (integer value)
1471#list_limit = <None>
1472
1473
1474[saml]
1475
1476#
1477# From keystone
1478#
1479
1480# Default TTL, in seconds, for any generated SAML assertion created by
1481# Keystone. (integer value)
1482#assertion_expiration_time = 3600
1483
1484# Binary to be called for XML signing. Install the appropriate package, specify
1485# absolute path or adjust your PATH environment variable if the binary cannot
1486# be found. (string value)
1487#xmlsec1_binary = xmlsec1
1488
1489# Path of the certfile for SAML signing. For non-production environments, you
1490# may be interested in using `keystone-manage pki_setup` to generate self-
1491# signed certificates. Note, the path cannot contain a comma. (string value)
1492#certfile = /etc/keystone/ssl/certs/signing_cert.pem
1493
1494# Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
1495# (string value)
1496#keyfile = /etc/keystone/ssl/private/signing_key.pem
1497
1498# Entity ID value for unique Identity Provider identification. Usually FQDN is
1499# set with a suffix. A value is required to generate IDP Metadata. For example:
1500# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value)
1501#idp_entity_id = <None>
1502
1503# Identity Provider Single-Sign-On service value, required in the Identity
1504# Provider's metadata. A value is required to generate IDP Metadata. For
1505# example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string
1506# value)
1507#idp_sso_endpoint = <None>
1508
1509# Language used by the organization. (string value)
1510#idp_lang = en
1511
1512# Organization name the installation belongs to. (string value)
1513#idp_organization_name = <None>
1514
1515# Organization name to be displayed. (string value)
1516#idp_organization_display_name = <None>
1517
1518# URL of the organization. (string value)
1519#idp_organization_url = <None>
1520
1521# Company of contact person. (string value)
1522#idp_contact_company = <None>
1523
1524# Given name of contact person (string value)
1525#idp_contact_name = <None>
1526
1527# Surname of contact person. (string value)
1528#idp_contact_surname = <None>
1529
1530# Email address of contact person. (string value)
1531#idp_contact_email = <None>
1532
1533# Telephone number of contact person. (string value)
1534#idp_contact_telephone = <None>
1535
1536# The contact type describing the main point of contact for the identity
1537# provider. (string value)
1538# Allowed values: technical, support, administrative, billing, other
1539#idp_contact_type = other
1540
1541# Path to the Identity Provider Metadata file. This file should be generated
1542# with the keystone-manage saml_idp_metadata command. (string value)
1543#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
1544
1545# The prefix to use for the RelayState SAML attribute, used when generating ECP
1546# wrapped assertions. (string value)
1547#relay_state_prefix = ss:mem:
1548
1549
1550[signing]
1551
1552#
1553# From keystone
1554#
1555
1556# Path of the certfile for token signing. For non-production environments, you
1557# may be interested in using `keystone-manage pki_setup` to generate self-
1558# signed certificates. (string value)
1559#certfile = /etc/keystone/ssl/certs/signing_cert.pem
1560
1561# Path of the keyfile for token signing. (string value)
1562#keyfile = /etc/keystone/ssl/private/signing_key.pem
1563
1564# Path of the CA for token signing. (string value)
1565#ca_certs = /etc/keystone/ssl/certs/ca.pem
1566
1567# Path of the CA key for token signing. (string value)
1568#ca_key = /etc/keystone/ssl/private/cakey.pem
1569
1570# Key size (in bits) for token signing cert (auto generated certificate).
1571# (integer value)
1572# Minimum value: 1024
1573#key_size = 2048
1574
1575# Days the token signing cert is valid for (auto generated certificate).
1576# (integer value)
1577#valid_days = 3650
1578
1579# Certificate subject (auto generated certificate) for token signing. (string
1580# value)
1581#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
1582
1583
1584[ssl]
1585
1586#
1587# From keystone
1588#
1589
1590# Path of the CA key file for SSL. (string value)
1591#ca_key = /etc/keystone/ssl/private/cakey.pem
1592
1593# SSL key length (in bits) (auto generated certificate). (integer value)
1594# Minimum value: 1024
1595#key_size = 1024
1596
1597# Days the certificate is valid for once signed (auto generated certificate).
1598# (integer value)
1599#valid_days = 3650
1600
1601# SSL certificate subject (auto generated certificate). (string value)
1602#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
1603
1604
1605[token]
1606
1607#
1608# From keystone
1609#
1610
1611# External auth mechanisms that should add bind information to token, e.g.,
1612# kerberos,x509. (list value)
1613#bind =
1614
1615# Enforcement policy on tokens presented to Keystone with bind information. One
1616# of disabled, permissive, strict, required or a specifically required bind
1617# mode, e.g., kerberos or x509 to require binding to that authentication.
1618# (string value)
1619#enforce_token_bind = permissive
1620
1621# Amount of time a token should remain valid (in seconds). (integer value)
1622#expiration = 3600
1623
1624# Controls the token construction, validation, and revocation operations.
1625# Entrypoint in the keystone.token.provider namespace. Core providers are
1626# [fernet|pkiz|pki|uuid]. (string value)
1627#provider = uuid
1628#expiration = 3600
Jakub Pavlik6a6a6212016-01-31 15:20:24 +01001629expiration = {{ server.tokens.expiration }}
Jakub Pavlik0fa0f442015-10-19 16:32:35 +02001630# Controls the token construction, validation, and revocation operations. Core
1631# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider".
1632# (string value)
1633#provider = keystone.token.providers.uuid.Provider
1634{% if server.tokens.engine == 'fernet' %}
1635provider = keystone.token.providers.fernet.Provider
1636{% endif %}
1637
1638#driver=keystone.token.persistence.backends.memcache_pool.Token
1639
1640# Entrypoint for the token persistence backend driver in the
1641# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
1642# memcache_pool, and sql. (string value)
1643driver = memcache_pool
1644
1645# Toggle for token system caching. This has no effect unless global caching is
1646# enabled. (boolean value)
1647#caching = true
1648
1649# Time to cache tokens (in seconds). This has no effect unless global and token
1650# caching are enabled. (integer value)
1651#cache_time = <None>
1652
1653# Revoke token by token identifier. Setting revoke_by_id to true enables
1654# various forms of enumerating tokens, e.g. `list tokens for user`. These
1655# enumerations are processed to determine the list of tokens to revoke. Only
1656# disable if you are switching to using the Revoke extension with a backend
1657# other than KVS, which stores events in memory. (boolean value)
1658#revoke_by_id = true
1659
1660# Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false
1661# prevents a user from exchanging a scoped token for any other token. (boolean
1662# value)
1663#allow_rescope_scoped_token = true
1664
1665# The hash algorithm to use for PKI tokens. This can be set to any algorithm
1666# that hashlib supports. WARNING: Before changing this value, the auth_token
1667# middleware must be configured with the hash_algorithms, otherwise token
1668# revocation will not be processed correctly. (string value)
1669#hash_algorithm = md5
1670
1671
1672[tokenless_auth]
1673
1674#
1675# From keystone
1676#
1677
1678# The list of trusted issuers to further filter the certificates that are
1679# allowed to participate in the X.509 tokenless authorization. If the option is
1680# absent then no certificates will be allowed. The naming format for the
1681# attributes of a Distinguished Name(DN) must be separated by a comma and
1682# contain no spaces. This configuration option may be repeated for multiple
1683# values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack
1684# trusted_issuer=CN=mary,OU=eng,O=abc (multi valued)
1685#trusted_issuer =
1686
1687# The protocol name for the X.509 tokenless authorization along with the option
1688# issuer_attribute below can look up its corresponding mapping. (string value)
1689#protocol = x509
1690
1691# The issuer attribute that is served as an IdP ID for the X.509 tokenless
1692# authorization along with the protocol to look up its corresponding mapping.
1693# It is the environment variable in the WSGI environment that references to the
1694# issuer of the client certificate. (string value)
1695#issuer_attribute = SSL_CLIENT_I_DN
1696
1697
1698[trust]
1699
1700#
1701# From keystone
1702#
1703
1704# Delegation and impersonation features can be optionally disabled. (boolean
1705# value)
1706#enabled = true
1707
1708# Enable redelegation feature. (boolean value)
1709#allow_redelegation = false
1710
1711# Maximum depth of trust redelegation. (integer value)
1712#max_redelegation_count = 3
1713
1714# Entrypoint for the trust backend driver in the keystone.trust namespace.
1715# (string value)
1716#driver = sql
1717
1718[extra_headers]
1719Distribution = Ubuntu