from ostack_validator.schema import ConfigSchemaRegistry keystone = ConfigSchemaRegistry.register_schema(project='keystone') keystone.version('2013.1.3') keystone.section('DEFAULT') keystone.param( 'admin_token', type='string', default='ADMIN', description="A 'shared secret' between keystone and other openstack " "services") keystone.param( 'bind_host', type='host', default='0.0.0.0', description="The IP address of the network interface to listen on") keystone.param( 'public_port', type='port', default='5000', description="The port number which the public service listens on") keystone.param( 'admin_port', type='port', default='35357', description="The port number which the public admin listens on") keystone.param( 'public_endpoint', type='string', default='http://localhost:%(public_port)s/', description="The base endpoint URLs for keystone that are advertised to " "clients (NOTE: this does NOT affect how keystone listens for " "connections)") keystone.param( 'admin_endpoint', type='string', default='http://localhost:%(admin_port)s/', description="") keystone.param( 'compute_port', type='port', default='8774', description="The port number which the OpenStack Compute service " "listens on") keystone.param( 'policy_file', type='string', default='policy.json', description="Path to your policy definition containing identity actions") keystone.param( 'policy_default_rule', type='string', default='admin_required', description="Rule to check if no matching policy definition is found " "FIXME(dolph): This should really be defined as [policy] " "default_rule") keystone.param( 'member_role_id', type='string', default='9fe2ff9ee4384b1894a90878d3e92bab', description="Role for migrating membership relationships During a SQL " "upgrade, the following values will be used to create a new " "role that will replace records in the user_tenant_membership " "table with explicit role grants. After migration, the " "member_role_id will be used in the API add_user_to_project, " "and member_role_name will be ignored.") keystone.param( 'member_role_name', type='string', default='_member_', description="") keystone.param( 'max_request_body_size', type='string', default='114688', description="enforced by optional sizelimit middleware " "(keystone.middleware:RequestBodySizeLimiter)") keystone.param( 'max_param_size', type='integer', default=64, description="limit the sizes of user & tenant ID/names") keystone.param( 'max_token_size', type='integer', default=8192, description="similar to max_param_size, but provides an exception for " "token values") keystone.param( 'debug', type='boolean', default=False, description="=== Logging Options === Print debugging output (includes " "plaintext request logging, potentially including passwords)") keystone.param( 'verbose', type='boolean', default=False, description="Print more verbose output") keystone.param( 'log_file', type='string', default='keystone.log', description="Name of log file to output to. If not set, logging will go " "to stdout.") keystone.param( 'log_dir', type='string', default='/var/log/keystone', description="The directory to keep log files in (will be prepended to " "--logfile)") keystone.param( 'use_syslog', type='boolean', default=False, description="Use syslog for logging.") keystone.param( 'syslog_log_facility', type='string', default='LOG_USER', description="syslog facility to receive log lines") keystone.param( 'log_config', type='string', default='logging.conf', description="If this option is specified, the logging configuration file " "specified is used and overrides any other logging options " "specified. Please see the Python logging module documentation" " for details on logging configuration files.") keystone.param( 'log_format', type='string', default='%(asctime)s %(levelname)8s [%(name)s] %(message)s', description="A logging.Formatter log message format string which may use " "any of the available logging.LogRecord attributes.") keystone.param( 'log_date_format', type='string', default='%Y-%m-%d %H:%M:%S', description="Format string for %(asctime)s in log records.") keystone.param( 'onready', type='string', default='keystone.common.systemd', description="onready allows you to send a notification when the process " "is ready to serve For example, to have it notify using " "systemd, one could set shell command: onready = " "systemd-notify --ready or a module with notify() method:") keystone.param( 'default_notification_level', type='string', default='INFO', description="Default notification level for outgoing notifications") keystone.param( 'default_publisher_id', type='string', default='', description="Default publisher_id for outgoing notifications; included in " "the payload.") keystone.param( 'rpc_backend', type='string', default='keystone.openstack.common.rpc.impl_kombu', description="The messaging module to use, defaults to kombu.") keystone.param( 'rpc_thread_pool_size', type='integer', default=64, description="Size of RPC thread pool") keystone.param( 'rpc_conn_pool_size', type='integer', default=30, description="Size of RPC connection pool") keystone.param( 'rpc_response_timeout', type='integer', default=60, description="Seconds to wait for a response from call or multicall") keystone.param( 'rpc_cast_timeout', type='integer', default=30, description="Seconds to wait before a cast expires (TTL). Only supported " "by impl_zmq.") keystone.param( 'fake_rabbit', type='boolean', default=False, description="If True, use a fake RabbitMQ provider") keystone.param( 'control_exchange', type='string', default='openstack', description="AMQP exchange to connect to if using RabbitMQ or Qpid") keystone.section('sql') keystone.param( 'connection', type='string', default='sqlite:///keystone.db', description="The SQLAlchemy connection string used to connect to the " "database") keystone.param( 'idle_timeout', type='integer', default=200, description="the timeout before idle sql connections are reaped") keystone.section('identity') keystone.param( 'driver', type='string', default='keystone.identity.backends.sql.Identity', description="") keystone.param( 'default_domain_id', type='string', default='default', description="This references the domain to use for all Identity API v2 " "requests (which are not aware of domains). A domain with " "this ID will be created for you by keystone-manage db_sync " "in migration 008. The domain referenced by this ID cannot " "be deleted on the v3 API, to prevent accidentally breaking " "the v2 API. There is nothing special about this domain, " "other than the fact that it must exist to order to " "maintain support for your v2 clients.") keystone.param( 'domain_specific_drivers_enabled', type='boolean', default=False, description="A subset (or all) of domains can have their own identity " "driver, each with their own partial configuration file in a " "domain configuration directory. Only") keystone.param( 'domain_config_dir', type='string', default='/etc/keystone/domains', description="") keystone.param( 'max_password_length', type='integer', default=4096, description="Maximum supported length for user passwords; decrease to " "improve performance.") keystone.section('credential') keystone.param( 'driver', type='string', default='keystone.credential.backends.sql.Credential', description="") keystone.section('trust') keystone.param( 'enabled', type='boolean', default=True, description="delegation and impersonation features can be optionally " "disabled") keystone.section('os_inherit') keystone.param( 'enabled', type='boolean', default=False, description="role-assignment inheritance to projects from owning domain " "can be optionally enabled") keystone.section('catalog') keystone.param( 'driver', type='string', default='keystone.catalog.backends.sql.Catalog', description="dynamic, sql-based backend (supports API/CLI-based " "management commands)") keystone.param( 'driver', type='string', default='keystone.catalog.backends.templated.TemplatedCatalog', description="static, file-based backend (does *NOT* support any " "management commands)") keystone.param( 'template_file', type='string', default='default_catalog.templates', description="") keystone.section('endpoint_filter') keystone.param( 'driver', type='string', default='keystone.contrib.endpoint_filter.backends.sql.EndpointFilter', description="extension for creating associations between project and " "endpoints in order to provide a tailored catalog for " "project-scoped token requests.") keystone.param( 'return_all_endpoints_if_no_filter', type='boolean', default=True, description="") keystone.section('token') keystone.param( 'driver', type='string', default='keystone.token.backends.sql.Token', description="Provides token persistence.") keystone.param( 'provider', type='string', default='', description="Controls the token construction, validation, and revocation " "operations. Core providers are keystone.token.providers." "[pki|uuid].Provider") keystone.param( 'expiration', type='integer', default=86400, description="Amount of time a token should remain valid (in seconds)") keystone.param( 'bind', type='string', default='', description="External auth mechanisms that should add bind information to " "token. eg kerberos, x509") keystone.param( 'enforce_token_bind', type='string', default='permissive', description="Enforcement policy on tokens presented to keystone with bind " "information. One of disabled, permissive, strict, required " "or a specifically required bind mode e.g. kerberos or x509 " "to require binding to that authentication.") keystone.param( 'caching', type='boolean', default=True, description="Token specific caching toggle. This has no effect unless the " "global caching option is set to True") keystone.param( 'cache_time', type='integer', default=0, description="Token specific cache time-to-live (TTL) in seconds.") keystone.param( 'revocation_cache_time', type='integer', default=3600, description="Revocation-List specific cache time-to-live (TTL) " "in seconds.") keystone.section('cache') keystone.param( 'enabled', type='boolean', default=False, description="Global cache functionality toggle.") keystone.param( 'config_prefix', type='string', default='cache.keystone', description="Prefix for building the configuration dictionary for the " "cache region. This should not need to be changed unless there" " is another dogpile.cache region with the same configuration " "name") keystone.param( 'backend', type='string', default='keystone.common.cache.noop', description="Dogpile.cache backend module. It is recommended that " "Memcache (dogpile.cache.memcache) or Redis " "(dogpile.cache.redis) be used in production deployments. " "Small workloads (single process) like devstack can use the " "dogpile.cache.memory backend.") keystone.param( 'backend_argument', type='string', default='', description="Arguments supplied to the backend module. Specify this " "option once per argument to be passed to the " "dogpile.cache backend. Example format: :") keystone.param( 'proxies', type='string', default='', description="Proxy Classes to import that will affect the way the " "dogpile.cache backend functions. See the dogpile.cache " "documentation on changing-backend-behavior. Comma delimited " "list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2") keystone.param( 'use_key_mangler', type='boolean', default=True, description="Use a key-mangling function (sha1) to ensure fixed length " "cache-keys. This is toggle-able for debugging purposes, " "it is highly recommended to always leave this set to True.") keystone.param( 'debug_cache_backend', type='boolean', default=False, description="Extra debugging from the cache backend (cache keys, " "get/set/delete/etc calls) This is only really useful if you " "need to see the specific cache-backend get/set/delete calls " "with the keys/values. Typically this should be left set to " "False.") keystone.section('policy') keystone.param( 'driver', type='string', default='keystone.policy.backends.sql.Policy', description="") keystone.section('ec2') keystone.param( 'driver', type='string', default='keystone.contrib.ec2.backends.kvs.Ec2', description="") keystone.section('assignment') keystone.param('driver', type='string', default='', description="") keystone.param( 'caching', type='boolean', default=True, description="Assignment specific caching toggle. This has no effect " "unless the global caching option is set to True") keystone.param( 'cache_time', type='integer', default=0, description="Assignment specific cache time-to-live (TTL) in seconds.") keystone.section('oauth1') keystone.param( 'driver', type='string', default='keystone.contrib.oauth1.backends.sql.OAuth1', description="") keystone.param( 'request_token_duration', type='integer', default=28800, description="The Identity service may include expire attributes. If no " "such attribute is included, then the token lasts " "indefinitely. Specify how quickly the request token will " "expire (in seconds)") keystone.param( 'access_token_duration', type='integer', default=86400, description="Specify how quickly the access token will expire " "(in seconds)") keystone.section('ssl') keystone.param('enable', type='boolean', default=True, description="") keystone.param( 'certfile', type='string', default='/etc/keystone/pki/certs/ssl_cert.pem', description="") keystone.param( 'keyfile', type='string', default='/etc/keystone/pki/private/ssl_key.pem', description="") keystone.param( 'ca_certs', type='string', default='/etc/keystone/pki/certs/cacert.pem', description="") keystone.param( 'ca_key', type='string', default='/etc/keystone/pki/private/cakey.pem', description="") keystone.param('key_size', type='integer', default=1024, description="") keystone.param('valid_days', type='integer', default=3650, description="") keystone.param('cert_required', type='boolean', default=False, description="") keystone.param( 'cert_subject', type='string', default='/CUS/STUnset/LUnset/OUnset/CNlocalhost', description="") keystone.section('signing') keystone.param( 'token_format', type='string', default='', description="Deprecated in favor of provider in the [token] section " "Allowed values are PKI or UUID") keystone.param( 'certfile', type='string', default='/etc/keystone/pki/certs/signing_cert.pem', description="") keystone.param( 'keyfile', type='string', default='/etc/keystone/pki/private/signing_key.pem', description="") keystone.param( 'ca_certs', type='string', default='/etc/keystone/pki/certs/cacert.pem', description="") keystone.param( 'ca_key', type='string', default='/etc/keystone/pki/private/cakey.pem', description="") keystone.param('key_size', type='boolean', default=2048, description="") keystone.param('valid_days', type='boolean', default=3650, description="") keystone.param( 'cert_subject', type='string', default='/CUS/STUnset/LUnset/OUnset/CNwww.example.com', description="") keystone.section('ldap') keystone.param( 'url', type='string', default='ldap://localhost', description="") keystone.param( 'user', type='string', default='dcManager,dcexample,dccom', description="") keystone.param('password', type='string', default=None, description="") keystone.param( 'suffix', type='string', default='cnexample,cncom', description="") keystone.param( 'use_dumb_member', type='boolean', default=False, description="") keystone.param( 'allow_subtree_delete', type='boolean', default=False, description="") keystone.param( 'dumb_member', type='string', default='cndumb,dcexample,dccom', description="") keystone.param( 'page_size', type='integer', default=0, description="Maximum results per page; a value of zero ('0') disables " "paging (default)") keystone.param( 'alias_dereferencing', type='string', default='default', description="The LDAP dereferencing option for queries. This can be " "either 'never', 'searching', 'always', 'finding' or " "'default'. The 'default' option falls back to using " "default dereferencing configured by your ldap.conf.") keystone.param( 'query_scope', type='string', default='one', description="The LDAP scope for queries, this can be either 'one' " "(onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)") keystone.param( 'user_tree_dn', type='string', default='ouUsers,dcexample,dccom', description="") keystone.param('user_filter', type='string', default='', description="") keystone.param( 'user_objectclass', type='string', default='inetOrgPerson', description="") keystone.param( 'user_domain_id_attribute', type='string', default='businessCategory', description="") keystone.param( 'user_id_attribute', type='string', default='cn', description="") keystone.param( 'user_name_attribute', type='string', default='sn', description="") keystone.param( 'user_mail_attribute', type='string', default='email', description="") keystone.param( 'user_pass_attribute', type='string', default='userPassword', description="") keystone.param( 'user_enabled_attribute', type='string', default='enabled', description="") keystone.param('user_enabled_mask', type='integer', default=0, description="") keystone.param( 'user_enabled_default', type='boolean', default=True, description="") keystone.param( 'user_attribute_ignore', type='string', default='tenant_id,tenants', description="") keystone.param( 'user_allow_create', type='boolean', default=True, description="") keystone.param( 'user_allow_update', type='boolean', default=True, description="") keystone.param( 'user_allow_delete', type='boolean', default=True, description="") keystone.param( 'user_enabled_emulation', type='boolean', default=False, description="") keystone.param( 'user_enabled_emulation_dn', type='string', default='', description="") keystone.param( 'tenant_tree_dn', type='string', default='ouProjects,dcexample,dccom', description="") keystone.param('tenant_filter', type='string', default='', description="") keystone.param( 'tenant_objectclass', type='string', default='groupOfNames', description="") keystone.param( 'tenant_domain_id_attribute', type='string', default='businessCategory', description="") keystone.param( 'tenant_id_attribute', type='string', default='cn', description="") keystone.param( 'tenant_member_attribute', type='string', default='member', description="") keystone.param( 'tenant_name_attribute', type='string', default='ou', description="") keystone.param( 'tenant_desc_attribute', type='string', default='desc', description="") keystone.param( 'tenant_enabled_attribute', type='string', default='enabled', description="") keystone.param( 'tenant_attribute_ignore', type='string', default='', description="") keystone.param( 'tenant_allow_create', type='boolean', default=True, description="") keystone.param( 'tenant_allow_update', type='boolean', default=True, description="") keystone.param( 'tenant_allow_delete', type='boolean', default=True, description="") keystone.param( 'tenant_enabled_emulation', type='boolean', default=False, description="") keystone.param( 'tenant_enabled_emulation_dn', type='string', default='', description="") keystone.param( 'role_tree_dn', type='string', default='ouRoles,dcexample,dccom', description="") keystone.param('role_filter', type='string', default='', description="") keystone.param( 'role_objectclass', type='string', default='organizationalRole', description="") keystone.param( 'role_id_attribute', type='string', default='cn', description="") keystone.param( 'role_name_attribute', type='string', default='ou', description="") keystone.param( 'role_member_attribute', type='string', default='roleOccupant', description="") keystone.param( 'role_attribute_ignore', type='string', default='', description="") keystone.param( 'role_allow_create', type='boolean', default=True, description="") keystone.param( 'role_allow_update', type='boolean', default=True, description="") keystone.param( 'role_allow_delete', type='boolean', default=True, description="") keystone.param('group_tree_dn', type='string', default='', description="") keystone.param('group_filter', type='string', default='', description="") keystone.param( 'group_objectclass', type='string', default='groupOfNames', description="") keystone.param( 'group_id_attribute', type='string', default='cn', description="") keystone.param( 'group_name_attribute', type='string', default='ou', description="") keystone.param( 'group_member_attribute', type='string', default='member', description="") keystone.param( 'group_desc_attribute', type='string', default='desc', description="") keystone.param( 'group_attribute_ignore', type='string', default='', description="") keystone.param( 'group_allow_create', type='boolean', default=True, description="") keystone.param( 'group_allow_update', type='boolean', default=True, description="") keystone.param( 'group_allow_delete', type='boolean', default=True, description="") keystone.param( 'use_tls', type='boolean', default=False, description="ldap TLS options if both tls_cacertfile and tls_cacertdir " "are set then tls_cacertfile will be used and tls_cacertdir " "is ignored valid options for tls_req_cert are demand, never, " "and allow") keystone.param('tls_cacertfile', type='string', default='', description="") keystone.param('tls_cacertdir', type='string', default='', description="") keystone.param('tls_req_cert', type='string', default='demand', description="") keystone.param( 'user_additional_attribute_mapping', type='string', default='description:name, gecos:name', description="Additional attribute mappings can be used to map ldap " "attributes to internal keystone attributes. This allows " "keystone to fulfill ldap objectclass requirements. An " "example to map the description and gecos attributes to a " "user's name would be:") keystone.param( 'domain_additional_attribute_mapping', type='string', default='', description="") keystone.param( 'group_additional_attribute_mapping', type='string', default='', description="") keystone.param( 'role_additional_attribute_mapping', type='string', default='', description="") keystone.param( 'project_additional_attribute_mapping', type='string', default='', description="") keystone.param( 'user_additional_attribute_mapping', type='string', default='', description="") keystone.section('auth') keystone.param( 'methods', type='string', default='external,password,token,oauth1', description="") keystone.param( 'external', type='string', default='keystone.auth.plugins.external.ExternalDefault', description="") keystone.param( 'password', type='string', default='keystone.auth.plugins.password.Password', description="") keystone.param( 'token', type='string', default='keystone.auth.plugins.token.Token', description="") keystone.param( 'oauth1', type='string', default='keystone.auth.plugins.oauth1.OAuth', description="") keystone.section('paste_deploy') keystone.param( 'config_file', type='string', default='keystone-paste.ini', description="Name of the paste configuration file that defines the " "available pipelines") keystone.commit()