keystone-9.0.0/�������������������������������������������������������������������������������������0000775�0005670�0005671�00000000000�12701407246�014525� 5����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/���������������������������������������������������������������������������������0000775�0005670�0005671�00000000000�12701407246�015300� 5����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/sso_callback_template.html�������������������������������������������������������0000664�0005670�0005671�00000001231�12701407102�022465� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Keystone WebSSO redirect
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/policy.v3cloudsample.json��������������������������������������������������������0000664�0005670�0005671�00000033117�12701407102�022246� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������{
"admin_required": "role:admin",
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:cloud_admin",
"identity:update_region": "rule:cloud_admin",
"identity:delete_region": "rule:cloud_admin",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:cloud_admin",
"identity:update_service": "rule:cloud_admin",
"identity:delete_service": "rule:cloud_admin",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:cloud_admin",
"identity:update_endpoint": "rule:cloud_admin",
"identity:delete_endpoint": "rule:cloud_admin",
"identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_domains": "rule:cloud_admin",
"identity:create_domain": "rule:cloud_admin",
"identity:update_domain": "rule:cloud_admin",
"identity:delete_domain": "rule:cloud_admin",
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
"admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
"admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
"identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
"admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
"admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
"identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
"identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_required or rule:owner",
"identity:ec2_create_credential": "rule:admin_required or rule:owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:cloud_admin",
"identity:update_role": "rule:cloud_admin",
"identity:delete_role": "rule:cloud_admin",
"identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
"identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
"identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
"identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
"identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
"domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
"get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
"domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
"project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
"list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
"identity:get_implied_role": "rule:cloud_admin",
"identity:list_implied_roles": "rule:cloud_admin",
"identity:create_implied_role": "rule:cloud_admin",
"identity:delete_implied_role": "rule:cloud_admin",
"identity:list_role_inference_rules": "rule:cloud_admin",
"identity:check_implied_role": "rule:cloud_admin",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
"domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
"domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
"domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
"project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
"project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
"project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
"domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
"project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
"admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
"admin_on_domain_of_project_filter" : "rule:admin_required and domain_id:%(target.project.domain_id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
"identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
"identity:get_policy": "rule:cloud_admin",
"identity:list_policies": "rule:cloud_admin",
"identity:create_policy": "rule:cloud_admin",
"identity:update_policy": "rule:cloud_admin",
"identity:delete_policy": "rule:cloud_admin",
"identity:change_password": "rule:owner",
"identity:check_token": "rule:admin_or_owner",
"identity:validate_token": "rule:service_admin_or_owner",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:cloud_admin",
"identity:list_identity_providers": "rule:cloud_admin",
"identity:get_identity_providers": "rule:cloud_admin",
"identity:update_identity_provider": "rule:cloud_admin",
"identity:delete_identity_provider": "rule:cloud_admin",
"identity:create_protocol": "rule:cloud_admin",
"identity:update_protocol": "rule:cloud_admin",
"identity:get_protocol": "rule:cloud_admin",
"identity:list_protocols": "rule:cloud_admin",
"identity:delete_protocol": "rule:cloud_admin",
"identity:create_mapping": "rule:cloud_admin",
"identity:get_mapping": "rule:cloud_admin",
"identity:list_mappings": "rule:cloud_admin",
"identity:delete_mapping": "rule:cloud_admin",
"identity:update_mapping": "rule:cloud_admin",
"identity:create_service_provider": "rule:cloud_admin",
"identity:list_service_providers": "rule:cloud_admin",
"identity:get_service_provider": "rule:cloud_admin",
"identity:update_service_provider": "rule:cloud_admin",
"identity:delete_service_provider": "rule:cloud_admin",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:list_projects_for_groups": "",
"identity:list_domains_for_groups": "",
"identity:list_revoke_events": "",
"identity:create_policy_association_for_endpoint": "rule:cloud_admin",
"identity:check_policy_association_for_endpoint": "rule:cloud_admin",
"identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
"identity:create_policy_association_for_service": "rule:cloud_admin",
"identity:check_policy_association_for_service": "rule:cloud_admin",
"identity:delete_policy_association_for_service": "rule:cloud_admin",
"identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
"identity:get_policy_for_endpoint": "rule:cloud_admin",
"identity:list_endpoints_for_policy": "rule:cloud_admin",
"identity:create_domain_config": "rule:cloud_admin",
"identity:get_domain_config": "rule:cloud_admin",
"identity:update_domain_config": "rule:cloud_admin",
"identity:delete_domain_config": "rule:cloud_admin",
"identity:get_domain_config_default": "rule:cloud_admin"
}
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/default_catalog.templates��������������������������������������������������������0000664�0005670�0005671�00000004377�12701407102�022340� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# config for templated.Catalog, using camelCase because I don't want to do
# translations for keystone compat
catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://localhost:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service
# fake compute service for now to help novaclient tests work
catalog.RegionOne.computev21.publicURL = http://localhost:8774/v2.1/$(tenant_id)s
catalog.RegionOne.computev21.adminURL = http://localhost:8774/v2.1/$(tenant_id)s
catalog.RegionOne.computev21.internalURL = http://localhost:8774/v2.1/$(tenant_id)s
catalog.RegionOne.computev21.name = Compute Service V2.1
catalog.RegionOne.volumev2.publicURL = http://localhost:8776/v2/$(tenant_id)s
catalog.RegionOne.volumev2.adminURL = http://localhost:8776/v2/$(tenant_id)s
catalog.RegionOne.volumev2.internalURL = http://localhost:8776/v2/$(tenant_id)s
catalog.RegionOne.volumev2.name = Volume Service V2
catalog.RegionOne.ec2.publicURL = http://localhost:8773/services/Cloud
catalog.RegionOne.ec2.adminURL = http://localhost:8773/services/Admin
catalog.RegionOne.ec2.internalURL = http://localhost:8773/services/Cloud
catalog.RegionOne.ec2.name = EC2 Service
catalog.RegionOne.image.publicURL = http://localhost:9292
catalog.RegionOne.image.adminURL = http://localhost:9292
catalog.RegionOne.image.internalURL = http://localhost:9292
catalog.RegionOne.image.name = Image Service
catalog.RegionOne.network.publicURL = http://localhost:9696
catalog.RegionOne.network.adminURL = http://localhost:9696
catalog.RegionOne.network.internalURL = http://localhost:9696
catalog.RegionOne.network.name = Network Service
catalog.RegionOne.orchestration.publicURL = http://localhost:8004/v1/$(tenant_id)s
catalog.RegionOne.orchestration.adminURL = http://localhost:8004/v1/$(tenant_id)s
catalog.RegionOne.orchestration.internalURL = http://localhost:8004/v1/$(tenant_id)s
catalog.RegionOne.orchestration.name = Orchestration Service
catalog.RegionOne.metering.publicURL = http://localhost:8777
catalog.RegionOne.metering.adminURL = http://localhost:8777
catalog.RegionOne.metering.internalURL = http://localhost:8777
catalog.RegionOne.metering.name = Telemetry Service
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/logging.conf.sample��������������������������������������������������������������0000664�0005670�0005671�00000002026�12701407102�021044� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[loggers]
keys=root,access
[handlers]
keys=production,file,access_file,devel
[formatters]
keys=minimal,normal,debug
###########
# Loggers #
###########
[logger_root]
level=WARNING
handlers=file
[logger_access]
level=INFO
qualname=access
handlers=access_file
################
# Log Handlers #
################
[handler_production]
class=handlers.SysLogHandler
level=ERROR
formatter=normal
args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
[handler_file]
class=handlers.WatchedFileHandler
level=WARNING
formatter=normal
args=('error.log',)
[handler_access_file]
class=handlers.WatchedFileHandler
level=INFO
formatter=minimal
args=('access.log',)
[handler_devel]
class=StreamHandler
level=NOTSET
formatter=debug
args=(sys.stdout,)
##################
# Log Formatters #
##################
[formatter_minimal]
format=%(message)s
[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s
[formatter_debug]
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/policy.json����������������������������������������������������������������������0000664�0005670�0005671�00000022743�12701407102�017471� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
"identity:change_password": "rule:admin_or_owner",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:get_domain_role": "rule:admin_required",
"identity:list_domain_roles": "rule:admin_required",
"identity:create_domain_role": "rule:admin_required",
"identity:update_domain_role": "rule:admin_required",
"identity:delete_domain_role": "rule:admin_required",
"identity:get_implied_role": "rule:admin_required ",
"identity:list_implied_roles": "rule:admin_required",
"identity:create_implied_role": "rule:admin_required",
"identity:delete_implied_role": "rule:admin_required",
"identity:list_role_inference_rules": "rule:admin_required",
"identity:check_implied_role": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:list_role_assignments_for_tree": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_or_token_subject",
"identity:validate_token": "rule:service_admin_or_token_subject",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:list_endpoint_groups_for_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:list_projects_for_groups": "",
"identity:list_domains_for_groups": "",
"identity:list_revoke_events": "",
"identity:create_policy_association_for_endpoint": "rule:admin_required",
"identity:check_policy_association_for_endpoint": "rule:admin_required",
"identity:delete_policy_association_for_endpoint": "rule:admin_required",
"identity:create_policy_association_for_service": "rule:admin_required",
"identity:check_policy_association_for_service": "rule:admin_required",
"identity:delete_policy_association_for_service": "rule:admin_required",
"identity:create_policy_association_for_region_and_service": "rule:admin_required",
"identity:check_policy_association_for_region_and_service": "rule:admin_required",
"identity:delete_policy_association_for_region_and_service": "rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required",
"identity:get_domain_config_default": "rule:admin_required"
}
�����������������������������keystone-9.0.0/etc/keystone-paste.ini���������������������������������������������������������������0000664�0005670�0005671�00000004540�12701407102�020746� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Keystone PasteDeploy configuration file.
[filter:debug]
use = egg:oslo.middleware#debug
[filter:request_id]
use = egg:oslo.middleware#request_id
[filter:build_auth_context]
use = egg:keystone#build_auth_context
[filter:token_auth]
use = egg:keystone#token_auth
[filter:admin_token_auth]
# This is deprecated in the M release and will be removed in the O release.
# Use `keystone-manage bootstrap` and remove this from the pipelines below.
use = egg:keystone#admin_token_auth
[filter:json_body]
use = egg:keystone#json_body
[filter:cors]
use = egg:oslo.middleware#cors
oslo_config_project = keystone
[filter:ec2_extension]
use = egg:keystone#ec2_extension
[filter:ec2_extension_v3]
use = egg:keystone#ec2_extension_v3
[filter:s3_extension]
use = egg:keystone#s3_extension
[filter:url_normalize]
use = egg:keystone#url_normalize
[filter:sizelimit]
use = egg:oslo.middleware#sizelimit
[app:public_service]
use = egg:keystone#public_service
[app:service_v3]
use = egg:keystone#service_v3
[app:admin_service]
use = egg:keystone#admin_service
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
[app:public_version_service]
use = egg:keystone#public_version_service
[app:admin_version_service]
use = egg:keystone#admin_version_service
[pipeline:public_version_api]
pipeline = cors sizelimit url_normalize public_version_service
[pipeline:admin_version_api]
pipeline = cors sizelimit url_normalize admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
����������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/etc/keystone.conf.sample�������������������������������������������������������������0000664�0005670�0005671�00000216615�12701407102�021272� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[DEFAULT]
#
# From keystone
#
# A "shared secret" that can be used to bootstrap Keystone. This "token" does
# not represent a user, and carries no explicit authorization. If set to
# `None`, the value is ignored and the `admin_token` log in mechanism is
# effectively disabled. To completely disable `admin_token` in production
# (highly recommended), remove AdminTokenAuthMiddleware from your paste
# application pipelines (for example, in keystone-paste.ini). (string value)
#admin_token =
# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
# to the base host URL of the request. E.g. a request to
# http://server:5000/v3/users will default to http://server:5000. You should
# only need to set this value if the base URL contains a path (e.g. /prefix/v3)
# or the endpoint should be found on a different server. (string value)
#public_endpoint =
# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
# this does NOT affect how Keystone listens for connections). Defaults to the
# base host URL of the request. E.g. a request to http://server:35357/v3/users
# will default to http://server:35357. You should only need to set this value
# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
# found on a different server. (string value)
#admin_endpoint =
# Maximum depth of the project hierarchy, excluding the project acting as a
# domain at the top of the hierarchy. WARNING: setting it to a large value may
# adversely impact performance. (integer value)
#max_project_tree_depth = 5
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size = 64
# Similar to max_param_size, but provides an exception for token values.
# (integer value)
#max_token_size = 8192
# Similar to the member_role_name option, this represents the default role ID
# used to associate users with their default projects in the v2 API. This will
# be used as the explicit role where one is not specified by the v2 API.
# (string value)
#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# This is the role name used in combination with the member_role_id option; see
# that option for more detail. (string value)
#member_role_name = _member_
# The value passed as the keyword "rounds" to passlib's encrypt method.
# (integer value)
# Minimum value: 1000
# Maximum value: 100000
#crypt_strength = 10000
# The maximum number of entities that will be returned in a collection, with no
# limit set by default. This global limit may be then overridden for a specific
# driver, by specifying a list_limit in the appropriate section (e.g.
# [assignment]). (integer value)
#list_limit =
# Set this to false if you want to enable the ability for user, group and
# project entities to be moved between domains by updating their domain_id.
# Allowing such movement is not recommended if the scope of a domain admin is
# being restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). This ability is deprecated and will be
# removed in a future release. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#domain_id_immutable = true
# If set to true, strict password length checking is performed for password
# manipulation. If a password exceeds the maximum length, the operation will
# fail with an HTTP 403 Forbidden error. If set to false, passwords are
# automatically truncated to the maximum length. (boolean value)
#strict_password_check = false
# The HTTP header used to determine the scheme for the original request, even
# if it was removed by an SSL terminating proxy. (string value)
#secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
# If set to true the server will return information in the response that may
# allow an unauthenticated or authenticated user to get more information than
# normal, such as why authentication failed. This may be useful for debugging
# but is insecure. (boolean value)
#insecure_debug = false
#
# From keystone.notifications
#
# Default publisher_id for outgoing notifications (string value)
#default_publisher_id =
# Define the notification format for Identity Service events. A "basic"
# notification has information about the resource being operated on. A "cadf"
# notification has the same information, as well as information about the
# initiator of the event. (string value)
# Allowed values: basic, cadf
#notification_format = basic
# Define the notification options to opt-out from. The value expected is:
# identity... This field can be set multiple times in
# order to add more notifications to opt-out from. For example:
# notification_opt_out=identity.user.created
# notification_opt_out=identity.authenticate.success (multi valued)
#notification_opt_out =
#
# From oslo.log
#
# If set to true, the logging level will be set to DEBUG instead of the default
# INFO level. (boolean value)
#debug = false
# If set to false, the logging level will be set to WARNING instead of the
# default INFO level. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#verbose = true
# The name of a logging configuration file. This file is appended to any
# existing logging configuration files. For details about logging configuration
# files, see the Python logging module documentation. Note that when logging
# configuration files are used then all logging configuration is set in the
# configuration file and other logging configuration options are ignored (for
# example, logging_context_format_string). (string value)
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append =
# Defines the format string for %%(asctime)s in log records. Default:
# %(default)s . This option is ignored if log_config_append is set. (string
# value)
#log_date_format = %Y-%m-%d %H:%M:%S
# (Optional) Name of log file to send logging output to. If no default is set,
# logging will go to stderr as defined by use_stderr. This option is ignored if
# log_config_append is set. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file =
# (Optional) The base directory used for relative log_file paths. This option
# is ignored if log_config_append is set. (string value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir =
# Uses logging handler designed to watch file system. When log file is moved or
# removed this handler will open a new log file with specified path
# instantaneously. It makes sense only if log_file option is specified and
# Linux platform is used. This option is ignored if log_config_append is set.
# (boolean value)
#watch_log_file = false
# Use syslog for logging. Existing syslog format is DEPRECATED and will be
# changed later to honor RFC5424. This option is ignored if log_config_append
# is set. (boolean value)
#use_syslog = false
# Syslog facility to receive log lines. This option is ignored if
# log_config_append is set. (string value)
#syslog_log_facility = LOG_USER
# Log output to standard error. This option is ignored if log_config_append is
# set. (boolean value)
#use_stderr = true
# Format string to use for log messages with context. (string value)
#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
# Format string to use for log messages when context is undefined. (string
# value)
#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
# Additional data to append to log message when logging level for the message
# is DEBUG. (string value)
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format. (string value)
#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
# Defines the format string for %(user_identity)s that is used in
# logging_context_format_string. (string value)
#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
# List of package logging levels in logger=LEVEL pairs. This option is ignored
# if log_config_append is set. (list value)
#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
# Enables or disables publication of error events. (boolean value)
#publish_errors = false
# The format for an instance that is passed with the log message. (string
# value)
#instance_format = "[instance: %(uuid)s] "
# The format for an instance UUID that is passed with the log message. (string
# value)
#instance_uuid_format = "[instance: %(uuid)s] "
# Enables or disables fatal status of deprecations. (boolean value)
#fatal_deprecations = false
#
# From oslo.messaging
#
# Size of RPC connection pool. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
#rpc_conn_pool_size = 30
# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address. (string value)
#rpc_zmq_bind_address = *
# MatchMaker driver. (string value)
# Allowed values: redis, dummy
#rpc_zmq_matchmaker = redis
# Type of concurrency used. Either "native" or "eventlet" (string value)
#rpc_zmq_concurrency = eventlet
# Number of ZeroMQ contexts, defaults to 1. (integer value)
#rpc_zmq_contexts = 1
# Maximum number of ingress messages to locally buffer per topic. Default is
# unlimited. (integer value)
#rpc_zmq_topic_backlog =
# Directory for holding IPC sockets. (string value)
#rpc_zmq_ipc_dir = /var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
# "host" option, if running Nova. (string value)
#rpc_zmq_host = localhost
# Seconds to wait before a cast expires (TTL). The default value of -1
# specifies an infinite linger period. The value of 0 specifies no linger
# period. Pending messages shall be discarded immediately when the socket is
# closed. Only supported by impl_zmq. (integer value)
#rpc_cast_timeout = -1
# The default number of seconds that poll should wait. Poll raises timeout
# exception when timeout expired. (integer value)
#rpc_poll_timeout = 1
# Expiration timeout in seconds of a name service record about existing target
# ( < 0 means no timeout). (integer value)
#zmq_target_expire = 120
# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. (boolean
# value)
#use_pub_sub = true
# Minimal port number for random ports range. (port value)
# Minimum value: 0
# Maximum value: 65535
#rpc_zmq_min_port = 49152
# Maximal port number for random ports range. (integer value)
# Minimum value: 1
# Maximum value: 65536
#rpc_zmq_max_port = 65536
# Number of retries to find free port number before fail with ZMQBindError.
# (integer value)
#rpc_zmq_bind_port_retries = 100
# Size of executor thread pool. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size
#executor_thread_pool_size = 64
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout = 60
# A URL representing the messaging driver to use and its full configuration. If
# not set, we fall back to the rpc_backend option and driver specific
# configuration. (string value)
#transport_url =
# The messaging driver to use, defaults to rabbit. Other drivers include amqp
# and zmq. (string value)
#rpc_backend = rabbit
# The default exchange under which topics are scoped. May be overridden by an
# exchange name specified in the transport_url option. (string value)
#control_exchange = keystone
#
# From oslo.service.service
#
# Enable eventlet backdoor. Acceptable values are 0, , and
# :, where 0 results in listening on a random tcp port number;
# results in listening on the specified port number (and not enabling
# backdoor if that port is in use); and : results in listening on
# the smallest unused port number within the specified range of port numbers.
# The chosen port is displayed in the service's log file. (string value)
#backdoor_port =
# Enable eventlet backdoor, using the provided path as a unix socket that can
# receive connections. This option is mutually exclusive with 'backdoor_port'
# in that only one should be provided. If both are provided then the existence
# of this option overrides the usage of that option. (string value)
#backdoor_socket =
# Enables or disables logging values of all registered options when starting a
# service (at DEBUG level). (boolean value)
#log_options = true
# Specify a timeout after which a gracefully shutdown server will exit. Zero
# value means endless wait. (integer value)
#graceful_shutdown_timeout = 60
[assignment]
#
# From keystone
#
# Entrypoint for the assignment backend driver in the keystone.assignment
# namespace. Only an SQL driver is supplied. If an assignment driver is not
# specified, the identity driver will choose the assignment driver (driver
# selection based on `[identity]/driver` option is deprecated and will be
# removed in the "O" release). (string value)
#driver =
# A list of role names which are prohibited from being an implied role. (list
# value)
#prohibited_implied_role = admin
[auth]
#
# From keystone
#
# Allowed authentication methods. (list value)
#methods = external,password,token,oauth1
# Entrypoint for the password auth plugin module in the keystone.auth.password
# namespace. (string value)
#password =
# Entrypoint for the token auth plugin module in the keystone.auth.token
# namespace. (string value)
#token =
# Entrypoint for the external (REMOTE_USER) auth plugin module in the
# keystone.auth.external namespace. Supplied drivers are DefaultDomain and
# Domain. The default driver is DefaultDomain. (string value)
#external =
# Entrypoint for the oAuth1.0 auth plugin module in the keystone.auth.oauth1
# namespace. (string value)
#oauth1 =
[cache]
#
# From oslo.cache
#
# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name. (string value)
#config_prefix = cache.oslo
# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it. (integer value)
#expiration_time = 600
# Dogpile.cache backend module. It is recommended that Memcache with pooling
# (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
# production deployments. Small workloads (single process) like devstack can
# use the dogpile.cache.memory backend. (string value)
#backend = dogpile.cache.null
# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend. Example format:
# ":". (multi valued)
#backend_argument =
# Proxy classes to import that will affect the way the dogpile.cache backend
# functions. See the dogpile.cache documentation on changing-backend-behavior.
# (list value)
#proxies =
# Global toggle for caching. (boolean value)
#enabled = false
# Extra debugging from the cache backend (cache keys, get/set/delete/etc
# calls). This is only really useful if you need to see the specific cache-
# backend get/set/delete calls with the keys/values. Typically this should be
# left set to false. (boolean value)
#debug_cache_backend = false
# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
# oslo_cache.memcache_pool backends only). (list value)
#memcache_servers = localhost:11211
# Number of seconds memcached server is considered dead before it is tried
# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
# (integer value)
#memcache_dead_retry = 300
# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
# oslo_cache.memcache_pool backends only). (integer value)
#memcache_socket_timeout = 3
# Max total number of open connections to every memcached server.
# (oslo_cache.memcache_pool backend only). (integer value)
#memcache_pool_maxsize = 10
# Number of seconds a connection to memcached is held unused in the pool before
# it is closed. (oslo_cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout = 60
# Number of seconds that an operation will wait to get a memcache client
# connection. (integer value)
#memcache_pool_connection_get_timeout = 10
[catalog]
#
# From keystone
#
# Catalog template file name for use with the template catalog backend. (string
# value)
#template_file = default_catalog.templates
# Entrypoint for the catalog backend driver in the keystone.catalog namespace.
# Supplied drivers are kvs, sql, templated, and endpoint_filter.sql (string
# value)
#driver = sql
# Toggle for catalog caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# Time to cache catalog data (in seconds). This has no effect unless global and
# catalog caching are enabled. (integer value)
#cache_time =
# Maximum number of entities that will be returned in a catalog collection.
# (integer value)
#list_limit =
[cors]
#
# From oslo.middleware
#
# Indicate whether this resource may be shared with the domain received in the
# requests "origin" header. (list value)
#allowed_origin =
# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true
# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
[cors.subdomain]
#
# From oslo.middleware
#
# Indicate whether this resource may be shared with the domain received in the
# requests "origin" header. (list value)
#allowed_origin =
# Indicate that the actual request can include user credentials (boolean value)
#allow_credentials = true
# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
# Headers. (list value)
#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
# Maximum cache age of CORS preflight requests. (integer value)
#max_age = 3600
# Indicate which methods can be used during the actual request. (list value)
#allow_methods = GET,PUT,POST,DELETE,PATCH
# Indicate which header field names may be used during the actual request.
# (list value)
#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
[credential]
#
# From keystone
#
# Entrypoint for the credential backend driver in the keystone.credential
# namespace. (string value)
#driver = sql
[database]
#
# From oslo.db
#
# The file name to use with SQLite. (string value)
# Deprecated group/name - [DEFAULT]/sqlite_db
#sqlite_db = oslo.sqlite
# If True, SQLite uses synchronous mode. (boolean value)
# Deprecated group/name - [DEFAULT]/sqlite_synchronous
#sqlite_synchronous = true
# The back end to use for the database. (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend = sqlalchemy
# The SQLAlchemy connection string to use to connect to the database. (string
# value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection =
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
#slave_connection =
# The SQL mode to be used for MySQL sessions. This option, including the
# default, overrides any server-set SQL mode. To use whatever SQL mode is set
# by the server configuration, set this to no value. Example: mysql_sql_mode=
# (string value)
#mysql_sql_mode = TRADITIONAL
# Timeout before idle SQL connections are reaped. (integer value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout = 3600
# Minimum number of SQL connections to keep open in a pool. (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size = 1
# Maximum number of SQL connections to keep open in a pool. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size =
# Maximum number of database connection retries during startup. Set to -1 to
# specify an infinite retry count. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries = 10
# Interval between retries of opening a SQL connection. (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval = 10
# If set, use this value for max_overflow with SQLAlchemy. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow = 50
# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug = 0
# Add Python stack traces to SQL as comment strings. (boolean value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace = false
# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout =
# Enable the experimental use of database reconnect on connection lost.
# (boolean value)
#use_db_reconnect = false
# Seconds between retries of a database transaction. (integer value)
#db_retry_interval = 1
# If True, increases the interval between retries of a database operation up to
# db_max_retry_interval. (boolean value)
#db_inc_retry_interval = true
# If db_inc_retry_interval is set, the maximum seconds between retries of a
# database operation. (integer value)
#db_max_retry_interval = 10
# Maximum retries in case of connection error or deadlock error before error is
# raised. Set to -1 to specify an infinite retry count. (integer value)
#db_max_retries = 20
[domain_config]
#
# From keystone
#
# Entrypoint for the domain config backend driver in the
# keystone.resource.domain_config namespace. (string value)
#driver = sql
# Toggle for domain config caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# TTL (in seconds) to cache domain config data. This has no effect unless
# domain config caching is enabled. (integer value)
#cache_time = 300
[endpoint_filter]
#
# From keystone
#
# Entrypoint for the endpoint filter backend driver in the
# keystone.endpoint_filter namespace. (string value)
#driver = sql
# Toggle to return all active endpoints if no filter exists. (boolean value)
#return_all_endpoints_if_no_filter = true
[endpoint_policy]
#
# From keystone
#
# Enable endpoint_policy functionality. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: The option to enable the OS-ENDPOINT-POLICY extension has been
# deprecated in the M release and will be removed in the O release. The OS-
# ENDPOINT-POLICY extension will be enabled by default.
#enabled = true
# Entrypoint for the endpoint policy backend driver in the
# keystone.endpoint_policy namespace. (string value)
#driver = sql
[eventlet_server]
#
# From keystone
#
# The number of worker processes to serve the public eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/public_workers
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#public_workers =
# The number of worker processes to serve the admin eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/admin_workers
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#admin_workers =
# The IP address of the network interface for the public service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/public_bind_host
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#public_bind_host = 0.0.0.0
# The port number which the public service listens on. (port value)
# Minimum value: 0
# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/public_port
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#public_port = 5000
# The IP address of the network interface for the admin service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/admin_bind_host
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#admin_bind_host = 0.0.0.0
# The port number which the admin service listens on. (port value)
# Minimum value: 0
# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/admin_port
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#admin_port = 35357
# If set to false, disables keepalives on the server; all connections will be
# closed after serving one request. (boolean value)
#wsgi_keep_alive = true
# Timeout for socket operations on a client connection. If an incoming
# connection is idle for this number of seconds it will be closed. A value of
# "0" means wait forever. (integer value)
#client_socket_timeout = 900
# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
# sockets used by the Keystone wsgi server for client connections. (boolean
# value)
# Deprecated group/name - [DEFAULT]/tcp_keepalive
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#tcp_keepalive = false
# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
# applies if tcp_keepalive is true. Ignored if system does not support it.
# (integer value)
# Deprecated group/name - [DEFAULT]/tcp_keepidle
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#tcp_keepidle = 600
[eventlet_server_ssl]
#
# From keystone
#
# Toggle for SSL support on the Keystone eventlet servers. (boolean value)
# Deprecated group/name - [ssl]/enable
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#enable = false
# Path of the certfile for SSL. For non-production environments, you may be
# interested in using `keystone-manage ssl_setup` to generate self-signed
# certificates. (string value)
# Deprecated group/name - [ssl]/certfile
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#certfile = /etc/keystone/ssl/certs/keystone.pem
# Path of the keyfile for SSL. (string value)
# Deprecated group/name - [ssl]/keyfile
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
# Path of the CA cert file for SSL. (string value)
# Deprecated group/name - [ssl]/ca_certs
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Require client certificate. (boolean value)
# Deprecated group/name - [ssl]/cert_required
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#cert_required = false
[federation]
#
# From keystone
#
# Entrypoint for the federation backend driver in the keystone.federation
# namespace. (string value)
#driver = sql
# Value to be used when filtering assertion parameters from the environment.
# (string value)
#assertion_prefix =
# Value to be used to obtain the entity ID of the Identity Provider from the
# environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
# Provider`). (string value)
#remote_id_attribute =
# A domain name that is reserved to allow federated ephemeral users to have a
# domain concept. Note that an admin will not be able to create a domain with
# this name or update an existing domain to this name. You are not advised to
# change this value unless you really have to. (string value)
#federated_domain_name = Federated
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
# to return a token, the origin host must be a member of the trusted_dashboard
# list. This configuration option may be repeated for multiple values. For
# example: trusted_dashboard=http://acme.com/auth/websso
# trusted_dashboard=http://beta.com/auth/websso (multi valued)
#trusted_dashboard =
# Location of Single Sign-On callback handler, will return a token to a trusted
# dashboard host. (string value)
#sso_callback_template = /etc/keystone/sso_callback_template.html
[fernet_tokens]
#
# From keystone
#
# Directory containing Fernet token keys. (string value)
#key_repository = /etc/keystone/fernet-keys/
# This controls how many keys are held in rotation by keystone-manage
# fernet_rotate before they are discarded. The default value of 3 means that
# keystone will maintain one staged key, one primary key, and one secondary
# key. Increasing this value means that additional secondary keys will be kept
# in the rotation. (integer value)
#max_active_keys = 3
[identity]
#
# From keystone
#
# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients. (string value)
#default_domain_id = default
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration options, stored in either the resource
# backend or in a file in a domain configuration directory (depending on the
# setting of domain_configurations_from_database). Only values specific to the
# domain need to be specified in this manner. This feature is disabled by
# default; set to true to enable. (boolean value)
#domain_specific_drivers_enabled = false
# Extract the domain specific configuration options from the resource backend
# where they have been stored with the domain data. This feature is disabled by
# default (in which case the domain specific options will be loaded from files
# in the domain configuration directory); set to true to enable. (boolean
# value)
#domain_configurations_from_database = false
# Path for Keystone to locate the domain specific identity configuration files
# if domain_specific_drivers_enabled is set to true. (string value)
#domain_config_dir = /etc/keystone/domains
# Entrypoint for the identity backend driver in the keystone.identity
# namespace. Supplied drivers are ldap and sql. (string value)
#driver = sql
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# Time to cache identity data (in seconds). This has no effect unless global
# and identity caching are enabled. (integer value)
#cache_time = 600
# Maximum supported length for user passwords; decrease to improve performance.
# (integer value)
# Maximum value: 4096
#max_password_length = 4096
# Maximum number of entities that will be returned in an identity collection.
# (integer value)
#list_limit =
[identity_mapping]
#
# From keystone
#
# Entrypoint for the identity mapping backend driver in the
# keystone.identity.id_mapping namespace. (string value)
#driver = sql
# Entrypoint for the public ID generator for user and group entities in the
# keystone.identity.id_generator namespace. The Keystone identity mapper only
# supports generators that produce no more than 64 characters. (string value)
#generator = sha256
# The format of user and group IDs changed in Juno for backends that do not
# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
# underlying attribute in LDAP. By default this mapping is disabled, which
# ensures that existing IDs will not change. Even when the mapping is enabled
# by using domain specific drivers, any users and groups from the default
# domain being handled by LDAP will still not be mapped to ensure their IDs
# remain backward compatible. Setting this value to False will enable the
# mapping for even the default LDAP driver. It is only safe to do this if you
# do not already have assignments for users and groups from the default LDAP
# domain, and it is acceptable for Keystone to provide the different IDs to
# clients than it did previously. Typically this means that the only time you
# can set this value to False is when configuring a fresh installation.
# (boolean value)
#backward_compatible_ids = true
[kvs]
#
# From keystone
#
# Extra dogpile.cache backend modules to register with the dogpile.cache
# library. (list value)
#backends =
# Prefix for building the configuration dictionary for the KVS region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name. (string value)
#config_prefix = keystone.kvs
# Toggle to disable using a key-mangling function to ensure fixed length keys.
# This is toggle-able for debugging purposes, it is highly recommended to
# always leave this set to true. (boolean value)
#enable_key_mangler = true
# Default lock timeout (in seconds) for distributed locking. (integer value)
#default_lock_timeout = 5
[ldap]
#
# From keystone
#
# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
# as a comma separated string. The first URL to successfully bind is used for
# the connection. (string value)
#url = ldap://localhost
# User BindDN to query the LDAP server. (string value)
#user =
# Password for the BindDN to query the LDAP server. (string value)
#password =
# LDAP server suffix (string value)
#suffix = cn=example,cn=com
# If true, will add a dummy member to groups. This is required if the
# objectclass for groups requires the "member" attribute. (boolean value)
#use_dumb_member = false
# DN of the "dummy member" to use when "use_dumb_member" is enabled. (string
# value)
#dumb_member = cn=dumb,dc=nonexistent
# Delete subtrees using the subtree delete control. Only enable this option if
# your LDAP server supports subtree deletion. (boolean value)
#allow_subtree_delete = false
# The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub"
# represents subtree/wholeSubtree options. (string value)
# Allowed values: one, sub
#query_scope = one
# Maximum results per page; a value of zero ("0") disables paging. (integer
# value)
#page_size = 0
# The LDAP dereferencing option for queries. The "default" option falls back to
# using default dereferencing configured by your ldap.conf. (string value)
# Allowed values: never, searching, always, finding, default
#alias_dereferencing = default
# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
# debugging is not enabled. This value is a bitmask, consult your LDAP
# documentation for possible values. (integer value)
#debug_level =
# Override the system's default referral chasing behavior for queries. (boolean
# value)
#chase_referrals =
# Search base for users. Defaults to the suffix value. (string value)
#user_tree_dn =
# LDAP search filter for users. (string value)
#user_filter =
# LDAP objectclass for users. (string value)
#user_objectclass = inetOrgPerson
# LDAP attribute mapped to user id. WARNING: must not be a multivalued
# attribute. (string value)
#user_id_attribute = cn
# LDAP attribute mapped to user name. (string value)
#user_name_attribute = sn
# LDAP attribute mapped to user description. (string value)
#user_description_attribute = description
# LDAP attribute mapped to user email. (string value)
#user_mail_attribute = mail
# LDAP attribute mapped to password. (string value)
#user_pass_attribute = userPassword
# LDAP attribute mapped to user enabled flag. (string value)
#user_enabled_attribute = enabled
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
# boolean lock attribute where "true" means an account is disabled. Setting
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
#user_enabled_invert = false
# Bitmask integer to indicate the bit that the enabled value is stored in if
# the LDAP server represents "enabled" as a bit on an integer rather than a
# boolean. A value of "0" indicates the mask is not used. If this is not set to
# "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
#user_enabled_mask = 0
# Default value to enable users. This should match an appropriate int value if
# the LDAP server uses non-boolean (bitmask) values to indicate if a user is
# enabled or disabled. If this is not set to "True" the typical value is "512".
# This is typically used when "user_enabled_attribute = userAccountControl".
# (string value)
#user_enabled_default = True
# List of attributes stripped off the user on update. (list value)
#user_attribute_ignore = default_project_id
# LDAP attribute mapped to default_project_id for users. (string value)
#user_default_project_id_attribute =
# Allow user creation in LDAP backend. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Write support for Identity LDAP backends has been deprecated in the M
# release and will be removed in the O release.
#user_allow_create = true
# Allow user updates in LDAP backend. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Write support for Identity LDAP backends has been deprecated in the M
# release and will be removed in the O release.
#user_allow_update = true
# Allow user deletion in LDAP backend. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Write support for Identity LDAP backends has been deprecated in the M
# release and will be removed in the O release.
#user_allow_delete = true
# If true, Keystone uses an alternative method to determine if a user is
# enabled or not by checking if they are a member of the
# "user_enabled_emulation_dn" group. (boolean value)
#user_enabled_emulation = false
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
#user_enabled_emulation_dn =
# Use the "group_member_attribute" and "group_objectclass" settings to
# determine membership in the emulated enabled group. (boolean value)
#user_enabled_emulation_use_group_config = false
# List of additional LDAP attributes used for mapping additional attribute
# mappings for users. Attribute mapping format is :,
# where ldap_attr is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
#user_additional_attribute_mapping =
# Search base for groups. Defaults to the suffix value. (string value)
#group_tree_dn =
# LDAP search filter for groups. (string value)
#group_filter =
# LDAP objectclass for groups. (string value)
#group_objectclass = groupOfNames
# LDAP attribute mapped to group id. (string value)
#group_id_attribute = cn
# LDAP attribute mapped to group name. (string value)
#group_name_attribute = ou
# LDAP attribute mapped to show group membership. (string value)
#group_member_attribute = member
# LDAP attribute mapped to group description. (string value)
#group_desc_attribute = description
# List of attributes stripped off the group on update. (list value)
#group_attribute_ignore =
# Allow group creation in LDAP backend. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Write support for Identity LDAP backends has been deprecated in the M
# release and will be removed in the O release.
#group_allow_create = true
# Allow group update in LDAP backend. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Write support for Identity LDAP backends has been deprecated in the M
# release and will be removed in the O release.
#group_allow_update = true
# Allow group deletion in LDAP backend. (boolean value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Write support for Identity LDAP backends has been deprecated in the M
# release and will be removed in the O release.
#group_allow_delete = true
# Additional attribute mappings for groups. Attribute mapping format is
# :, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
#group_additional_attribute_mapping =
# CA certificate file path for communicating with LDAP servers. (string value)
#tls_cacertfile =
# CA certificate directory path for communicating with LDAP servers. (string
# value)
#tls_cacertdir =
# Enable TLS for communicating with LDAP servers. (boolean value)
#use_tls = false
# Specifies what checks to perform on client certificates in an incoming TLS
# session. (string value)
# Allowed values: demand, never, allow
#tls_req_cert = demand
# Enable LDAP connection pooling. (boolean value)
#use_pool = true
# Connection pool size. (integer value)
#pool_size = 10
# Maximum count of reconnect trials. (integer value)
#pool_retry_max = 3
# Time span in seconds to wait between two reconnect trials. (floating point
# value)
#pool_retry_delay = 0.1
# Connector timeout in seconds. Value -1 indicates indefinite wait for
# response. (integer value)
#pool_connection_timeout = -1
# Connection lifetime in seconds. (integer value)
#pool_connection_lifetime = 600
# Enable LDAP connection pooling for end user authentication. If use_pool is
# disabled, then this setting is meaningless and is not used at all. (boolean
# value)
#use_auth_pool = true
# End user auth connection pool size. (integer value)
#auth_pool_size = 100
# End user auth connection lifetime in seconds. (integer value)
#auth_pool_connection_lifetime = 60
# If the members of the group objectclass are user IDs rather than DNs, set
# this to true. This is the case when using posixGroup as the group objectclass
# and OpenDirectory. (boolean value)
#group_members_are_ids = false
[matchmaker_redis]
#
# From oslo.messaging
#
# Host to locate redis. (string value)
#host = 127.0.0.1
# Use this port to connect to redis host. (port value)
# Minimum value: 0
# Maximum value: 65535
#port = 6379
# Password for Redis server (optional). (string value)
#password =
# List of Redis Sentinel hosts (fault tolerance mode) e.g.
# [host:port, host1:port ... ] (list value)
#sentinel_hosts =
# Redis replica set name. (string value)
#sentinel_group_name = oslo-messaging-zeromq
# Time in ms to wait between connection attempts. (integer value)
#wait_timeout = 500
# Time in ms to wait before the transaction is killed. (integer value)
#check_timeout = 20000
# Timeout in ms on blocking socket operations (integer value)
#socket_timeout = 1000
[memcache]
#
# From keystone
#
# Memcache servers in the format of "host:port". (list value)
#servers = localhost:11211
# Number of seconds memcached server is considered dead before it is tried
# again. This is used by the key value store system (e.g. token pooled
# memcached persistence backend). (integer value)
#dead_retry = 300
# Timeout in seconds for every call to a server. This is used by the key value
# store system (e.g. token pooled memcached persistence backend). (integer
# value)
#socket_timeout = 3
# Max total number of open connections to every memcached server. This is used
# by the key value store system (e.g. token pooled memcached persistence
# backend). (integer value)
#pool_maxsize = 10
# Number of seconds a connection to memcached is held unused in the pool before
# it is closed. This is used by the key value store system (e.g. token pooled
# memcached persistence backend). (integer value)
#pool_unused_timeout = 60
# Number of seconds that an operation will wait to get a memcache client
# connection. This is used by the key value store system (e.g. token pooled
# memcached persistence backend). (integer value)
#pool_connection_get_timeout = 10
[oauth1]
#
# From keystone
#
# Entrypoint for the OAuth backend driver in the keystone.oauth1 namespace.
# (string value)
#driver = sql
# Duration (in seconds) for the OAuth Request Token. (integer value)
#request_token_duration = 28800
# Duration (in seconds) for the OAuth Access Token. (integer value)
#access_token_duration = 86400
[os_inherit]
#
# From keystone
#
# role-assignment inheritance to projects from owning domain or from projects
# higher in the hierarchy can be optionally disabled. In the future, this
# option will be removed and the hierarchy will be always enabled. (boolean
# value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: The option to enable the OS-INHERIT extension has been deprecated in
# the M release and will be removed in the O release. The OS-INHERIT extension
# will be enabled by default.
#enabled = true
[oslo_messaging_amqp]
#
# From oslo.messaging
#
# address prefix used when sending to a specific server (string value)
# Deprecated group/name - [amqp1]/server_request_prefix
#server_request_prefix = exclusive
# address prefix used when broadcasting to all servers (string value)
# Deprecated group/name - [amqp1]/broadcast_prefix
#broadcast_prefix = broadcast
# address prefix when sending to any server in group (string value)
# Deprecated group/name - [amqp1]/group_request_prefix
#group_request_prefix = unicast
# Name for the AMQP container (string value)
# Deprecated group/name - [amqp1]/container_name
#container_name =
# Timeout for inactive connections (in seconds) (integer value)
# Deprecated group/name - [amqp1]/idle_timeout
#idle_timeout = 0
# Debug: dump AMQP frames to stdout (boolean value)
# Deprecated group/name - [amqp1]/trace
#trace = false
# CA certificate PEM file to verify server certificate (string value)
# Deprecated group/name - [amqp1]/ssl_ca_file
#ssl_ca_file =
# Identifying certificate PEM file to present to clients (string value)
# Deprecated group/name - [amqp1]/ssl_cert_file
#ssl_cert_file =
# Private key PEM file used to sign cert_file certificate (string value)
# Deprecated group/name - [amqp1]/ssl_key_file
#ssl_key_file =
# Password for decrypting ssl_key_file (if encrypted) (string value)
# Deprecated group/name - [amqp1]/ssl_key_password
#ssl_key_password =
# Accept clients using either SSL or plain TCP (boolean value)
# Deprecated group/name - [amqp1]/allow_insecure_clients
#allow_insecure_clients = false
# Space separated list of acceptable SASL mechanisms (string value)
# Deprecated group/name - [amqp1]/sasl_mechanisms
#sasl_mechanisms =
# Path to directory that contains the SASL configuration (string value)
# Deprecated group/name - [amqp1]/sasl_config_dir
#sasl_config_dir =
# Name of configuration file (without .conf suffix) (string value)
# Deprecated group/name - [amqp1]/sasl_config_name
#sasl_config_name =
# User name for message broker authentication (string value)
# Deprecated group/name - [amqp1]/username
#username =
# Password for message broker authentication (string value)
# Deprecated group/name - [amqp1]/password
#password =
[oslo_messaging_notifications]
#
# From oslo.messaging
#
# The Drivers(s) to handle sending notifications. Possible values are
# messaging, messagingv2, routing, log, test, noop (multi valued)
# Deprecated group/name - [DEFAULT]/notification_driver
#driver =
# A URL representing the messaging driver to use for notifications. If not set,
# we fall back to the same configuration used for RPC. (string value)
# Deprecated group/name - [DEFAULT]/notification_transport_url
#transport_url =
# AMQP topic used for OpenStack notifications. (list value)
# Deprecated group/name - [rpc_notifier2]/topics
# Deprecated group/name - [DEFAULT]/notification_topics
#topics = notifications
[oslo_messaging_rabbit]
#
# From oslo.messaging
#
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_durable_queues
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
# Auto-delete queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
# distributions. (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_version
#kombu_ssl_version =
# SSL key file (valid only if SSL enabled). (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
#kombu_ssl_keyfile =
# SSL cert file (valid only if SSL enabled). (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
#kombu_ssl_certfile =
# SSL certification authority file (valid only if SSL enabled). (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs
#kombu_ssl_ca_certs =
# How long to wait before reconnecting in response to an AMQP consumer cancel
# notification. (floating point value)
# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
#kombu_reconnect_delay = 1.0
# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
# be used. This option may notbe available in future versions. (string value)
#kombu_compression =
# How long to wait a missing client beforce abandoning to send it its replies.
# This value should not be longer than rpc_response_timeout. (integer value)
# Deprecated group/name - [DEFAULT]/kombu_reconnect_timeout
#kombu_missing_consumer_retry_timeout = 60
# Determines how the next RabbitMQ node is chosen in case the one we are
# currently connected to becomes unavailable. Takes effect only if more than
# one RabbitMQ node is provided in config. (string value)
# Allowed values: round-robin, shuffle
#kombu_failover_strategy = round-robin
# The RabbitMQ broker address where a single node is used. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_host
#rabbit_host = localhost
# The RabbitMQ broker port where a single node is used. (port value)
# Minimum value: 0
# Maximum value: 65535
# Deprecated group/name - [DEFAULT]/rabbit_port
#rabbit_port = 5672
# RabbitMQ HA cluster host:port pairs. (list value)
# Deprecated group/name - [DEFAULT]/rabbit_hosts
#rabbit_hosts = $rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_use_ssl
#rabbit_use_ssl = false
# The RabbitMQ userid. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_userid
#rabbit_userid = guest
# The RabbitMQ password. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_password
#rabbit_password = guest
# The RabbitMQ login method. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_login_method
#rabbit_login_method = AMQPLAIN
# The RabbitMQ virtual host. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_virtual_host
#rabbit_virtual_host = /
# How frequently to retry connecting with RabbitMQ. (integer value)
#rabbit_retry_interval = 1
# How long to backoff for between retries when connecting to RabbitMQ. (integer
# value)
# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
#rabbit_retry_backoff = 2
# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
# (integer value)
#rabbit_interval_max = 30
# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry
# count). (integer value)
# Deprecated group/name - [DEFAULT]/rabbit_max_retries
#rabbit_max_retries = 0
# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
# is no longer controlled by the x-ha-policy argument when declaring a queue.
# If you just want to make sure that all queues (except those with auto-
# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
#rabbit_ha_queues = false
# Positive integer representing duration in seconds for queue TTL (x-expires).
# Queues which are unused for the duration of the TTL are automatically
# deleted. The parameter affects only reply and fanout queues. (integer value)
# Minimum value: 1
#rabbit_transient_queues_ttl = 1800
# Specifies the number of messages to prefetch. Setting to zero allows
# unlimited messages. (integer value)
#rabbit_qos_prefetch_count = 0
# Number of seconds after which the Rabbit broker is considered down if
# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
# value)
#heartbeat_timeout_threshold = 60
# How often times during the heartbeat_timeout_threshold we check the
# heartbeat. (integer value)
#heartbeat_rate = 2
# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
# Deprecated group/name - [DEFAULT]/fake_rabbit
#fake_rabbit = false
# Maximum number of channels to allow (integer value)
#channel_max =
# The maximum byte size for an AMQP frame (integer value)
#frame_max =
# How often to send heartbeats for consumer's connections (integer value)
#heartbeat_interval = 1
# Enable SSL (boolean value)
#ssl =
# Arguments passed to ssl.wrap_socket (dict value)
#ssl_options =
# Set socket timeout in seconds for connection's socket (floating point value)
#socket_timeout = 0.25
# Set TCP_USER_TIMEOUT in seconds for connection's socket (floating point
# value)
#tcp_user_timeout = 0.25
# Set delay for reconnection to some host which has connection error (floating
# point value)
#host_connection_reconnect_delay = 0.25
# Maximum number of connections to keep queued. (integer value)
#pool_max_size = 10
# Maximum number of connections to create above `pool_max_size`. (integer
# value)
#pool_max_overflow = 0
# Default number of seconds to wait for a connections to available (integer
# value)
#pool_timeout = 30
# Lifetime of a connection (since creation) in seconds or None for no
# recycling. Expired connections are closed on acquire. (integer value)
#pool_recycle = 600
# Threshold at which inactive (since release) connections are considered stale
# in seconds or None for no staleness. Stale connections are closed on acquire.
# (integer value)
#pool_stale = 60
# Persist notification messages. (boolean value)
#notification_persistence = false
# Exchange name for for sending notifications (string value)
#default_notification_exchange = ${control_exchange}_notification
# Max number of not acknowledged message which RabbitMQ can send to
# notification listener. (integer value)
#notification_listener_prefetch_count = 100
# Reconnecting retry count in case of connectivity problem during sending
# notification, -1 means infinite retry. (integer value)
#default_notification_retry_attempts = -1
# Reconnecting retry delay in case of connectivity problem during sending
# notification message (floating point value)
#notification_retry_delay = 0.25
# Time to live for rpc queues without consumers in seconds. (integer value)
#rpc_queue_expiration = 60
# Exchange name for sending RPC messages (string value)
#default_rpc_exchange = ${control_exchange}_rpc
# Exchange name for receiving RPC replies (string value)
#rpc_reply_exchange = ${control_exchange}_rpc_reply
# Max number of not acknowledged message which RabbitMQ can send to rpc
# listener. (integer value)
#rpc_listener_prefetch_count = 100
# Max number of not acknowledged message which RabbitMQ can send to rpc reply
# listener. (integer value)
#rpc_reply_listener_prefetch_count = 100
# Reconnecting retry count in case of connectivity problem during sending
# reply. -1 means infinite retry during rpc_timeout (integer value)
#rpc_reply_retry_attempts = -1
# Reconnecting retry delay in case of connectivity problem during sending
# reply. (floating point value)
#rpc_reply_retry_delay = 0.25
# Reconnecting retry count in case of connectivity problem during sending RPC
# message, -1 means infinite retry. If actual retry attempts in not 0 the rpc
# request could be processed more then one time (integer value)
#default_rpc_retry_attempts = -1
# Reconnecting retry delay in case of connectivity problem during sending RPC
# message (floating point value)
#rpc_retry_delay = 0.25
[oslo_middleware]
#
# From oslo.middleware
#
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
#max_request_body_size = 114688
# The HTTP Header that will be used to determine what the original request
# protocol scheme was, even if it was hidden by an SSL termination proxy.
# (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#secure_proxy_ssl_header = X-Forwarded-Proto
[oslo_policy]
#
# From oslo.policy
#
# The JSON file that defines policies. (string value)
# Deprecated group/name - [DEFAULT]/policy_file
#policy_file = policy.json
# Default rule. Enforced when a requested rule is not found. (string value)
# Deprecated group/name - [DEFAULT]/policy_default_rule
#policy_default_rule = default
# Directories where policy configuration files are stored. They can be relative
# to any directory in the search path defined by the config_dir option, or
# absolute paths. The file defined by policy_file must exist for these
# directories to be searched. Missing or empty directories are ignored. (multi
# valued)
# Deprecated group/name - [DEFAULT]/policy_dirs
#policy_dirs = policy.d
[paste_deploy]
#
# From keystone
#
# Name of the paste configuration file that defines the available pipelines.
# (string value)
#config_file = keystone-paste.ini
[policy]
#
# From keystone
#
# Entrypoint for the policy backend driver in the keystone.policy namespace.
# Supplied drivers are rules and sql. (string value)
#driver = sql
# Maximum number of entities that will be returned in a policy collection.
# (integer value)
#list_limit =
[resource]
#
# From keystone
#
# Entrypoint for the resource backend driver in the keystone.resource
# namespace. Only an SQL driver is supplied. If a resource driver is not
# specified, the assignment driver will choose the resource driver. (string
# value)
#driver =
# Toggle for resource caching. This has no effect unless global caching is
# enabled. (boolean value)
# Deprecated group/name - [assignment]/caching
#caching = true
# TTL (in seconds) to cache resource data. This has no effect unless global
# caching is enabled. (integer value)
# Deprecated group/name - [assignment]/cache_time
#cache_time =
# Maximum number of entities that will be returned in a resource collection.
# (integer value)
# Deprecated group/name - [assignment]/list_limit
#list_limit =
# Name of the domain that owns the `admin_project_name`. Defaults to None.
# (string value)
#admin_project_domain_name =
# Special project for performing administrative operations on remote services.
# Tokens scoped to this project will contain the key/value
# `is_admin_project=true`. Defaults to None. (string value)
#admin_project_name =
# Whether the names of projects are restricted from containing url reserved
# characters. If set to new, attempts to create or update a project with a url
# unsafe name will return an error. In addition, if set to strict, attempts to
# scope a token using an unsafe project name will return an error. (string
# value)
# Allowed values: off, new, strict
#project_name_url_safe = off
# Whether the names of domains are restricted from containing url reserved
# characters. If set to new, attempts to create or update a domain with a url
# unsafe name will return an error. In addition, if set to strict, attempts to
# scope a token using a domain name which is unsafe will return an error.
# (string value)
# Allowed values: off, new, strict
#domain_name_url_safe = off
[revoke]
#
# From keystone
#
# Entrypoint for an implementation of the backend for persisting revocation
# events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
# (string value)
#driver = sql
# This value (calculated in seconds) is added to token expiration before a
# revocation event may be removed from the backend. (integer value)
#expiration_buffer = 1800
# Toggle for revocation event caching. This has no effect unless global caching
# is enabled. (boolean value)
#caching = true
# Time to cache the revocation list and the revocation events (in seconds).
# This has no effect unless global and token caching are enabled. (integer
# value)
# Deprecated group/name - [token]/revocation_cache_time
#cache_time = 3600
[role]
#
# From keystone
#
# Entrypoint for the role backend driver in the keystone.role namespace.
# Supplied drivers are ldap and sql. (string value)
#driver =
# Toggle for role caching. This has no effect unless global caching is enabled.
# (boolean value)
#caching = true
# TTL (in seconds) to cache role data. This has no effect unless global caching
# is enabled. (integer value)
#cache_time =
# Maximum number of entities that will be returned in a role collection.
# (integer value)
#list_limit =
[saml]
#
# From keystone
#
# Default TTL, in seconds, for any generated SAML assertion created by
# Keystone. (integer value)
#assertion_expiration_time = 3600
# Binary to be called for XML signing. Install the appropriate package, specify
# absolute path or adjust your PATH environment variable if the binary cannot
# be found. (string value)
#xmlsec1_binary = xmlsec1
# Path of the certfile for SAML signing. For non-production environments, you
# may be interested in using `keystone-manage pki_setup` to generate self-
# signed certificates. Note, the path cannot contain a comma. (string value)
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
# (string value)
#keyfile = /etc/keystone/ssl/private/signing_key.pem
# Entity ID value for unique Identity Provider identification. Usually FQDN is
# set with a suffix. A value is required to generate IDP Metadata. For example:
# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value)
#idp_entity_id =
# Identity Provider Single-Sign-On service value, required in the Identity
# Provider's metadata. A value is required to generate IDP Metadata. For
# example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string
# value)
#idp_sso_endpoint =
# Language used by the organization. (string value)
#idp_lang = en
# Organization name the installation belongs to. (string value)
#idp_organization_name =
# Organization name to be displayed. (string value)
#idp_organization_display_name =
# URL of the organization. (string value)
#idp_organization_url =
# Company of contact person. (string value)
#idp_contact_company =
# Given name of contact person (string value)
#idp_contact_name =
# Surname of contact person. (string value)
#idp_contact_surname =
# Email address of contact person. (string value)
#idp_contact_email =
# Telephone number of contact person. (string value)
#idp_contact_telephone =
# The contact type describing the main point of contact for the identity
# provider. (string value)
# Allowed values: technical, support, administrative, billing, other
#idp_contact_type = other
# Path to the Identity Provider Metadata file. This file should be generated
# with the keystone-manage saml_idp_metadata command. (string value)
#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
# The prefix to use for the RelayState SAML attribute, used when generating ECP
# wrapped assertions. (string value)
#relay_state_prefix = ss:mem:
[shadow_users]
#
# From keystone
#
# Entrypoint for the shadow users backend driver in the
# keystone.identity.shadow_users namespace. (string value)
#driver = sql
[signing]
#
# From keystone
#
# Path of the certfile for token signing. For non-production environments, you
# may be interested in using `keystone-manage pki_setup` to generate self-
# signed certificates. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for token signing. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#keyfile = /etc/keystone/ssl/private/signing_key.pem
# Path of the CA for token signing. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Path of the CA key for token signing. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#ca_key = /etc/keystone/ssl/private/cakey.pem
# Key size (in bits) for token signing cert (auto generated certificate).
# (integer value)
# Minimum value: 1024
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#key_size = 2048
# Days the token signing cert is valid for (auto generated certificate).
# (integer value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#valid_days = 3650
# Certificate subject (auto generated certificate) for token signing. (string
# value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
[ssl]
#
# From keystone
#
# Path of the CA key file for SSL. (string value)
#ca_key = /etc/keystone/ssl/private/cakey.pem
# SSL key length (in bits) (auto generated certificate). (integer value)
# Minimum value: 1024
#key_size = 1024
# Days the certificate is valid for once signed (auto generated certificate).
# (integer value)
#valid_days = 3650
# SSL certificate subject (auto generated certificate). (string value)
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
[token]
#
# From keystone
#
# External auth mechanisms that should add bind information to token, e.g.,
# kerberos,x509. (list value)
#bind =
# Enforcement policy on tokens presented to Keystone with bind information. One
# of disabled, permissive, strict, required or a specifically required bind
# mode, e.g., kerberos or x509 to require binding to that authentication.
# (string value)
#enforce_token_bind = permissive
# Amount of time a token should remain valid (in seconds). (integer value)
#expiration = 3600
# Controls the token construction, validation, and revocation operations.
# Entrypoint in the keystone.token.provider namespace. Core providers are
# [fernet|pkiz|pki|uuid]. (string value)
#provider = uuid
# Entrypoint for the token persistence backend driver in the
# keystone.token.persistence namespace. Supplied drivers are kvs, memcache,
# memcache_pool, and sql. (string value)
#driver = sql
# Toggle for token system caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# Time to cache tokens (in seconds). This has no effect unless global and token
# caching are enabled. (integer value)
#cache_time =
# Revoke token by token identifier. Setting revoke_by_id to true enables
# various forms of enumerating tokens, e.g. `list tokens for user`. These
# enumerations are processed to determine the list of tokens to revoke. Only
# disable if you are switching to using the Revoke extension with a backend
# other than KVS, which stores events in memory. (boolean value)
#revoke_by_id = true
# Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false
# prevents a user from exchanging a scoped token for any other token. (boolean
# value)
#allow_rescope_scoped_token = true
# The hash algorithm to use for PKI tokens. This can be set to any algorithm
# that hashlib supports. WARNING: Before changing this value, the auth_token
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: PKI token support has been deprecated in the M release and will be
# removed in the O release. Fernet or UUID tokens are recommended.
#hash_algorithm = md5
# Add roles to token that are not explicitly added, but that are linked
# implicitly to other roles. (boolean value)
#infer_roles = true
[tokenless_auth]
#
# From keystone
#
# The list of trusted issuers to further filter the certificates that are
# allowed to participate in the X.509 tokenless authorization. If the option is
# absent then no certificates will be allowed. The naming format for the
# attributes of a Distinguished Name(DN) must be separated by a comma and
# contain no spaces. This configuration option may be repeated for multiple
# values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack
# trusted_issuer=CN=mary,OU=eng,O=abc (multi valued)
#trusted_issuer =
# The protocol name for the X.509 tokenless authorization along with the option
# issuer_attribute below can look up its corresponding mapping. (string value)
#protocol = x509
# The issuer attribute that is served as an IdP ID for the X.509 tokenless
# authorization along with the protocol to look up its corresponding mapping.
# It is the environment variable in the WSGI environment that references to the
# issuer of the client certificate. (string value)
#issuer_attribute = SSL_CLIENT_I_DN
[trust]
#
# From keystone
#
# Delegation and impersonation features can be optionally disabled. (boolean
# value)
#enabled = true
# Enable redelegation feature. (boolean value)
#allow_redelegation = false
# Maximum depth of trust redelegation. (integer value)
#max_redelegation_count = 3
# Entrypoint for the trust backend driver in the keystone.trust namespace.
# (string value)
#driver = sql
�������������������������������������������������������������������������������������������������������������������keystone-9.0.0/babel.cfg����������������������������������������������������������������������������0000664�0005670�0005671�00000000020�12701407102�016232� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[python: **.py]
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/.coveragerc��������������������������������������������������������������������������0000664�0005670�0005671�00000000135�12701407102�016634� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[run]
branch = True
source = keystone
omit = keystone/tests/*
[report]
ignore_errors = True
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/config-generator/��������������������������������������������������������������������0000775�0005670�0005671�00000000000�12701407246�017756� 5����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/config-generator/keystone.conf�������������������������������������������������������0000664�0005670�0005671�00000000662�12701407102�022461� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[DEFAULT]
output_file = etc/keystone.conf.sample
wrap_width = 79
namespace = keystone
namespace = keystone.notifications
namespace = oslo.cache
namespace = oslo.log
namespace = oslo.messaging
namespace = oslo.policy
namespace = oslo.db
namespace = oslo.middleware
namespace = oslo.service.service
# We don't use oslo.concurrency config options in
# keystone now, just in case it slips through unnoticed.
#namespace = oslo.concurrency
������������������������������������������������������������������������������keystone-9.0.0/setup.cfg����������������������������������������������������������������������������0000664�0005670�0005671�00000014250�12701407246�016350� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[metadata]
name = keystone
summary = OpenStack Identity
description-file =
README.rst
author = OpenStack
author-email = openstack-dev@lists.openstack.org
home-page = http://docs.openstack.org/developer/keystone/
classifier =
Environment :: OpenStack
Intended Audience :: Information Technology
Intended Audience :: System Administrators
License :: OSI Approved :: Apache Software License
Operating System :: POSIX :: Linux
Programming Language :: Python
Programming Language :: Python :: 2
Programming Language :: Python :: 2.7
[files]
packages =
keystone
[extras]
ldap =
python-ldap>=2.4:python_version=='2.7' # PSF
ldappool>=1.0:python_version=='2.7' # MPL
memcache =
python-memcached>=1.56 # PSF
mongodb =
pymongo!=3.1,>=3.0.2 # Apache-2.0
bandit =
bandit>=0.17.3 # Apache-2.0
[global]
setup-hooks =
pbr.hooks.setup_hook
[egg_info]
tag_build =
tag_date = 0
tag_svn_revision = 0
[build_sphinx]
all_files = 1
build-dir = doc/build
source-dir = doc/source
[compile_catalog]
directory = keystone/locale
domain = keystone
[update_catalog]
domain = keystone
output_dir = keystone/locale
input_file = keystone/locale/keystone.pot
[extract_messages]
keywords = _ gettext ngettext l_ lazy_gettext
mapping_file = babel.cfg
output_file = keystone/locale/keystone.pot
copyright_holder = OpenStack Foundation
msgid_bugs_address = https://bugs.launchpad.net/keystone
[pbr]
warnerrors = True
autodoc_tree_index_modules = True
[entry_points]
console_scripts =
keystone-all = keystone.cmd.all:main
keystone-manage = keystone.cmd.manage:main
wsgi_scripts =
keystone-wsgi-admin = keystone.server.wsgi:initialize_admin_application
keystone-wsgi-public = keystone.server.wsgi:initialize_public_application
keystone.assignment =
sql = keystone.assignment.backends.sql:Assignment
keystone.auth.external =
default = keystone.auth.plugins.external:DefaultDomain
DefaultDomain = keystone.auth.plugins.external:DefaultDomain
Domain = keystone.auth.plugins.external:Domain
keystone.auth.kerberos =
default = keystone.auth.plugins.external:KerberosDomain
keystone.auth.oauth1 =
default = keystone.auth.plugins.oauth1:OAuth
keystone.auth.openid =
default = keystone.auth.plugins.mapped:Mapped
keystone.auth.password =
default = keystone.auth.plugins.password:Password
keystone.auth.saml2 =
default = keystone.auth.plugins.mapped:Mapped
keystone.auth.token =
default = keystone.auth.plugins.token:Token
keystone.auth.totp =
default = keystone.auth.plugins.totp:TOTP
keystone.auth.x509 =
default = keystone.auth.plugins.mapped:Mapped
keystone.catalog =
sql = keystone.catalog.backends.sql:Catalog
templated = keystone.catalog.backends.templated:Catalog
endpoint_filter.sql = keystone.contrib.endpoint_filter.backends.catalog_sql:EndpointFilterCatalog
keystone.credential =
sql = keystone.credential.backends.sql:Credential
keystone.identity =
ldap = keystone.identity.backends.ldap:Identity
sql = keystone.identity.backends.sql:Identity
keystone.identity.id_generator =
sha256 = keystone.identity.id_generators.sha256:Generator
keystone.identity.id_mapping =
sql = keystone.identity.mapping_backends.sql:Mapping
keystone.identity.shadow_users =
sql = keystone.identity.shadow_backends.sql:ShadowUsers
keystone.policy =
rules = keystone.policy.backends.rules:Policy
sql = keystone.policy.backends.sql:Policy
keystone.resource =
sql = keystone.resource.backends.sql:Resource
keystone.resource.domain_config =
sql = keystone.resource.config_backends.sql:DomainConfig
keystone.role =
sql = keystone.assignment.role_backends.sql:Role
keystone.token.persistence =
kvs = keystone.token.persistence.backends.kvs:Token
memcache = keystone.token.persistence.backends.memcache:Token
memcache_pool = keystone.token.persistence.backends.memcache_pool:Token
sql = keystone.token.persistence.backends.sql:Token
keystone.token.provider =
fernet = keystone.token.providers.fernet:Provider
uuid = keystone.token.providers.uuid:Provider
pki = keystone.token.providers.pki:Provider
pkiz = keystone.token.providers.pkiz:Provider
keystone.trust =
sql = keystone.trust.backends.sql:Trust
keystone.endpoint_filter =
sql = keystone.catalog.backends.sql:Catalog
keystone.endpoint_policy =
sql = keystone.endpoint_policy.backends.sql:EndpointPolicy
keystone.federation =
sql = keystone.federation.backends.sql:Federation
keystone.oauth1 =
sql = keystone.oauth1.backends.sql:OAuth1
keystone.revoke =
sql = keystone.revoke.backends.sql:Revoke
oslo.config.opts =
keystone = keystone.common.config:list_opts
keystone.notifications = keystone.notifications:list_opts
oslo.config.opts.defaults =
keystone = keystone.common.config:set_middleware_defaults
paste.filter_factory =
admin_token_auth = keystone.middleware:AdminTokenAuthMiddleware.factory
build_auth_context = keystone.middleware:AuthContextMiddleware.factory
crud_extension = keystone.contrib.admin_crud:CrudExtension.factory
debug = oslo_middleware:Debug.factory
endpoint_filter_extension = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
ec2_extension = keystone.contrib.ec2:Ec2Extension.factory
ec2_extension_v3 = keystone.contrib.ec2:Ec2ExtensionV3.factory
federation_extension = keystone.contrib.federation.routers:FederationExtension.factory
json_body = keystone.middleware:JsonBodyMiddleware.factory
oauth1_extension = keystone.contrib.oauth1.routers:OAuth1Extension.factory
request_id = oslo_middleware:RequestId.factory
revoke_extension = keystone.contrib.revoke.routers:RevokeExtension.factory
s3_extension = keystone.contrib.s3:S3Extension.factory
simple_cert_extension = keystone.contrib.simple_cert:SimpleCertExtension.factory
sizelimit = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
token_auth = keystone.middleware:TokenAuthMiddleware.factory
url_normalize = keystone.middleware:NormalizingFilter.factory
user_crud_extension = keystone.contrib.user_crud:CrudExtension.factory
paste.app_factory =
admin_service = keystone.version.service:admin_app_factory
admin_version_service = keystone.version.service:admin_version_app_factory
public_service = keystone.version.service:public_app_factory
public_version_service = keystone.version.service:public_version_app_factory
service_v3 = keystone.version.service:v3_app_factory
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/tools/�������������������������������������������������������������������������������0000775�0005670�0005671�00000000000�12701407246�015665� 5����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/tools/pretty_tox.sh������������������������������������������������������������������0000775�0005670�0005671�00000000506�12701407102�020435� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env bash
set -o pipefail
TESTRARGS=$1
python setup.py testr --testr-args="--subunit $TESTRARGS" | subunit-trace -f
retval=$?
# NOTE(mtreinish) The pipe above would eat the slowest display from pbr's testr
# wrapper so just manually print the slowest tests.
echo -e "\nSlowest Tests:\n"
testr slowest
exit $retval
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/tools/pretty_tox_py3.sh��������������������������������������������������������������0000775�0005670�0005671�00000000647�12701407102�021236� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env bash
set -o pipefail
TESTRARGS=`python -c 'print ("^((?!%s).)*$" % "|".join(f.strip() for f in open("tests-py3-blacklist.txt")))'`
python setup.py testr --testr-args="--subunit $TESTRARGS" | subunit-trace -f
retval=$?
# NOTE(mtreinish) The pipe above would eat the slowest display from pbr's testr
# wrapper so just manually print the slowest tests.
echo -e "\nSlowest Tests:\n"
testr slowest
exit $retval
�����������������������������������������������������������������������������������������keystone-9.0.0/tools/sample_data.sh�����������������������������������������������������������������0000775�0005670�0005671�00000022567�12701407105�020504� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env bash
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Sample initial data for Keystone using python-openstackclient
#
# This script is based on the original DevStack keystone_data.sh script.
#
# It demonstrates how to bootstrap Keystone with an administrative user
# using the OS_TOKEN and OS_URL environment variables and the administrative
# API. It will get the admin_token (OS_TOKEN) and admin_port from
# keystone.conf if available.
#
# Disable creation of endpoints by setting DISABLE_ENDPOINTS environment variable.
# Use this with the Catalog Templated backend.
#
# A EC2-compatible credential is created for the admin user and
# placed in etc/ec2rc.
#
# Tenant User Roles
# -------------------------------------------------------
# demo admin admin
# service glance service
# service nova service
# service ec2 service
# service swift service
# service neutron service
# By default, passwords used are those in the OpenStack Install and Deploy Manual.
# One can override these (publicly known, and hence, insecure) passwords by setting the appropriate
# environment variables. A common default password for all the services can be used by
# setting the "SERVICE_PASSWORD" environment variable.
# Test to verify that the openstackclient is installed, if not exit
type openstack >/dev/null 2>&1 || {
echo >&2 "openstackclient is not installed. Please install it to use this script. Aborting."
exit 1
}
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
NOVA_PASSWORD=${NOVA_PASSWORD:-${SERVICE_PASSWORD:-nova}}
GLANCE_PASSWORD=${GLANCE_PASSWORD:-${SERVICE_PASSWORD:-glance}}
EC2_PASSWORD=${EC2_PASSWORD:-${SERVICE_PASSWORD:-ec2}}
SWIFT_PASSWORD=${SWIFT_PASSWORD:-${SERVICE_PASSWORD:-swiftpass}}
NEUTRON_PASSWORD=${NEUTRON_PASSWORD:-${SERVICE_PASSWORD:-neutron}}
CONTROLLER_PUBLIC_ADDRESS=${CONTROLLER_PUBLIC_ADDRESS:-localhost}
CONTROLLER_ADMIN_ADDRESS=${CONTROLLER_ADMIN_ADDRESS:-localhost}
CONTROLLER_INTERNAL_ADDRESS=${CONTROLLER_INTERNAL_ADDRESS:-localhost}
TOOLS_DIR=$(cd $(dirname "$0") && pwd)
KEYSTONE_CONF=${KEYSTONE_CONF:-/etc/keystone/keystone.conf}
if [[ -r "$KEYSTONE_CONF" ]]; then
EC2RC="$(dirname "$KEYSTONE_CONF")/ec2rc"
elif [[ -r "$TOOLS_DIR/../etc/keystone.conf" ]]; then
# assume git checkout
KEYSTONE_CONF="$TOOLS_DIR/../etc/keystone.conf"
EC2RC="$TOOLS_DIR/../etc/ec2rc"
else
KEYSTONE_CONF=""
EC2RC="ec2rc"
fi
# Extract some info from Keystone's configuration file
if [[ -r "$KEYSTONE_CONF" ]]; then
CONFIG_SERVICE_TOKEN=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^admin_token= | cut -d'=' -f2)
if [[ -z "${CONFIG_SERVICE_TOKEN}" ]]; then
# default config options are commented out, so lets try those
CONFIG_SERVICE_TOKEN=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^\#admin_token= | cut -d'=' -f2)
fi
CONFIG_ADMIN_PORT=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^admin_port= | cut -d'=' -f2)
if [[ -z "${CONFIG_ADMIN_PORT}" ]]; then
# default config options are commented out, so lets try those
CONFIG_ADMIN_PORT=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^\#admin_port= | cut -d'=' -f2)
fi
fi
export OS_TOKEN=${OS_TOKEN:-$CONFIG_SERVICE_TOKEN}
if [[ -z "$OS_TOKEN" ]]; then
echo "No service token found."
echo "Set OS_TOKEN manually from keystone.conf admin_token."
exit 1
fi
export OS_URL=${OS_URL:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}
function get_id () {
echo `"$@" | grep ' id ' | awk '{print $4}'`
}
#
# Roles
#
openstack role create admin
openstack role create service
#
# Default tenant
#
openstack project create demo \
--description "Default Tenant"
openstack user create admin --project demo \
--password "${ADMIN_PASSWORD}"
openstack role add --user admin \
--project demo\
admin
#
# Service tenant
#
openstack project create service \
--description "Service Tenant"
openstack user create glance --project service\
--password "${GLANCE_PASSWORD}"
openstack role add --user glance \
--project service \
service
openstack user create nova --project service\
--password "${NOVA_PASSWORD}"
openstack role add --user nova \
--project service \
service
openstack user create ec2 --project service \
--password "${EC2_PASSWORD}"
openstack role add --user ec2 \
--project service \
service
openstack user create swift --project service \
--password "${SWIFT_PASSWORD}" \
openstack role add --user swift \
--project service \
service
openstack user create neutron --project service \
--password "${NEUTRON_PASSWORD}" \
openstack role add --user neutron \
--project service \
service
#
# Keystone service
#
openstack service create --name keystone \
--description "Keystone Identity Service" \
identity
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(public_port)s/v2.0" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(admin_port)s/v2.0" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0" \
keystone
fi
#
# Nova service
#
openstack service create --name=nova \
--description="Nova Compute Service" \
compute
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8774/v2/\$(tenant_id)s" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8774/v2/\$(tenant_id)s" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8774/v2/\$(tenant_id)s" \
nova
fi
#
# Volume service
#
openstack service create --name=volume \
--description="Cinder Volume Service" \
volume
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8776/v1/\$(tenant_id)s" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8776/v1/\$(tenant_id)s" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s" \
volume
fi
#
# Image service
#
openstack service create --name=glance \
--description="Glance Image Service" \
image
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9292" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9292" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292" \
glance
fi
#
# EC2 service
#
openstack service create --name=ec2 \
--description="EC2 Compatibility Layer" \
ec2
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8773/services/Cloud" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8773/services/Admin" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud" \
ec2
fi
#
# Swift service
#
openstack service create --name=swift \
--description="Swift Object Storage Service" \
object-store
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8080/v1/AUTH_\$(tenant_id)s" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8080/v1" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8080/v1/AUTH_\$(tenant_id)s" \
swift
fi
#
# Neutron service
#
openstack service create --name=neutron \
--description="Neutron Network Service" \
network
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
openstack endpoint create --region RegionOne \
--publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9696" \
--adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9696" \
--internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9696" \
neutron
fi
# create ec2 creds and parse the secret and access key returned
ADMIN_USER=$(get_id openstack user show admin)
RESULT=$(openstack ec2 credentials create --project service --user $ADMIN_USER)
ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`
# write the secret and access to ec2rc
cat > $EC2RC <`_.
This is usually the best place to ask questions and find your way around. IRC
stands for Internet Relay Chat and it is a way to chat online in real time.
You can also ask a question and come back to the log files to read the answer
later. Logs for the #openstack IRC channels are stored at
``_.
For more information regarding OpenStack IRC channels please visit the
`OpenStack IRC Wiki `_.
OpenStack Wiki
--------------
The wiki is a living source of knowledge. It is edited by the community, and
has collections of links and other sources of information. Typically the pages
are a good place to write drafts for specs or documentation, describe a
blueprint, or collaborate with others.
`OpenStack Wiki `_
* `useful Keystone project links `_
Keystone on Launchpad
---------------------
Launchpad is a code hosting that OpenStack is using to track bugs, feature
work, and releases of OpenStack. Like other OpenStack projects, Keystone source
code is hosted on git.openstack.org
* `Keystone Project Page on Launchpad `_
* `Keystone Source Repository `_
Within launchpad, we use
`blueprints `_, to track feature
work, and track `bugs `_ as well. If
you are looking for a place to get started contributing to keystone, please
look at any bugs for Keystone that are tagged as `low-hanging-fruit
`_.
OpenStack Blog
--------------
The OpenStack blog includes a weekly newsletter that aggregates OpenStack news
from around the internet, as well as providing inside information on upcoming
events and posts from OpenStack contributors.
`OpenStack Blog `_
See also: `Planet OpenStack `_, an aggregation of
blogs about OpenStack from around the internet, combined into a web site and
RSS feed. If you'd like to contribute with your blog posts, there are
instructions for `adding your blog `_.
Twitter
-------
Because all the cool kids do it: `@openstack `_.
Also follow the `#openstack `_
tag for relevant tweets.
�����������keystone-9.0.0/doc/source/configure_federation.rst��������������������������������������������������0000664�0005670�0005671�00000034443�12701407102�023504� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������..
Licensed under the Apache License, Version 2.0 (the "License"); you may not
use this file except in compliance with the License. You may obtain a copy
of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
===================================
Configuring Keystone for Federation
===================================
-----------
Definitions
-----------
* `Service Provider (SP)`: provides a service to an end-user.
* `Identity Provider (IdP)`: service that stores information about users and
groups.
* `SAML assertion`: contains information about a user as provided by an IdP.
-----------------------------------
Keystone as a Service Provider (SP)
-----------------------------------
.. NOTE::
This feature is considered stable and supported as of the Juno release.
Prerequisites
-------------
This approach to federation supports keystone as a Service Provider, consuming
identity properties issued by an external Identity Provider, such as SAML
assertions or OpenID Connect claims.
Federated users are not mirrored in the keystone identity backend
(for example, using the SQL driver). The external Identity Provider is
responsible for authenticating users, and communicates the result of
authentication to keystone using identity properties. Keystone maps these
values to keystone user groups and assignments created in keystone.
The following configuration steps were performed on a machine running
Ubuntu 12.04 and Apache 2.2.22.
To enable federation, you'll need to:
1. Run keystone under Apache, rather than using ``keystone-all``.
2. Configure Apache to use a federation capable authentication method.
3. Configure ``federation`` in keystone.
Configure Apache to use a federation capable authentication method
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There is currently support for two major federation protocols:
* SAML - Keystone supports the following implementations:
* Shibboleth - see `Setup Shibboleth`_.
* Mellon - see `Setup Mellon`_.
* OpenID Connect - see `Setup OpenID Connect`_.
.. _`Setup Shibboleth`: federation/shibboleth.html
.. _`Setup OpenID Connect`: federation/openidc.html
.. _`Setup Mellon`: federation/mellon.html
Configure keystone and Horizon for Single Sign-On
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* To configure horizon to access a federated keystone,
follow the steps outlined at: `Keystone Federation and Horizon`_.
.. _`Keystone Federation and Horizon`: federation/websso.html
Configuring Federation in Keystone
-----------------------------------
Now that the Identity Provider and keystone are communicating we can start to
configure ``federation``.
1. Configure authentication drivers in ``keystone.conf``
2. Add local keystone groups and roles
3. Add Identity Provider(s), Mapping(s), and Protocol(s)
Configure authentication drivers in ``keystone.conf``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. NOTE::
``saml2`` has been deprecated as of the Mitaka release. Support for the
``saml2`` wrapper will be removed as of the "O" release. The recommended authentication method
is ``mapped``, which supports ``saml2``.
Add the authentication methods to the ``[auth]`` section in ``keystone.conf``.
Names should be equal to protocol names added via Identity API v3. Here we use
examples ``mapped`` and ``openid``.
.. code-block:: bash
[auth]
methods = external,password,token,mapped,openid
Create keystone groups and assign roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As mentioned earlier, no new users will be added to the Identity backend, but
the Identity Service requires group-based role assignments to authorize
federated users. The federation mapping function will map the user into local
Identity Service groups objects, and hence to local role assignments.
Thus, it is required to create the necessary Identity Service groups that
correspond to the Identity Provider's groups; additionally, these groups should
be assigned roles on one or more projects or domains.
You may be interested in more information on `group management
`_
and `role assignments
`_,
both of which are exposed to the CLI via `python-openstackclient
`_.
Add Identity Provider(s), Mapping(s), and Protocol(s)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To utilize federation the following must be created in the Identity Service:
* Identity Provider
* Mapping
* Protocol
More information on ``federation in keystone`` can be found `here
`__.
~~~~~~~~~~~~~~~~~
Identity Provider
~~~~~~~~~~~~~~~~~
Create an Identity Provider object in keystone, which represents the Identity
Provider we will use to authenticate end users.
More information on identity providers can be found `here
`__.
~~~~~~~
Mapping
~~~~~~~
A mapping is a list of rules. The only Identity API objects that will support mapping are groups
and users.
Mapping adds a set of rules to map federation protocol attributes to Identity API objects.
There are many different ways to setup as well as combine these rules. More information on
rules can be found on the :doc:`mapping_combinations` page.
An Identity Provider has exactly one mapping specified per protocol.
Mapping objects can be used multiple times by different combinations of Identity Provider and Protocol.
More information on mapping can be found `here
`__.
~~~~~~~~
Protocol
~~~~~~~~
A protocol contains information that dictates which Mapping rules to use for an incoming
request made by an IdP. An IdP may have multiple supported protocols.
Add `Protocol object
`__ and specify the mapping id
you want to use with the combination of the IdP and Protocol.
Performing federated authentication
-----------------------------------
1. Authenticate externally and generate an unscoped token in keystone
2. Determine accessible resources
3. Get a scoped token
Get an unscoped token
~~~~~~~~~~~~~~~~~~~~~
Unlike other authentication methods in the Identity Service, the user does not
issue an HTTP POST request with authentication data in the request body. To
start federated authentication a user must access the dedicated URL with
Identity Provider's and Protocol's identifiers stored within a protected URL.
The URL has a format of:
``/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth``.
In this instance we follow a standard SAML2 authentication procedure, that is,
the user will be redirected to the Identity Provider's authentication webpage
and be prompted for credentials. After successfully authenticating the user
will be redirected to the Service Provider's endpoint. If using a web browser,
a token will be returned in XML format.
In the returned unscoped token, a list of Identity Service groups the user
belongs to will be included.
More information on getting an unscoped token can be found `here
`__.
~~~~~~~~~~~~
Example cURL
~~~~~~~~~~~~
Note that the request does not include a body. The following url would be
considered protected by ``mod_shib`` and Apache, as such a request made
to the URL would be redirected to the Identity Provider, to start the
SAML authentication procedure.
.. code-block:: bash
$ curl -X GET -D - http://localhost:5000/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
Determine accessible resources
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By using the previously returned token, the user can issue requests to the list
projects and domains that are accessible.
* List projects a federated user can access: ``GET /OS-FEDERATION/projects``
* List domains a federated user can access: ``GET /OS-FEDERATION/domains``
More information on listing resources can be found `here
`__.
~~~~~~~~~~~~
Example cURL
~~~~~~~~~~~~
.. code-block:: bash
$ curl -X GET -H "X-Auth-Token: " http://localhost:5000/v3/OS-FEDERATION/projects
or
.. code-block:: bash
$ curl -X GET -H "X-Auth-Token: " http://localhost:5000/v3/OS-FEDERATION/domains
Get a scoped token
~~~~~~~~~~~~~~~~~~
A federated user may request a scoped token, by using the unscoped token. A
project or domain may be specified by either ``id`` or ``name``. An ``id`` is
sufficient to uniquely identify a project or domain.
More information on getting a scoped token can be found `here
`__.
~~~~~~~~~~~~
Example cURL
~~~~~~~~~~~~
.. code-block:: bash
$ curl -X POST -H "Content-Type: application/json" -d '{"auth":{"identity":{"methods":["mapped"],"saml2":{"id":""}},"scope":{"project":{"domain": {"name": "Default"},"name":"service"}}}}' -D - http://localhost:5000/v3/auth/tokens
--------------------------------------
Keystone as an Identity Provider (IdP)
--------------------------------------
.. NOTE::
This feature is experimental and unsupported in Juno (with several issues
that will not be backported). These issues have been fixed and this feature
is considered stable and supported as of the Kilo release.
.. NOTE::
This feature requires installation of the xmlsec1 tool via your
distribution packaging system (for instance apt or yum)
Example for apt:
.. code-block:: bash
$ apt-get install xmlsec1
Configuration Options
---------------------
There are certain settings in ``keystone.conf`` that must be setup, prior to
attempting to federate multiple keystone deployments.
Within ``keystone.conf``, assign values to the ``[saml]`` related fields, for
example:
.. code-block:: ini
[saml]
certfile=/etc/keystone/ssl/certs/ca.pem
keyfile=/etc/keystone/ssl/private/cakey.pem
idp_entity_id=https://keystone.example.com/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint=https://keystone.example.com/v3/OS-FEDERATION/saml2/sso
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
Though not necessary, the follow Organization configuration options should
also be setup. It is recommended that these values be URL safe.
.. code-block:: ini
idp_organization_name=example_company
idp_organization_display_name=Example Corp.
idp_organization_url=example.com
As with the Organization options, the Contact options, are not necessary, but
it's advisable to set these values too.
.. code-block:: ini
idp_contact_company=example_company
idp_contact_name=John
idp_contact_surname=Smith
idp_contact_email=jsmith@example.com
idp_contact_telephone=555-55-5555
idp_contact_type=technical
Generate Metadata
-----------------
In order to create a trust between the IdP and SP, metadata must be exchanged.
To create metadata for your keystone IdP, run the ``keystone-manage`` command
and pipe the output to a file. For example:
.. code-block:: bash
$ keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
.. NOTE::
The file location should match the value of the configuration option
``idp_metadata_path`` that was assigned in the previous section.
Create a Service Provider (SP)
------------------------------
In this example we are creating a new Service Provider with an ID of ``BETA``,
a ``sp_url`` of ``http://beta.example.com/Shibboleth.sso/SAML2/ECP`` and a
``auth_url`` of ``http://beta.example.com:5000/v3/OS-FEDERATION/identity_providers/beta/protocols/saml2/auth``
. The ``sp_url`` will be used when creating a SAML assertion for ``BETA`` and
signed by the current keystone IdP. The ``auth_url`` is used to retrieve the
token for ``BETA`` once the SAML assertion is sent. Although the ``enabled``
field is optional we are passing it set to ``true`` otherwise it will be set to
``false`` by default.
.. code-block:: bash
$ curl -s -X PUT \
-H "X-Auth-Token: $OS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"service_provider": {"auth_url": "http://beta.example.com:5000/v3/OS-FEDERATION/identity_providers/beta/protocols/saml2/auth", "sp_url": "https://example.com:5000/Shibboleth.sso/SAML2/ECP", "enabled": true}}' \
http://localhost:5000/v3/OS-FEDERATION/service_providers/BETA | python -mjson.tool
Testing it all out
------------------
Lastly, if a scoped token and a Service Provider scope are presented to the
local keystone, the result will be a full ECP wrapped SAML Assertion,
specifically intended for the Service Provider keystone.
.. NOTE::
ECP stands for Enhanced Client or Proxy, an extension from the SAML2
protocol used in non-browser interfaces, like in the following example
with cURL.
.. code-block:: bash
$ curl -s -X POST \
-H "Content-Type: application/json" \
-d '{"auth": {"scope": {"service_provider": {"id": "BETA"}}, "identity": {"token": {"id": "d793d935b9c343f783955cf39ee7dc3c"}, "methods": ["token"]}}}' \
http://localhost:5000/v3/auth/OS-FEDERATION/saml2/ecp
.. NOTE::
Use URL http://localhost:5000/v3/auth/OS-FEDERATION/saml2 to request for
pure SAML Assertions.
At this point the ECP wrapped SAML Assertion can be sent to the Service
Provider keystone using the provided ``auth_url`` in the ``X-Auth-Url`` header
present in the response containing the Assertion, and a valid OpenStack
token, issued by a Service Provider keystone, will be returned.
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������keystone-9.0.0/doc/source/configuration.rst���������������������������������������������������������0000664�0005670�0005671�00000227663�12701407102�022202� 0����������������������������������������������������������������������������������������������������ustar �jenkins�������������������������jenkins�������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������..
Copyright 2011-2012 OpenStack Foundation
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
====================
Configuring Keystone
====================
.. toctree::
:maxdepth: 1
man/keystone-manage
man/keystone-all
Once Keystone is installed, it is configured via a primary configuration file
(``etc/keystone.conf``), a PasteDeploy configuration file
(``etc/keystone-paste.ini``), possibly a separate logging configuration file,
and initializing data into Keystone using the command line client.
By default, Keystone starts a service on `IANA-assigned port 35357
`_.
This may overlap with your system's ephemeral port range, so another process
may already be using this port without being explicitly configured to do so. To
prevent this scenario from occurring, it's recommended that you explicitly
exclude port 35357 from the available ephemeral port range. On a Linux system,
this would be accomplished by:
.. code-block:: bash
$ sysctl -w 'sys.net.ipv4.ip_local_reserved_ports=35357'
To make the above change persistent,
``net.ipv4.ip_local_reserved_ports = 35357`` should be added to
``/etc/sysctl.conf`` or to ``/etc/sysctl.d/keystone.conf``.
Starting and Stopping Keystone under Eventlet
=============================================
.. WARNING::
Running keystone under eventlet has been deprecated as of the Kilo release.
Support for utilizing eventlet will be removed as of the M-release. The
recommended deployment is to run keystone in a WSGI server such as Apache
httpd with ``mod_wsgi``.
Keystone can be run using either its built-in eventlet server or it can be run
embedded in a web server. While the eventlet server is convenient and easy to
use, it's lacking in security features that have been developed into Internet-
based web servers over the years. As such, running the eventlet server as
described in this section is not recommended.
Start Keystone services using the command:
.. code-block:: bash
$ keystone-all
Invoking this command starts up two ``wsgi.Server`` instances, ``admin`` (the
administration API) and ``main`` (the primary/public API interface). Both
services are configured to run in a single process.
.. NOTE::
The separation into ``admin`` and ``main`` interfaces is a historical
anomaly. The new V3 API provides the same interface on both the admin and
main interfaces (this can be configured in ``keystone-paste.ini``, but the
default is to have both the same). The V2.0 API provides a limited public
API (getting and validating tokens) on ``main``, and an administrative API
(which can include creating users and such) on the ``admin`` interface.
Stop the process using ``Control-C``.
.. NOTE::
If you have not already configured Keystone, it may not start as expected.
Configuration Files
===================
The Keystone configuration files are an ``ini`` file format based on Paste_, a
common system used to configure Python WSGI based applications. The PasteDeploy
configuration entries (WSGI pipeline definitions) can be provided in a separate
``keystone-paste.ini`` file, while general and driver-specific configuration
parameters are in the primary configuration file ``keystone.conf``.
.. NOTE::
Since keystone's PasteDeploy configuration file has been separated
from the main keystone configuration file, ``keystone.conf``, all
local configuration or driver-specific configuration parameters must
go in the main keystone configuration file instead of the PasteDeploy
configuration file, i.e. configuration in ``keystone-paste.ini``
is not supported.
The primary configuration file is organized into the following sections:
* ``[DEFAULT]`` - General configuration
* ``[assignment]`` - Assignment system driver configuration
* ``[auth]`` - Authentication plugin configuration
* ``[cache]`` - Caching layer configuration
* ``[catalog]`` - Service catalog driver configuration
* ``[credential]`` - Credential system driver configuration
* ``[endpoint_filter]`` - Endpoint filtering configuration
* ``[endpoint_policy]`` - Endpoint policy configuration
* ``[eventlet_server]`` - Eventlet server configuration
* ``[eventlet_server_ssl]`` - Eventlet server SSL configuration
* ``[federation]`` - Federation driver configuration
* ``[identity]`` - Identity system driver configuration
* ``[identity_mapping]`` - Identity mapping system driver configuration
* ``[kvs]`` - KVS storage backend configuration
* ``[ldap]`` - LDAP configuration options
* ``[memcache]`` - Memcache configuration options
* ``[oauth1]`` - OAuth 1.0a system driver configuration
* ``[os_inherit]`` - Inherited role assignment configuration
* ``[paste_deploy]`` - Pointer to the PasteDeploy configuration file
* ``[policy]`` - Policy system driver configuration for RBAC
* ``[resource]`` - Resource system driver configuration
* ``[revoke]`` - Revocation system driver configuration
* ``[role]`` - Role system driver configuration
* ``[saml]`` - SAML configuration options
* ``[signing]`` - Cryptographic signatures for PKI based tokens
* ``[ssl]`` - SSL certificate generation configuration
* ``[token]`` - Token driver & token provider configuration
* ``[trust]`` - Trust configuration
The Keystone primary configuration file is expected to be named
``keystone.conf``. When starting Keystone, you can specify a different
configuration file to use with ``--config-file``. If you do **not** specify a
configuration file, Keystone will look in the following directories for a
configuration file, in order:
* ``~/.keystone/``
* ``~/``
* ``/etc/keystone/``
* ``/etc/``
PasteDeploy configuration file is specified by the ``config_file`` parameter in
``[paste_deploy]`` section of the primary configuration file. If the parameter
is not an absolute path, then Keystone looks for it in the same directories as
above. If not specified, WSGI pipeline definitions are loaded from the primary
configuration file.
Domain-specific Drivers
-----------------------
Keystone supports the option (disabled by default) to specify identity driver
configurations on a domain by domain basis, allowing, for example, a specific
domain to have its own LDAP or SQL server. This is configured by specifying the
following options:
.. code-block:: ini
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
Setting ``domain_specific_drivers_enabled`` to ``True`` will enable this
feature, causing Keystone to look in the ``domain_config_dir`` for config files
of the form::
keystone..conf
Options given in the domain specific configuration file will override those in
the primary configuration file for the specified domain only. Domains without a
specific configuration file will continue to use the options from the primary
configuration file.
Keystone also supports the ability to store the domain-specific configuration
options in the keystone SQL database, managed via the Identity API, as opposed
to using domain-specific configuration files.
.. NOTE::
The ability to store and manage configuration options via the Identity API
is new and experimental in Kilo.
This capability (which is disabled by default) is enabled by specifying the
following options in the main keystone configuration file:
.. code-block:: ini
[identity]
domain_specific_drivers_enabled = true
domain_configurations_from_database = true
Once enabled, any existing domain-specific configuration files in the
configuration directory will be ignored and only those domain-specific
configuration options specified via the Identity API will be used.
Unlike the file-based method of specifying domain-specific configurations,
options specified via the Identity API will become active without needing to
restart the keystone server. For performance reasons, the current state of
configuration options for a domain are cached in the keystone server, and in
multi-process and multi-threaded keystone configurations, the new
configuration options may not become active until the cache has timed out. The
cache settings for domain config options can be adjusted in the general
keystone configuration file (option ``cache_time`` in the ``domain_config``
group).
.. NOTE::
It is important to notice that when using either of these methods of
specifying domain-specific configuration options, the main keystone
configuration file is still maintained. Only those options that relate
to the Identity driver for users and groups (i.e. specifying whether the
driver for this domain is SQL or LDAP, and, if LDAP, the options that
define that connection) are supported in a domain-specific manner. Further,
when using the configuration options via the Identity API, the driver
option must be set to an LDAP driver (attempting to set it to an SQL driver
will generate an error when it is subsequently used).
For existing installations that already use file-based domain-specific
configurations who wish to migrate to the SQL-based approach, the
``keystone-manage`` command can be used to upload all configuration files to
the SQL database:
.. code-block:: bash
$ keystone-manage domain_config_upload --all
Once uploaded, these domain-configuration options will be visible via the
Identity API as well as applied to the domain-specific drivers. It is also
possible to upload individual domain-specific configuration files by
specifying the domain name:
.. code-block:: bash
$ keystone-manage domain_config_upload --domain-name DOMAINA
.. NOTE::
It is important to notice that by enabling either of the domain-specific
configuration methods, the operations of listing all users and listing all
groups are not supported, those calls will need either a domain filter to
be specified or usage of a domain scoped token.
.. NOTE::
Keystone does not support moving the contents of a domain (i.e. "its" users
and groups) from one backend to another, nor group membership across
backend boundaries.
.. NOTE::
When using the file-based domain-specific configuration method, to delete a
domain that uses a domain specific backend, it's necessary to first disable
it, remove its specific configuration file (i.e. its corresponding
keystone..conf) and then restart the Identity server. When
managing configuration options via the Identity API, the domain can simply
be disabled and deleted via the Identity API; since any domain-specific
configuration options will automatically be removed.
.. NOTE::
Although Keystone supports multiple LDAP backends via the above
domain-specific configuration methods, it currently only supports one SQL
backend. This could be either the default driver or a single
domain-specific backend, perhaps for storing service users in a
predominantly LDAP installation.
Due to the need for user and group IDs to be unique across an OpenStack
installation and for Keystone to be able to deduce which domain and backend to
use from just a user or group ID, it dynamically builds a persistent identity
mapping table from a public ID to the actual domain, local ID (within that
backend) and entity type. The public ID is automatically generated by Keystone
when it first encounters the entity. If the local ID of the entity is from a
backend that does not guarantee to generate UUIDs, a hash algorithm will
generate a public ID for that entity, which is what will be exposed by
Keystone.
The use of a hash will ensure that if the public ID needs to be regenerated
then the same public ID will be created. This is useful if you are running
multiple keystones and want to ensure the same ID would be generated whichever
server you hit.
While Keystone will dynamically maintain the identity mapping, including
removing entries when entities are deleted via the Keystone, for those entities
in backends that are managed outside of Keystone (e.g. a Read Only LDAP),
Keystone will not know if entities have been deleted and hence will continue to
carry stale identity mappings in its table. While benign, keystone provides an
ability for operators to purge the mapping table of such stale entries using
the keystone-manage command, for example:
.. code-block:: bash
$ keystone-manage mapping_purge --domain-name DOMAINA --local-id abc@de.com
A typical usage would be for an operator to obtain a list of those entries in
an external backend that had been deleted out-of-band to Keystone, and then
call keystone-manage to purge those entries by specifying the domain and
local-id. The type of the entity (i.e. user or group) may also be specified if
this is needed to uniquely identify the mapping.
Since public IDs can be regenerated **with the correct generator
implementation**, if the details of those entries that have been deleted are
not available, then it is safe to simply bulk purge identity mappings
periodically, for example:
.. code-block:: bash
$ keystone-manage mapping_purge --domain-name DOMAINA
will purge all the mappings for DOMAINA. The entire mapping table can be purged
with the following command:
.. code-block:: bash
$ keystone-manage mapping_purge --all
Public ID Generators
--------------------
Keystone supports a customizable public ID generator and it is specified in the
``[identity_mapping]`` section of the configuration file. Keystone provides a
sha256 generator as default, which produces regeneratable public IDs. The
generator algorithm for public IDs is a balance between key size (i.e. the
length of the public ID), the probability of collision and, in some
circumstances, the security of the public ID. The maximum length of public ID
supported by Keystone is 64 characters, and the default generator (sha256) uses
this full capability. Since the public ID is what is exposed externally by
Keystone and potentially stored in external systems, some installations may
wish to make use of other generator algorithms that have a different trade-off
of attributes. A different generator can be installed by configuring the
following property:
* ``generator`` - identity mapping generator. Defaults to ``sha256``
(implemented by :class:`keystone.identity.id_generators.sha256.Generator`)
.. WARNING::
Changing the generator may cause all existing public IDs to be become
invalid, so typically the generator selection should be considered
immutable for a given installation.
Authentication Plugins
----------------------
.. NOTE::
This feature is only supported by Keystone for the Identity API v3 clients.
Keystone supports authentication plugins and they are specified in the
``[auth]`` section of the configuration file. However, an authentication plugin
may also have its own section in the configuration file. It is up to the plugin
to register its own configuration options.
* ``methods`` - comma-delimited list of authentication plugin names
* ```` - specify the class which handles to authentication method,
in the same manner as one would specify a backend driver.
Keystone provides three authentication methods by default. ``password`` handles
password authentication and ``token`` handles token authentication.
``external`` is used in conjunction with authentication performed by a
container web server that sets the ``REMOTE_USER`` environment variable. For
more details, refer to :doc:`External Authentication `.
How to Implement an Authentication Plugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All authentication plugins must extend the
:class:`keystone.auth.core.AuthMethodHandler` class and implement the
``authenticate()`` method. The ``authenticate()`` method expects the following
parameters.
* ``context`` - Keystone's request context
* ``auth_payload`` - the content of the authentication for a given method
* ``auth_context`` - user authentication context, a dictionary shared by all
plugins. It contains ``method_names`` and ``extras`` by default.
``method_names`` is a list and ``extras`` is a dictionary.
If successful, the ``authenticate()`` method must provide a valid ``user_id``
in ``auth_context`` and return ``None``. ``method_name`` is used to convey any
additional authentication methods in case authentication is for re-scoping. For
example, if the authentication is for re-scoping, a plugin must append the
previous method names into ``method_names``. Also, a plugin may add any
additional information into ``extras``. Anything in ``extras`` will be conveyed
in the token's ``extras`` field.
If authentication requires multiple steps, the ``authenticate()`` method must
return the payload in the form of a dictionary for the next authentication
step.
If authentication is unsuccessful, the ``authenticate()`` method must raise a
:class:`keystone.exception.Unauthorized` exception.
Simply add the new plugin name to the ``methods`` list along with your plugin
class configuration in the ``[auth]`` sections of the configuration file to
deploy it.
If the plugin requires additional configurations, it may register its own
section in the configuration file.
Plugins are invoked in the order in which they are specified in the ``methods``
attribute of the ``authentication`` request body. If multiple plugins are
invoked, all plugins must succeed in order to for the entire authentication to
be successful. Furthermore, all the plugins invoked must agree on the
``user_id`` in the ``auth_context``.
The ``REMOTE_USER`` environment variable is only set from a containing
webserver. However, to ensure that a user must go through other authentication
mechanisms, even if this variable is set, remove ``external`` from the list of
plugins specified in ``methods``. This effectively disables external
authentication. For more details, refer to :doc:`ExternalAuthentication
`.
Token Persistence Driver
------------------------
Keystone supports customizable token persistence drivers. These can be
specified in the ``[token]`` section of the configuration file. Keystone
provides three non-test persistence backends. These can be set with the
``[token] driver`` configuration option.
The drivers Keystone provides are:
* ``memcache_pool`` - The pooled memcached token persistence engine. This
backend supports the concept of pooled memcache client object (allowing for
the re-use of the client objects). This backend has a number of extra tunable
options in the ``[memcache]`` section of the config. Implemented by
:class:`keystone.token.persistence.backends.memcache_pool.Token`
* ``sql`` - The SQL-based (default) token persistence engine. Implemented by
:class:`keystone.token.persistence.backends.sql.Token`
* ``memcache`` - The memcached based token persistence backend. This backend
relies on ``dogpile.cache`` and stores the token data in a set of memcached
servers. The servers URLs are specified in the ``[memcache] servers``
configuration option in the Keystone config. Implemented by
:class:`keystone.token.persistence.backends.memcache.Token`
.. WARNING::
It is recommended you use the ``memcache_pool`` backend instead of
``memcache`` as the token persistence driver if you are deploying Keystone
under eventlet instead of Apache httpd with ``mod_wsgi``. This
recommendation is due to known issues with the use of ``thread.local``
under eventlet that can allow the leaking of memcache client objects and
consumption of extra sockets.
Token Provider
--------------
Keystone supports customizable token provider and it is specified in the
``[token]`` section of the configuration file. Keystone provides both UUID and
PKI token providers. However, users may register their own token provider by
configuring the following property.
* ``provider`` - token provider driver. Defaults to ``uuid``. Implemented by
:class:`keystone.token.providers.uuid.Provider`
UUID, PKI, PKIZ, or Fernet?
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Each token format uses different technologies to achieve various performance,
scaling and architectural requirements.
UUID tokens contain randomly generated UUID4 payloads that are issued and
validated by the identity service. They are encoded using their hex digest for
transport and are thus URL-friendly. They must be persisted by the identity
service in order to be later validated. Revoking them is simply a matter of
deleting them from the token persistence backend.
Both PKI and PKIZ tokens contain JSON payloads that represent the entire token
validation response that would normally be retrieved from keystone. The payload
is then signed using `Cryptographic Message Syntax (CMS)
`_. The combination
of CMS and the exhaustive payload allows PKI and PKIZ tokens to be verified
offline using keystone's public signing key. The only reason for them to be
persisted by the identity service is to later build token revocation *lists*
(explicit lists of tokens that have been revoked), otherwise they are
theoretically ephemeral when supported by token revocation *events* (which
describe invalidated tokens rather than enumerate them). PKIZ tokens add zlib
compression after signing to achieve a smaller overall token size. To make them
URL-friendly, PKI tokens are base64 encoded and then arbitrarily manipulated to
replace unsafe characters with safe ones whereas PKIZ tokens use conventional
base64url encoding. Due to the size of the payload and the overhead incurred by
the CMS format, both PKI and PKIZ tokens may be too long to fit in either
headers or URLs if they contain extensive service catalogs or other additional
attributes. Some third-party applications such as web servers and clients may
need to be recompiled from source to customize the limitations that PKI and
PKIZ tokens would otherwise exceed). Both PKI and PKIZ tokens require signing
certificates which may be created using ``keystone-manage pki_setup`` for
demonstration purposes (this is not recommended for production deployments: use
certificates issued by an trusted CA instead).
Fernet tokens contain a limited amount of identity and authorization data in a
`MessagePacked `_ payload. The payload is then wrapped as
a `Fernet `_ message for transport, where
Fernet provides the required web safe characteristics for use in URLs and
headers. Fernet tokens require symmetric encryption keys which can be
established using ``keystone-manage fernet_setup`` and periodically rotated
using ``keystone-manage fernet_rotate``.
.. WARNING::
UUID, PKI, PKIZ, and Fernet tokens are all bearer tokens, meaning that they
must be protected from unnecessary disclosure to prevent unauthorized
access.
Caching Layer
-------------
Keystone supports a caching layer that is above the configurable subsystems
(e.g. ``token``, ``identity``, etc). Keystone uses the `dogpile.cache`_ library
which allows for flexible cache backends. The majority of the caching
configuration options are set in the ``[cache]`` section. However, each section
that has the capability to be cached usually has a ``caching`` boolean value
that will toggle caching for that specific section. The current default
behavior is that subsystem caching is enabled, but the global toggle is set to
disabled.
``[cache]`` configuration section:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* ``enabled`` - enables/disables caching across all of keystone
* ``debug_cache_backend`` - enables more in-depth logging from the cache
backend (get, set, delete, etc)
* ``backend`` - the caching backend module to use e.g.
``dogpile.cache.memcached``
.. NOTE::
A given ``backend`` must be registered with ``dogpile.cache`` before it
can be used. The default backend is the ``Keystone`` no-op backend
(``keystone.common.cache.noop``). If caching is desired a different
backend will need to be specified. Current functional backends are:
* ``dogpile.cache.memcached`` - Memcached backend using the standard
`python-memcached`_ library (recommended for use with Apache httpd with
``mod_wsgi``)
* ``dogpile.cache.pylibmc`` - Memcached backend using the `pylibmc`_
library
* ``dogpile.cache.bmemcached`` - Memcached using `python-binary-memcached`_
library.
* ``dogpile.cache.redis`` - `Redis`_ backend
* ``dogpile.cache.dbm`` - local DBM file backend
* ``dogpile.cache.memory`` - in-memory cache
* ``keystone.cache.mongo`` - MongoDB as caching backend
* ``keystone.cache.memcache_pool`` - An eventlet-safe implementation of
``dogpile.cache.memcached``. This implementation also provides client
connection re-use.
.. WARNING::
``dogpile.cache.memory`` is not suitable for use outside of unit
testing as it does not cleanup its internal cache on cache
expiration, does not provide isolation to the cached data (values
in the store can be inadvertently changed without extra layers of
data protection added), and does not share cache between processes.
This means that caching and cache invalidation will not be
consistent or reliable when using ``Keystone`` and the
``dogpile.cache.memory`` backend under any real workload.
.. WARNING::
Do not use ``dogpile.cache.memcached`` backend if you are deploying
Keystone under eventlet. There are known issues with the use of
``thread.local`` under eventlet that can allow the leaking of
memcache client objects and consumption of extra sockets.
* ``expiration_time`` - int, the default length of time to cache a specific
value. A value of ``0`` indicates to not cache anything. It is recommended
that the ``enabled`` option be used to disable cache instead of setting this
to ``0``.
* ``backend_argument`` - an argument passed to the backend when instantiated
``backend_argument`` should be specified once per argument to be passed to
the backend and in the format of ``:``. e.g.:
``backend_argument = host:localhost``
* ``proxies`` - comma delimited list of `ProxyBackends`_ e.g.
``my.example.Proxy, my.example.Proxy2``
Current Keystone systems that have caching capabilities:
* ``token``
The token system has a separate ``cache_time`` configuration option,
that can be set to a value above or below the global
``expiration_time`` default, allowing for different caching behavior
from the other systems in ``Keystone``. This option is set in the
``[token]`` section of the configuration file.
The Token Revocation List cache time is handled by the configuration
option ``revocation_cache_time`` in the ``[token]`` section. The
revocation list is refreshed whenever a token is revoked. It typically
sees significantly more requests than specific token retrievals or
token validation calls.
* ``resource``
The resource system has a separate ``cache_time`` configuration option,
that can be set to a value above or below the global
``expiration_time`` default, allowing for different caching behavior
from the other systems in ``Keystone``. This option is set in the
``[resource]`` section of the configuration file.
Currently ``resource`` has caching for ``project`` and ``domain``
specific requests (primarily around the CRUD actions). The
``list_projects`` and ``list_domains`` methods are not subject to
caching.
.. WARNING::
Be aware that if a read-only ``resource`` backend is in use, the
cache will not immediately reflect changes on the back end. Any
given change may take up to the ``cache_time`` (if set in the
``[resource]`` section of the configuration) or the global
``expiration_time`` (set in the ``[cache]`` section of the
configuration) before it is reflected. If this type of delay (when
using a read-only ``resource`` backend) is an issue, it is
recommended that caching be disabled on ``resource``. To disable
caching specifically on ``resource``, in the ``[resource]`` section
of the configuration set ``caching`` to ``False``.
* ``role``
Currently ``role`` has caching for ``get_role``, but not for ``list_roles``.
The role system has a separate ``cache_time`` configuration option,
that can be set to a value above or below the global ``expiration_time``
default, allowing for different caching behavior from the other systems in
``Keystone``. This option is set in the ``[role]`` section of the
configuration file.
.. WARNING::
Be aware that if a read-only ``role`` backend is in use, the cache
will not immediately reflect changes on the back end. Any given change
may take up to the ``cache_time`` (if set in the ``[role]``
section of the configuration) or the global ``expiration_time`` (set in
the ``[cache]`` section of the configuration) before it is reflected.
If this type of delay (when using a read-only ``role`` backend) is
an issue, it is recommended that caching be disabled on ``role``.
To disable caching specifically on ``role``, in the ``[role]``
section of the configuration set ``caching`` to ``False``.
For more information about the different backends (and configuration options):
* `dogpile.cache.backends.memory`_
* `dogpile.cache.backends.memcached`_
* `dogpile.cache.backends.redis`_
* `dogpile.cache.backends.file`_
* :py:mod:`keystone.common.cache.backends.mongo`
.. _`dogpile.cache`: http://dogpilecache.readthedocs.org/en/latest/
.. _`python-memcached`: http://www.tummy.com/software/python-memcached/
.. _`pylibmc`: http://sendapatch.se/projects/pylibmc/index.html
.. _`python-binary-memcached`: https://github.com/jaysonsantos/python-binary-memcached
.. _`Redis`: http://redis.io/
.. _`dogpile.cache.backends.memory`: http://dogpilecache.readthedocs.org/en/latest/api.html#memory-backend
.. _`dogpile.cache.backends.memcached`: http://dogpilecache.readthedocs.org/en/latest/api.html#memcached-backends
.. _`dogpile.cache.backends.redis`: http://dogpilecache.readthedocs.org/en/latest/api.html#redis-backends
.. _`dogpile.cache.backends.file`: http://dogpilecache.readthedocs.org/en/latest/api.html#file-backends
.. _`ProxyBackends`: http://dogpilecache.readthedocs.org/en/latest/api.html#proxy-backends
Certificates for PKI
--------------------
PKI stands for Public Key Infrastructure. Tokens are documents,
cryptographically signed using the X509 standard. In order to work correctly
token generation requires a public/private key pair. The public key must be
signed in an X509 certificate, and the certificate used to sign it must be
available as Certificate Authority (CA) certificate. These files can be either
externally generated or generated using the ``keystone-manage`` utility.
The files used for signing and verifying certificates are set in the Keystone
configuration file. The private key should only be readable by the system user
that will run Keystone. The values that specify the certificates are under the
``[signing]`` section of the configuration file. The configuration values are:
* ``certfile`` - Location of certificate used to verify tokens. Default is
``/etc/keystone/ssl/certs/signing_cert.pem``
* ``keyfile`` - Location of private key used to sign tokens. Default is
``/etc/keystone/ssl/private/signing_key.pem``
* ``ca_certs`` - Location of certificate for the authority that issued the
above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem``
Signing Certificate Issued by External CA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You may use a signing certificate issued by an external CA instead of generated
by ``keystone-manage``. However, certificate issued by external CA must satisfy
the following conditions:
* all certificate and key files must be in Privacy Enhanced Mail (PEM) format
* private key files must not be protected by a password
The basic workflow for using a signing certificate issued by an external CA
involves:
1. `Request Signing Certificate from External CA`_
2. Convert certificate and private key to PEM if needed
3. `Install External Signing Certificate`_
Request Signing Certificate from External CA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
One way to request a signing certificate from an external CA is to first
generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI.
First create a certificate request configuration file (e.g. ``cert_req.conf``):
.. code-block:: ini
[ req ]
default_bits = 2048
default_keyfile = keystonekey.pem
default_md = default
prompt = no
distinguished_name = distinguished_name
[ distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Sunnyvale
organizationName = OpenStack
organizationalUnitName = Keystone
commonName = Keystone Signing
emailAddress = keystone@openstack.org
Then generate a CRS with OpenSSL CLI. **Do not encrypt the generated private
key. The -nodes option must be used.**
For example:
.. code-block:: bash
$ openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
If everything is successfully, you should end up with ``signing_cert_req.pem``
and ``signing_key.pem``. Send ``signing_cert_req.pem`` to your CA to request a
token signing certificate and make sure to ask the certificate to be in PEM
format. Also, make sure your trusted CA certificate chain is also in PEM
format.
Install External Signing Certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Assuming you have the following already:
* ``signing_cert.pem`` - (Keystone token) signing certificate in PEM format
* ``signing_key.pem`` - corresponding (non-encrypted) private key in PEM format
* ``cacert.pem`` - trust CA certificate chain in PEM format
Copy the above to your certificate directory. For example:
.. code-block:: bash
$ mkdir -p /etc/keystone/ssl/certs
$ cp signing_cert.pem /etc/keystone/ssl/certs/
$ cp signing_key.pem /etc/keystone/ssl/certs/
$ cp cacert.pem /etc/keystone/ssl/certs/
$ chmod -R 700 /etc/keystone/ssl/certs
**Make sure the certificate directory is root-protected.**
If your certificate directory path is different from the default
``/etc/keystone/ssl/certs``, make sure it is reflected in the ``[signing]``
section of the configuration file.
Generating a Signing Certificate using pki_setup
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
``keystone-manage pki_setup`` is a development tool. We recommend that you do
not use ``keystone-manage pki_setup`` in a production environment. In
production, an external CA should be used instead. This is because the CA
secret key should generally be kept apart from the token signing secret keys so
that a compromise of a node does not lead to an attacker being able to generate
valid signed Keystone tokens. This is a low probability attack vector, as
compromise of a Keystone service machine's filesystem security almost certainly
means the attacker will be able to gain direct access to the token backend.
When using the ``keystone-manage pki_setup`` to generate the certificates, the
following configuration options in the ``[signing]`` section are used:
* ``ca_key`` - Default is ``/etc/keystone/ssl/private/cakey.pem``
* ``key_size`` - Default is ``2048``
* ``valid_days`` - Default is ``3650``
If ``keystone-manage pki_setup`` is not used then these options don't need to
be set.
Encryption Keys for Fernet
--------------------------
``keystone-manage fernet_setup`` will attempt to create a key repository as
configured in the ``[fernet_tokens]`` section of ``keystone.conf`` and
bootstrap it with encryption keys.
A single 256-bit key is actually composed of two smaller keys: a 128-bit key
used for SHA256 HMAC signing and a 128-bit key used for AES encryption. See the
`Fernet token `_ specification for more detail.
``keystone-manage fernet_rotate`` will rotate encryption keys through the
following states:
* **Staged key**: In a key rotation, a new key is introduced into the rotation
in this state. Only one key is considered to be the *staged* key at any given
time. This key will become the *primary* during the *next* key rotation. This
key is only used to validate tokens and serves to avoid race conditions in
multi-node deployments (all nodes should recognize all *primary* keys in the
deployment at all times). In a multi-node Keystone deployment this would
allow for the *staged* key to be replicated to all Keystone nodes before
being promoted to *primary* on a single node. This prevents the case where a
*primary* key is created on one Keystone node and tokens encrypted/signed with
that new *primary* are rejected on another Keystone node because the new
*primary* doesn't exist there yet.
* **Primary key**: In a key rotation, the old *staged* key is promoted to be
the *primary*. Only one key is considered to be the *primary* key at any
given time. This is the key used to generate new tokens. This key is also
used to validate previously generated tokens.
* **Secondary keys**: In a key rotation, the old *primary* key is demoted to be
a *secondary* key. *Secondary* keys are only used to validate previously
generated tokens. You can maintain any number of *secondary* keys, up to
``[fernet_tokens] max_active_keys`` (where "active" refers to the sum of all
recognized keys in any state: *staged*, *primary* or *secondary*). When
``max_active_keys`` is exceeded during a key rotation, the oldest keys are
discarded.
When a new primary key is created, all new tokens will be encrypted using the
new primary key. The old primary key is demoted to a secondary key, which can
still be used for validating tokens. Excess secondary keys (beyond
``[fernet_tokens] max_active_keys``) are revoked. Revoked keys are permanently
deleted.
Rotating keys too frequently, or with ``[fernet_tokens] max_active_keys`` set
too low, will cause tokens to become invalid prior to their expiration.
Service Catalog
---------------
Keystone provides two configuration options for your service catalog.
SQL-based Service Catalog (``sql.Catalog``)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
A dynamic database-backed driver fully supporting persistent configuration.
``keystone.conf`` example:
.. code-block:: ini
[catalog]
driver = sql
.. NOTE::
A `template_file` does not need to be defined for the sql.Catalog driver.
To build your service catalog using this driver, see the built-in help:
.. code-block:: bash
$ openstack --help
$ openstack help service create
$ openstack help endpoint create
You can also refer to `an example in Keystone (tools/sample_data.sh)
`_.
File-based Service Catalog (``templated.Catalog``)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The templated catalog is an in-memory backend initialized from a read-only
``template_file``. Choose this option only if you know that your service
catalog will not change very much over time.
.. NOTE::
Attempting to change your service catalog against this driver will result
in ``HTTP 501 Not Implemented`` errors. This is the expected behavior. If
you want to use these commands, you must instead use the SQL-based Service
Catalog driver.
``keystone.conf`` example:
.. code-block:: ini
[catalog]
driver = templated
template_file = /opt/stack/keystone/etc/default_catalog.templates
The value of ``template_file`` is expected to be an absolute path to your
service catalog configuration. An example ``template_file`` is included in
Keystone, however you should create your own to reflect your deployment.
Another such example is `available in devstack
(files/default_catalog.templates)
`_.
Endpoint Filtering enables creation of ad-hoc catalogs for each project-scoped
token request.
Configure the endpoint filter catalog driver in the ``[catalog]`` section.
For example:
.. code-block:: ini
[catalog]
driver = catalog_sql
In the ``[endpoint_filter]`` section, set ``return_all_endpoints_if_no_filter``
to ``False`` to return an empty catalog if no associations are made.
For example:
.. code-block:: ini
[endpoint_filter]
return_all_endpoints_if_no_filter = False
See `API Specification for Endpoint Filtering `_ for
the details of API definition.
.. NOTE:: Support status for Endpoint Filtering
*Experimental* (Icehouse, Juno)
*Stable* (Kilo)
Logging
-------
Logging is configured externally to the rest of Keystone. Configure the path to
your logging configuration file using the ``[DEFAULT] log_config_append``
option of ``keystone.conf``. If you wish to route all your logging through
syslog, set the ``[DEFAULT] use_syslog`` option.
A sample ``log_config_append`` file is included with the project at
``etc/logging.conf.sample``. Like other OpenStack projects, Keystone uses the
`Python logging module`_, which includes extensive configuration options for
choosing the output levels and formats.
.. _Paste: http://pythonpaste.org/
.. _`Python logging module`: http://docs.python.org/library/logging.html
SSL
---
Keystone may be configured to support SSL and 2-way SSL out-of-the-box. The
X509 certificates used by Keystone can be generated by ``keystone-manage``
or obtained externally and configured for use with Keystone as described in
this section. Here is the description of each of them and their purpose:
.. WARNING::
The SSL configuration options available to the eventlet server
(``keystone-all``) described here are severely limited. A secure
deployment should have Keystone running in a web server (such as Apache
httpd), or behind an SSL terminator. When running Keystone in a web server
or behind an SSL terminator the options described in this section have no
effect and SSL is configured in the web server or SSL terminator.
Types of certificates
^^^^^^^^^^^^^^^^^^^^^
* ``cacert.pem``: Certificate Authority chain to validate against.
* ``ssl_cert.pem``: Public certificate for Keystone server.
* ``middleware.pem``: Public and private certificate for Keystone
middleware/client.
* ``cakey.pem``: Private key for the CA.
* ``ssl_key.pem``: Private key for the Keystone server.
Note that you may choose whatever names you want for these certificates, or
combine the public/private keys in the same file if you wish. These
certificates are just provided as an example.
Configuration
^^^^^^^^^^^^^
To enable SSL modify the ``etc/keystone.conf`` file under the ``[ssl]`` and
``[eventlet_server_ssl]`` sections. The following is an SSL configuration
example using the included sample certificates:
.. code-block:: ini
[eventlet_server_ssl]
enable = True
certfile =
keyfile =
ca_certs =
cert_required = False
[ssl]
ca_key =
key_size = 1024
valid_days=3650
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
* ``enable``: True enables SSL. Defaults to False.
* ``certfile``: Path to Keystone public certificate file.
* ``keyfile``: Path to Keystone private certificate file. If the private key is
included in the certfile, the keyfile may be omitted.
* ``ca_certs``: Path to CA trust chain.
* ``cert_required``: Requires client certificate. Defaults to False.
When generating SSL certificates the following values are read
* ``key_size``: Key size to create. Defaults to 1024.
* ``valid_days``: How long the certificate is valid for. Defaults to 3650
(10 years).
* ``ca_key``: The private key for the CA. Defaults to
``/etc/keystone/ssl/certs/cakey.pem``.
* ``cert_subject``: The subject to set in the certificate. Defaults to
``/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost``. When setting the subject it
is important to set CN to be the address of the server so client validation
will succeed. This generally means having the subject be at least
``/CN=``
Generating SSL certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Certificates for encrypted HTTP communication can be generated by:
.. code-block:: bash
$ keystone-manage ssl_setup
This will create a private key, a public key and a certificate that will be
used to encrypt communications with keystone. In the event that a Certificate
Authority is not given a testing one will be created.
It is likely in a production environment that these certificates will be
created and provided externally. Note that ``ssl_setup`` is a development tool
and is only recommended for developments environment. We do not recommend using
``ssl_setup`` for production environments.
User CRUD additions for the V2.0 API
------------------------------------
For the V2.0 API, Keystone provides an additional capability that allows users
to use a HTTP PATCH to change their own password.
Each user can then change their own password with a HTTP PATCH :
.. code-block:: bash
$ curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/ -H "Content-type: application/json" \
-H "X_Auth_Token: " -d '{"user": {"password": "ABCD", "original_password": "DCBA"}}'
In addition to changing their password all of the user's current tokens will be
revoked.
Inherited Role Assignments
--------------------------
Keystone provides an optional capability to assign roles on a project or domain
that, rather than affect the project or domain itself, are instead inherited to
the project subtree or to all projects owned by that domain. This capability is
enabled by default, but can be disabled by including the following in
``keystone.conf``:
.. code-block:: ini
[os_inherit]
enabled = False
Endpoint Policy
---------------
The Endpoint Policy feature provides associations between service endpoints
and policies that are already stored in the Identity server and referenced
by a policy ID.
Configure the endpoint policy backend driver in the ``[endpoint_policy]``
section. For example:
.. code-block:: ini
[endpoint_policy]
driver = sql
See `API Specification for Endpoint Policy `_
for the details of API definition.
.. NOTE:: Support status for Endpoint Policy
*Experimental* (Juno)
*Stable* (Kilo)
OAuth1 1.0a
-----------
The OAuth 1.0a feature provides the ability for Identity users to delegate
roles to third party consumers via the OAuth 1.0a specification.
To enable OAuth1:
1. Add the oauth1 driver to the ``[oauth1]`` section in ``keystone.conf``. For
example:
.. code-block:: ini
[oauth1]
driver = sql
2. Add the ``oauth1`` authentication method to the ``[auth]`` section in
``keystone.conf``:
.. code-block:: ini
[auth]
methods = external,password,token,oauth1
3. If deploying under Apache httpd with ``mod_wsgi``, set the
`WSGIPassAuthorization` to allow the OAuth Authorization headers to pass
through `mod_wsgi`. For example, add the following to the keystone virtual
host file:
.. code-block:: ini
WSGIPassAuthorization On
See `API Specification for OAuth 1.0a `_ for the details of
API definition.
.. NOTE:: Support status for OAuth 1.0a
*Experimental* (Havana, Icehouse)
*Stable* (Juno)
Revocation Events
-----------------
The Revocation Events feature provides a list of token revocations. Each event
expresses a set of criteria which describes a set of tokens that are
no longer valid.
Add the revoke backend driver to the ``[revoke]`` section in
``keystone.conf``. For example:
.. code-block:: ini
[revoke]
driver = sql
See `API Specification for Revocation Events `_ for
the details of API definition.
.. NOTE:: Support status for Revocation Events
*Experimental* (Juno)
*Stable* (Kilo)
Token Binding
-------------
Token binding refers to the practice of embedding information from external
authentication providers (like a company's Kerberos server) inside the token
such that a client may enforce that the token only be used in conjunction with
that specified authentication. This is an additional security mechanism as it
means that if a token is stolen it will not be usable without also providing
the external authentication.
To activate token binding you must specify the types of authentication that
token binding should be used for in ``keystone.conf`` e.g.:
.. code-block:: ini
[token]
bind = kerberos
Currently only ``kerberos`` is supported.
To enforce checking of token binding the ``enforce_token_bind`` parameter
should be set to one of the following modes:
* ``disabled`` disable token bind checking
* ``permissive`` enable bind checking, if a token is bound to a mechanism that
is unknown to the server then ignore it. This is the default.
* ``strict`` enable bind checking, if a token is bound to a mechanism that is
unknown to the server then this token should be rejected.
* ``required`` enable bind checking and require that at least 1 bind mechanism
is used for tokens.
* named enable bind checking and require that the specified authentication
mechanism is used. e.g.:
.. code-block:: ini
[token]
enforce_token_bind = kerberos
*Do not* set ``enforce_token_bind = named`` as there is not an authentication
mechanism called ``named``.
Limiting the number of entities returned in a collection
--------------------------------------------------------
Keystone provides a method of setting a limit to the number of entities
returned in a collection, which is useful to prevent overly long response times
for list queries that have not specified a sufficiently narrow filter. This
limit can be set globally by setting ``list_limit`` in the default section of
``keystone.conf``, with no limit set by default. Individual driver sections may
override this global value with a specific limit, for example:
.. code-block:: ini
[resource]
list_limit = 100
If a response to ``list_{entity}`` call has been truncated, then the response
status code will still be 200 (OK), but the ``truncated`` attribute in the
collection will be set to ``true``.
URL safe naming of projects and domains
---------------------------------------
In the future, keystone may offer the ability to identify a project in a
hierarchy via a URL style of naming from the root of the hierarchy (for example
specifying 'projectA/projectB/projectC' as the project name in an
authentication request). In order to prepare for this, keystone supports the
optional ability to ensure both projects and domains are named without
including any of the reserverd characters specified in section 2.2 of
`rfc3986 `_.
The safety of the names of projects and domains can be controlled via two
configuration options:
.. code-block:: ini
[resource]
project_name_url_safe = off
domain_name_url_safe = off
When set to ``off`` (which is the default), no checking is done on the URL
safeness of names. When set to ``new``, an attempt to create a new project or
domain with an unsafe name (or update the name of a project or domain to be
unsafe) will cause a status code of 400 (Bad Request) to be returned. Setting
the configuration option to ``strict`` will, in addition to preventing the
creation and updating of entities with unsafe names, cause an authentication
attempt which specifies a project or domain name that is unsafe to return a
status code of 401 (Unauthorized).
It is recommended that installations take the steps necessary to where they
can run with both options set to ``strict`` as soon as is practical.
Sample Configuration Files
--------------------------
The ``etc/`` folder distributed with Keystone contains example configuration
files for each Server application.
* ``etc/keystone.conf.sample``
* ``etc/keystone-paste.ini``
* ``etc/logging.conf.sample``
* ``etc/default_catalog.templates``
* ``etc/sso_callback_template.html``
.. _`API protection with RBAC`:
Keystone API protection with Role Based Access Control (RBAC)
=============================================================
Like most OpenStack projects, Keystone supports the protection of its APIs by
defining policy rules based on an RBAC approach. These are stored in a JSON
policy file, the name and location of which is set in the main Keystone
configuration file.
Each Keystone v3 API has a line in the policy file which dictates what level of
protection is applied to it, where each line is of the form::
: or
where:
```` can contain ```` or ````
```` is a set of identifiers that must match between the token
provided by the caller of the API and the parameters or target entities of the
API call in question. For example:
.. code-block:: javascript
"identity:create_user": "role:admin and domain_id:%(user.domain_id)s"
Indicates that to create a user you must have the admin role in your token and
in addition the domain_id in your token (which implies this must be a domain
scoped token) must match the domain_id in the user object you are trying to
create. In other words, you must have the admin role on the domain in which you
are creating the user, and the token you are using must be scoped to that
domain.
Each component of a match statement is of the form::
: or
The following attributes are available
* Attributes from token: user_id, the domain_id or project_id depending on
the scope, and the list of roles you have within that scope
* Attributes related to API call: Any parameters that are passed into the API
call are available, along with any filters specified in the query string.
Attributes of objects passed can be referenced using an object.attribute
syntax (e.g. user.domain_id). The target objects of an API are also available
using a target.object.attribute syntax. For instance:
.. code-block:: javascript
"identity:delete_user": "role:admin and domain_id:%(target.user.domain_id)s"
would ensure that the user object that is being deleted is in the same
domain as the token provided.
Every target object (except token) has an `id` and a `name` available as
`target.