Login - OpenStack Dashboard

From cebd39fd76f2957a9f702f62206f4c1f22828cf8 Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:20:59 +0100 Subject: [PATCH 01/18] Add files via upload added the compose file and configurations for deployment --- conf_conductor/iotronic.conf | 102 ++ conf_keystone/keystone.conf | 2715 ++++++++++++++++++++++++++++++++++ conf_mysql/99-openstack.conf | 13 + conf_ui/local_settings.py | 916 ++++++++++++ conf_wagent/iotronic.conf | 96 ++ docker-compose.yml | 393 +++++ 6 files changed, 4235 insertions(+) create mode 100644 conf_conductor/iotronic.conf create mode 100644 conf_keystone/keystone.conf create mode 100644 conf_mysql/99-openstack.conf create mode 100644 conf_ui/local_settings.py create mode 100644 conf_wagent/iotronic.conf create mode 100644 docker-compose.yml diff --git a/conf_conductor/iotronic.conf b/conf_conductor/iotronic.conf new file mode 100644 index 0000000..30371a1 --- /dev/null +++ b/conf_conductor/iotronic.conf @@ -0,0 +1,102 @@ +[DEFAULT] +transport_url = rabbit://openstack:unime@rabbitmq + +debug=True +log_file = /var/log/iotronic/iotronic-conductor.log +proxy=nginx + + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[conductor] +service_port_min=50000 +service_port_max=50100 + +[wamp] +wamp_transport_url = ws://iotronic-wagent:8181/ +wamp_realm = s4t +#skip_cert_verify= False +register_agent = True + + + +[database] +connection = mysql+pymysql://iotronic:unime@iotronic-db/iotronic + +[keystone_authtoken] +www_authenticate_uri = http://keystone:5000 +auth_url = http://keystone:5000 +auth_plugin = password +auth_type = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = unime + + +[neutron] +auth_url = http://controller:5000 +url = http://controller:9696 +auth_strategy = password +auth_type = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = NEUTRON_PASS +retries = 3 +project_domain_id= default + + +[designate] +auth_url = http://controller:5000 +url = http://controller:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = designate +password = password +retries = 3 +project_domain_id= default + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user +# credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. +# Defaults to HTTP Simple Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer +# value) +#max_age = 3600 + +# Indicate which methods can be used during the actual +# request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the +# actual request. (list value) +#allow_headers = diff --git a/conf_keystone/keystone.conf b/conf_keystone/keystone.conf new file mode 100644 index 0000000..01e3d6f --- /dev/null +++ b/conf_keystone/keystone.conf @@ -0,0 +1,2715 @@ +[DEFAULT] +debug = True +#log_config = /etc/keystone/logging.conf +log_dir = /var/log/keystone + +# +# From keystone +# + +# Using this feature is *NOT* recommended. Instead, use the `keystone-manage +# bootstrap` command. The value of this option is treated as a "shared secret" +# that can be used to bootstrap Keystone through the API. This "token" does not +# represent a user (it has no identity), and carries no explicit authorization +# (it effectively bypasses most authorization checks). If set to `None`, the +# value is ignored and the `admin_token` middleware is effectively disabled. +# (string value) +#admin_token = + +# The base public endpoint URL for Keystone that is advertised to clients +# (NOTE: this does NOT affect how Keystone listens for connections). Defaults +# to the base host URL of the request. For example, if keystone receives a +# request to `http://server:5000/v3/users`, then this will option will be +# automatically treated as `http://server:5000`. You should only need to set +# option if either the value of the base URL contains a path that keystone does +# not automatically infer (`/prefix/v3`), or if the endpoint should be found on +# a different host. (uri value) +#public_endpoint = + +# DEPRECATED: The base admin endpoint URL for Keystone that is advertised to +# clients (NOTE: this does NOT affect how Keystone listens for connections). +# Defaults to the base host URL of the request. For example, if keystone +# receives a request to `http://server:35357/v3/users`, then this will option +# will be automatically treated as `http://server:35357`. You should only need +# to set option if either the value of the base URL contains a path that +# keystone does not automatically infer (`/prefix/v3`), or if the endpoint +# should be found on a different host. (uri value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. +# Reason: With the removal of the 2.0 API keystone does not distinguish between +# admin and public endpoints. +#admin_endpoint = + +# Maximum depth of the project hierarchy, excluding the project acting as a +# domain at the top of the hierarchy. WARNING: Setting it to a large value may +# adversely impact performance. (integer value) +#max_project_tree_depth = 5 + +# Limit the sizes of user & project ID/names. (integer value) +#max_param_size = 64 + +# Similar to `[DEFAULT] max_param_size`, but provides an exception for token +# values. With Fernet tokens, this can be set as low as 255. With UUID tokens, +# this should be set to 32). (integer value) +#max_token_size = 255 + +# The maximum number of entities that will be returned in a collection. This +# global limit may be then overridden for a specific driver, by specifying a +# list_limit in the appropriate section (for example, `[assignment]`). No limit +# is set by default. In larger deployments, it is recommended that you set this +# to a reasonable number to prevent operations like listing all users and +# projects from placing an unnecessary load on the system. (integer value) +#list_limit = + +# If set to true, strict password length checking is performed for password +# manipulation. If a password exceeds the maximum length, the operation will +# fail with an HTTP 403 Forbidden error. If set to false, passwords are +# automatically truncated to the maximum length. (boolean value) +#strict_password_check = false + +# If set to true, then the server will return information in HTTP responses +# that may allow an unauthenticated or authenticated user to get more +# information than normal, such as additional details about why authentication +# failed. This may be useful for debugging but is insecure. (boolean value) +#insecure_debug = false + +# Default `publisher_id` for outgoing notifications. If left undefined, +# Keystone will default to using the server's host name. (string value) +#default_publisher_id = + +# Define the notification format for identity service events. A `basic` +# notification only has information about the resource being operated on. A +# `cadf` notification has the same information, as well as information about +# the initiator of the event. The `cadf` option is entirely backwards +# compatible with the `basic` option, but is fully CADF-compliant, and is +# recommended for auditing use cases. (string value) +# Possible values: +# basic - +# cadf - +#notification_format = cadf + +# You can reduce the number of notifications keystone emits by explicitly +# opting out. Keystone will not emit notifications that match the patterns +# expressed in this list. Values are expected to be in the form of +# `identity..`. By default, all notifications related +# to authentication are automatically suppressed. This field can be set +# multiple times in order to opt-out of multiple notification topics. For +# example, the following suppresses notifications describing user creation or +# successful authentication events: notification_opt_out=identity.user.create +# notification_opt_out=identity.authenticate.success (multi valued) +#notification_opt_out = identity.authenticate.success +#notification_opt_out = identity.authenticate.pending +#notification_opt_out = identity.authenticate.failed + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, log-date-format). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol +# which includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is setto "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when +# the service was started) is used when scheduling the next rotation. (string +# value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. (integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message +# is DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG +# or empty string. Logs with level greater or equal to rate_limit_except_level +# are not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# +# From oslo.messaging +# + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size = 30 + +# The pool size limit for connections expiration policy (integer value) +#conn_pool_min_size = 2 + +# The time-to-live in sec of idle connections in the pool (integer value) +#conn_pool_ttl = 1200 + +# Size of executor thread pool when executor is threading or eventlet. (integer +# value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# The network address and optional user credentials for connecting to the +# messaging backend, in URL format. The expected format is: +# +# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query +# +# Example: rabbit://rabbitmq:password@127.0.0.1:5672// +# +# For full details on the fields in the URL see the documentation of +# oslo_messaging.TransportURL at +# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html +# (string value) +#transport_url = rabbit:// + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = keystone + + +[access_rules_config] + +# +# From keystone +# + +# Entry point for the access rules config backend driver in the +# `keystone.access_rules_config` namespace. Keystone only provides a `json` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = json + +# Toggle for access rules caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache access rule data in seconds. This has no effect unless global +# caching is enabled. (integer value) +#cache_time = + +# Path to access rules configuration. If not present, no access rule +# configuration will be loaded and application credential access rules will be +# unavailable. (string value) +#rules_file = /etc/keystone/access_rules.json + +# Toggles permissive mode for access rules. When enabled, application +# credentials can be created with any access rules regardless of operator's +# configuration. (boolean value) +#permissive = false + + +[application_credential] + +# +# From keystone +# + +# Entry point for the application credential backend driver in the +# `keystone.application_credential` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for application credential caching. This has no effect unless global +# caching is enabled. (boolean value) +#caching = true + +# Time to cache application credential data in seconds. This has no effect +# unless global caching is enabled. (integer value) +#cache_time = + +# Maximum number of application credentials a user is permitted to create. A +# value of -1 means unlimited. If a limit is not set, users are permitted to +# create application credentials at will, which could lead to bloat in the +# keystone database or open keystone to a DoS attack. (integer value) +#user_limit = -1 + + +[assignment] + +# +# From keystone +# + +# Entry point for the assignment backend driver (where role assignments are +# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied +# by keystone itself. Unless you are writing proprietary drivers for keystone, +# you do not need to set this option. (string value) +#driver = sql + +# A list of role names which are prohibited from being an implied role. (list +# value) +#prohibited_implied_role = admin + + +[auth] + +# +# From keystone +# + +# Allowed authentication methods. Note: You should disable the `external` auth +# method if you are currently using federation. External auth and federation +# both use the REMOTE_USER variable. Since both the mapped and external plugin +# are being invoked to validate attributes in the request environment, it can +# cause conflicts. (list value) +#methods = external,password,token,oauth1,mapped,application_credential + +# Entry point for the password auth plugin module in the +# `keystone.auth.password` namespace. You do not need to set this unless you +# are overriding keystone's own password authentication plugin. (string value) +#password = + +# Entry point for the token auth plugin module in the `keystone.auth.token` +# namespace. You do not need to set this unless you are overriding keystone's +# own token authentication plugin. (string value) +#token = + +# Entry point for the external (`REMOTE_USER`) auth plugin module in the +# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and +# `Domain`. The default driver is `DefaultDomain`, which assumes that all users +# identified by the username specified to keystone in the `REMOTE_USER` +# variable exist within the context of the default domain. The `Domain` option +# expects an additional environment variable be presented to keystone, +# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if +# `REMOTE_DOMAIN` is not set, then the default domain will be used instead). +# You do not need to set this unless you are taking advantage of "external +# authentication", where the application server (such as Apache) is handling +# authentication instead of keystone. (string value) +#external = + +# Entry point for the OAuth 1.0a auth plugin module in the +# `keystone.auth.oauth1` namespace. You do not need to set this unless you are +# overriding keystone's own `oauth1` authentication plugin. (string value) +#oauth1 = + +# Entry point for the mapped auth plugin module in the `keystone.auth.mapped` +# namespace. You do not need to set this unless you are overriding keystone's +# own `mapped` authentication plugin. (string value) +#mapped = + +# Entry point for the application_credential auth plugin module in the +# `keystone.auth.application_credential` namespace. You do not need to set this +# unless you are overriding keystone's own `application_credential` +# authentication plugin. (string value) +#application_credential = + + +[cache] + +# +# From oslo.cache +# + +# Prefix for building the configuration dictionary for the cache region. This +# should not need to be changed unless there is another dogpile.cache region +# with the same configuration name. (string value) +#config_prefix = cache.oslo + +# Default TTL, in seconds, for any cached item in the dogpile.cache region. +# This applies to any cached method that doesn't have an explicit cache +# expiration time defined for it. (integer value) +#expiration_time = 600 + +# Cache backend module. For eventlet-based or environments with hundreds of +# threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is +# recommended. For environments with less than 100 threaded servers, Memcached +# (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test +# environments with a single instance of the server can use the +# dogpile.cache.memory backend. (string value) +# Possible values: +# oslo_cache.memcache_pool - +# oslo_cache.dict - +# oslo_cache.mongo - +# oslo_cache.etcd3gw - +# dogpile.cache.memcached - +# dogpile.cache.pylibmc - +# dogpile.cache.bmemcached - +# dogpile.cache.dbm - +# dogpile.cache.redis - +# dogpile.cache.memory - +# dogpile.cache.memory_pickle - +# dogpile.cache.null - +#backend = dogpile.cache.null + +# Arguments supplied to the backend module. Specify this option once per +# argument to be passed to the dogpile.cache backend. Example format: +# ":". (multi valued) +#backend_argument = + +# Proxy classes to import that will affect the way the dogpile.cache backend +# functions. See the dogpile.cache documentation on changing-backend-behavior. +# (list value) +#proxies = + +# Global toggle for caching. (boolean value) +#enabled = true + +# Extra debugging from the cache backend (cache keys, get/set/delete/etc +# calls). This is only really useful if you need to see the specific cache- +# backend get/set/delete calls with the keys/values. Typically this should be +# left set to false. (boolean value) +#debug_cache_backend = false + +# Memcache servers in the format of "host:port". (dogpile.cache.memcache and +# oslo_cache.memcache_pool backends only). (list value) +#memcache_servers = localhost:11211 + +# Number of seconds memcached server is considered dead before it is tried +# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only). +# (integer value) +#memcache_dead_retry = 300 + +# Timeout in seconds for every call to a server. (dogpile.cache.memcache and +# oslo_cache.memcache_pool backends only). (floating point value) +#memcache_socket_timeout = 3.0 + +# Max total number of open connections to every memcached server. +# (oslo_cache.memcache_pool backend only). (integer value) +#memcache_pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. (oslo_cache.memcache_pool backend only). (integer value) +#memcache_pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. (integer value) +#memcache_pool_connection_get_timeout = 10 + + +[catalog] + +# +# From keystone +# + +# Absolute path to the file used for the templated catalog backend. This option +# is only used if the `[catalog] driver` is set to `templated`. (string value) +#template_file = default_catalog.templates + +# Entry point for the catalog driver in the `keystone.catalog` namespace. +# Keystone provides a `sql` option (which supports basic CRUD operations +# through SQL), a `templated` option (which loads the catalog from a templated +# catalog file on disk), and a `endpoint_filter.sql` option (which supports +# arbitrary service catalogs per project). (string value) +#driver = sql + +# Toggle for catalog caching. This has no effect unless global caching is +# enabled. In a typical deployment, there is no reason to disable this. +# (boolean value) +#caching = true + +# Time to cache catalog data (in seconds). This has no effect unless global and +# catalog caching are both enabled. Catalog data (services, endpoints, etc.) +# typically does not change frequently, and so a longer duration than the +# global default may be desirable. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a catalog collection. +# There is typically no reason to set this, as it would be unusual for a +# deployment to have enough services or endpoints to exceed a reasonable limit. +# (integer value) +#list_limit = + + +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,Openstack-Auth-Receipt + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,PUT,POST,DELETE,PATCH + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name,Openstack-Auth-Receipt + + +[credential] + +# +# From keystone +# + +# Entry point for the credential backend driver in the `keystone.credential` +# namespace. Keystone only provides a `sql` driver, so there's no reason to +# change this unless you are providing a custom entry point. (string value) +#driver = sql + +# Entry point for credential encryption and decryption operations in the +# `keystone.credential.provider` namespace. Keystone only provides a `fernet` +# driver, so there's no reason to change this unless you are providing a custom +# entry point to encrypt and decrypt credentials. (string value) +#provider = fernet + +# Directory containing Fernet keys used to encrypt and decrypt credentials +# stored in the credential backend. Fernet keys used to encrypt credentials +# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets +# of keys should be managed separately and require different rotation policies. +# Do not share this repository with the repository used to manage keys for +# Fernet tokens. (string value) +#key_repository = /etc/keystone/credential-keys/ + + +[database] +connection = mysql+pymysql://keystone:unime@iotronic-db/keystone + +# +# From oslo.db +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Connections which have been present in the connection pool longer than this +# number of seconds will be replaced with a new one the next time they are +# checked out from the pool. (integer value) +# Deprecated group/name - [DATABASE]/idle_timeout +# Deprecated group/name - [database]/idle_timeout +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#connection_recycle_time = 3600 + +# DEPRECATED: Minimum number of SQL connections to keep open in a pool. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: The option to set the minimum pool size is not supported by +# sqlalchemy. +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of +# 0 indicates no limit. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + +# Optional URL parameters to append onto the connection URL at connect time; +# specify as param1=value1¶m2=value2&... (string value) +#connection_parameters = + + +[domain_config] + +# +# From keystone +# + +# Entry point for the domain-specific configuration driver in the +# `keystone.resource.domain_config` namespace. Only a `sql` option is provided +# by keystone, so there is no reason to set this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for caching of the domain-specific configuration backend. This has no +# effect unless global caching is enabled. There is normally no reason to +# disable this. (boolean value) +#caching = true + +# Time-to-live (TTL, in seconds) to cache domain-specific configuration data. +# This has no effect unless `[domain_config] caching` is enabled. (integer +# value) +#cache_time = 300 + + +[endpoint_filter] + +# +# From keystone +# + +# Entry point for the endpoint filter driver in the `keystone.endpoint_filter` +# namespace. Only a `sql` option is provided by keystone, so there is no reason +# to set this unless you are providing a custom entry point. (string value) +#driver = sql + +# This controls keystone's behavior if the configured endpoint filters do not +# result in any endpoints for a user + project pair (and therefore a +# potentially empty service catalog). If set to true, keystone will return the +# entire service catalog. If set to false, keystone will return an empty +# service catalog. (boolean value) +#return_all_endpoints_if_no_filter = true + + +[endpoint_policy] + +# +# From keystone +# + +# Entry point for the endpoint policy driver in the `keystone.endpoint_policy` +# namespace. Only a `sql` driver is provided by keystone, so there is no reason +# to set this unless you are providing a custom entry point. (string value) +#driver = sql + + +[eventlet_server] + +# +# From keystone +# + +# DEPRECATED: The IP address of the network interface for the public service to +# listen on. (host address value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/public_bind_host +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#public_bind_host = 0.0.0.0 + +# DEPRECATED: The port number for the public service to listen on. (port value) +# Minimum value: 0 +# Maximum value: 65535 +# Deprecated group/name - [DEFAULT]/public_port +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#public_port = 5000 + +# DEPRECATED: The IP address of the network interface for the admin service to +# listen on. (host address value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/admin_bind_host +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#admin_bind_host = 0.0.0.0 + +# DEPRECATED: The port number for the admin service to listen on. (port value) +# Minimum value: 0 +# Maximum value: 65535 +# Deprecated group/name - [DEFAULT]/admin_port +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#admin_port = 35357 + + +[extra_headers] +Distribution = Ubuntu + +# +# From keystone +# + +# Specifies the distribution of the keystone server. (string value) +#Distribution = Ubuntu + + +[federation] + +# +# From keystone +# + +# Entry point for the federation backend driver in the `keystone.federation` +# namespace. Keystone only provides a `sql` driver, so there is no reason to +# set this option unless you are providing a custom entry point. (string value) +#driver = sql + +# Prefix to use when filtering environment variable names for federated +# assertions. Matched variables are passed into the federated mapping engine. +# (string value) +#assertion_prefix = + +# Value to be used to obtain the entity ID of the Identity Provider from the +# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For +# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, +# this could be `MELLON_IDP`. (string value) +#remote_id_attribute = + +# An arbitrary domain name that is reserved to allow federated ephemeral users +# to have a domain concept. Note that an admin will not be able to create a +# domain with this name or update an existing domain to this name. You are not +# advised to change this value unless you really have to. (string value) +#federated_domain_name = Federated + +# A list of trusted dashboard hosts. Before accepting a Single Sign-On request +# to return a token, the origin host must be a member of this list. This +# configuration option may be repeated for multiple values. You must set this +# in order to use web-based SSO flows. For example: +# trusted_dashboard=https://acme.example.com/auth/websso +# trusted_dashboard=https://beta.example.com/auth/websso (multi valued) +#trusted_dashboard = + +# Absolute path to an HTML file used as a Single Sign-On callback handler. This +# page is expected to redirect the user from keystone back to a trusted +# dashboard host, by form encoding a token in a POST request. Keystone's +# default value should be sufficient for most deployments. (string value) +#sso_callback_template = /etc/keystone/sso_callback_template.html + +# Toggle for federation caching. This has no effect unless global caching is +# enabled. There is typically no reason to disable this. (boolean value) +#caching = true + + +[fernet_receipts] + +# +# From keystone +# + +# Directory containing Fernet receipt keys. This directory must exist before +# using `keystone-manage fernet_setup` for the first time, must be writable by +# the user running `keystone-manage fernet_setup` or `keystone-manage +# fernet_rotate`, and of course must be readable by keystone's server process. +# The repository may contain keys in one of three states: a single staged key +# (always index 0) used for receipt validation, a single primary key (always +# the highest index) used for receipt creation and validation, and any number +# of secondary keys (all other index values) used for receipt validation. With +# multiple keystone nodes, each node must share the same key repository +# contents, with the exception of the staged key (index 0). It is safe to run +# `keystone-manage fernet_rotate` once on any one node to promote a staged key +# (index 0) to be the new primary (incremented from the previous highest +# index), and produce a new staged key (a new key with index 0); the resulting +# repository can then be atomically replicated to other nodes without any risk +# of race conditions (for example, it is safe to run `keystone-manage +# fernet_rotate` on host A, wait any amount of time, create a tarball of the +# directory on host A, unpack it on host B to a temporary location, and +# atomically move (`mv`) the directory into place on host B). Running +# `keystone-manage fernet_rotate` *twice* on a key repository without syncing +# other nodes will result in receipts that can not be validated by all nodes. +# (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by `keystone-manage +# fernet_rotate` before they are discarded. The default value of 3 means that +# keystone will maintain one staged key (always index 0), one primary key (the +# highest numerical index), and one secondary key (every other index). +# Increasing this value means that additional secondary keys will be kept in +# the rotation. (integer value) +# Minimum value: 1 +#max_active_keys = 3 + + +[fernet_tokens] + +# +# From keystone +# + +# Directory containing Fernet token keys. This directory must exist before +# using `keystone-manage fernet_setup` for the first time, must be writable by +# the user running `keystone-manage fernet_setup` or `keystone-manage +# fernet_rotate`, and of course must be readable by keystone's server process. +# The repository may contain keys in one of three states: a single staged key +# (always index 0) used for token validation, a single primary key (always the +# highest index) used for token creation and validation, and any number of +# secondary keys (all other index values) used for token validation. With +# multiple keystone nodes, each node must share the same key repository +# contents, with the exception of the staged key (index 0). It is safe to run +# `keystone-manage fernet_rotate` once on any one node to promote a staged key +# (index 0) to be the new primary (incremented from the previous highest +# index), and produce a new staged key (a new key with index 0); the resulting +# repository can then be atomically replicated to other nodes without any risk +# of race conditions (for example, it is safe to run `keystone-manage +# fernet_rotate` on host A, wait any amount of time, create a tarball of the +# directory on host A, unpack it on host B to a temporary location, and +# atomically move (`mv`) the directory into place on host B). Running +# `keystone-manage fernet_rotate` *twice* on a key repository without syncing +# other nodes will result in tokens that can not be validated by all nodes. +# (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by `keystone-manage +# fernet_rotate` before they are discarded. The default value of 3 means that +# keystone will maintain one staged key (always index 0), one primary key (the +# highest numerical index), and one secondary key (every other index). +# Increasing this value means that additional secondary keys will be kept in +# the rotation. (integer value) +# Minimum value: 1 +#max_active_keys = 3 + + +[healthcheck] + +# +# From oslo.middleware +# + +# DEPRECATED: The path to respond to healtcheck requests on. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#path = /healthcheck + +# Show more detailed information as part of the response. Security note: +# Enabling this option may expose sensitive details about the service being +# monitored. Be sure to verify that it will not violate your security policies. +# (boolean value) +#detailed = false + +# Additional backends that can perform health checks and report that +# information back as part of a request. (list value) +#backends = + +# Check the presence of a file to determine if an application is running on a +# port. Used by DisableByFileHealthcheck plugin. (string value) +#disable_by_file_path = + +# Check the presence of a file based on a port to determine if an application +# is running on a port. Expects a "port:path" list of strings. Used by +# DisableByFilesPortsHealthcheck plugin. (list value) +#disable_by_file_paths = + + +[identity] + +# +# From keystone +# + +# This references the domain to use for all Identity API v2 requests (which are +# not aware of domains). A domain with this ID can optionally be created for +# you by `keystone-manage bootstrap`. The domain referenced by this ID cannot +# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There +# is nothing special about this domain, other than the fact that it must exist +# to order to maintain support for your v2 clients. There is typically no +# reason to change this value. (string value) +#default_domain_id = default + +# A subset (or all) of domains can have their own identity driver, each with +# their own partial configuration options, stored in either the resource +# backend or in a file in a domain configuration directory (depending on the +# setting of `[identity] domain_configurations_from_database`). Only values +# specific to the domain need to be specified in this manner. This feature is +# disabled by default, but may be enabled by default in a future release; set +# to true to enable. (boolean value) +#domain_specific_drivers_enabled = false + +# By default, domain-specific configuration data is read from files in the +# directory identified by `[identity] domain_config_dir`. Enabling this +# configuration option allows you to instead manage domain-specific +# configurations through the API, which are then persisted in the backend +# (typically, a SQL database), rather than using configuration files on disk. +# (boolean value) +#domain_configurations_from_database = false + +# Absolute path where keystone should locate domain-specific `[identity]` +# configuration files. This option has no effect unless `[identity] +# domain_specific_drivers_enabled` is set to true. There is typically no reason +# to change this value. (string value) +#domain_config_dir = /etc/keystone/domains + +# Entry point for the identity backend driver in the `keystone.identity` +# namespace. Keystone provides a `sql` and `ldap` driver. This option is also +# used as the default driver selection (along with the other configuration +# variables in this section) in the event that `[identity] +# domain_specific_drivers_enabled` is enabled, but no applicable domain- +# specific configuration is defined for the domain in question. Unless your +# deployment primarily relies on `ldap` AND is not using domain-specific +# configuration, you should typically leave this set to `sql`. (string value) +#driver = sql + +# Toggle for identity caching. This has no effect unless global caching is +# enabled. There is typically no reason to disable this. (boolean value) +#caching = true + +# Time to cache identity data (in seconds). This has no effect unless global +# and identity caching are enabled. (integer value) +#cache_time = 600 + +# Maximum allowed length for user passwords. Decrease this value to improve +# performance. Changing this value does not effect existing passwords. (integer +# value) +# Maximum value: 4096 +#max_password_length = 4096 + +# Maximum number of entities that will be returned in an identity collection. +# (integer value) +#list_limit = + +# The password hashing algorithm to use for passwords stored within keystone. +# (string value) +# Possible values: +# bcrypt - +# scrypt - +# pbkdf2_sha512 - +#password_hash_algorithm = bcrypt + +# This option represents a trade off between security and performance. Higher +# values lead to slower performance, but higher security. Changing this option +# will only affect newly created passwords as existing password hashes already +# have a fixed number of rounds applied, so it is safe to tune this option in a +# running cluster. The default for bcrypt is 12, must be between 4 and 31, +# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The +# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING: +# If using scrypt, increasing this value increases BOTH time AND memory +# requirements to hash a password. (integer value) +#password_hash_rounds = + +# Optional block size to pass to scrypt hash function (the `r` parameter). +# Useful for tuning scrypt to optimal performance for your CPU architecture. +# This option is only used when the `password_hash_algorithm` option is set to +# `scrypt`. Defaults to 8. (integer value) +#scrypt_block_size = + +# Optional parallelism to pass to scrypt hash function (the `p` parameter). +# This option is only used when the `password_hash_algorithm` option is set to +# `scrypt`. Defaults to 1. (integer value) +#scrypt_parallelism = + +# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for +# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a +# maximum of 96 bytes due to the size of the column used to store password +# hashes. (integer value) +# Minimum value: 0 +# Maximum value: 96 +#salt_bytesize = + + +[identity_mapping] + +# +# From keystone +# + +# Entry point for the identity mapping backend driver in the +# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Entry point for the public ID generator for user and group entities in the +# `keystone.identity.id_generator` namespace. The Keystone identity mapper only +# supports generators that produce 64 bytes or less. Keystone only provides a +# `sha256` entry point, so there is no reason to change this value unless +# you're providing a custom entry point. (string value) +#generator = sha256 + +# The format of user and group IDs changed in Juno for backends that do not +# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to +# the underlying attribute in LDAP. By default this mapping is disabled, which +# ensures that existing IDs will not change. Even when the mapping is enabled +# by using domain-specific drivers (`[identity] +# domain_specific_drivers_enabled`), any users and groups from the default +# domain being handled by LDAP will still not be mapped to ensure their IDs +# remain backward compatible. Setting this value to false will enable the new +# mapping for all backends, including the default LDAP driver. It is only +# guaranteed to be safe to enable this option if you do not already have +# assignments for users and groups from the default LDAP domain, and you +# consider it to be acceptable for Keystone to provide the different IDs to +# clients than it did previously (existing IDs in the API will suddenly +# change). Typically this means that the only time you can set this value to +# false is when configuring a fresh installation, although that is the +# recommended value. (boolean value) +#backward_compatible_ids = true + + +[jwt_tokens] + +# +# From keystone +# + +# Directory containing public keys for validating JWS token signatures. This +# directory must exist in order for keystone's server process to start. It must +# also be readable by keystone's server process. It must contain at least one +# public key that corresponds to a private key in `keystone.conf [jwt_tokens] +# jws_private_key_repository`. This option is only applicable in deployments +# issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`. +# (string value) +#jws_public_key_repository = /etc/keystone/jws-keys/public + +# Directory containing private keys for signing JWS tokens. This directory must +# exist in order for keystone's server process to start. It must also be +# readable by keystone's server process. It must contain at least one private +# key that corresponds to a public key in `keystone.conf [jwt_tokens] +# jws_public_key_repository`. In the event there are multiple private keys in +# this directory, keystone will use a key named `private.pem` to sign tokens. +# In the future, keystone may support the ability to sign tokens with multiple +# private keys. For now, only a key named `private.pem` within this directory +# is required to issue JWS tokens. This option is only applicable in +# deployments issuing JWS tokens and setting `keystone.conf [tokens] provider = +# jws`. (string value) +#jws_private_key_repository = /etc/keystone/jws-keys/private + + +[ldap] + +# +# From keystone +# + +# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified +# as a comma separated string. The first URL to successfully bind is used for +# the connection. (string value) +#url = ldap://localhost + +# The user name of the administrator bind DN to use when querying the LDAP +# server, if your LDAP server requires it. (string value) +#user = + +# The password of the administrator bind DN to use when querying the LDAP +# server, if your LDAP server requires it. (string value) +#password = + +# The default LDAP server suffix to use, if a DN is not defined via either +# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value) +#suffix = cn=example,cn=com + +# The search scope which defines how deep to search within the search base. A +# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search +# of objects immediately below to the base object, but does not include the +# base object itself. A value of `sub` (representing `subtree` or +# `wholeSubtree`) indicates a search of both the base object itself and the +# entire subtree below it. (string value) +# Possible values: +# one - +# sub - +#query_scope = one + +# Defines the maximum number of results per page that keystone should request +# from the LDAP server when listing objects. A value of zero (`0`) disables +# paging. (integer value) +# Minimum value: 0 +#page_size = 0 + +# The LDAP dereferencing option to use for queries involving aliases. A value +# of `default` falls back to using default dereferencing behavior configured by +# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced +# at all. A value of `searching` dereferences aliases only after name +# resolution. A value of `finding` dereferences aliases only during name +# resolution. A value of `always` dereferences aliases in all cases. (string +# value) +# Possible values: +# never - +# searching - +# always - +# finding - +# default - +#alias_dereferencing = default + +# Sets the LDAP debugging level for LDAP calls. A value of 0 means that +# debugging is not enabled. This value is a bitmask, consult your LDAP +# documentation for possible values. (integer value) +# Minimum value: -1 +#debug_level = + +# Sets keystone's referral chasing behavior across directory partitions. If +# left unset, the system's default behavior will be used. (boolean value) +#chase_referrals = + +# The search base to use for users. Defaults to the `[ldap] suffix` value. +# (string value) +#user_tree_dn = + +# The LDAP search filter to use for users. (string value) +#user_filter = + +# The LDAP object class to use for users. (string value) +#user_objectclass = inetOrgPerson + +# The LDAP attribute mapped to user IDs in keystone. This must NOT be a +# multivalued attribute. User IDs are expected to be globally unique across +# keystone domains and URL-safe. (string value) +#user_id_attribute = cn + +# The LDAP attribute mapped to user names in keystone. User names are expected +# to be unique only within a keystone domain and are not expected to be URL- +# safe. (string value) +#user_name_attribute = sn + +# The LDAP attribute mapped to user descriptions in keystone. (string value) +#user_description_attribute = description + +# The LDAP attribute mapped to user emails in keystone. (string value) +#user_mail_attribute = mail + +# The LDAP attribute mapped to user passwords in keystone. (string value) +#user_pass_attribute = userPassword + +# The LDAP attribute mapped to the user enabled attribute in keystone. If +# setting this option to `userAccountControl`, then you may be interested in +# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well. +# (string value) +#user_enabled_attribute = enabled + +# Logically negate the boolean value of the enabled attribute obtained from the +# LDAP server. Some LDAP servers use a boolean lock attribute where "true" +# means an account is disabled. Setting `[ldap] user_enabled_invert = true` +# will allow these lock attributes to be used. This option will have no effect +# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` +# options are in use. (boolean value) +#user_enabled_invert = false + +# Bitmask integer to select which bit indicates the enabled value if the LDAP +# server represents "enabled" as a bit on an integer rather than as a discrete +# boolean. A value of `0` indicates that the mask is not used. If this is not +# set to `0` the typical value is `2`. This is typically used when `[ldap] +# user_enabled_attribute = userAccountControl`. Setting this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value) +# Minimum value: 0 +#user_enabled_mask = 0 + +# The default value to enable users. This should match an appropriate integer +# value if the LDAP server uses non-boolean (bitmask) values to indicate if a +# user is enabled or disabled. If this is not set to `True`, then the typical +# value is `512`. This is typically used when `[ldap] user_enabled_attribute = +# userAccountControl`. (string value) +#user_enabled_default = True + +# List of user attributes to ignore on create and update, or whether a specific +# user attribute should be filtered for list or show user. (list value) +#user_attribute_ignore = default_project_id + +# The LDAP attribute mapped to a user's default_project_id in keystone. This is +# most commonly used when keystone has write access to LDAP. (string value) +#user_default_project_id_attribute = + +# If enabled, keystone uses an alternative method to determine if a user is +# enabled or not by checking if they are a member of the group defined by the +# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value) +#user_enabled_emulation = false + +# DN of the group entry to hold enabled users when using enabled emulation. +# Setting this option has no effect unless `[ldap] user_enabled_emulation` is +# also enabled. (string value) +#user_enabled_emulation_dn = + +# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` +# settings to determine membership in the emulated enabled group. Enabling this +# option has no effect unless `[ldap] user_enabled_emulation` is also enabled. +# (boolean value) +#user_enabled_emulation_use_group_config = false + +# A list of LDAP attribute to keystone user attribute pairs used for mapping +# additional attributes to users in keystone. The expected format is +# `:`, where `ldap_attr` is the attribute in the LDAP +# object and `user_attr` is the attribute which should appear in the identity +# API. (list value) +#user_additional_attribute_mapping = + +# The search base to use for groups. Defaults to the `[ldap] suffix` value. +# (string value) +#group_tree_dn = + +# The LDAP search filter to use for groups. (string value) +#group_filter = + +# The LDAP object class to use for groups. If setting this option to +# `posixGroup`, you may also be interested in enabling the `[ldap] +# group_members_are_ids` option. (string value) +#group_objectclass = groupOfNames + +# The LDAP attribute mapped to group IDs in keystone. This must NOT be a +# multivalued attribute. Group IDs are expected to be globally unique across +# keystone domains and URL-safe. (string value) +#group_id_attribute = cn + +# The LDAP attribute mapped to group names in keystone. Group names are +# expected to be unique only within a keystone domain and are not expected to +# be URL-safe. (string value) +#group_name_attribute = ou + +# The LDAP attribute used to indicate that a user is a member of the group. +# (string value) +#group_member_attribute = member + +# Enable this option if the members of the group object class are keystone user +# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the +# group object class in Open Directory. (boolean value) +#group_members_are_ids = false + +# The LDAP attribute mapped to group descriptions in keystone. (string value) +#group_desc_attribute = description + +# List of group attributes to ignore on create and update. or whether a +# specific group attribute should be filtered for list or show group. (list +# value) +#group_attribute_ignore = + +# A list of LDAP attribute to keystone group attribute pairs used for mapping +# additional attributes to groups in keystone. The expected format is +# `:`, where `ldap_attr` is the attribute in the LDAP +# object and `group_attr` is the attribute which should appear in the identity +# API. (list value) +#group_additional_attribute_mapping = + +# If enabled, group queries will use Active Directory specific filters for +# nested groups. (boolean value) +#group_ad_nesting = false + +# An absolute path to a CA certificate file to use when communicating with LDAP +# servers. This option will take precedence over `[ldap] tls_cacertdir`, so +# there is no reason to set both. (string value) +#tls_cacertfile = + +# An absolute path to a CA certificate directory to use when communicating with +# LDAP servers. There is no reason to set this option if you've also set +# `[ldap] tls_cacertfile`. (string value) +#tls_cacertdir = + +# Enable TLS when communicating with LDAP servers. You should also set the +# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this +# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead +# of TLS. (boolean value) +#use_tls = false + +# Specifies which checks to perform against client certificates on incoming TLS +# sessions. If set to `demand`, then a certificate will always be requested and +# required from the LDAP server. If set to `allow`, then a certificate will +# always be requested but not required from the LDAP server. If set to `never`, +# then a certificate will never be requested. (string value) +# Possible values: +# demand - +# never - +# allow - +#tls_req_cert = demand + +# The connection timeout to use with the LDAP server. A value of `-1` means +# that connections will never timeout. (integer value) +# Minimum value: -1 +#connection_timeout = -1 + +# Enable LDAP connection pooling for queries to the LDAP server. There is +# typically no reason to disable this. (boolean value) +#use_pool = true + +# The size of the LDAP connection pool. This option has no effect unless +# `[ldap] use_pool` is also enabled. (integer value) +# Minimum value: 1 +#pool_size = 10 + +# The maximum number of times to attempt reconnecting to the LDAP server before +# aborting. A value of zero prevents retries. This option has no effect unless +# `[ldap] use_pool` is also enabled. (integer value) +# Minimum value: 0 +#pool_retry_max = 3 + +# The number of seconds to wait before attempting to reconnect to the LDAP +# server. This option has no effect unless `[ldap] use_pool` is also enabled. +# (floating point value) +#pool_retry_delay = 0.1 + +# The connection timeout to use when pooling LDAP connections. A value of `-1` +# means that connections will never timeout. This option has no effect unless +# `[ldap] use_pool` is also enabled. (integer value) +# Minimum value: -1 +#pool_connection_timeout = -1 + +# The maximum connection lifetime to the LDAP server in seconds. When this +# lifetime is exceeded, the connection will be unbound and removed from the +# connection pool. This option has no effect unless `[ldap] use_pool` is also +# enabled. (integer value) +# Minimum value: 1 +#pool_connection_lifetime = 600 + +# Enable LDAP connection pooling for end user authentication. There is +# typically no reason to disable this. (boolean value) +#use_auth_pool = true + +# The size of the connection pool to use for end user authentication. This +# option has no effect unless `[ldap] use_auth_pool` is also enabled. (integer +# value) +# Minimum value: 1 +#auth_pool_size = 100 + +# The maximum end user authentication connection lifetime to the LDAP server in +# seconds. When this lifetime is exceeded, the connection will be unbound and +# removed from the connection pool. This option has no effect unless `[ldap] +# use_auth_pool` is also enabled. (integer value) +# Minimum value: 1 +#auth_pool_connection_lifetime = 60 + + +[memcache] + +# +# From keystone +# + +# Number of seconds memcached server is considered dead before it is tried +# again. This is used by the key value store system. (integer value) +#dead_retry = 300 + +# Timeout in seconds for every call to a server. This is used by the key value +# store system. (integer value) +#socket_timeout = 3 + +# Max total number of open connections to every memcached server. This is used +# by the key value store system. (integer value) +#pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. This is used by the key value store system. (integer value) +#pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. This is used by the key value store system. (integer value) +#pool_connection_get_timeout = 10 + + +[oauth1] + +# +# From keystone +# + +# Entry point for the OAuth backend driver in the `keystone.oauth1` namespace. +# Typically, there is no reason to set this option unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Number of seconds for the OAuth Request Token to remain valid after being +# created. This is the amount of time the user has to authorize the token. +# Setting this option to zero means that request tokens will last forever. +# (integer value) +# Minimum value: 0 +#request_token_duration = 28800 + +# Number of seconds for the OAuth Access Token to remain valid after being +# created. This is the amount of time the consumer has to interact with the +# service provider (which is typically keystone). Setting this option to zero +# means that access tokens will last forever. (integer value) +# Minimum value: 0 +#access_token_duration = 86400 + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# Name for the AMQP container. must be globally unique. Defaults to a generated +# UUID (string value) +#container_name = + +# Timeout for inactive connections (in seconds) (integer value) +#idle_timeout = 0 + +# Debug: dump AMQP frames to stdout (boolean value) +#trace = false + +# Attempt to connect via SSL. If no other ssl-related parameters are given, it +# will use the system's CA-bundle to verify the server's certificate. (boolean +# value) +#ssl = false + +# CA certificate PEM file used to verify the server's certificate (string +# value) +#ssl_ca_file = + +# Self-identifying certificate PEM file for client authentication (string +# value) +#ssl_cert_file = + +# Private key PEM file used to sign ssl_cert_file certificate (optional) +# (string value) +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +#ssl_key_password = + +# By default SSL checks that the name in the server's certificate matches the +# hostname in the transport_url. In some configurations it may be preferable to +# use the virtual hostname instead, for example if the server uses the Server +# Name Indication TLS extension (rfc6066) to provide a certificate per virtual +# host. Set ssl_verify_vhost to True if the server's SSL certificate uses the +# virtual host name instead of the DNS name. (boolean value) +#ssl_verify_vhost = false + +# Space separated list of acceptable SASL mechanisms (string value) +#sasl_mechanisms = + +# Path to directory that contains the SASL configuration (string value) +#sasl_config_dir = + +# Name of configuration file (without .conf suffix) (string value) +#sasl_config_name = + +# SASL realm to use if no realm present in username (string value) +#sasl_default_realm = + +# Seconds to pause before attempting to re-connect. (integer value) +# Minimum value: 1 +#connection_retry_interval = 1 + +# Increase the connection_retry_interval by this many seconds after each +# unsuccessful failover attempt. (integer value) +# Minimum value: 0 +#connection_retry_backoff = 2 + +# Maximum limit for connection_retry_interval + connection_retry_backoff +# (integer value) +# Minimum value: 1 +#connection_retry_interval_max = 30 + +# Time to pause between re-connecting an AMQP 1.0 link that failed due to a +# recoverable error. (integer value) +# Minimum value: 1 +#link_retry_delay = 10 + +# The maximum number of attempts to re-send a reply message which failed due to +# a recoverable error. (integer value) +# Minimum value: -1 +#default_reply_retry = 0 + +# The deadline for an rpc reply message delivery. (integer value) +# Minimum value: 5 +#default_reply_timeout = 30 + +# The deadline for an rpc cast or call message delivery. Only used when caller +# does not provide a timeout expiry. (integer value) +# Minimum value: 5 +#default_send_timeout = 30 + +# The deadline for a sent notification message delivery. Only used when caller +# does not provide a timeout expiry. (integer value) +# Minimum value: 5 +#default_notify_timeout = 30 + +# The duration to schedule a purge of idle sender links. Detach link after +# expiry. (integer value) +# Minimum value: 1 +#default_sender_link_timeout = 600 + +# Indicates the addressing mode used by the driver. +# Permitted values: +# 'legacy' - use legacy non-routable addressing +# 'routable' - use routable addresses +# 'dynamic' - use legacy addresses if the message bus does not support routing +# otherwise use routable addressing (string value) +#addressing_mode = dynamic + +# Enable virtual host support for those message buses that do not natively +# support virtual hosting (such as qpidd). When set to true the virtual host +# name will be added to all message bus addresses, effectively creating a +# private 'subnet' per virtual host. Set to False if the message bus supports +# virtual hosting using the 'hostname' field in the AMQP 1.0 Open performative +# as the name of the virtual host. (boolean value) +#pseudo_vhost = true + +# address prefix used when sending to a specific server (string value) +#server_request_prefix = exclusive + +# address prefix used when broadcasting to all servers (string value) +#broadcast_prefix = broadcast + +# address prefix when sending to any server in group (string value) +#group_request_prefix = unicast + +# Address prefix for all generated RPC addresses (string value) +#rpc_address_prefix = openstack.org/om/rpc + +# Address prefix for all generated Notification addresses (string value) +#notify_address_prefix = openstack.org/om/notify + +# Appended to the address prefix when sending a fanout message. Used by the +# message bus to identify fanout messages. (string value) +#multicast_address = multicast + +# Appended to the address prefix when sending to a particular RPC/Notification +# server. Used by the message bus to identify messages sent to a single +# destination. (string value) +#unicast_address = unicast + +# Appended to the address prefix when sending to a group of consumers. Used by +# the message bus to identify messages that should be delivered in a round- +# robin fashion across consumers. (string value) +#anycast_address = anycast + +# Exchange name used in notification addresses. +# Exchange name resolution precedence: +# Target.exchange if set +# else default_notification_exchange if set +# else control_exchange if set +# else 'notify' (string value) +#default_notification_exchange = + +# Exchange name used in RPC addresses. +# Exchange name resolution precedence: +# Target.exchange if set +# else default_rpc_exchange if set +# else control_exchange if set +# else 'rpc' (string value) +#default_rpc_exchange = + +# Window size for incoming RPC Reply messages. (integer value) +# Minimum value: 1 +#reply_link_credit = 200 + +# Window size for incoming RPC Request messages (integer value) +# Minimum value: 1 +#rpc_server_credit = 100 + +# Window size for incoming Notification messages (integer value) +# Minimum value: 1 +#notify_server_credit = 100 + +# Send messages of this type pre-settled. +# Pre-settled messages will not receive acknowledgement +# from the peer. Note well: pre-settled messages may be +# silently discarded if the delivery fails. +# Permitted values: +# 'rpc-call' - send RPC Calls pre-settled +# 'rpc-reply'- send RPC Replies pre-settled +# 'rpc-cast' - Send RPC Casts pre-settled +# 'notify' - Send Notifications pre-settled +# (multi valued) +#pre_settled = rpc-cast +#pre_settled = rpc-reply + + +[oslo_messaging_kafka] + +# +# From oslo.messaging +# + +# Max fetch bytes of Kafka consumer (integer value) +#kafka_max_fetch_bytes = 1048576 + +# Default timeout(s) for Kafka consumers (floating point value) +#kafka_consumer_timeout = 1.0 + +# DEPRECATED: Pool Size for Kafka Consumers (integer value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Driver no longer uses connection pool. +#pool_size = 10 + +# DEPRECATED: The pool size limit for connections expiration policy (integer +# value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Driver no longer uses connection pool. +#conn_pool_min_size = 2 + +# DEPRECATED: The time-to-live in sec of idle connections in the pool (integer +# value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Driver no longer uses connection pool. +#conn_pool_ttl = 1200 + +# Group id for Kafka consumer. Consumers in one group will coordinate message +# consumption (string value) +#consumer_group = oslo_messaging_consumer + +# Upper bound on the delay for KafkaProducer batching in seconds (floating +# point value) +#producer_batch_timeout = 0.0 + +# Size of batch for the producer async send (integer value) +#producer_batch_size = 16384 + +# Enable asynchronous consumer commits (boolean value) +#enable_auto_commit = false + +# The maximum number of records returned in a poll call (integer value) +#max_poll_records = 500 + +# Protocol used to communicate with brokers (string value) +# Possible values: +# PLAINTEXT - +# SASL_PLAINTEXT - +# SSL - +# SASL_SSL - +#security_protocol = PLAINTEXT + +# Mechanism when security protocol is SASL (string value) +#sasl_mechanism = PLAIN + +# CA certificate PEM file used to verify the server certificate (string value) +#ssl_cafile = + + +[oslo_messaging_notifications] + +# +# From oslo.messaging +# + +# The Drivers(s) to handle sending notifications. Possible values are +# messaging, messagingv2, routing, log, test, noop (multi valued) +# Deprecated group/name - [DEFAULT]/notification_driver +#driver = + +# A URL representing the messaging driver to use for notifications. If not set, +# we fall back to the same configuration used for RPC. (string value) +# Deprecated group/name - [DEFAULT]/notification_transport_url +#transport_url = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +# Deprecated group/name - [DEFAULT]/notification_topics +#topics = notifications + +# The maximum number of attempts to re-send a notification message which failed +# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite +# (integer value) +#retry = -1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete = false + +# Connect over SSL. (boolean value) +# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl +#ssl = false + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version +#ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile +#ssl_key_file = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile +#ssl_cert_file = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs +#ssl_ca_file = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +#kombu_reconnect_delay = 1.0 + +# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not +# be used. This option may not be available in future versions. (string value) +#kombu_compression = + +# How long to wait a missing client before abandoning to send it its replies. +# This value should not be longer than rpc_response_timeout. (integer value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout +#kombu_missing_consumer_retry_timeout = 60 + +# Determines how the next RabbitMQ node is chosen in case the one we are +# currently connected to becomes unavailable. Takes effect only if more than +# one RabbitMQ node is provided in config. (string value) +# Possible values: +# round-robin - +# shuffle - +#kombu_failover_strategy = round-robin + +# The RabbitMQ login method. (string value) +# Possible values: +# PLAIN - +# AMQPLAIN - +# RABBIT-CR-DEMO - +#rabbit_login_method = AMQPLAIN + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +#rabbit_retry_backoff = 2 + +# Maximum interval of RabbitMQ connection retries. Default is 30 seconds. +# (integer value) +#rabbit_interval_max = 30 + +# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this +# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring +# is no longer controlled by the x-ha-policy argument when declaring a queue. +# If you just want to make sure that all queues (except those with auto- +# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy +# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value) +#rabbit_ha_queues = false + +# Positive integer representing duration in seconds for queue TTL (x-expires). +# Queues which are unused for the duration of the TTL are automatically +# deleted. The parameter affects only reply and fanout queues. (integer value) +# Minimum value: 1 +#rabbit_transient_queues_ttl = 1800 + +# Specifies the number of messages to prefetch. Setting to zero allows +# unlimited messages. (integer value) +#rabbit_qos_prefetch_count = 0 + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer +# value) +#heartbeat_timeout_threshold = 60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate = 2 + + +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. (integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + +# DEPRECATED: The HTTP Header that will be used to determine what the original +# request protocol scheme was, even if it was hidden by a SSL termination +# proxy. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#secure_proxy_ssl_header = X-Forwarded-Proto + +# Whether the application is behind a proxy or not. This determines if the +# middleware should parse the headers or not. (boolean value) +#enable_proxy_headers_parsing = false + + +[oslo_policy] + +# +# From oslo.policy +# + +# This option controls whether or not to enforce scope when evaluating +# policies. If ``True``, the scope of the token used in the request is compared +# to the ``scope_types`` of the policy being enforced. If the scopes do not +# match, an ``InvalidScope`` exception will be raised. If ``False``, a message +# will be logged informing operators that policies are being invoked with +# mismatching scope. (boolean value) +#enforce_scope = false + +# The file that defines policies. (string value) +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. (string value) +#policy_default_rule = default + +# Directories where policy configuration files are stored. They can be relative +# to any directory in the search path defined by the config_dir option, or +# absolute paths. The file defined by policy_file must exist for these +# directories to be searched. Missing or empty directories are ignored. (multi +# valued) +#policy_dirs = policy.d + +# Content Type to send and receive data for REST based policy check (string +# value) +# Possible values: +# application/x-www-form-urlencoded - +# application/json - +#remote_content_type = application/x-www-form-urlencoded + +# server identity verification for REST based policy check (boolean value) +#remote_ssl_verify_server_crt = false + +# Absolute path to ca cert file for REST based policy check (string value) +#remote_ssl_ca_crt_file = + +# Absolute path to client cert for REST based policy check (string value) +#remote_ssl_client_crt_file = + +# Absolute path client key file REST based policy check (string value) +#remote_ssl_client_key_file = + + +[policy] + +# +# From keystone +# + +# Entry point for the policy backend driver in the `keystone.policy` namespace. +# Supplied drivers are `rules` (which does not support any CRUD operations for +# the v3 policy API) and `sql`. Typically, there is no reason to set this +# option unless you are providing a custom entry point. (string value) +#driver = sql + +# Maximum number of entities that will be returned in a policy collection. +# (integer value) +#list_limit = + + +[profiler] + +# +# From osprofiler +# + +# +# Enable the profiling for all services on this node. +# +# Default value is False (fully disable the profiling feature). +# +# Possible values: +# +# * True: Enables the feature +# * False: Disables the feature. The profiling cannot be started via this +# project +# operations. If the profiling is triggered by another project, this project +# part will be empty. +# (boolean value) +# Deprecated group/name - [profiler]/profiler_enabled +#enabled = false + +# +# Enable SQL requests profiling in services. +# +# Default value is False (SQL requests won't be traced). +# +# Possible values: +# +# * True: Enables SQL requests profiling. Each SQL query will be part of the +# trace and can the be analyzed by how much time was spent for that. +# * False: Disables SQL requests profiling. The spent time is only shown on a +# higher level of operations. Single SQL queries cannot be analyzed this way. +# (boolean value) +#trace_sqlalchemy = false + +# +# Secret key(s) to use for encrypting context data for performance profiling. +# +# This string value should have the following format: +# [,,...], +# where each key is some random string. A user who triggers the profiling via +# the REST API has to set one of these keys in the headers of the REST API call +# to include profiling results of this node for this particular project. +# +# Both "enabled" flag and "hmac_keys" config options should be set to enable +# profiling. Also, to generate correct profiling information across all +# services +# at least one key needs to be consistent between OpenStack projects. This +# ensures it can be used from client side to generate the trace, containing +# information from all possible resources. +# (string value) +#hmac_keys = SECRET_KEY + +# +# Connection string for a notifier backend. +# +# Default value is ``messaging://`` which sets the notifier to oslo_messaging. +# +# Examples of possible values: +# +# * ``messaging://`` - use oslo_messaging driver for sending spans. +# * ``redis://127.0.0.1:6379`` - use redis driver for sending spans. +# * ``mongodb://127.0.0.1:27017`` - use mongodb driver for sending spans. +# * ``elasticsearch://127.0.0.1:9200`` - use elasticsearch driver for sending +# spans. +# * ``jaeger://127.0.0.1:6831`` - use jaeger tracing as driver for sending +# spans. +# (string value) +#connection_string = messaging:// + +# +# Document type for notification indexing in elasticsearch. +# (string value) +#es_doc_type = notification + +# +# This parameter is a time value parameter (for example: es_scroll_time=2m), +# indicating for how long the nodes that participate in the search will +# maintain +# relevant resources in order to continue and support it. +# (string value) +#es_scroll_time = 2m + +# +# Elasticsearch splits large requests in batches. This parameter defines +# maximum size of each batch (for example: es_scroll_size=10000). +# (integer value) +#es_scroll_size = 10000 + +# +# Redissentinel provides a timeout option on the connections. +# This parameter defines that timeout (for example: socket_timeout=0.1). +# (floating point value) +#socket_timeout = 0.1 + +# +# Redissentinel uses a service name to identify a master redis service. +# This parameter defines the name (for example: +# ``sentinal_service_name=mymaster``). +# (string value) +#sentinel_service_name = mymaster + +# +# Enable filter traces that contain error/exception to a separated place. +# +# Default value is set to False. +# +# Possible values: +# +# * True: Enable filter traces that contain error/exception. +# * False: Disable the filter. +# (boolean value) +#filter_error_trace = false + + +[receipt] + +# +# From keystone +# + +# The amount of time that a receipt should remain valid (in seconds). This +# value should always be very short, as it represents how long a user has to +# reattempt auth with the missing auth methods. (integer value) +# Minimum value: 0 +# Maximum value: 86400 +#expiration = 300 + +# Entry point for the receipt provider in the `keystone.receipt.provider` +# namespace. The receipt provider controls the receipt construction and +# validation operations. Keystone includes just the `fernet` receipt provider +# for now. `fernet` receipts do not need to be persisted at all, but require +# that you run `keystone-manage fernet_setup` (also see the `keystone-manage +# fernet_rotate` command). (string value) +#provider = fernet + +# Toggle for caching receipt creation and validation data. This has no effect +# unless global caching is enabled, or if cache_on_issue is disabled as we only +# cache receipts on issue. (boolean value) +#caching = true + +# The number of seconds to cache receipt creation and validation data. This has +# no effect unless both global and `[receipt] caching` are enabled. (integer +# value) +# Minimum value: 0 +#cache_time = 300 + +# Enable storing issued receipt data to receipt validation cache so that first +# receipt validation doesn't actually cause full validation cycle. This option +# has no effect unless global caching and receipt caching are enabled. (boolean +# value) +#cache_on_issue = true + + +[resource] + +# +# From keystone +# + +# DEPRECATED: Entry point for the resource driver in the `keystone.resource` +# namespace. Only a `sql` driver is supplied by keystone. Unless you are +# writing proprietary drivers for keystone, you do not need to set this option. +# (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: Non-SQL resource cannot be used with SQL Identity and has been unable +# to be used since Ocata. SQL Resource backend is a requirement as of Pike. +# Setting this option no longer has an effect on how Keystone operates. +#driver = sql + +# Toggle for resource caching. This has no effect unless global caching is +# enabled. (boolean value) +# Deprecated group/name - [assignment]/caching +#caching = true + +# Time to cache resource data in seconds. This has no effect unless global +# caching is enabled. (integer value) +# Deprecated group/name - [assignment]/cache_time +#cache_time = + +# Maximum number of entities that will be returned in a resource collection. +# (integer value) +# Deprecated group/name - [assignment]/list_limit +#list_limit = + +# Name of the domain that owns the `admin_project_name`. If left unset, then +# there is no admin project. `[resource] admin_project_name` must also be set +# to use this option. (string value) +#admin_project_domain_name = + +# This is a special project which represents cloud-level administrator +# privileges across services. Tokens scoped to this project will contain a true +# `is_admin_project` attribute to indicate to policy systems that the role +# assignments on that specific project should apply equally across every +# project. If left unset, then there is no admin project, and thus no explicit +# means of cross-project role assignments. `[resource] +# admin_project_domain_name` must also be set to use this option. (string +# value) +#admin_project_name = + +# This controls whether the names of projects are restricted from containing +# URL-reserved characters. If set to `new`, attempts to create or update a +# project with a URL-unsafe name will fail. If set to `strict`, attempts to +# scope a token with a URL-unsafe project name will fail, thereby forcing all +# project names to be updated to be URL-safe. (string value) +# Possible values: +# off - +# new - +# strict - +#project_name_url_safe = off + +# This controls whether the names of domains are restricted from containing +# URL-reserved characters. If set to `new`, attempts to create or update a +# domain with a URL-unsafe name will fail. If set to `strict`, attempts to +# scope a token with a URL-unsafe domain name will fail, thereby forcing all +# domain names to be updated to be URL-safe. (string value) +# Possible values: +# off - +# new - +# strict - +#domain_name_url_safe = off + + +[revoke] + +# +# From keystone +# + +# Entry point for the token revocation backend driver in the `keystone.revoke` +# namespace. Keystone only provides a `sql` driver, so there is no reason to +# set this option unless you are providing a custom entry point. (string value) +#driver = sql + +# The number of seconds after a token has expired before a corresponding +# revocation event may be purged from the backend. (integer value) +# Minimum value: 0 +#expiration_buffer = 1800 + +# Toggle for revocation event caching. This has no effect unless global caching +# is enabled. (boolean value) +#caching = true + +# Time to cache the revocation list and the revocation events (in seconds). +# This has no effect unless global and `[revoke] caching` are both enabled. +# (integer value) +# Deprecated group/name - [token]/revocation_cache_time +#cache_time = 3600 + + +[role] + +# +# From keystone +# + +# Entry point for the role backend driver in the `keystone.role` namespace. +# Keystone only provides a `sql` driver, so there's no reason to change this +# unless you are providing a custom entry point. (string value) +#driver = + +# Toggle for role caching. This has no effect unless global caching is enabled. +# In a typical deployment, there is no reason to disable this. (boolean value) +#caching = true + +# Time to cache role data, in seconds. This has no effect unless both global +# caching and `[role] caching` are enabled. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. This +# may be useful to tune if you have a large number of discrete roles in your +# deployment. (integer value) +#list_limit = + + +[saml] + +# +# From keystone +# + +# Determines the lifetime for any SAML assertions generated by keystone, using +# `NotOnOrAfter` attributes. (integer value) +#assertion_expiration_time = 3600 + +# Name of, or absolute path to, the binary to be used for XML signing. Although +# only the XML Security Library (`xmlsec1`) is supported, it may have a non- +# standard name or path on your system. If keystone cannot find the binary +# itself, you may need to install the appropriate package, use this option to +# specify an absolute path, or adjust keystone's PATH environment variable. +# (string value) +#xmlsec1_binary = xmlsec1 + +# Absolute path to the public certificate file to use for SAML signing. The +# value cannot contain a comma (`,`). (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Absolute path to the private key file to use for SAML signing. The value +# cannot contain a comma (`,`). (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# This is the unique entity identifier of the identity provider (keystone) to +# use when generating SAML assertions. This value is required to generate +# identity provider metadata and must be a URI (a URL is recommended). For +# example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`. (uri +# value) +#idp_entity_id = + +# This is the single sign-on (SSO) service location of the identity provider +# which accepts HTTP POST requests. A value is required to generate identity +# provider metadata. For example: `https://keystone.example.com/v3/OS- +# FEDERATION/saml2/sso`. (uri value) +#idp_sso_endpoint = + +# This is the language used by the identity provider's organization. (string +# value) +#idp_lang = en + +# This is the name of the identity provider's organization. (string value) +#idp_organization_name = SAML Identity Provider + +# This is the name of the identity provider's organization to be displayed. +# (string value) +#idp_organization_display_name = OpenStack SAML Identity Provider + +# This is the URL of the identity provider's organization. The URL referenced +# here should be useful to humans. (uri value) +#idp_organization_url = https://example.com/ + +# This is the company name of the identity provider's contact person. (string +# value) +#idp_contact_company = Example, Inc. + +# This is the given name of the identity provider's contact person. (string +# value) +#idp_contact_name = SAML Identity Provider Support + +# This is the surname of the identity provider's contact person. (string value) +#idp_contact_surname = Support + +# This is the email address of the identity provider's contact person. (string +# value) +#idp_contact_email = support@example.com + +# This is the telephone number of the identity provider's contact person. +# (string value) +#idp_contact_telephone = +1 800 555 0100 + +# This is the type of contact that best describes the identity provider's +# contact person. (string value) +# Possible values: +# technical - +# support - +# administrative - +# billing - +# other - +#idp_contact_type = other + +# Absolute path to the identity provider metadata file. This file should be +# generated with the `keystone-manage saml_idp_metadata` command. There is +# typically no reason to change this value. (string value) +#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml + +# The prefix of the RelayState SAML attribute to use when generating enhanced +# client and proxy (ECP) assertions. In a typical deployment, there is no +# reason to change this value. (string value) +#relay_state_prefix = ss:mem: + + +[security_compliance] + +# +# From keystone +# + +# The maximum number of days a user can go without authenticating before being +# considered "inactive" and automatically disabled (locked). This feature is +# disabled by default; set any value to enable it. This feature depends on the +# `sql` backend for the `[identity] driver`. When a user exceeds this threshold +# and is considered "inactive", the user's `enabled` attribute in the HTTP API +# may not match the value of the user's `enabled` column in the user table. +# (integer value) +# Minimum value: 1 +#disable_user_account_days_inactive = + +# The maximum number of times that a user can fail to authenticate before the +# user account is locked for the number of seconds specified by +# `[security_compliance] lockout_duration`. This feature is disabled by +# default. If this feature is enabled and `[security_compliance] +# lockout_duration` is not set, then users may be locked out indefinitely until +# the user is explicitly enabled via the API. This feature depends on the `sql` +# backend for the `[identity] driver`. (integer value) +# Minimum value: 1 +#lockout_failure_attempts = + +# The number of seconds a user account will be locked when the maximum number +# of failed authentication attempts (as specified by `[security_compliance] +# lockout_failure_attempts`) is exceeded. Setting this option will have no +# effect unless you also set `[security_compliance] lockout_failure_attempts` +# to a non-zero value. This feature depends on the `sql` backend for the +# `[identity] driver`. (integer value) +# Minimum value: 1 +#lockout_duration = 1800 + +# The number of days for which a password will be considered valid before +# requiring it to be changed. This feature is disabled by default. If enabled, +# new password changes will have an expiration date, however existing passwords +# would not be impacted. This feature depends on the `sql` backend for the +# `[identity] driver`. (integer value) +# Minimum value: 1 +#password_expires_days = + +# This controls the number of previous user password iterations to keep in +# history, in order to enforce that newly created passwords are unique. The +# total number which includes the new password should not be greater or equal +# to this value. Setting the value to zero (the default) disables this feature. +# Thus, to enable this feature, values must be greater than 0. This feature +# depends on the `sql` backend for the `[identity] driver`. (integer value) +# Minimum value: 0 +#unique_last_password_count = 0 + +# The number of days that a password must be used before the user can change +# it. This prevents users from changing their passwords immediately in order to +# wipe out their password history and reuse an old password. This feature does +# not prevent administrators from manually resetting passwords. It is disabled +# by default and allows for immediate password changes. This feature depends on +# the `sql` backend for the `[identity] driver`. Note: If +# `[security_compliance] password_expires_days` is set, then the value for this +# option should be less than the `password_expires_days`. (integer value) +# Minimum value: 0 +#minimum_password_age = 0 + +# The regular expression used to validate password strength requirements. By +# default, the regular expression will match any password. The following is an +# example of a pattern which requires at least 1 letter, 1 digit, and have a +# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature +# depends on the `sql` backend for the `[identity] driver`. (string value) +#password_regex = + +# Describe your password regular expression here in language for humans. If a +# password fails to match the regular expression, the contents of this +# configuration variable will be returned to users to explain why their +# requested password was insufficient. (string value) +#password_regex_description = + +# Enabling this option requires users to change their password when the user is +# created, or upon administrative reset. Before accessing any services, +# affected users will have to change their password. To ignore this requirement +# for specific users, such as service users, set the `options` attribute +# `ignore_change_password_upon_first_use` to `True` for the desired user via +# the update user API. This feature is disabled by default. This feature is +# only applicable with the `sql` backend for the `[identity] driver`. (boolean +# value) +#change_password_upon_first_use = false + + +[shadow_users] + +# +# From keystone +# + +# Entry point for the shadow users backend driver in the +# `keystone.identity.shadow_users` namespace. This driver is used for +# persisting local user references to externally-managed identities (via +# federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no +# reason to change this option unless you are providing a custom entry point. +# (string value) +#driver = sql + + +[signing] + +# +# From keystone +# + +# DEPRECATED: Absolute path to the public certificate file to use for signing +# responses to revocation lists requests. Set this together with `[signing] +# keyfile`. For non-production environments, you may be interested in using +# `keystone-manage pki_setup` to generate self-signed certificates. (string +# value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# DEPRECATED: Absolute path to the private key file to use for signing +# responses to revocation lists requests. Set this together with `[signing] +# certfile`. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# DEPRECATED: Absolute path to the public certificate authority (CA) file to +# use when creating self-signed certificates with `keystone-manage pki_setup`. +# Set this together with `[signing] ca_key`. There is no reason to set this +# option unless you are requesting revocation lists in a non-production +# environment. Use a `[signing] certfile` issued from a trusted certificate +# authority instead. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#ca_certs = /etc/keystone/ssl/certs/ca.pem + +# DEPRECATED: Absolute path to the private certificate authority (CA) key file +# to use when creating self-signed certificates with `keystone-manage +# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason +# to set this option unless you are requesting revocation lists in a non- +# production environment. Use a `[signing] certfile` issued from a trusted +# certificate authority instead. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# DEPRECATED: Key size (in bits) to use when generating a self-signed token +# signing certificate. There is no reason to set this option unless you are +# requesting revocation lists in a non-production environment. Use a `[signing] +# certfile` issued from a trusted certificate authority instead. (integer +# value) +# Minimum value: 1024 +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#key_size = 2048 + +# DEPRECATED: The validity period (in days) to use when generating a self- +# signed token signing certificate. There is no reason to set this option +# unless you are requesting revocation lists in a non-production environment. +# Use a `[signing] certfile` issued from a trusted certificate authority +# instead. (integer value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#valid_days = 3650 + +# DEPRECATED: The certificate subject to use when generating a self-signed +# token signing certificate. There is no reason to set this option unless you +# are requesting revocation lists in a non-production environment. Use a +# `[signing] certfile` issued from a trusted certificate authority instead. +# (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com + + +[token] + +provider = fernet + +# +# From keystone +# + +# The amount of time that a token should remain valid (in seconds). Drastically +# reducing this value may break "long-running" operations that involve multiple +# services to coordinate together, and will force users to authenticate with +# keystone more frequently. Drastically increasing this value will increase the +# number of tokens that will be simultaneously valid. Keystone tokens are also +# bearer tokens, so a shorter duration will also reduce the potential security +# impact of a compromised token. (integer value) +# Minimum value: 0 +# Maximum value: 9223372036854775807 +#expiration = 3600 + +# Entry point for the token provider in the `keystone.token.provider` +# namespace. The token provider controls the token construction, validation, +# and revocation operations. Supported upstream providers are `fernet` and +# `jws`. Neither `fernet` or `jws` tokens require persistence and both require +# additional setup. If using `fernet`, you're required to run `keystone-manage +# fernet_setup`, which creates symmetric keys used to encrypt tokens. If using +# `jws`, you're required to generate an ECDSA keypair using a SHA-256 hash +# algorithm for signing and validating token, which can be done with `keystone- +# manage create_jws_keypair`. Note that `fernet` tokens are encrypted and `jws` +# tokens are only signed. Please be sure to consider this if your deployment +# has security requirements regarding payload contents used to generate token +# IDs. (string value) +#provider = fernet + +# Toggle for caching token creation and validation data. This has no effect +# unless global caching is enabled. (boolean value) +#caching = true + +# The number of seconds to cache token creation and validation data. This has +# no effect unless both global and `[token] caching` are enabled. (integer +# value) +# Minimum value: 0 +# Maximum value: 9223372036854775807 +#cache_time = + +# This toggles support for revoking individual tokens by the token identifier +# and thus various token enumeration operations (such as listing all tokens +# issued to a specific user). These operations are used to determine the list +# of tokens to consider revoked. Do not disable this option if you're using the +# `kvs` `[revoke] driver`. (boolean value) +#revoke_by_id = true + +# This toggles whether scoped tokens may be re-scoped to a new project or +# domain, thereby preventing users from exchanging a scoped token (including +# those with a default project scope) for any other token. This forces users to +# either authenticate for unscoped tokens (and later exchange that unscoped +# token for tokens with a more specific scope) or to provide their credentials +# in every request for a scoped token to avoid re-scoping altogether. (boolean +# value) +#allow_rescope_scoped_token = true + +# DEPRECATED: This controls whether roles should be included with tokens that +# are not directly assigned to the token's scope, but are instead linked +# implicitly to other role assignments. (boolean value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. +# Reason: Default roles depend on a chain of implied role assignments. Ex: an +# admin user will also have the reader and member role. By ensuring that all +# these roles will always appear on the token validation response, we can +# improve the simplicity and readability of policy files. +#infer_roles = true + +# DEPRECATED: Enable storing issued token data to token validation cache so +# that first token validation doesn't actually cause full validation cycle. +# This option has no effect unless global caching is enabled and will still +# cache tokens even if `[token] caching = False`. (boolean value) +# This option is deprecated for removal since S. +# Its value may be silently ignored in the future. +# Reason: Keystone already exposes a configuration option for caching tokens. +# Having a separate configuration option to cache tokens when they are issued +# is redundant, unnecessarily complicated, and is misleading if token caching +# is disabled because tokens will still be pre-cached by default when they are +# issued. The ability to pre-cache tokens when they are issued is going to rely +# exclusively on the ``keystone.conf [token] caching`` option in the future. +#cache_on_issue = true + +# This controls the number of seconds that a token can be retrieved for beyond +# the built-in expiry time. This allows long running operations to succeed. +# Defaults to two days. (integer value) +#allow_expired_window = 172800 + + +[tokenless_auth] + +# +# From keystone +# + +# The list of distinguished names which identify trusted issuers of client +# certificates allowed to use X.509 tokenless authorization. If the option is +# absent then no certificates will be allowed. The format for the values of a +# distinguished name (DN) must be separated by a comma and contain no spaces. +# Furthermore, because an individual DN may contain commas, this configuration +# option may be repeated multiple times to represent multiple values. For +# example, keystone.conf would include two consecutive lines in order to trust +# two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` +# and `trusted_issuer = CN=mary,OU=eng,O=abc`. (multi valued) +#trusted_issuer = + +# The federated protocol ID used to represent X.509 tokenless authorization. +# This is used in combination with the value of `[tokenless_auth] +# issuer_attribute` to find a corresponding federated mapping. In a typical +# deployment, there is no reason to change this value. (string value) +#protocol = x509 + +# The name of the WSGI environment variable used to pass the issuer of the +# client certificate to keystone. This attribute is used as an identity +# provider ID for the X.509 tokenless authorization along with the protocol to +# look up its corresponding mapping. In a typical deployment, there is no +# reason to change this value. (string value) +#issuer_attribute = SSL_CLIENT_I_DN + + +[trust] + +# +# From keystone +# + +# Allows authorization to be redelegated from one user to another, effectively +# chaining trusts together. When disabled, the `remaining_uses` attribute of a +# trust is constrained to be zero. (boolean value) +#allow_redelegation = false + +# Maximum number of times that authorization can be redelegated from one user +# to another in a chain of trusts. This number may be reduced further for a +# specific trust. (integer value) +#max_redelegation_count = 3 + +# Entry point for the trust backend driver in the `keystone.trust` namespace. +# Keystone only provides a `sql` driver, so there is no reason to change this +# unless you are providing a custom entry point. (string value) +#driver = sql + + +[unified_limit] + +# +# From keystone +# + +# Entry point for the unified limit backend driver in the +# `keystone.unified_limit` namespace. Keystone only provides a `sql` driver, so +# there's no reason to change this unless you are providing a custom entry +# point. (string value) +#driver = sql + +# Toggle for unified limit caching. This has no effect unless global caching is +# enabled. In a typical deployment, there is no reason to disable this. +# (boolean value) +#caching = true + +# Time to cache unified limit data, in seconds. This has no effect unless both +# global caching and `[unified_limit] caching` are enabled. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. This +# may be useful to tune if you have a large number of unified limits in your +# deployment. (integer value) +#list_limit = + +# The enforcement model to use when validating limits associated to projects. +# Enforcement models will behave differently depending on the existing limits, +# which may result in backwards incompatible changes if a model is switched in +# a running deployment. (string value) +# Possible values: +# flat - +# strict_two_level - +#enforcement_model = flat + + +[wsgi] + +# +# From keystone +# + +# If set to true, this enables the oslo debug middleware in Keystone. This +# Middleware prints a lot of information about the request and the response. It +# is useful for getting information about the data on the wire (decoded) and +# passed to the WSGI application pipeline. This middleware has no effect on the +# "debug" setting in the [DEFAULT] section of the config file or setting +# Keystone's log-level to "DEBUG"; it is specific to debugging the WSGI data as +# it enters and leaves Keystone (specific request-related data). This option is +# used for introspection on the request and response data between the web +# server (apache, nginx, etc) and Keystone. This middleware is inserted as the +# first element in the middleware chain and will show the data closest to the +# wire. WARNING: NOT INTENDED FOR USE IN PRODUCTION. THIS MIDDLEWARE CAN AND +# WILL EMIT SENSITIVE/PRIVILEGED DATA. (boolean value) +#debug_middleware = false diff --git a/conf_mysql/99-openstack.conf b/conf_mysql/99-openstack.conf new file mode 100644 index 0000000..4cd6688 --- /dev/null +++ b/conf_mysql/99-openstack.conf @@ -0,0 +1,13 @@ +[mysqld] +bind-address = 0.0.0.0 + +default-storage-engine = innodb +innodb_file_per_table = on +max_connections = 4096 +collation-server = utf8_general_ci +character-set-server = utf8 +wait_timeout = 600 +interactive_timeout = 600 +net_read_timeout = 600 +net_write_timeout = 600 + diff --git a/conf_ui/local_settings.py b/conf_ui/local_settings.py new file mode 100644 index 0000000..042b682 --- /dev/null +++ b/conf_ui/local_settings.py @@ -0,0 +1,916 @@ +# -*- coding: utf-8 -*- + +import os + +from django.utils.translation import ugettext_lazy as _ + +from horizon.utils import secret_key + +from openstack_dashboard.settings import HORIZON_CONFIG + +DEBUG = False + +# This setting controls whether or not compression is enabled. Disabling +# compression makes Horizon considerably slower, but makes it much easier +# to debug JS and CSS changes +#COMPRESS_ENABLED = not DEBUG + +# This setting controls whether compression happens on the fly, or offline +# with `python manage.py compress` +# See https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression +# for more information +#COMPRESS_OFFLINE = not DEBUG + +# WEBROOT is the location relative to Webserver root +# should end with a slash. +WEBROOT = '/' +#LOGIN_URL = WEBROOT + 'auth/login/' +#LOGOUT_URL = WEBROOT + 'auth/logout/' +# +# LOGIN_REDIRECT_URL can be used as an alternative for +# HORIZON_CONFIG.user_home, if user_home is not set. +# Do not set it to '/home/', as this will cause circular redirect loop +#LOGIN_REDIRECT_URL = WEBROOT + +# If horizon is running in production (DEBUG is False), set this +# with the list of host/domain names that the application can serve. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts +ALLOWED_HOSTS = ['*', ] + +# Set SSL proxy settings: +# Pass this header from the proxy after terminating the SSL, +# and don't forget to strip it from the client's request. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header +#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') + +# If Horizon is being served through SSL, then uncomment the following two +# settings to better secure the cookies from security exploits +#CSRF_COOKIE_SECURE = True +#SESSION_COOKIE_SECURE = True + +# The absolute path to the directory where message files are collected. +# The message file must have a .json file extension. When the user logins to +# horizon, the message files collected are processed and displayed to the user. +#MESSAGES_PATH=None + +# Overrides for OpenStack API versions. Use this setting to force the +# OpenStack dashboard to use a specific API version for a given service API. +# Versions specified here should be integers or floats, not strings. +# NOTE: The version should be formatted as it appears in the URL for the +# service API. For example, The identity service APIs have inconsistent +# use of the decimal point, so valid options would be 2.0 or 3. +# Minimum compute version to get the instance locked status is 2.9. +#OPENSTACK_API_VERSIONS = { +# "data-processing": 1.1, +# "identity": 3, +# "image": 2, +# "volume": 2, +# "compute": 2, +#} + +# Set this to True if running on a multi-domain model. When this is enabled, it +# will require the user to enter the Domain name in addition to the username +# for login. +#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False + +# Set this to True if you want available domains displayed as a dropdown menu +# on the login screen. It is strongly advised NOT to enable this for public +# clouds, as advertising enabled domains to unauthenticated customers +# irresponsibly exposes private information. This should only be used for +# private clouds where the dashboard sits behind a corporate firewall. +#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False + +# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +# set the available domains to choose from. This is a list of pairs whose first +# value is the domain name and the second is the display name. +#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( +# ('Default', 'Default'), +#) + +# Overrides the default domain used when running on single-domain model +# with Keystone V3. All entities will be created in the default domain. +# NOTE: This value must be the name of the default domain, NOT the ID. +# Also, you will most likely have a value in the keystone policy file like this +# "cloud_admin": "rule:admin_required and domain_id:" +# This value must be the name of the domain whose ID is specified there. +#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' + +# Set this to True to enable panels that provide the ability for users to +# manage Identity Providers (IdPs) and establish a set of rules to map +# federation protocol attributes to Identity API attributes. +# This extension requires v3.0+ of the Identity API. +#OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False + +# Set Console type: +# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS" +# or None. Set to None explicitly if you want to deactivate the console. +#CONSOLE_TYPE = "AUTO" + +# Toggle showing the openrc file for Keystone V2. +# If set to false the link will be removed from the user dropdown menu +# and the API Access page +#SHOW_KEYSTONE_V2_RC = True + +# If provided, a "Report Bug" link will be displayed in the site header +# which links to the value of this setting (ideally a URL containing +# information on how to report issues). +#HORIZON_CONFIG["bug_url"] = "http://bug-report.example.com" + +# Show backdrop element outside the modal, do not close the modal +# after clicking on backdrop. +#HORIZON_CONFIG["modal_backdrop"] = "static" + +# Specify a regular expression to validate user passwords. +#HORIZON_CONFIG["password_validator"] = { +# "regex": '.*', +# "help_text": _("Your password does not meet the requirements."), +#} + +# Turn off browser autocompletion for forms including the login form and +# the database creation workflow if so desired. +#HORIZON_CONFIG["password_autocomplete"] = "off" + +# Setting this to True will disable the reveal button for password fields, +# including on the login form. +#HORIZON_CONFIG["disable_password_reveal"] = False + +LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) + +# Set custom secret key: +# You can either set it to a specific value or you can let horizon generate a +# default secret key that is unique on this machine, e.i. regardless of the +# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, +# there may be situations where you would want to set this explicitly, e.g. +# when multiple dashboard instances are distributed on different machines +# (usually behind a load-balancer). Either you have to make sure that a session +# gets all requests routed to the same dashboard instance or you set the same +# SECRET_KEY for all of them. +SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key') + +# We recommend you use memcached for development; otherwise after every reload +# of the django development server, you will have to login again. To use +# memcached set CACHES to something like + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': 'iotronic-ui:11211', + }, +} + +#CACHES = { +# 'default': { +# 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', +# } +#} + +# Send email to the console by default +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' +# Or send them to /dev/null +#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' + +# Configure these for your outgoing email host +#EMAIL_HOST = 'smtp.my-company.com' +#EMAIL_PORT = 25 +#EMAIL_HOST_USER = 'djangomail' +#EMAIL_HOST_PASSWORD = 'top-secret!' + +# For multiple regions uncomment this configuration, and add (endpoint, title). +#AVAILABLE_REGIONS = [ +# ('http://cluster1.example.com:5000/v3', 'cluster1'), +# ('http://cluster2.example.com:5000/v3', 'cluster2'), +#] + +OPENSTACK_HOST = "keystone" +OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "admin" + +# For setting the default service region on a per-endpoint basis. Note that the +# default value for this setting is {}, and below is just an example of how it +# should be specified. +# A key of '*' is an optional global default if no other key matches. +#DEFAULT_SERVICE_REGIONS = { +# '*': 'RegionOne' +# OPENSTACK_KEYSTONE_URL: 'RegionTwo' +#} + +# Enables keystone web single-sign-on if set to True. +#WEBSSO_ENABLED = False + +# Authentication mechanism to be selected as default. +# The value must be a key from WEBSSO_CHOICES. +#WEBSSO_INITIAL_CHOICE = "credentials" + +# The list of authentication mechanisms which include keystone +# federation protocols and identity provider/federation protocol +# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol +# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID +# Connect respectively. +# Do not remove the mandatory credentials mechanism. +# Note: The last two tuples are sample mapping keys to a identity provider +# and federation protocol combination (WEBSSO_IDP_MAPPING). +#WEBSSO_CHOICES = ( +# ("credentials", _("Keystone Credentials")), +# ("oidc", _("OpenID Connect")), +# ("saml2", _("Security Assertion Markup Language")), +# ("acme_oidc", "ACME - OpenID Connect"), +# ("acme_saml2", "ACME - SAML2"), +#) + +# A dictionary of specific identity provider and federation protocol +# combinations. From the selected authentication mechanism, the value +# will be looked up as keys in the dictionary. If a match is found, +# it will redirect the user to a identity provider and federation protocol +# specific WebSSO endpoint in keystone, otherwise it will use the value +# as the protocol_id when redirecting to the WebSSO by protocol endpoint. +# NOTE: The value is expected to be a tuple formatted as: (, ). +#WEBSSO_IDP_MAPPING = { +# "acme_oidc": ("acme", "oidc"), +# "acme_saml2": ("acme", "saml2"), +#} + +# If set this URL will be used for web single-sign-on authentication +# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment +# scenarios where network segmentation is used per security requirement. +# In this case, the controllers are not reachable from public network. +# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL +# if it is set to the internal endpoint. +#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" + +# The Keystone Provider drop down uses Keystone to Keystone federation +# to switch between Keystone service providers. +# Set display name for Identity Provider (dropdown display name) +#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" +# This id is used for only for comparison with the service provider IDs. This ID +# should not match any service provider IDs. +#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" + +# Disable SSL certificate checks (useful for self-signed certificates): +#OPENSTACK_SSL_NO_VERIFY = True + +# The CA certificate to use to verify SSL connections +#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + +# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the +# capabilities of the auth backend for Keystone. +# If Keystone has been configured to use LDAP as the auth backend then set +# can_edit_user to False and name to 'ldap'. +# +# TODO(tres): Remove these once Keystone has an API to identify auth backend. +OPENSTACK_KEYSTONE_BACKEND = { + 'name': 'native', + 'can_edit_user': True, + 'can_edit_group': True, + 'can_edit_project': True, + 'can_edit_domain': True, + 'can_edit_role': True, +} + +# Setting this to True, will add a new "Retrieve Password" action on instance, +# allowing Admin session password retrieval/decryption. +#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False + +# The Launch Instance user experience has been significantly enhanced. +# You can choose whether to enable the new launch instance experience, +# the legacy experience, or both. The legacy experience will be removed +# in a future release, but is available as a temporary backup setting to ensure +# compatibility with existing deployments. Further development will not be +# done on the legacy experience. Please report any problems with the new +# experience via the Launchpad tracking system. +# +# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to +# determine the experience to enable. Set them both to true to enable +# both. +#LAUNCH_INSTANCE_LEGACY_ENABLED = True +#LAUNCH_INSTANCE_NG_ENABLED = False + +# A dictionary of settings which can be used to provide the default values for +# properties found in the Launch Instance modal. +#LAUNCH_INSTANCE_DEFAULTS = { +# 'config_drive': False, +# 'enable_scheduler_hints': True, +# 'disable_image': False, +# 'disable_instance_snapshot': False, +# 'disable_volume': False, +# 'disable_volume_snapshot': False, +# 'create_volume': True, +#} + +# The Xen Hypervisor has the ability to set the mount point for volumes +# attached to instances (other Hypervisors currently do not). Setting +# can_set_mount_point to True will add the option to set the mount point +# from the UI. +OPENSTACK_HYPERVISOR_FEATURES = { + 'can_set_mount_point': False, + 'can_set_password': False, + 'requires_keypair': False, + 'enable_quotas': True +} + +# This settings controls whether IP addresses of servers are retrieved from +# neutron in the project instance table. Setting this to ``False`` may mitigate +# a performance issue in the project instance table in large deployments. +#OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True + +# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional +# services provided by cinder that is not exposed by its extension API. +OPENSTACK_CINDER_FEATURES = { + 'enable_backup': False, +} + +# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional +# services provided by neutron. Options currently available are load +# balancer service, security groups, quotas, VPN service. +OPENSTACK_NEUTRON_NETWORK = { + 'enable_router': True, + 'enable_quotas': True, + 'enable_ipv6': True, + 'enable_distributed_router': False, + 'enable_ha_router': False, + 'enable_fip_topology_check': True, + + # Default dns servers you would like to use when a subnet is + # created. This is only a default, users can still choose a different + # list of dns servers when creating a new subnet. + # The entries below are examples only, and are not appropriate for + # real deployments + # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"], + + # Set which provider network types are supported. Only the network types + # in this list will be available to choose from when creating a network. + # Network types include local, flat, vlan, gre, vxlan and geneve. + # 'supported_provider_types': ['*'], + + # You can configure available segmentation ID range per network type + # in your deployment. + # 'segmentation_id_range': { + # 'vlan': [1024, 2048], + # 'vxlan': [4094, 65536], + # }, + + # You can define additional provider network types here. + # 'extra_provider_types': { + # 'awesome_type': { + # 'display_name': 'Awesome New Type', + # 'require_physical_network': False, + # 'require_segmentation_id': True, + # } + # }, + + # Set which VNIC types are supported for port binding. Only the VNIC + # types in this list will be available to choose from when creating a + # port. + # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap', + # 'baremetal' and 'virtio-forwarder' + # Set to empty list or None to disable VNIC type selection. + 'supported_vnic_types': ['*'], + + # Set list of available physical networks to be selected in the physical + # network field on the admin create network modal. If it's set to an empty + # list, the field will be a regular input field. + # e.g. ['default', 'test'] + 'physical_networks': [], + +} + +# The OPENSTACK_HEAT_STACK settings can be used to disable password +# field required while launching the stack. +OPENSTACK_HEAT_STACK = { + 'enable_user_pass': True, +} + +# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features +# in the OpenStack Dashboard related to the Image service, such as the list +# of supported image formats. +#OPENSTACK_IMAGE_BACKEND = { +# 'image_formats': [ +# ('', _('Select format')), +# ('aki', _('AKI - Amazon Kernel Image')), +# ('ami', _('AMI - Amazon Machine Image')), +# ('ari', _('ARI - Amazon Ramdisk Image')), +# ('docker', _('Docker')), +# ('iso', _('ISO - Optical Disk Image')), +# ('ova', _('OVA - Open Virtual Appliance')), +# ('qcow2', _('QCOW2 - QEMU Emulator')), +# ('raw', _('Raw')), +# ('vdi', _('VDI - Virtual Disk Image')), +# ('vhd', _('VHD - Virtual Hard Disk')), +# ('vhdx', _('VHDX - Large Virtual Hard Disk')), +# ('vmdk', _('VMDK - Virtual Machine Disk')), +# ], +#} + +# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for +# image custom property attributes that appear on image detail pages. +IMAGE_CUSTOM_PROPERTY_TITLES = { + "architecture": _("Architecture"), + "kernel_id": _("Kernel ID"), + "ramdisk_id": _("Ramdisk ID"), + "image_state": _("Euca2ools state"), + "project_id": _("Project ID"), + "image_type": _("Image Type"), +} + +# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image +# custom properties should not be displayed in the Image Custom Properties +# table. +IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + +# Set to 'legacy' or 'direct' to allow users to upload images to glance via +# Horizon server. When enabled, a file form field will appear on the create +# image form. If set to 'off', there will be no file form field on the create +# image form. See documentation for deployment considerations. +#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' + +# Allow a location to be set when creating or updating Glance images. +# If using Glance V2, this value should be False unless the Glance +# configuration and policies allow setting locations. +#IMAGES_ALLOW_LOCATION = False + +# A dictionary of default settings for create image modal. +#CREATE_IMAGE_DEFAULTS = { +# 'image_visibility': "public", +#} + +# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is 'publicURL'. +#OPENSTACK_ENDPOINT_TYPE = "publicURL" + +# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the +# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is None. This +# value should differ from OPENSTACK_ENDPOINT_TYPE if used. +#SECONDARY_ENDPOINT_TYPE = None + +# The number of objects (Swift containers/objects or images) to display +# on a single page before providing a paging element (a "more" link) +# to paginate results. +API_RESULT_LIMIT = 1000 +API_RESULT_PAGE_SIZE = 20 + +# The size of chunk in bytes for downloading objects from Swift +SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 + +# The default number of lines displayed for instance console log. +INSTANCE_LOG_LENGTH = 35 + +# Specify a maximum number of items to display in a dropdown. +DROPDOWN_MAX_ITEMS = 30 + +# The timezone of the server. This should correspond with the timezone +# of your entire OpenStack installation, and hopefully be in UTC. +TIME_ZONE = "UTC" + +# When launching an instance, the menu of available flavors is +# sorted by RAM usage, ascending. If you would like a different sort order, +# you can provide another flavor attribute as sorting key. Alternatively, you +# can provide a custom callback method to use for sorting. You can also provide +# a flag for reverse sort. For more info, see +# http://docs.python.org/2/library/functions.html#sorted +#CREATE_INSTANCE_FLAVOR_SORT = { +# 'key': 'name', +# # or +# 'key': my_awesome_callback_method, +# 'reverse': False, +#} + +# Set this to True to display an 'Admin Password' field on the Change Password +# form to verify that it is indeed the admin logged-in who wants to change +# the password. +#ENFORCE_PASSWORD_CHECK = False + +# Modules that provide /auth routes that can be used to handle different types +# of user authentication. Add auth plugins that require extra route handling to +# this list. +#AUTHENTICATION_URLS = [ +# 'openstack_auth.urls', +#] + +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. + +# Path to directory containing policy.json files +#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") + +# Map of local copy of service policy files. +# Please insure that your identity policy file matches the one being used on +# your keystone servers. There is an alternate policy file that may be used +# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. +# This file is not included in the Horizon repository by default but can be +# found at +# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ +# policy.v3cloudsample.json +# Having matching policy files on the Horizon and Keystone servers is essential +# for normal operation. This holds true for all services and their policy files. +#POLICY_FILES = { +# 'identity': 'keystone_policy.json', +# 'compute': 'nova_policy.json', +# 'volume': 'cinder_policy.json', +# 'image': 'glance_policy.json', +# 'network': 'neutron_policy.json', +#} + +# Change this patch to the appropriate list of tuples containing +# a key, label and static directory containing two files: +# _variables.scss and _styles.scss +AVAILABLE_THEMES = [ + ('default', 'Default', 'themes/default'), +# ('material', 'Material', 'themes/material'), +] + +LOGGING = { + 'version': 1, + # When set to True this will disable all logging except + # for loggers specified in this configuration dictionary. Note that + # if nothing is specified here and disable_existing_loggers is True, + # django.db.backends will still log unless it is disabled explicitly. + 'disable_existing_loggers': False, + # If apache2 mod_wsgi is used to deploy OpenStack dashboard + # timestamp is output by mod_wsgi. If WSGI framework you use does not + # output timestamp for logging, add %(asctime)s in the following + # format definitions. + 'formatters': { + 'console': { + 'format': '%(levelname)s %(name)s %(message)s' + }, + 'operation': { + # The format of "%(message)s" is defined by + # OPERATION_LOG_OPTIONS['format'] + 'format': '%(message)s' + }, + }, + 'handlers': { + 'null': { + 'level': 'DEBUG', + 'class': 'logging.NullHandler', + }, + 'console': { + # Set the level to "DEBUG" for verbose output logging. + 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'console', + }, + 'operation': { + 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'operation', + }, + }, + 'loggers': { + 'horizon': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'horizon.operation_log': { + 'handlers': ['operation'], + 'level': 'INFO', + 'propagate': False, + }, + 'openstack_dashboard': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'novaclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'cinderclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneauth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'glanceclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'neutronclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'swiftclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'oslo_policy': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_auth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'django': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + # Logging from django.db.backends is VERY verbose, send to null + # by default. + 'django.db.backends': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests': { + 'handlers': ['null'], + 'propagate': False, + }, + 'urllib3': { + 'handlers': ['null'], + 'propagate': False, + }, + 'chardet.charsetprober': { + 'handlers': ['null'], + 'propagate': False, + }, + 'iso8601': { + 'handlers': ['null'], + 'propagate': False, + }, + 'scss': { + 'handlers': ['null'], + 'propagate': False, + }, + }, +} + +# 'direction' should not be specified for all_tcp/udp/icmp. +# It is specified in the form. +SECURITY_GROUP_RULES = { + 'all_tcp': { + 'name': _('All TCP'), + 'ip_protocol': 'tcp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_udp': { + 'name': _('All UDP'), + 'ip_protocol': 'udp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_icmp': { + 'name': _('All ICMP'), + 'ip_protocol': 'icmp', + 'from_port': '-1', + 'to_port': '-1', + }, + 'ssh': { + 'name': 'SSH', + 'ip_protocol': 'tcp', + 'from_port': '22', + 'to_port': '22', + }, + 'smtp': { + 'name': 'SMTP', + 'ip_protocol': 'tcp', + 'from_port': '25', + 'to_port': '25', + }, + 'dns': { + 'name': 'DNS', + 'ip_protocol': 'tcp', + 'from_port': '53', + 'to_port': '53', + }, + 'http': { + 'name': 'HTTP', + 'ip_protocol': 'tcp', + 'from_port': '80', + 'to_port': '80', + }, + 'pop3': { + 'name': 'POP3', + 'ip_protocol': 'tcp', + 'from_port': '110', + 'to_port': '110', + }, + 'imap': { + 'name': 'IMAP', + 'ip_protocol': 'tcp', + 'from_port': '143', + 'to_port': '143', + }, + 'ldap': { + 'name': 'LDAP', + 'ip_protocol': 'tcp', + 'from_port': '389', + 'to_port': '389', + }, + 'https': { + 'name': 'HTTPS', + 'ip_protocol': 'tcp', + 'from_port': '443', + 'to_port': '443', + }, + 'smtps': { + 'name': 'SMTPS', + 'ip_protocol': 'tcp', + 'from_port': '465', + 'to_port': '465', + }, + 'imaps': { + 'name': 'IMAPS', + 'ip_protocol': 'tcp', + 'from_port': '993', + 'to_port': '993', + }, + 'pop3s': { + 'name': 'POP3S', + 'ip_protocol': 'tcp', + 'from_port': '995', + 'to_port': '995', + }, + 'ms_sql': { + 'name': 'MS SQL', + 'ip_protocol': 'tcp', + 'from_port': '1433', + 'to_port': '1433', + }, + 'mysql': { + 'name': 'MYSQL', + 'ip_protocol': 'tcp', + 'from_port': '3306', + 'to_port': '3306', + }, + 'rdp': { + 'name': 'RDP', + 'ip_protocol': 'tcp', + 'from_port': '3389', + 'to_port': '3389', + }, +} + +# Deprecation Notice: +# +# The setting FLAVOR_EXTRA_KEYS has been deprecated. +# Please load extra spec metadata into the Glance Metadata Definition Catalog. +# +# The sample quota definitions can be found in: +# /etc/metadefs/compute-quota.json +# +# The metadata definition catalog supports CLI and API: +# $glance --os-image-api-version 2 help md-namespace-import +# $glance-manage db_load_metadefs +# +# See Metadata Definitions on: +# https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html + +# The hash algorithm to use for authentication tokens. This must +# match the hash algorithm that the identity server and the +# auth_token middleware are using. Allowed values are the +# algorithms supported by Python's hashlib library. +#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' + +# AngularJS requires some settings to be made available to +# the client side. Some settings are required by in-tree / built-in horizon +# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the +# form of ['SETTING_1','SETTING_2'], etc. +# +# You may remove settings from this list for security purposes, but do so at +# the risk of breaking a built-in horizon feature. These settings are required +# for horizon to function properly. Only remove them if you know what you +# are doing. These settings may in the future be moved to be defined within +# the enabled panel configuration. +# You should not add settings to this list for out of tree extensions. +# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI +REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', + 'LAUNCH_INSTANCE_DEFAULTS', + 'OPENSTACK_IMAGE_FORMATS', + 'OPENSTACK_KEYSTONE_BACKEND', + 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', + 'CREATE_IMAGE_DEFAULTS', + 'ENFORCE_PASSWORD_CHECK'] + +# Additional settings can be made available to the client side for +# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS +# !! Please use extreme caution as the settings are transferred via HTTP/S +# and are not encrypted on the browser. This is an experimental API and +# may be deprecated in the future without notice. +#REST_API_ADDITIONAL_SETTINGS = [] + +############################################################################### +# Ubuntu Settings +############################################################################### + + # The default theme if no cookie is present +DEFAULT_THEME = 'default' + +# Default Ubuntu apache configuration uses /horizon as the application root. +WEBROOT='/horizon/' + +# By default, validation of the HTTP Host header is disabled. Production +# installations should have this set accordingly. For more information +# see https://docs.djangoproject.com/en/dev/ref/settings/. +ALLOWED_HOSTS = '*' + +# Compress all assets offline as part of packaging installation +COMPRESS_OFFLINE = True + +# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded +# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame +# Scripting (XFS) vulnerability, so this option allows extra security hardening +# where iframes are not used in deployment. Default setting is True. +# For more information see: +# http://tinyurl.com/anticlickjack +#DISALLOW_IFRAME_EMBED = True + +# Help URL can be made available for the client. To provide a help URL, edit the +# following attribute to the URL of your choice. +#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" + +# Settings for OperationLogMiddleware +# OPERATION_LOG_ENABLED is flag to use the function to log an operation on +# Horizon. +# mask_targets is arrangement for appointing a target to mask. +# method_targets is arrangement of HTTP method to output log. +# format is the log contents. +#OPERATION_LOG_ENABLED = False +#OPERATION_LOG_OPTIONS = { +# 'mask_fields': ['password'], +# 'target_methods': ['POST'], +# 'ignored_urls': ['/js/', '/static/', '^/api/'], +# 'format': ("[%(client_ip)s] [%(domain_name)s]" +# " [%(domain_id)s] [%(project_name)s]" +# " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]" +# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" +# " [%(http_status)s] [%(param)s]"), +#} + +# The default date range in the Overview panel meters - either minus N +# days (if the value is integer N), or from the beginning of the current month +# until today (if set to None). This setting should be used to limit the amount +# of data fetched by default when rendering the Overview panel. +#OVERVIEW_DAYS_RANGE = 1 + +# To allow operators to require users provide a search criteria first +# before loading any data into the views, set the following dict +# attributes to True in each one of the panels you want to enable this feature. +# Follow the convention . +#FILTER_DATA_FIRST = { +# 'admin.instances': False, +# 'admin.images': False, +# 'admin.networks': False, +# 'admin.routers': False, +# 'admin.volumes': False, +# 'identity.users': False, +# 'identity.projects': False, +# 'identity.groups': False, +# 'identity.roles': False +#} + +# Dict used to restrict user private subnet cidr range. +# An empty list means that user input will not be restricted +# for a corresponding IP version. By default, there is +# no restriction for IPv4 or IPv6. To restrict +# user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR +# to something like +#ALLOWED_PRIVATE_SUBNET_CIDR = { +# 'ipv4': ['10.0.0.0/8', '192.168.0.0/16'], +# 'ipv6': ['fc00::/7'] +#} +ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} + +# Projects and users can have extra attributes as defined by keystone v3. +# Horizon has the ability to display these extra attributes via this setting. +# If you'd like to display extra data in the project or user tables, set the +# corresponding dict key to the attribute name, followed by the display name. +# For more information, see horizon's customization +# (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides) +#PROJECT_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} +#USER_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} + +# Password will have an expiration date when using keystone v3 and enabling the +# feature. +# This setting allows you to set the number of days that the user will be alerted +# prior to the password expiration. +# Once the password expires keystone will deny the access and users must +# contact an admin to change their password. +#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 diff --git a/conf_wagent/iotronic.conf b/conf_wagent/iotronic.conf new file mode 100644 index 0000000..c096c3c --- /dev/null +++ b/conf_wagent/iotronic.conf @@ -0,0 +1,96 @@ +[DEFAULT] +transport_url = rabbit://openstack:unime@rabbitmq + +debug=True +proxy=nginx +log_file = /var/log/iotronic/iotronic-wagent.log + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[wamp] +wamp_transport_url = wss://iotronic-wagent:8181/ +wamp_realm = s4t +skip_cert_verify= True +register_agent = True + + + +[database] +connection = mysql+pymysql://iotronic:unime@iotronic-db/iotronic + +[keystone_authtoken] +www_authenticate_uri = http://keystone:5000 +auth_url = http://keystone:5000 +auth_plugin = password +auth_type = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = unime + + +[neutron] +auth_url = http://controller:5000 +url = http://controller:9696 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = netrn_pwd +retries = 3 +project_domain_id= default + + +[designate] +auth_url = http://controller:35357 +url = http://controller:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = designate +password = password +retries = 3 +project_domain_id= default + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user +# credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. +# Defaults to HTTP Simple Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer +# value) +#max_age = 3600 + +# Indicate which methods can be used during the actual +# request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the +# actual request. (list value) +#allow_headers = diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..b807a03 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,393 @@ +version: "3.8" + +services: + ca_service: + image: debian:buster + container_name: ca_service + networks: + - s4t + volumes: + - iotronic_ssl:/etc/ssl/iotronic # Condiviso con iotronic-wstun + entrypoint: ["/bin/bash", "-c"] + command: + - | + echo "[INFO] Installazione di OpenSSL..." + apt-get update && apt-get install -y openssl && + + echo "[INFO] Generazione della Root CA..." + mkdir -p /etc/ssl/iotronic && + cd /etc/ssl/iotronic && + + openssl genrsa -out iotronic_CA.key 2048 && + openssl req -x509 -new -nodes -key iotronic_CA.key -sha256 -days 18250 \ + -subj "/C=IT/O=iotronic" -out iotronic_CA.pem && + + echo "[INFO] Generazione della chiave privata e del certificato per Crossbar..." + openssl genrsa -out crossbar.key 2048 && + openssl req -new -key crossbar.key -subj "/C=IT/O=iotronic/CN=crossbar" -out crossbar.csr && + openssl x509 -req -in crossbar.csr -CA iotronic_CA.pem -CAkey iotronic_CA.key -CAcreateserial -out crossbar.pem -days 18250 -sha256 && + + echo "[INFO] Impostazione permessi certificati..." + chmod 644 iotronic_CA.key iotronic_CA.pem crossbar.key crossbar.pem + chmod 755 /etc/ssl/iotronic + + echo "[INFO] Certificati generati con successo." + tail -f /dev/null + + crossbar: + image: crossbario/crossbar + container_name: crossbar + restart: unless-stopped + networks: + - s4t + volumes: + - iotronic_ssl:/node/.crossbar/ssl # Condiviso con iotronic-wstun + - crossbar_data:/node/.crossbar + ports: + - "8181:8181" + entrypoint: ["/bin/sh", "-c"] + command: + - | + echo "[INFO] Attesa dei certificati..." + while [ ! -f /node/.crossbar/ssl/crossbar.pem ] || [ ! -f /node/.crossbar/ssl/crossbar.key ]; do + sleep 2 + done + echo "[INFO] Certificati trovati!" + + echo "[INFO] Scrittura configurazione Crossbar..." + cat < /node/.crossbar/config.json + { + "version": 2, + "controller": {}, + "workers": [ + { + "type": "router", + "realms": [ + { + "name": "s4t", + "roles": [ + { + "name": "anonymous", + "permissions": [ + { + "uri": "*", + "allow": { + "publish": true, + "subscribe": true, + "call": true, + "register": true + } + } + ] + } + ] + } + ], + "transports": [ + { + "type": "websocket", + "endpoint": { + "type": "tcp", + "port": 8181, + "tls": { + "chain_certificates": ["/node/.crossbar/ssl/iotronic_CA.pem"], + "key": "/node/.crossbar/ssl/crossbar.key", + "certificate": "/node/.crossbar/ssl/crossbar.pem" + } + }, + "options":{ + "enable_webstatus": true, + "fail_by_drop": true, + "open_handshake_timeout": 2500, + "close_handshake_timeout": 1000, + "auto_ping_interval": 30000, + "auto_ping_timeout": 5000, + "auto_ping_size": 13 + } + } + ] + } + ] + } + EOF + + echo "[INFO] Avvio di Crossbar..." + crossbar start + + iotronic-wstun: + image: lucadagati/iotronic-wstun:latest + container_name: iotronic-wstun + restart: unless-stopped + networks: + - s4t + ports: + - "8080:8080" + - "50000-50100:50000-50100" + volumes: + - iotronic_ssl:/var/lib/iotronic/ssl + entrypoint: ["/bin/sh", "-c"] + command: + - | + set -x # DEBUG: Mostra i comandi eseguiti + echo "[INFO] Verifica permessi certificati..." + ls -l /var/lib/iotronic/ssl + while [ ! -e /var/lib/iotronic/ssl/iotronic_CA.pem ] || [ ! -e /var/lib/iotronic/ssl/crossbar.key ]; do + echo "[DEBUG] Certificati mancanti:" + ls -l /var/lib/iotronic/ssl + sleep 2 + done + + echo "[INFO] Certificati SSL trovati!" + ls -l /var/lib/iotronic/ssl + + echo "[INFO] Avvio di iotronic-wstun..." + exec node /usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js -r -s 8080 --ssl=true --key=/var/lib/iotronic/ssl/iotronic_CA.key --cert=/var/lib/iotronic/ssl/iotronic_CA.pem + + iotronic-db: + image: mariadb:bionic + container_name: iotronic-db + restart: unless-stopped + networks: + - s4t + environment: + MYSQL_ROOT_PASSWORD: "s4t" + MYSQL_DATABASE: "unime" + MYSQL_USER: "admin" + MYSQL_PASSWORD: "s4t" + command: > + mysqld --bind-address=0.0.0.0 + --default-storage-engine=innodb + --innodb-file-per-table=on + --max-connections=4096 + --collation-server=utf8_general_ci + --character-set-server=utf8 + --max_allowed_packet=128M + --connect_timeout=120 + --wait_timeout=48800 + --interactive_timeout=48800 + ports: + - "3306:3306" + volumes: + - ./conf_mysql:/etc/mysql + - db_data:/var/lib/mysql + - ./init-db.sql:/docker-entrypoint-initdb.d/init-db.sql + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-ps4t"] + interval: 10s + retries: 5 + start_period: 20s + timeout: 5s + + rabbitmq: + image: rabbitmq:3 + container_name: rabbitmq + restart: unless-stopped + networks: + - s4t + ports: + - "5672:5672" + environment: + RABBIT_PASS: "unime" + healthcheck: + test: ["CMD", "rabbitmqctl", "status"] + interval: 10s + retries: 5 + start_period: 20s + timeout: 5s + entrypoint: ["/bin/bash", "-c"] + command: | + rabbitmq-server & + sleep 30 && + rabbitmqctl add_user openstack unime && + rabbitmqctl set_permissions openstack ".*" ".*" ".*" && + wait -n + + keystone: + image: lucadagati/iotronic-keystone + container_name: keystone + restart: unless-stopped + depends_on: + iotronic-db: + condition: service_healthy + rabbitmq: + condition: service_healthy + networks: + - s4t + environment: + # Credenziali admin e impostazioni Keystone + ADMIN_PASS: "s4t" + OS_USERNAME: "admin" + OS_PASSWORD: "s4t" + OS_PROJECT_NAME: "admin" + OS_USER_DOMAIN_NAME: "Default" + OS_PROJECT_DOMAIN_NAME: "Default" + OS_AUTH_URL: "http://keystone:5000/v3" + OS_IDENTITY_API_VERSION: "3" + + KEYSTONE_DB_NAME: "keystone" + KEYSTONE_DB_USER: "keystone" + KEYSTONE_DBPASS: "unime" + + DB_HOST: "iotronic-db" + RABBIT_PASS: "unime" + REGION_NAME: "RegionOne" + ports: + - "5000:5000" + volumes: + - ./conf_keystone:/etc/keystone + - keystone_data:/var/lib/keystone + - /var/log/keystone:/var/log/keystone + - /var/log/keystone-api:/var/log/apache2 + command: > + /bin/bash -c " + echo '[INFO] Attesa del database Keystone...'; + until mysql -h iotronic-db -uroot -ps4t -e 'SELECT 1' >/dev/null 2>&1; do + echo '[INFO] Database non ancora pronto, riprovo...'; + sleep 5; + done; + echo '[INFO] Database pronto!'; + mysql -u root -ps4t -h iotronic-db -e \"CREATE DATABASE IF NOT EXISTS keystone; + CREATE DATABASE IF NOT EXISTS iotronic; + DROP USER IF EXISTS 'keystone'@'localhost'; + DROP USER IF EXISTS 'keystone'@'%'; + CREATE USER 'keystone'@'localhost' IDENTIFIED BY 'unime'; + CREATE USER 'keystone'@'%' IDENTIFIED BY 'unime'; + GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'; + GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'; + DROP USER IF EXISTS 'iotronic'@'localhost'; + DROP USER IF EXISTS 'iotronic'@'%'; + CREATE USER 'iotronic'@'localhost' IDENTIFIED BY 'unime'; + CREATE USER 'iotronic'@'%' IDENTIFIED BY 'unime'; + GRANT ALL PRIVILEGES ON iotronic.* TO 'iotronic'@'localhost'; + GRANT ALL PRIVILEGES ON iotronic.* TO 'iotronic'@'%'; + FLUSH PRIVILEGES;\"; + echo '[INFO] Creazione delle cartelle per le chiavi Fernet e credenziali...'; + mkdir -p /etc/keystone/fernet-keys; + mkdir -p /etc/keystone/credential-keys; + chown -R keystone:keystone /etc/keystone; + + echo '[INFO] Verifica delle chiavi Fernet...'; + if [ ! -f /etc/keystone/fernet-keys/0 ]; then + echo '[INFO] Nessuna chiave Fernet trovata, eseguo fernet_setup...'; + su -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' keystone; + else + echo '[INFO] Chiavi Fernet già presenti.'; + fi + + echo '[INFO] Verifica delle credenziali crittografate...'; + if [ ! -f /etc/keystone/credential-keys/0 ]; then + echo '[INFO] Nessuna chiave di credenziali trovata, eseguo credential_setup...'; + su -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone' keystone; + else + echo '[INFO] Chiavi di credenziali già presenti.'; + fi + + echo '[INFO] Sincronizzazione delle tabelle di Keystone...'; + su -s /bin/sh -c 'keystone-manage db_sync' keystone; + echo '[INFO] Configurazione dei token Fernet...'; + su -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' keystone; + echo '[INFO] Configurazione delle credenziali crittografate...'; + su -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone' keystone; + echo '[INFO] Bootstrap di Keystone...'; + su -s /bin/sh -c 'keystone-manage bootstrap --bootstrap-password s4t --bootstrap-admin-url http://keystone:5000/v3 --bootstrap-internal-url http://keystone:5000/v3 --bootstrap-public-url http://keystone:5000/v3 --bootstrap-region-id RegionOne' keystone; + exec apache2ctl -D FOREGROUND" + + iotronic-conductor: + image: lucadagati/iotronic-conductor:latest + container_name: iotronic-conductor + restart: unless-stopped + networks: + - s4t + environment: + # Credenziali DB Iotronic + MYSQL_ROOT_PASSWORD: "s4t" + DB_HOST: "iotronic-db" + IOTRONIC_DB_NAME: "iotronic" + IOTRONIC_DB_USER: "iotronic" + IOTRONIC_DBPASS: "unime" + + # Credenziali OpenStack + OS_AUTH_URL: "http://keystone:5000/v3" + OS_USERNAME: "admin" + OS_PASSWORD: "s4t" + OS_PROJECT_NAME: "admin" + OS_USER_DOMAIN_NAME: "Default" + OS_PROJECT_DOMAIN_NAME: "Default" + + # Stringa di connessione + DB_CONNECTION_STRING: "mysql+pymysql://iotronic:unime@iotronic-db/iotronic" + ports: + - "8812:8812" + volumes: + - ./conf_conductor:/etc/iotronic + - iotronic_logs:/var/log/iotronic + command: > + /bin/bash -c " + echo '[INFO] Attesa del database MySQL...'; + until mysql -h iotronic-db -uroot -ps4t -e 'SELECT 1' >/dev/null 2>&1; do + echo '[INFO] Database non ancora pronto, riprovo...'; + sleep 5; + done; + iotronic-dbsync; + echo '[INFO] Configurazione dei permessi sui log...'; + chown -R iotronic:iotronic /var/log/iotronic; + echo '[INFO] Avvio di Iotronic Conductor...'; + iotronic-conductor" + + wagent: + image: lucadagati/iotronic-wagent:latest + container_name: iotronic-wagent + restart: unless-stopped + networks: + - s4t + environment: + # DB info + MYSQL_ROOT_PASSWORD: "s4t" + DB_HOST: "iotronic-db" + + # Stringa di connessione + DB_CONNECTION_STRING: "mysql+pymysql://iotronic:unime@iotronic-db/iotronic" + + # Credenziali OpenStack + OS_AUTH_URL: "http://keystone:5000/v3" + OS_USERNAME: "admin" + OS_PASSWORD: "s4t" + OS_PROJECT_NAME: "admin" + OS_USER_DOMAIN_NAME: "Default" + OS_PROJECT_DOMAIN_NAME: "Default" + volumes: + - ./conf_wagent:/etc/iotronic + - iotronic_logs:/var/log/iotronic + command: > + /bin/bash -c " + echo '[INFO] Configurazione dei permessi sui log...'; + chown -R iotronic:iotronic /var/log/iotronic; + echo '[INFO] Avvio del Wagent...'; + exec /usr/local/bin/iotronic-wamp-agent --config-file /etc/iotronic/iotronic.conf" + + iotronic-ui: + image: lucadagati/iotronic-ui:latest + container_name: iotronic-ui + restart: unless-stopped + networks: + - s4t + ports: + - "8585:80" + volumes: + - iotronic-ui_config:/etc/openstack-dashboard + - iotronic-ui_logs:/var/log/apache2 + - ./conf_ui:/etc/openstack-dashboard # <--- Monta tutta la cartella + +networks: + s4t: + driver: bridge + +volumes: + db_data: + keystone_data: + iotronic_logs: + iotronic-ui_logs: + iotronic-ui_config: + crossbar_data: + ca_data: + iotronic_ssl: From 64602a14c609cfb455ed0328beddfc03816943f8 Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:21:39 +0100 Subject: [PATCH 02/18] Delete docker-compose.yml --- docker-compose.yml | 393 --------------------------------------------- 1 file changed, 393 deletions(-) delete mode 100644 docker-compose.yml diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index b807a03..0000000 --- a/docker-compose.yml +++ /dev/null @@ -1,393 +0,0 @@ -version: "3.8" - -services: - ca_service: - image: debian:buster - container_name: ca_service - networks: - - s4t - volumes: - - iotronic_ssl:/etc/ssl/iotronic # Condiviso con iotronic-wstun - entrypoint: ["/bin/bash", "-c"] - command: - - | - echo "[INFO] Installazione di OpenSSL..." - apt-get update && apt-get install -y openssl && - - echo "[INFO] Generazione della Root CA..." - mkdir -p /etc/ssl/iotronic && - cd /etc/ssl/iotronic && - - openssl genrsa -out iotronic_CA.key 2048 && - openssl req -x509 -new -nodes -key iotronic_CA.key -sha256 -days 18250 \ - -subj "/C=IT/O=iotronic" -out iotronic_CA.pem && - - echo "[INFO] Generazione della chiave privata e del certificato per Crossbar..." - openssl genrsa -out crossbar.key 2048 && - openssl req -new -key crossbar.key -subj "/C=IT/O=iotronic/CN=crossbar" -out crossbar.csr && - openssl x509 -req -in crossbar.csr -CA iotronic_CA.pem -CAkey iotronic_CA.key -CAcreateserial -out crossbar.pem -days 18250 -sha256 && - - echo "[INFO] Impostazione permessi certificati..." - chmod 644 iotronic_CA.key iotronic_CA.pem crossbar.key crossbar.pem - chmod 755 /etc/ssl/iotronic - - echo "[INFO] Certificati generati con successo." - tail -f /dev/null - - crossbar: - image: crossbario/crossbar - container_name: crossbar - restart: unless-stopped - networks: - - s4t - volumes: - - iotronic_ssl:/node/.crossbar/ssl # Condiviso con iotronic-wstun - - crossbar_data:/node/.crossbar - ports: - - "8181:8181" - entrypoint: ["/bin/sh", "-c"] - command: - - | - echo "[INFO] Attesa dei certificati..." - while [ ! -f /node/.crossbar/ssl/crossbar.pem ] || [ ! -f /node/.crossbar/ssl/crossbar.key ]; do - sleep 2 - done - echo "[INFO] Certificati trovati!" - - echo "[INFO] Scrittura configurazione Crossbar..." - cat < /node/.crossbar/config.json - { - "version": 2, - "controller": {}, - "workers": [ - { - "type": "router", - "realms": [ - { - "name": "s4t", - "roles": [ - { - "name": "anonymous", - "permissions": [ - { - "uri": "*", - "allow": { - "publish": true, - "subscribe": true, - "call": true, - "register": true - } - } - ] - } - ] - } - ], - "transports": [ - { - "type": "websocket", - "endpoint": { - "type": "tcp", - "port": 8181, - "tls": { - "chain_certificates": ["/node/.crossbar/ssl/iotronic_CA.pem"], - "key": "/node/.crossbar/ssl/crossbar.key", - "certificate": "/node/.crossbar/ssl/crossbar.pem" - } - }, - "options":{ - "enable_webstatus": true, - "fail_by_drop": true, - "open_handshake_timeout": 2500, - "close_handshake_timeout": 1000, - "auto_ping_interval": 30000, - "auto_ping_timeout": 5000, - "auto_ping_size": 13 - } - } - ] - } - ] - } - EOF - - echo "[INFO] Avvio di Crossbar..." - crossbar start - - iotronic-wstun: - image: lucadagati/iotronic-wstun:latest - container_name: iotronic-wstun - restart: unless-stopped - networks: - - s4t - ports: - - "8080:8080" - - "50000-50100:50000-50100" - volumes: - - iotronic_ssl:/var/lib/iotronic/ssl - entrypoint: ["/bin/sh", "-c"] - command: - - | - set -x # DEBUG: Mostra i comandi eseguiti - echo "[INFO] Verifica permessi certificati..." - ls -l /var/lib/iotronic/ssl - while [ ! -e /var/lib/iotronic/ssl/iotronic_CA.pem ] || [ ! -e /var/lib/iotronic/ssl/crossbar.key ]; do - echo "[DEBUG] Certificati mancanti:" - ls -l /var/lib/iotronic/ssl - sleep 2 - done - - echo "[INFO] Certificati SSL trovati!" - ls -l /var/lib/iotronic/ssl - - echo "[INFO] Avvio di iotronic-wstun..." - exec node /usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js -r -s 8080 --ssl=true --key=/var/lib/iotronic/ssl/iotronic_CA.key --cert=/var/lib/iotronic/ssl/iotronic_CA.pem - - iotronic-db: - image: mariadb:bionic - container_name: iotronic-db - restart: unless-stopped - networks: - - s4t - environment: - MYSQL_ROOT_PASSWORD: "s4t" - MYSQL_DATABASE: "unime" - MYSQL_USER: "admin" - MYSQL_PASSWORD: "s4t" - command: > - mysqld --bind-address=0.0.0.0 - --default-storage-engine=innodb - --innodb-file-per-table=on - --max-connections=4096 - --collation-server=utf8_general_ci - --character-set-server=utf8 - --max_allowed_packet=128M - --connect_timeout=120 - --wait_timeout=48800 - --interactive_timeout=48800 - ports: - - "3306:3306" - volumes: - - ./conf_mysql:/etc/mysql - - db_data:/var/lib/mysql - - ./init-db.sql:/docker-entrypoint-initdb.d/init-db.sql - healthcheck: - test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-ps4t"] - interval: 10s - retries: 5 - start_period: 20s - timeout: 5s - - rabbitmq: - image: rabbitmq:3 - container_name: rabbitmq - restart: unless-stopped - networks: - - s4t - ports: - - "5672:5672" - environment: - RABBIT_PASS: "unime" - healthcheck: - test: ["CMD", "rabbitmqctl", "status"] - interval: 10s - retries: 5 - start_period: 20s - timeout: 5s - entrypoint: ["/bin/bash", "-c"] - command: | - rabbitmq-server & - sleep 30 && - rabbitmqctl add_user openstack unime && - rabbitmqctl set_permissions openstack ".*" ".*" ".*" && - wait -n - - keystone: - image: lucadagati/iotronic-keystone - container_name: keystone - restart: unless-stopped - depends_on: - iotronic-db: - condition: service_healthy - rabbitmq: - condition: service_healthy - networks: - - s4t - environment: - # Credenziali admin e impostazioni Keystone - ADMIN_PASS: "s4t" - OS_USERNAME: "admin" - OS_PASSWORD: "s4t" - OS_PROJECT_NAME: "admin" - OS_USER_DOMAIN_NAME: "Default" - OS_PROJECT_DOMAIN_NAME: "Default" - OS_AUTH_URL: "http://keystone:5000/v3" - OS_IDENTITY_API_VERSION: "3" - - KEYSTONE_DB_NAME: "keystone" - KEYSTONE_DB_USER: "keystone" - KEYSTONE_DBPASS: "unime" - - DB_HOST: "iotronic-db" - RABBIT_PASS: "unime" - REGION_NAME: "RegionOne" - ports: - - "5000:5000" - volumes: - - ./conf_keystone:/etc/keystone - - keystone_data:/var/lib/keystone - - /var/log/keystone:/var/log/keystone - - /var/log/keystone-api:/var/log/apache2 - command: > - /bin/bash -c " - echo '[INFO] Attesa del database Keystone...'; - until mysql -h iotronic-db -uroot -ps4t -e 'SELECT 1' >/dev/null 2>&1; do - echo '[INFO] Database non ancora pronto, riprovo...'; - sleep 5; - done; - echo '[INFO] Database pronto!'; - mysql -u root -ps4t -h iotronic-db -e \"CREATE DATABASE IF NOT EXISTS keystone; - CREATE DATABASE IF NOT EXISTS iotronic; - DROP USER IF EXISTS 'keystone'@'localhost'; - DROP USER IF EXISTS 'keystone'@'%'; - CREATE USER 'keystone'@'localhost' IDENTIFIED BY 'unime'; - CREATE USER 'keystone'@'%' IDENTIFIED BY 'unime'; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'; - DROP USER IF EXISTS 'iotronic'@'localhost'; - DROP USER IF EXISTS 'iotronic'@'%'; - CREATE USER 'iotronic'@'localhost' IDENTIFIED BY 'unime'; - CREATE USER 'iotronic'@'%' IDENTIFIED BY 'unime'; - GRANT ALL PRIVILEGES ON iotronic.* TO 'iotronic'@'localhost'; - GRANT ALL PRIVILEGES ON iotronic.* TO 'iotronic'@'%'; - FLUSH PRIVILEGES;\"; - echo '[INFO] Creazione delle cartelle per le chiavi Fernet e credenziali...'; - mkdir -p /etc/keystone/fernet-keys; - mkdir -p /etc/keystone/credential-keys; - chown -R keystone:keystone /etc/keystone; - - echo '[INFO] Verifica delle chiavi Fernet...'; - if [ ! -f /etc/keystone/fernet-keys/0 ]; then - echo '[INFO] Nessuna chiave Fernet trovata, eseguo fernet_setup...'; - su -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' keystone; - else - echo '[INFO] Chiavi Fernet già presenti.'; - fi - - echo '[INFO] Verifica delle credenziali crittografate...'; - if [ ! -f /etc/keystone/credential-keys/0 ]; then - echo '[INFO] Nessuna chiave di credenziali trovata, eseguo credential_setup...'; - su -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone' keystone; - else - echo '[INFO] Chiavi di credenziali già presenti.'; - fi - - echo '[INFO] Sincronizzazione delle tabelle di Keystone...'; - su -s /bin/sh -c 'keystone-manage db_sync' keystone; - echo '[INFO] Configurazione dei token Fernet...'; - su -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' keystone; - echo '[INFO] Configurazione delle credenziali crittografate...'; - su -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone' keystone; - echo '[INFO] Bootstrap di Keystone...'; - su -s /bin/sh -c 'keystone-manage bootstrap --bootstrap-password s4t --bootstrap-admin-url http://keystone:5000/v3 --bootstrap-internal-url http://keystone:5000/v3 --bootstrap-public-url http://keystone:5000/v3 --bootstrap-region-id RegionOne' keystone; - exec apache2ctl -D FOREGROUND" - - iotronic-conductor: - image: lucadagati/iotronic-conductor:latest - container_name: iotronic-conductor - restart: unless-stopped - networks: - - s4t - environment: - # Credenziali DB Iotronic - MYSQL_ROOT_PASSWORD: "s4t" - DB_HOST: "iotronic-db" - IOTRONIC_DB_NAME: "iotronic" - IOTRONIC_DB_USER: "iotronic" - IOTRONIC_DBPASS: "unime" - - # Credenziali OpenStack - OS_AUTH_URL: "http://keystone:5000/v3" - OS_USERNAME: "admin" - OS_PASSWORD: "s4t" - OS_PROJECT_NAME: "admin" - OS_USER_DOMAIN_NAME: "Default" - OS_PROJECT_DOMAIN_NAME: "Default" - - # Stringa di connessione - DB_CONNECTION_STRING: "mysql+pymysql://iotronic:unime@iotronic-db/iotronic" - ports: - - "8812:8812" - volumes: - - ./conf_conductor:/etc/iotronic - - iotronic_logs:/var/log/iotronic - command: > - /bin/bash -c " - echo '[INFO] Attesa del database MySQL...'; - until mysql -h iotronic-db -uroot -ps4t -e 'SELECT 1' >/dev/null 2>&1; do - echo '[INFO] Database non ancora pronto, riprovo...'; - sleep 5; - done; - iotronic-dbsync; - echo '[INFO] Configurazione dei permessi sui log...'; - chown -R iotronic:iotronic /var/log/iotronic; - echo '[INFO] Avvio di Iotronic Conductor...'; - iotronic-conductor" - - wagent: - image: lucadagati/iotronic-wagent:latest - container_name: iotronic-wagent - restart: unless-stopped - networks: - - s4t - environment: - # DB info - MYSQL_ROOT_PASSWORD: "s4t" - DB_HOST: "iotronic-db" - - # Stringa di connessione - DB_CONNECTION_STRING: "mysql+pymysql://iotronic:unime@iotronic-db/iotronic" - - # Credenziali OpenStack - OS_AUTH_URL: "http://keystone:5000/v3" - OS_USERNAME: "admin" - OS_PASSWORD: "s4t" - OS_PROJECT_NAME: "admin" - OS_USER_DOMAIN_NAME: "Default" - OS_PROJECT_DOMAIN_NAME: "Default" - volumes: - - ./conf_wagent:/etc/iotronic - - iotronic_logs:/var/log/iotronic - command: > - /bin/bash -c " - echo '[INFO] Configurazione dei permessi sui log...'; - chown -R iotronic:iotronic /var/log/iotronic; - echo '[INFO] Avvio del Wagent...'; - exec /usr/local/bin/iotronic-wamp-agent --config-file /etc/iotronic/iotronic.conf" - - iotronic-ui: - image: lucadagati/iotronic-ui:latest - container_name: iotronic-ui - restart: unless-stopped - networks: - - s4t - ports: - - "8585:80" - volumes: - - iotronic-ui_config:/etc/openstack-dashboard - - iotronic-ui_logs:/var/log/apache2 - - ./conf_ui:/etc/openstack-dashboard # <--- Monta tutta la cartella - -networks: - s4t: - driver: bridge - -volumes: - db_data: - keystone_data: - iotronic_logs: - iotronic-ui_logs: - iotronic-ui_config: - crossbar_data: - ca_data: - iotronic_ssl: From 1170dafd155e9ec79b5bb1c9bf21231d95308eba Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:21:49 +0100 Subject: [PATCH 03/18] Delete conf_wagent directory --- conf_wagent/iotronic.conf | 96 --------------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 conf_wagent/iotronic.conf diff --git a/conf_wagent/iotronic.conf b/conf_wagent/iotronic.conf deleted file mode 100644 index c096c3c..0000000 --- a/conf_wagent/iotronic.conf +++ /dev/null @@ -1,96 +0,0 @@ -[DEFAULT] -transport_url = rabbit://openstack:unime@rabbitmq - -debug=True -proxy=nginx -log_file = /var/log/iotronic/iotronic-wagent.log - -# Authentication strategy used by iotronic-api: one of -# "keystone" or "noauth". "noauth" should not be used in a -# production environment because all authentication will be -# disabled. (string value) -auth_strategy=keystone - -# Enable pecan debug mode. WARNING: this is insecure and -# should not be used in a production environment. (boolean -# value) -#pecan_debug=false - - -[wamp] -wamp_transport_url = wss://iotronic-wagent:8181/ -wamp_realm = s4t -skip_cert_verify= True -register_agent = True - - - -[database] -connection = mysql+pymysql://iotronic:unime@iotronic-db/iotronic - -[keystone_authtoken] -www_authenticate_uri = http://keystone:5000 -auth_url = http://keystone:5000 -auth_plugin = password -auth_type = password -project_domain_id = default -user_domain_id = default -project_name = service -username = iotronic -password = unime - - -[neutron] -auth_url = http://controller:5000 -url = http://controller:9696 -auth_strategy = password -project_domain_name = default -user_domain_name = default -region_name = RegionOne -project_name = service -username = neutron -password = netrn_pwd -retries = 3 -project_domain_id= default - - -[designate] -auth_url = http://controller:35357 -url = http://controller:9001 -auth_strategy = password -project_domain_name = default -user_domain_name = default -region_name = RegionOne -project_name = service -username = designate -password = password -retries = 3 -project_domain_id= default - - -[cors] -# Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. Format: -# "://[:]", no trailing slash. Example: -# https://horizon.example.com (list value) -#allowed_origin = - -# Indicate that the actual request can include user -# credentials (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. -# Defaults to HTTP Simple Headers. (list value) -#expose_headers = - -# Maximum cache age of CORS preflight requests. (integer -# value) -#max_age = 3600 - -# Indicate which methods can be used during the actual -# request. (list value) -#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH - -# Indicate which header field names may be used during the -# actual request. (list value) -#allow_headers = From 545692da4bb73e5a33815e61531953c3bf8c6960 Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:21:58 +0100 Subject: [PATCH 04/18] Delete conf_ui directory --- conf_ui/local_settings.py | 916 -------------------------------------- 1 file changed, 916 deletions(-) delete mode 100644 conf_ui/local_settings.py diff --git a/conf_ui/local_settings.py b/conf_ui/local_settings.py deleted file mode 100644 index 042b682..0000000 --- a/conf_ui/local_settings.py +++ /dev/null @@ -1,916 +0,0 @@ -# -*- coding: utf-8 -*- - -import os - -from django.utils.translation import ugettext_lazy as _ - -from horizon.utils import secret_key - -from openstack_dashboard.settings import HORIZON_CONFIG - -DEBUG = False - -# This setting controls whether or not compression is enabled. Disabling -# compression makes Horizon considerably slower, but makes it much easier -# to debug JS and CSS changes -#COMPRESS_ENABLED = not DEBUG - -# This setting controls whether compression happens on the fly, or offline -# with `python manage.py compress` -# See https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression -# for more information -#COMPRESS_OFFLINE = not DEBUG - -# WEBROOT is the location relative to Webserver root -# should end with a slash. -WEBROOT = '/' -#LOGIN_URL = WEBROOT + 'auth/login/' -#LOGOUT_URL = WEBROOT + 'auth/logout/' -# -# LOGIN_REDIRECT_URL can be used as an alternative for -# HORIZON_CONFIG.user_home, if user_home is not set. -# Do not set it to '/home/', as this will cause circular redirect loop -#LOGIN_REDIRECT_URL = WEBROOT - -# If horizon is running in production (DEBUG is False), set this -# with the list of host/domain names that the application can serve. -# For more information see: -# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts -ALLOWED_HOSTS = ['*', ] - -# Set SSL proxy settings: -# Pass this header from the proxy after terminating the SSL, -# and don't forget to strip it from the client's request. -# For more information see: -# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header -#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') - -# If Horizon is being served through SSL, then uncomment the following two -# settings to better secure the cookies from security exploits -#CSRF_COOKIE_SECURE = True -#SESSION_COOKIE_SECURE = True - -# The absolute path to the directory where message files are collected. -# The message file must have a .json file extension. When the user logins to -# horizon, the message files collected are processed and displayed to the user. -#MESSAGES_PATH=None - -# Overrides for OpenStack API versions. Use this setting to force the -# OpenStack dashboard to use a specific API version for a given service API. -# Versions specified here should be integers or floats, not strings. -# NOTE: The version should be formatted as it appears in the URL for the -# service API. For example, The identity service APIs have inconsistent -# use of the decimal point, so valid options would be 2.0 or 3. -# Minimum compute version to get the instance locked status is 2.9. -#OPENSTACK_API_VERSIONS = { -# "data-processing": 1.1, -# "identity": 3, -# "image": 2, -# "volume": 2, -# "compute": 2, -#} - -# Set this to True if running on a multi-domain model. When this is enabled, it -# will require the user to enter the Domain name in addition to the username -# for login. -#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False - -# Set this to True if you want available domains displayed as a dropdown menu -# on the login screen. It is strongly advised NOT to enable this for public -# clouds, as advertising enabled domains to unauthenticated customers -# irresponsibly exposes private information. This should only be used for -# private clouds where the dashboard sits behind a corporate firewall. -#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False - -# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to -# set the available domains to choose from. This is a list of pairs whose first -# value is the domain name and the second is the display name. -#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( -# ('Default', 'Default'), -#) - -# Overrides the default domain used when running on single-domain model -# with Keystone V3. All entities will be created in the default domain. -# NOTE: This value must be the name of the default domain, NOT the ID. -# Also, you will most likely have a value in the keystone policy file like this -# "cloud_admin": "rule:admin_required and domain_id:" -# This value must be the name of the domain whose ID is specified there. -#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' - -# Set this to True to enable panels that provide the ability for users to -# manage Identity Providers (IdPs) and establish a set of rules to map -# federation protocol attributes to Identity API attributes. -# This extension requires v3.0+ of the Identity API. -#OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False - -# Set Console type: -# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS" -# or None. Set to None explicitly if you want to deactivate the console. -#CONSOLE_TYPE = "AUTO" - -# Toggle showing the openrc file for Keystone V2. -# If set to false the link will be removed from the user dropdown menu -# and the API Access page -#SHOW_KEYSTONE_V2_RC = True - -# If provided, a "Report Bug" link will be displayed in the site header -# which links to the value of this setting (ideally a URL containing -# information on how to report issues). -#HORIZON_CONFIG["bug_url"] = "http://bug-report.example.com" - -# Show backdrop element outside the modal, do not close the modal -# after clicking on backdrop. -#HORIZON_CONFIG["modal_backdrop"] = "static" - -# Specify a regular expression to validate user passwords. -#HORIZON_CONFIG["password_validator"] = { -# "regex": '.*', -# "help_text": _("Your password does not meet the requirements."), -#} - -# Turn off browser autocompletion for forms including the login form and -# the database creation workflow if so desired. -#HORIZON_CONFIG["password_autocomplete"] = "off" - -# Setting this to True will disable the reveal button for password fields, -# including on the login form. -#HORIZON_CONFIG["disable_password_reveal"] = False - -LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) - -# Set custom secret key: -# You can either set it to a specific value or you can let horizon generate a -# default secret key that is unique on this machine, e.i. regardless of the -# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, -# there may be situations where you would want to set this explicitly, e.g. -# when multiple dashboard instances are distributed on different machines -# (usually behind a load-balancer). Either you have to make sure that a session -# gets all requests routed to the same dashboard instance or you set the same -# SECRET_KEY for all of them. -SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key') - -# We recommend you use memcached for development; otherwise after every reload -# of the django development server, you will have to login again. To use -# memcached set CACHES to something like - -CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', - 'LOCATION': 'iotronic-ui:11211', - }, -} - -#CACHES = { -# 'default': { -# 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', -# } -#} - -# Send email to the console by default -EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' -# Or send them to /dev/null -#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' - -# Configure these for your outgoing email host -#EMAIL_HOST = 'smtp.my-company.com' -#EMAIL_PORT = 25 -#EMAIL_HOST_USER = 'djangomail' -#EMAIL_HOST_PASSWORD = 'top-secret!' - -# For multiple regions uncomment this configuration, and add (endpoint, title). -#AVAILABLE_REGIONS = [ -# ('http://cluster1.example.com:5000/v3', 'cluster1'), -# ('http://cluster2.example.com:5000/v3', 'cluster2'), -#] - -OPENSTACK_HOST = "keystone" -OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST -OPENSTACK_KEYSTONE_DEFAULT_ROLE = "admin" - -# For setting the default service region on a per-endpoint basis. Note that the -# default value for this setting is {}, and below is just an example of how it -# should be specified. -# A key of '*' is an optional global default if no other key matches. -#DEFAULT_SERVICE_REGIONS = { -# '*': 'RegionOne' -# OPENSTACK_KEYSTONE_URL: 'RegionTwo' -#} - -# Enables keystone web single-sign-on if set to True. -#WEBSSO_ENABLED = False - -# Authentication mechanism to be selected as default. -# The value must be a key from WEBSSO_CHOICES. -#WEBSSO_INITIAL_CHOICE = "credentials" - -# The list of authentication mechanisms which include keystone -# federation protocols and identity provider/federation protocol -# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol -# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID -# Connect respectively. -# Do not remove the mandatory credentials mechanism. -# Note: The last two tuples are sample mapping keys to a identity provider -# and federation protocol combination (WEBSSO_IDP_MAPPING). -#WEBSSO_CHOICES = ( -# ("credentials", _("Keystone Credentials")), -# ("oidc", _("OpenID Connect")), -# ("saml2", _("Security Assertion Markup Language")), -# ("acme_oidc", "ACME - OpenID Connect"), -# ("acme_saml2", "ACME - SAML2"), -#) - -# A dictionary of specific identity provider and federation protocol -# combinations. From the selected authentication mechanism, the value -# will be looked up as keys in the dictionary. If a match is found, -# it will redirect the user to a identity provider and federation protocol -# specific WebSSO endpoint in keystone, otherwise it will use the value -# as the protocol_id when redirecting to the WebSSO by protocol endpoint. -# NOTE: The value is expected to be a tuple formatted as: (, ). -#WEBSSO_IDP_MAPPING = { -# "acme_oidc": ("acme", "oidc"), -# "acme_saml2": ("acme", "saml2"), -#} - -# If set this URL will be used for web single-sign-on authentication -# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment -# scenarios where network segmentation is used per security requirement. -# In this case, the controllers are not reachable from public network. -# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL -# if it is set to the internal endpoint. -#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" - -# The Keystone Provider drop down uses Keystone to Keystone federation -# to switch between Keystone service providers. -# Set display name for Identity Provider (dropdown display name) -#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" -# This id is used for only for comparison with the service provider IDs. This ID -# should not match any service provider IDs. -#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" - -# Disable SSL certificate checks (useful for self-signed certificates): -#OPENSTACK_SSL_NO_VERIFY = True - -# The CA certificate to use to verify SSL connections -#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' - -# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the -# capabilities of the auth backend for Keystone. -# If Keystone has been configured to use LDAP as the auth backend then set -# can_edit_user to False and name to 'ldap'. -# -# TODO(tres): Remove these once Keystone has an API to identify auth backend. -OPENSTACK_KEYSTONE_BACKEND = { - 'name': 'native', - 'can_edit_user': True, - 'can_edit_group': True, - 'can_edit_project': True, - 'can_edit_domain': True, - 'can_edit_role': True, -} - -# Setting this to True, will add a new "Retrieve Password" action on instance, -# allowing Admin session password retrieval/decryption. -#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False - -# The Launch Instance user experience has been significantly enhanced. -# You can choose whether to enable the new launch instance experience, -# the legacy experience, or both. The legacy experience will be removed -# in a future release, but is available as a temporary backup setting to ensure -# compatibility with existing deployments. Further development will not be -# done on the legacy experience. Please report any problems with the new -# experience via the Launchpad tracking system. -# -# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to -# determine the experience to enable. Set them both to true to enable -# both. -#LAUNCH_INSTANCE_LEGACY_ENABLED = True -#LAUNCH_INSTANCE_NG_ENABLED = False - -# A dictionary of settings which can be used to provide the default values for -# properties found in the Launch Instance modal. -#LAUNCH_INSTANCE_DEFAULTS = { -# 'config_drive': False, -# 'enable_scheduler_hints': True, -# 'disable_image': False, -# 'disable_instance_snapshot': False, -# 'disable_volume': False, -# 'disable_volume_snapshot': False, -# 'create_volume': True, -#} - -# The Xen Hypervisor has the ability to set the mount point for volumes -# attached to instances (other Hypervisors currently do not). Setting -# can_set_mount_point to True will add the option to set the mount point -# from the UI. -OPENSTACK_HYPERVISOR_FEATURES = { - 'can_set_mount_point': False, - 'can_set_password': False, - 'requires_keypair': False, - 'enable_quotas': True -} - -# This settings controls whether IP addresses of servers are retrieved from -# neutron in the project instance table. Setting this to ``False`` may mitigate -# a performance issue in the project instance table in large deployments. -#OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True - -# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional -# services provided by cinder that is not exposed by its extension API. -OPENSTACK_CINDER_FEATURES = { - 'enable_backup': False, -} - -# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional -# services provided by neutron. Options currently available are load -# balancer service, security groups, quotas, VPN service. -OPENSTACK_NEUTRON_NETWORK = { - 'enable_router': True, - 'enable_quotas': True, - 'enable_ipv6': True, - 'enable_distributed_router': False, - 'enable_ha_router': False, - 'enable_fip_topology_check': True, - - # Default dns servers you would like to use when a subnet is - # created. This is only a default, users can still choose a different - # list of dns servers when creating a new subnet. - # The entries below are examples only, and are not appropriate for - # real deployments - # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"], - - # Set which provider network types are supported. Only the network types - # in this list will be available to choose from when creating a network. - # Network types include local, flat, vlan, gre, vxlan and geneve. - # 'supported_provider_types': ['*'], - - # You can configure available segmentation ID range per network type - # in your deployment. - # 'segmentation_id_range': { - # 'vlan': [1024, 2048], - # 'vxlan': [4094, 65536], - # }, - - # You can define additional provider network types here. - # 'extra_provider_types': { - # 'awesome_type': { - # 'display_name': 'Awesome New Type', - # 'require_physical_network': False, - # 'require_segmentation_id': True, - # } - # }, - - # Set which VNIC types are supported for port binding. Only the VNIC - # types in this list will be available to choose from when creating a - # port. - # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap', - # 'baremetal' and 'virtio-forwarder' - # Set to empty list or None to disable VNIC type selection. - 'supported_vnic_types': ['*'], - - # Set list of available physical networks to be selected in the physical - # network field on the admin create network modal. If it's set to an empty - # list, the field will be a regular input field. - # e.g. ['default', 'test'] - 'physical_networks': [], - -} - -# The OPENSTACK_HEAT_STACK settings can be used to disable password -# field required while launching the stack. -OPENSTACK_HEAT_STACK = { - 'enable_user_pass': True, -} - -# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features -# in the OpenStack Dashboard related to the Image service, such as the list -# of supported image formats. -#OPENSTACK_IMAGE_BACKEND = { -# 'image_formats': [ -# ('', _('Select format')), -# ('aki', _('AKI - Amazon Kernel Image')), -# ('ami', _('AMI - Amazon Machine Image')), -# ('ari', _('ARI - Amazon Ramdisk Image')), -# ('docker', _('Docker')), -# ('iso', _('ISO - Optical Disk Image')), -# ('ova', _('OVA - Open Virtual Appliance')), -# ('qcow2', _('QCOW2 - QEMU Emulator')), -# ('raw', _('Raw')), -# ('vdi', _('VDI - Virtual Disk Image')), -# ('vhd', _('VHD - Virtual Hard Disk')), -# ('vhdx', _('VHDX - Large Virtual Hard Disk')), -# ('vmdk', _('VMDK - Virtual Machine Disk')), -# ], -#} - -# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for -# image custom property attributes that appear on image detail pages. -IMAGE_CUSTOM_PROPERTY_TITLES = { - "architecture": _("Architecture"), - "kernel_id": _("Kernel ID"), - "ramdisk_id": _("Ramdisk ID"), - "image_state": _("Euca2ools state"), - "project_id": _("Project ID"), - "image_type": _("Image Type"), -} - -# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image -# custom properties should not be displayed in the Image Custom Properties -# table. -IMAGE_RESERVED_CUSTOM_PROPERTIES = [] - -# Set to 'legacy' or 'direct' to allow users to upload images to glance via -# Horizon server. When enabled, a file form field will appear on the create -# image form. If set to 'off', there will be no file form field on the create -# image form. See documentation for deployment considerations. -#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' - -# Allow a location to be set when creating or updating Glance images. -# If using Glance V2, this value should be False unless the Glance -# configuration and policies allow setting locations. -#IMAGES_ALLOW_LOCATION = False - -# A dictionary of default settings for create image modal. -#CREATE_IMAGE_DEFAULTS = { -# 'image_visibility': "public", -#} - -# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints -# in the Keystone service catalog. Use this setting when Horizon is running -# external to the OpenStack environment. The default is 'publicURL'. -#OPENSTACK_ENDPOINT_TYPE = "publicURL" - -# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the -# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints -# in the Keystone service catalog. Use this setting when Horizon is running -# external to the OpenStack environment. The default is None. This -# value should differ from OPENSTACK_ENDPOINT_TYPE if used. -#SECONDARY_ENDPOINT_TYPE = None - -# The number of objects (Swift containers/objects or images) to display -# on a single page before providing a paging element (a "more" link) -# to paginate results. -API_RESULT_LIMIT = 1000 -API_RESULT_PAGE_SIZE = 20 - -# The size of chunk in bytes for downloading objects from Swift -SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 - -# The default number of lines displayed for instance console log. -INSTANCE_LOG_LENGTH = 35 - -# Specify a maximum number of items to display in a dropdown. -DROPDOWN_MAX_ITEMS = 30 - -# The timezone of the server. This should correspond with the timezone -# of your entire OpenStack installation, and hopefully be in UTC. -TIME_ZONE = "UTC" - -# When launching an instance, the menu of available flavors is -# sorted by RAM usage, ascending. If you would like a different sort order, -# you can provide another flavor attribute as sorting key. Alternatively, you -# can provide a custom callback method to use for sorting. You can also provide -# a flag for reverse sort. For more info, see -# http://docs.python.org/2/library/functions.html#sorted -#CREATE_INSTANCE_FLAVOR_SORT = { -# 'key': 'name', -# # or -# 'key': my_awesome_callback_method, -# 'reverse': False, -#} - -# Set this to True to display an 'Admin Password' field on the Change Password -# form to verify that it is indeed the admin logged-in who wants to change -# the password. -#ENFORCE_PASSWORD_CHECK = False - -# Modules that provide /auth routes that can be used to handle different types -# of user authentication. Add auth plugins that require extra route handling to -# this list. -#AUTHENTICATION_URLS = [ -# 'openstack_auth.urls', -#] - -# The Horizon Policy Enforcement engine uses these values to load per service -# policy rule files. The content of these files should match the files the -# OpenStack services are using to determine role based access control in the -# target installation. - -# Path to directory containing policy.json files -#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") - -# Map of local copy of service policy files. -# Please insure that your identity policy file matches the one being used on -# your keystone servers. There is an alternate policy file that may be used -# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. -# This file is not included in the Horizon repository by default but can be -# found at -# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ -# policy.v3cloudsample.json -# Having matching policy files on the Horizon and Keystone servers is essential -# for normal operation. This holds true for all services and their policy files. -#POLICY_FILES = { -# 'identity': 'keystone_policy.json', -# 'compute': 'nova_policy.json', -# 'volume': 'cinder_policy.json', -# 'image': 'glance_policy.json', -# 'network': 'neutron_policy.json', -#} - -# Change this patch to the appropriate list of tuples containing -# a key, label and static directory containing two files: -# _variables.scss and _styles.scss -AVAILABLE_THEMES = [ - ('default', 'Default', 'themes/default'), -# ('material', 'Material', 'themes/material'), -] - -LOGGING = { - 'version': 1, - # When set to True this will disable all logging except - # for loggers specified in this configuration dictionary. Note that - # if nothing is specified here and disable_existing_loggers is True, - # django.db.backends will still log unless it is disabled explicitly. - 'disable_existing_loggers': False, - # If apache2 mod_wsgi is used to deploy OpenStack dashboard - # timestamp is output by mod_wsgi. If WSGI framework you use does not - # output timestamp for logging, add %(asctime)s in the following - # format definitions. - 'formatters': { - 'console': { - 'format': '%(levelname)s %(name)s %(message)s' - }, - 'operation': { - # The format of "%(message)s" is defined by - # OPERATION_LOG_OPTIONS['format'] - 'format': '%(message)s' - }, - }, - 'handlers': { - 'null': { - 'level': 'DEBUG', - 'class': 'logging.NullHandler', - }, - 'console': { - # Set the level to "DEBUG" for verbose output logging. - 'level': 'INFO', - 'class': 'logging.StreamHandler', - 'formatter': 'console', - }, - 'operation': { - 'level': 'INFO', - 'class': 'logging.StreamHandler', - 'formatter': 'operation', - }, - }, - 'loggers': { - 'horizon': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'horizon.operation_log': { - 'handlers': ['operation'], - 'level': 'INFO', - 'propagate': False, - }, - 'openstack_dashboard': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'novaclient': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'cinderclient': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'keystoneauth': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'keystoneclient': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'glanceclient': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'neutronclient': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'swiftclient': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'oslo_policy': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'openstack_auth': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - 'django': { - 'handlers': ['console'], - 'level': 'DEBUG', - 'propagate': False, - }, - # Logging from django.db.backends is VERY verbose, send to null - # by default. - 'django.db.backends': { - 'handlers': ['null'], - 'propagate': False, - }, - 'requests': { - 'handlers': ['null'], - 'propagate': False, - }, - 'urllib3': { - 'handlers': ['null'], - 'propagate': False, - }, - 'chardet.charsetprober': { - 'handlers': ['null'], - 'propagate': False, - }, - 'iso8601': { - 'handlers': ['null'], - 'propagate': False, - }, - 'scss': { - 'handlers': ['null'], - 'propagate': False, - }, - }, -} - -# 'direction' should not be specified for all_tcp/udp/icmp. -# It is specified in the form. -SECURITY_GROUP_RULES = { - 'all_tcp': { - 'name': _('All TCP'), - 'ip_protocol': 'tcp', - 'from_port': '1', - 'to_port': '65535', - }, - 'all_udp': { - 'name': _('All UDP'), - 'ip_protocol': 'udp', - 'from_port': '1', - 'to_port': '65535', - }, - 'all_icmp': { - 'name': _('All ICMP'), - 'ip_protocol': 'icmp', - 'from_port': '-1', - 'to_port': '-1', - }, - 'ssh': { - 'name': 'SSH', - 'ip_protocol': 'tcp', - 'from_port': '22', - 'to_port': '22', - }, - 'smtp': { - 'name': 'SMTP', - 'ip_protocol': 'tcp', - 'from_port': '25', - 'to_port': '25', - }, - 'dns': { - 'name': 'DNS', - 'ip_protocol': 'tcp', - 'from_port': '53', - 'to_port': '53', - }, - 'http': { - 'name': 'HTTP', - 'ip_protocol': 'tcp', - 'from_port': '80', - 'to_port': '80', - }, - 'pop3': { - 'name': 'POP3', - 'ip_protocol': 'tcp', - 'from_port': '110', - 'to_port': '110', - }, - 'imap': { - 'name': 'IMAP', - 'ip_protocol': 'tcp', - 'from_port': '143', - 'to_port': '143', - }, - 'ldap': { - 'name': 'LDAP', - 'ip_protocol': 'tcp', - 'from_port': '389', - 'to_port': '389', - }, - 'https': { - 'name': 'HTTPS', - 'ip_protocol': 'tcp', - 'from_port': '443', - 'to_port': '443', - }, - 'smtps': { - 'name': 'SMTPS', - 'ip_protocol': 'tcp', - 'from_port': '465', - 'to_port': '465', - }, - 'imaps': { - 'name': 'IMAPS', - 'ip_protocol': 'tcp', - 'from_port': '993', - 'to_port': '993', - }, - 'pop3s': { - 'name': 'POP3S', - 'ip_protocol': 'tcp', - 'from_port': '995', - 'to_port': '995', - }, - 'ms_sql': { - 'name': 'MS SQL', - 'ip_protocol': 'tcp', - 'from_port': '1433', - 'to_port': '1433', - }, - 'mysql': { - 'name': 'MYSQL', - 'ip_protocol': 'tcp', - 'from_port': '3306', - 'to_port': '3306', - }, - 'rdp': { - 'name': 'RDP', - 'ip_protocol': 'tcp', - 'from_port': '3389', - 'to_port': '3389', - }, -} - -# Deprecation Notice: -# -# The setting FLAVOR_EXTRA_KEYS has been deprecated. -# Please load extra spec metadata into the Glance Metadata Definition Catalog. -# -# The sample quota definitions can be found in: -# /etc/metadefs/compute-quota.json -# -# The metadata definition catalog supports CLI and API: -# $glance --os-image-api-version 2 help md-namespace-import -# $glance-manage db_load_metadefs -# -# See Metadata Definitions on: -# https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html - -# The hash algorithm to use for authentication tokens. This must -# match the hash algorithm that the identity server and the -# auth_token middleware are using. Allowed values are the -# algorithms supported by Python's hashlib library. -#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' - -# AngularJS requires some settings to be made available to -# the client side. Some settings are required by in-tree / built-in horizon -# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the -# form of ['SETTING_1','SETTING_2'], etc. -# -# You may remove settings from this list for security purposes, but do so at -# the risk of breaking a built-in horizon feature. These settings are required -# for horizon to function properly. Only remove them if you know what you -# are doing. These settings may in the future be moved to be defined within -# the enabled panel configuration. -# You should not add settings to this list for out of tree extensions. -# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI -REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', - 'LAUNCH_INSTANCE_DEFAULTS', - 'OPENSTACK_IMAGE_FORMATS', - 'OPENSTACK_KEYSTONE_BACKEND', - 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', - 'CREATE_IMAGE_DEFAULTS', - 'ENFORCE_PASSWORD_CHECK'] - -# Additional settings can be made available to the client side for -# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS -# !! Please use extreme caution as the settings are transferred via HTTP/S -# and are not encrypted on the browser. This is an experimental API and -# may be deprecated in the future without notice. -#REST_API_ADDITIONAL_SETTINGS = [] - -############################################################################### -# Ubuntu Settings -############################################################################### - - # The default theme if no cookie is present -DEFAULT_THEME = 'default' - -# Default Ubuntu apache configuration uses /horizon as the application root. -WEBROOT='/horizon/' - -# By default, validation of the HTTP Host header is disabled. Production -# installations should have this set accordingly. For more information -# see https://docs.djangoproject.com/en/dev/ref/settings/. -ALLOWED_HOSTS = '*' - -# Compress all assets offline as part of packaging installation -COMPRESS_OFFLINE = True - -# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded -# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame -# Scripting (XFS) vulnerability, so this option allows extra security hardening -# where iframes are not used in deployment. Default setting is True. -# For more information see: -# http://tinyurl.com/anticlickjack -#DISALLOW_IFRAME_EMBED = True - -# Help URL can be made available for the client. To provide a help URL, edit the -# following attribute to the URL of your choice. -#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" - -# Settings for OperationLogMiddleware -# OPERATION_LOG_ENABLED is flag to use the function to log an operation on -# Horizon. -# mask_targets is arrangement for appointing a target to mask. -# method_targets is arrangement of HTTP method to output log. -# format is the log contents. -#OPERATION_LOG_ENABLED = False -#OPERATION_LOG_OPTIONS = { -# 'mask_fields': ['password'], -# 'target_methods': ['POST'], -# 'ignored_urls': ['/js/', '/static/', '^/api/'], -# 'format': ("[%(client_ip)s] [%(domain_name)s]" -# " [%(domain_id)s] [%(project_name)s]" -# " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]" -# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" -# " [%(http_status)s] [%(param)s]"), -#} - -# The default date range in the Overview panel meters - either minus N -# days (if the value is integer N), or from the beginning of the current month -# until today (if set to None). This setting should be used to limit the amount -# of data fetched by default when rendering the Overview panel. -#OVERVIEW_DAYS_RANGE = 1 - -# To allow operators to require users provide a search criteria first -# before loading any data into the views, set the following dict -# attributes to True in each one of the panels you want to enable this feature. -# Follow the convention . -#FILTER_DATA_FIRST = { -# 'admin.instances': False, -# 'admin.images': False, -# 'admin.networks': False, -# 'admin.routers': False, -# 'admin.volumes': False, -# 'identity.users': False, -# 'identity.projects': False, -# 'identity.groups': False, -# 'identity.roles': False -#} - -# Dict used to restrict user private subnet cidr range. -# An empty list means that user input will not be restricted -# for a corresponding IP version. By default, there is -# no restriction for IPv4 or IPv6. To restrict -# user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR -# to something like -#ALLOWED_PRIVATE_SUBNET_CIDR = { -# 'ipv4': ['10.0.0.0/8', '192.168.0.0/16'], -# 'ipv6': ['fc00::/7'] -#} -ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} - -# Projects and users can have extra attributes as defined by keystone v3. -# Horizon has the ability to display these extra attributes via this setting. -# If you'd like to display extra data in the project or user tables, set the -# corresponding dict key to the attribute name, followed by the display name. -# For more information, see horizon's customization -# (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides) -#PROJECT_TABLE_EXTRA_INFO = { -# 'phone_num': _('Phone Number'), -#} -#USER_TABLE_EXTRA_INFO = { -# 'phone_num': _('Phone Number'), -#} - -# Password will have an expiration date when using keystone v3 and enabling the -# feature. -# This setting allows you to set the number of days that the user will be alerted -# prior to the password expiration. -# Once the password expires keystone will deny the access and users must -# contact an admin to change their password. -#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 From 915fb7149ef3175cada5d4183eb3eea7dbda2ca9 Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:22:07 +0100 Subject: [PATCH 05/18] Delete conf_conductor directory --- conf_conductor/iotronic.conf | 102 ----------------------------------- 1 file changed, 102 deletions(-) delete mode 100644 conf_conductor/iotronic.conf diff --git a/conf_conductor/iotronic.conf b/conf_conductor/iotronic.conf deleted file mode 100644 index 30371a1..0000000 --- a/conf_conductor/iotronic.conf +++ /dev/null @@ -1,102 +0,0 @@ -[DEFAULT] -transport_url = rabbit://openstack:unime@rabbitmq - -debug=True -log_file = /var/log/iotronic/iotronic-conductor.log -proxy=nginx - - -# Authentication strategy used by iotronic-api: one of -# "keystone" or "noauth". "noauth" should not be used in a -# production environment because all authentication will be -# disabled. (string value) -auth_strategy=keystone - -# Enable pecan debug mode. WARNING: this is insecure and -# should not be used in a production environment. (boolean -# value) -#pecan_debug=false - - -[conductor] -service_port_min=50000 -service_port_max=50100 - -[wamp] -wamp_transport_url = ws://iotronic-wagent:8181/ -wamp_realm = s4t -#skip_cert_verify= False -register_agent = True - - - -[database] -connection = mysql+pymysql://iotronic:unime@iotronic-db/iotronic - -[keystone_authtoken] -www_authenticate_uri = http://keystone:5000 -auth_url = http://keystone:5000 -auth_plugin = password -auth_type = password -project_domain_id = default -user_domain_id = default -project_name = service -username = iotronic -password = unime - - -[neutron] -auth_url = http://controller:5000 -url = http://controller:9696 -auth_strategy = password -auth_type = password -project_domain_name = default -user_domain_name = default -region_name = RegionOne -project_name = service -username = neutron -password = NEUTRON_PASS -retries = 3 -project_domain_id= default - - -[designate] -auth_url = http://controller:5000 -url = http://controller:9001 -auth_strategy = password -project_domain_name = default -user_domain_name = default -region_name = RegionOne -project_name = service -username = designate -password = password -retries = 3 -project_domain_id= default - - -[cors] -# Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. Format: -# "://[:]", no trailing slash. Example: -# https://horizon.example.com (list value) -#allowed_origin = - -# Indicate that the actual request can include user -# credentials (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. -# Defaults to HTTP Simple Headers. (list value) -#expose_headers = - -# Maximum cache age of CORS preflight requests. (integer -# value) -#max_age = 3600 - -# Indicate which methods can be used during the actual -# request. (list value) -#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH - -# Indicate which header field names may be used during the -# actual request. (list value) -#allow_headers = From 9abb78af2bb0011e082b77fa61779d0b2c2e04a0 Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:22:16 +0100 Subject: [PATCH 06/18] Delete conf_keystone directory --- conf_keystone/keystone.conf | 2715 ----------------------------------- 1 file changed, 2715 deletions(-) delete mode 100644 conf_keystone/keystone.conf diff --git a/conf_keystone/keystone.conf b/conf_keystone/keystone.conf deleted file mode 100644 index 01e3d6f..0000000 --- a/conf_keystone/keystone.conf +++ /dev/null @@ -1,2715 +0,0 @@ -[DEFAULT] -debug = True -#log_config = /etc/keystone/logging.conf -log_dir = /var/log/keystone - -# -# From keystone -# - -# Using this feature is *NOT* recommended. Instead, use the `keystone-manage -# bootstrap` command. The value of this option is treated as a "shared secret" -# that can be used to bootstrap Keystone through the API. This "token" does not -# represent a user (it has no identity), and carries no explicit authorization -# (it effectively bypasses most authorization checks). If set to `None`, the -# value is ignored and the `admin_token` middleware is effectively disabled. -# (string value) -#admin_token = - -# The base public endpoint URL for Keystone that is advertised to clients -# (NOTE: this does NOT affect how Keystone listens for connections). Defaults -# to the base host URL of the request. For example, if keystone receives a -# request to `http://server:5000/v3/users`, then this will option will be -# automatically treated as `http://server:5000`. You should only need to set -# option if either the value of the base URL contains a path that keystone does -# not automatically infer (`/prefix/v3`), or if the endpoint should be found on -# a different host. (uri value) -#public_endpoint = - -# DEPRECATED: The base admin endpoint URL for Keystone that is advertised to -# clients (NOTE: this does NOT affect how Keystone listens for connections). -# Defaults to the base host URL of the request. For example, if keystone -# receives a request to `http://server:35357/v3/users`, then this will option -# will be automatically treated as `http://server:35357`. You should only need -# to set option if either the value of the base URL contains a path that -# keystone does not automatically infer (`/prefix/v3`), or if the endpoint -# should be found on a different host. (uri value) -# This option is deprecated for removal since R. -# Its value may be silently ignored in the future. -# Reason: With the removal of the 2.0 API keystone does not distinguish between -# admin and public endpoints. -#admin_endpoint = - -# Maximum depth of the project hierarchy, excluding the project acting as a -# domain at the top of the hierarchy. WARNING: Setting it to a large value may -# adversely impact performance. (integer value) -#max_project_tree_depth = 5 - -# Limit the sizes of user & project ID/names. (integer value) -#max_param_size = 64 - -# Similar to `[DEFAULT] max_param_size`, but provides an exception for token -# values. With Fernet tokens, this can be set as low as 255. With UUID tokens, -# this should be set to 32). (integer value) -#max_token_size = 255 - -# The maximum number of entities that will be returned in a collection. This -# global limit may be then overridden for a specific driver, by specifying a -# list_limit in the appropriate section (for example, `[assignment]`). No limit -# is set by default. In larger deployments, it is recommended that you set this -# to a reasonable number to prevent operations like listing all users and -# projects from placing an unnecessary load on the system. (integer value) -#list_limit = - -# If set to true, strict password length checking is performed for password -# manipulation. If a password exceeds the maximum length, the operation will -# fail with an HTTP 403 Forbidden error. If set to false, passwords are -# automatically truncated to the maximum length. (boolean value) -#strict_password_check = false - -# If set to true, then the server will return information in HTTP responses -# that may allow an unauthenticated or authenticated user to get more -# information than normal, such as additional details about why authentication -# failed. This may be useful for debugging but is insecure. (boolean value) -#insecure_debug = false - -# Default `publisher_id` for outgoing notifications. If left undefined, -# Keystone will default to using the server's host name. (string value) -#default_publisher_id = - -# Define the notification format for identity service events. A `basic` -# notification only has information about the resource being operated on. A -# `cadf` notification has the same information, as well as information about -# the initiator of the event. The `cadf` option is entirely backwards -# compatible with the `basic` option, but is fully CADF-compliant, and is -# recommended for auditing use cases. (string value) -# Possible values: -# basic - -# cadf - -#notification_format = cadf - -# You can reduce the number of notifications keystone emits by explicitly -# opting out. Keystone will not emit notifications that match the patterns -# expressed in this list. Values are expected to be in the form of -# `identity..`. By default, all notifications related -# to authentication are automatically suppressed. This field can be set -# multiple times in order to opt-out of multiple notification topics. For -# example, the following suppresses notifications describing user creation or -# successful authentication events: notification_opt_out=identity.user.create -# notification_opt_out=identity.authenticate.success (multi valued) -#notification_opt_out = identity.authenticate.success -#notification_opt_out = identity.authenticate.pending -#notification_opt_out = identity.authenticate.failed - -# -# From oslo.log -# - -# If set to true, the logging level will be set to DEBUG instead of the default -# INFO level. (boolean value) -# Note: This option can be changed without restarting. -#debug = false - -# The name of a logging configuration file. This file is appended to any -# existing logging configuration files. For details about logging configuration -# files, see the Python logging module documentation. Note that when logging -# configuration files are used then all logging configuration is set in the -# configuration file and other logging configuration options are ignored (for -# example, log-date-format). (string value) -# Note: This option can be changed without restarting. -# Deprecated group/name - [DEFAULT]/log_config -#log_config_append = - -# Defines the format string for %%(asctime)s in log records. Default: -# %(default)s . This option is ignored if log_config_append is set. (string -# value) -#log_date_format = %Y-%m-%d %H:%M:%S - -# (Optional) Name of log file to send logging output to. If no default is set, -# logging will go to stderr as defined by use_stderr. This option is ignored if -# log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logfile -#log_file = - -# (Optional) The base directory used for relative log_file paths. This option -# is ignored if log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logdir -#log_dir = - -# Uses logging handler designed to watch file system. When log file is moved or -# removed this handler will open a new log file with specified path -# instantaneously. It makes sense only if log_file option is specified and -# Linux platform is used. This option is ignored if log_config_append is set. -# (boolean value) -#watch_log_file = false - -# Use syslog for logging. Existing syslog format is DEPRECATED and will be -# changed later to honor RFC5424. This option is ignored if log_config_append -# is set. (boolean value) -#use_syslog = false - -# Enable journald for logging. If running in a systemd environment you may wish -# to enable journal support. Doing so will use the journal native protocol -# which includes structured metadata in addition to log messages.This option is -# ignored if log_config_append is set. (boolean value) -#use_journal = false - -# Syslog facility to receive log lines. This option is ignored if -# log_config_append is set. (string value) -#syslog_log_facility = LOG_USER - -# Use JSON formatting for logging. This option is ignored if log_config_append -# is set. (boolean value) -#use_json = false - -# Log output to standard error. This option is ignored if log_config_append is -# set. (boolean value) -#use_stderr = false - -# Log output to Windows Event Log. (boolean value) -#use_eventlog = false - -# The amount of time before the log files are rotated. This option is ignored -# unless log_rotation_type is setto "interval". (integer value) -#log_rotate_interval = 1 - -# Rotation interval type. The time of the last file change (or the time when -# the service was started) is used when scheduling the next rotation. (string -# value) -# Possible values: -# Seconds - -# Minutes - -# Hours - -# Days - -# Weekday - -# Midnight - -#log_rotate_interval_type = days - -# Maximum number of rotated log files. (integer value) -#max_logfile_count = 30 - -# Log file maximum size in MB. This option is ignored if "log_rotation_type" is -# not set to "size". (integer value) -#max_logfile_size_mb = 200 - -# Log rotation type. (string value) -# Possible values: -# interval - Rotate logs at predefined time intervals. -# size - Rotate logs once they reach a predefined size. -# none - Do not rotate log files. -#log_rotation_type = none - -# Format string to use for log messages with context. Used by -# oslo_log.formatters.ContextFormatter (string value) -#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s - -# Format string to use for log messages when context is undefined. Used by -# oslo_log.formatters.ContextFormatter (string value) -#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s - -# Additional data to append to log message when logging level for the message -# is DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) -#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d - -# Prefix each line of exception output with this format. Used by -# oslo_log.formatters.ContextFormatter (string value) -#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s - -# Defines the format string for %(user_identity)s that is used in -# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter -# (string value) -#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s - -# List of package logging levels in logger=LEVEL pairs. This option is ignored -# if log_config_append is set. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO - -# Enables or disables publication of error events. (boolean value) -#publish_errors = false - -# The format for an instance that is passed with the log message. (string -# value) -#instance_format = "[instance: %(uuid)s] " - -# The format for an instance UUID that is passed with the log message. (string -# value) -#instance_uuid_format = "[instance: %(uuid)s] " - -# Interval, number of seconds, of log rate limiting. (integer value) -#rate_limit_interval = 0 - -# Maximum number of logged messages per rate_limit_interval. (integer value) -#rate_limit_burst = 0 - -# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG -# or empty string. Logs with level greater or equal to rate_limit_except_level -# are not filtered. An empty string means that all levels are filtered. (string -# value) -#rate_limit_except_level = CRITICAL - -# Enables or disables fatal status of deprecations. (boolean value) -#fatal_deprecations = false - -# -# From oslo.messaging -# - -# Size of RPC connection pool. (integer value) -#rpc_conn_pool_size = 30 - -# The pool size limit for connections expiration policy (integer value) -#conn_pool_min_size = 2 - -# The time-to-live in sec of idle connections in the pool (integer value) -#conn_pool_ttl = 1200 - -# Size of executor thread pool when executor is threading or eventlet. (integer -# value) -# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size -#executor_thread_pool_size = 64 - -# Seconds to wait for a response from a call. (integer value) -#rpc_response_timeout = 60 - -# The network address and optional user credentials for connecting to the -# messaging backend, in URL format. The expected format is: -# -# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query -# -# Example: rabbit://rabbitmq:password@127.0.0.1:5672// -# -# For full details on the fields in the URL see the documentation of -# oslo_messaging.TransportURL at -# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html -# (string value) -#transport_url = rabbit:// - -# The default exchange under which topics are scoped. May be overridden by an -# exchange name specified in the transport_url option. (string value) -#control_exchange = keystone - - -[access_rules_config] - -# -# From keystone -# - -# Entry point for the access rules config backend driver in the -# `keystone.access_rules_config` namespace. Keystone only provides a `json` -# driver, so there is no reason to change this unless you are providing a -# custom entry point. (string value) -#driver = json - -# Toggle for access rules caching. This has no effect unless global caching is -# enabled. (boolean value) -#caching = true - -# Time to cache access rule data in seconds. This has no effect unless global -# caching is enabled. (integer value) -#cache_time = - -# Path to access rules configuration. If not present, no access rule -# configuration will be loaded and application credential access rules will be -# unavailable. (string value) -#rules_file = /etc/keystone/access_rules.json - -# Toggles permissive mode for access rules. When enabled, application -# credentials can be created with any access rules regardless of operator's -# configuration. (boolean value) -#permissive = false - - -[application_credential] - -# -# From keystone -# - -# Entry point for the application credential backend driver in the -# `keystone.application_credential` namespace. Keystone only provides a `sql` -# driver, so there is no reason to change this unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Toggle for application credential caching. This has no effect unless global -# caching is enabled. (boolean value) -#caching = true - -# Time to cache application credential data in seconds. This has no effect -# unless global caching is enabled. (integer value) -#cache_time = - -# Maximum number of application credentials a user is permitted to create. A -# value of -1 means unlimited. If a limit is not set, users are permitted to -# create application credentials at will, which could lead to bloat in the -# keystone database or open keystone to a DoS attack. (integer value) -#user_limit = -1 - - -[assignment] - -# -# From keystone -# - -# Entry point for the assignment backend driver (where role assignments are -# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied -# by keystone itself. Unless you are writing proprietary drivers for keystone, -# you do not need to set this option. (string value) -#driver = sql - -# A list of role names which are prohibited from being an implied role. (list -# value) -#prohibited_implied_role = admin - - -[auth] - -# -# From keystone -# - -# Allowed authentication methods. Note: You should disable the `external` auth -# method if you are currently using federation. External auth and federation -# both use the REMOTE_USER variable. Since both the mapped and external plugin -# are being invoked to validate attributes in the request environment, it can -# cause conflicts. (list value) -#methods = external,password,token,oauth1,mapped,application_credential - -# Entry point for the password auth plugin module in the -# `keystone.auth.password` namespace. You do not need to set this unless you -# are overriding keystone's own password authentication plugin. (string value) -#password = - -# Entry point for the token auth plugin module in the `keystone.auth.token` -# namespace. You do not need to set this unless you are overriding keystone's -# own token authentication plugin. (string value) -#token = - -# Entry point for the external (`REMOTE_USER`) auth plugin module in the -# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and -# `Domain`. The default driver is `DefaultDomain`, which assumes that all users -# identified by the username specified to keystone in the `REMOTE_USER` -# variable exist within the context of the default domain. The `Domain` option -# expects an additional environment variable be presented to keystone, -# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if -# `REMOTE_DOMAIN` is not set, then the default domain will be used instead). -# You do not need to set this unless you are taking advantage of "external -# authentication", where the application server (such as Apache) is handling -# authentication instead of keystone. (string value) -#external = - -# Entry point for the OAuth 1.0a auth plugin module in the -# `keystone.auth.oauth1` namespace. You do not need to set this unless you are -# overriding keystone's own `oauth1` authentication plugin. (string value) -#oauth1 = - -# Entry point for the mapped auth plugin module in the `keystone.auth.mapped` -# namespace. You do not need to set this unless you are overriding keystone's -# own `mapped` authentication plugin. (string value) -#mapped = - -# Entry point for the application_credential auth plugin module in the -# `keystone.auth.application_credential` namespace. You do not need to set this -# unless you are overriding keystone's own `application_credential` -# authentication plugin. (string value) -#application_credential = - - -[cache] - -# -# From oslo.cache -# - -# Prefix for building the configuration dictionary for the cache region. This -# should not need to be changed unless there is another dogpile.cache region -# with the same configuration name. (string value) -#config_prefix = cache.oslo - -# Default TTL, in seconds, for any cached item in the dogpile.cache region. -# This applies to any cached method that doesn't have an explicit cache -# expiration time defined for it. (integer value) -#expiration_time = 600 - -# Cache backend module. For eventlet-based or environments with hundreds of -# threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is -# recommended. For environments with less than 100 threaded servers, Memcached -# (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test -# environments with a single instance of the server can use the -# dogpile.cache.memory backend. (string value) -# Possible values: -# oslo_cache.memcache_pool - -# oslo_cache.dict - -# oslo_cache.mongo - -# oslo_cache.etcd3gw - -# dogpile.cache.memcached - -# dogpile.cache.pylibmc - -# dogpile.cache.bmemcached - -# dogpile.cache.dbm - -# dogpile.cache.redis - -# dogpile.cache.memory - -# dogpile.cache.memory_pickle - -# dogpile.cache.null - -#backend = dogpile.cache.null - -# Arguments supplied to the backend module. Specify this option once per -# argument to be passed to the dogpile.cache backend. Example format: -# ":". (multi valued) -#backend_argument = - -# Proxy classes to import that will affect the way the dogpile.cache backend -# functions. See the dogpile.cache documentation on changing-backend-behavior. -# (list value) -#proxies = - -# Global toggle for caching. (boolean value) -#enabled = true - -# Extra debugging from the cache backend (cache keys, get/set/delete/etc -# calls). This is only really useful if you need to see the specific cache- -# backend get/set/delete calls with the keys/values. Typically this should be -# left set to false. (boolean value) -#debug_cache_backend = false - -# Memcache servers in the format of "host:port". (dogpile.cache.memcache and -# oslo_cache.memcache_pool backends only). (list value) -#memcache_servers = localhost:11211 - -# Number of seconds memcached server is considered dead before it is tried -# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only). -# (integer value) -#memcache_dead_retry = 300 - -# Timeout in seconds for every call to a server. (dogpile.cache.memcache and -# oslo_cache.memcache_pool backends only). (floating point value) -#memcache_socket_timeout = 3.0 - -# Max total number of open connections to every memcached server. -# (oslo_cache.memcache_pool backend only). (integer value) -#memcache_pool_maxsize = 10 - -# Number of seconds a connection to memcached is held unused in the pool before -# it is closed. (oslo_cache.memcache_pool backend only). (integer value) -#memcache_pool_unused_timeout = 60 - -# Number of seconds that an operation will wait to get a memcache client -# connection. (integer value) -#memcache_pool_connection_get_timeout = 10 - - -[catalog] - -# -# From keystone -# - -# Absolute path to the file used for the templated catalog backend. This option -# is only used if the `[catalog] driver` is set to `templated`. (string value) -#template_file = default_catalog.templates - -# Entry point for the catalog driver in the `keystone.catalog` namespace. -# Keystone provides a `sql` option (which supports basic CRUD operations -# through SQL), a `templated` option (which loads the catalog from a templated -# catalog file on disk), and a `endpoint_filter.sql` option (which supports -# arbitrary service catalogs per project). (string value) -#driver = sql - -# Toggle for catalog caching. This has no effect unless global caching is -# enabled. In a typical deployment, there is no reason to disable this. -# (boolean value) -#caching = true - -# Time to cache catalog data (in seconds). This has no effect unless global and -# catalog caching are both enabled. Catalog data (services, endpoints, etc.) -# typically does not change frequently, and so a longer duration than the -# global default may be desirable. (integer value) -#cache_time = - -# Maximum number of entities that will be returned in a catalog collection. -# There is typically no reason to set this, as it would be unusual for a -# deployment to have enough services or endpoints to exceed a reasonable limit. -# (integer value) -#list_limit = - - -[cors] - -# -# From oslo.middleware -# - -# Indicate whether this resource may be shared with the domain received in the -# requests "origin" header. Format: "://[:]", no trailing -# slash. Example: https://horizon.example.com (list value) -#allowed_origin = - -# Indicate that the actual request can include user credentials (boolean value) -#allow_credentials = true - -# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple -# Headers. (list value) -#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,Openstack-Auth-Receipt - -# Maximum cache age of CORS preflight requests. (integer value) -#max_age = 3600 - -# Indicate which methods can be used during the actual request. (list value) -#allow_methods = GET,PUT,POST,DELETE,PATCH - -# Indicate which header field names may be used during the actual request. -# (list value) -#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name,Openstack-Auth-Receipt - - -[credential] - -# -# From keystone -# - -# Entry point for the credential backend driver in the `keystone.credential` -# namespace. Keystone only provides a `sql` driver, so there's no reason to -# change this unless you are providing a custom entry point. (string value) -#driver = sql - -# Entry point for credential encryption and decryption operations in the -# `keystone.credential.provider` namespace. Keystone only provides a `fernet` -# driver, so there's no reason to change this unless you are providing a custom -# entry point to encrypt and decrypt credentials. (string value) -#provider = fernet - -# Directory containing Fernet keys used to encrypt and decrypt credentials -# stored in the credential backend. Fernet keys used to encrypt credentials -# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets -# of keys should be managed separately and require different rotation policies. -# Do not share this repository with the repository used to manage keys for -# Fernet tokens. (string value) -#key_repository = /etc/keystone/credential-keys/ - - -[database] -connection = mysql+pymysql://keystone:unime@iotronic-db/keystone - -# -# From oslo.db -# - -# If True, SQLite uses synchronous mode. (boolean value) -#sqlite_synchronous = true - -# The back end to use for the database. (string value) -# Deprecated group/name - [DEFAULT]/db_backend -#backend = sqlalchemy - -# The SQLAlchemy connection string to use to connect to the database. (string -# value) -# Deprecated group/name - [DEFAULT]/sql_connection -# Deprecated group/name - [DATABASE]/sql_connection -# Deprecated group/name - [sql]/connection -#connection = - -# The SQLAlchemy connection string to use to connect to the slave database. -# (string value) -#slave_connection = - -# The SQL mode to be used for MySQL sessions. This option, including the -# default, overrides any server-set SQL mode. To use whatever SQL mode is set -# by the server configuration, set this to no value. Example: mysql_sql_mode= -# (string value) -#mysql_sql_mode = TRADITIONAL - -# If True, transparently enables support for handling MySQL Cluster (NDB). -# (boolean value) -#mysql_enable_ndb = false - -# Connections which have been present in the connection pool longer than this -# number of seconds will be replaced with a new one the next time they are -# checked out from the pool. (integer value) -# Deprecated group/name - [DATABASE]/idle_timeout -# Deprecated group/name - [database]/idle_timeout -# Deprecated group/name - [DEFAULT]/sql_idle_timeout -# Deprecated group/name - [DATABASE]/sql_idle_timeout -# Deprecated group/name - [sql]/idle_timeout -#connection_recycle_time = 3600 - -# DEPRECATED: Minimum number of SQL connections to keep open in a pool. -# (integer value) -# Deprecated group/name - [DEFAULT]/sql_min_pool_size -# Deprecated group/name - [DATABASE]/sql_min_pool_size -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: The option to set the minimum pool size is not supported by -# sqlalchemy. -#min_pool_size = 1 - -# Maximum number of SQL connections to keep open in a pool. Setting a value of -# 0 indicates no limit. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_pool_size -# Deprecated group/name - [DATABASE]/sql_max_pool_size -#max_pool_size = 5 - -# Maximum number of database connection retries during startup. Set to -1 to -# specify an infinite retry count. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_retries -# Deprecated group/name - [DATABASE]/sql_max_retries -#max_retries = 10 - -# Interval between retries of opening a SQL connection. (integer value) -# Deprecated group/name - [DEFAULT]/sql_retry_interval -# Deprecated group/name - [DATABASE]/reconnect_interval -#retry_interval = 10 - -# If set, use this value for max_overflow with SQLAlchemy. (integer value) -# Deprecated group/name - [DEFAULT]/sql_max_overflow -# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow -#max_overflow = 50 - -# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer -# value) -# Minimum value: 0 -# Maximum value: 100 -# Deprecated group/name - [DEFAULT]/sql_connection_debug -#connection_debug = 0 - -# Add Python stack traces to SQL as comment strings. (boolean value) -# Deprecated group/name - [DEFAULT]/sql_connection_trace -#connection_trace = false - -# If set, use this value for pool_timeout with SQLAlchemy. (integer value) -# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout -#pool_timeout = - -# Enable the experimental use of database reconnect on connection lost. -# (boolean value) -#use_db_reconnect = false - -# Seconds between retries of a database transaction. (integer value) -#db_retry_interval = 1 - -# If True, increases the interval between retries of a database operation up to -# db_max_retry_interval. (boolean value) -#db_inc_retry_interval = true - -# If db_inc_retry_interval is set, the maximum seconds between retries of a -# database operation. (integer value) -#db_max_retry_interval = 10 - -# Maximum retries in case of connection error or deadlock error before error is -# raised. Set to -1 to specify an infinite retry count. (integer value) -#db_max_retries = 20 - -# Optional URL parameters to append onto the connection URL at connect time; -# specify as param1=value1¶m2=value2&... (string value) -#connection_parameters = - - -[domain_config] - -# -# From keystone -# - -# Entry point for the domain-specific configuration driver in the -# `keystone.resource.domain_config` namespace. Only a `sql` option is provided -# by keystone, so there is no reason to set this unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Toggle for caching of the domain-specific configuration backend. This has no -# effect unless global caching is enabled. There is normally no reason to -# disable this. (boolean value) -#caching = true - -# Time-to-live (TTL, in seconds) to cache domain-specific configuration data. -# This has no effect unless `[domain_config] caching` is enabled. (integer -# value) -#cache_time = 300 - - -[endpoint_filter] - -# -# From keystone -# - -# Entry point for the endpoint filter driver in the `keystone.endpoint_filter` -# namespace. Only a `sql` option is provided by keystone, so there is no reason -# to set this unless you are providing a custom entry point. (string value) -#driver = sql - -# This controls keystone's behavior if the configured endpoint filters do not -# result in any endpoints for a user + project pair (and therefore a -# potentially empty service catalog). If set to true, keystone will return the -# entire service catalog. If set to false, keystone will return an empty -# service catalog. (boolean value) -#return_all_endpoints_if_no_filter = true - - -[endpoint_policy] - -# -# From keystone -# - -# Entry point for the endpoint policy driver in the `keystone.endpoint_policy` -# namespace. Only a `sql` driver is provided by keystone, so there is no reason -# to set this unless you are providing a custom entry point. (string value) -#driver = sql - - -[eventlet_server] - -# -# From keystone -# - -# DEPRECATED: The IP address of the network interface for the public service to -# listen on. (host address value) -# Deprecated group/name - [DEFAULT]/bind_host -# Deprecated group/name - [DEFAULT]/public_bind_host -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#public_bind_host = 0.0.0.0 - -# DEPRECATED: The port number for the public service to listen on. (port value) -# Minimum value: 0 -# Maximum value: 65535 -# Deprecated group/name - [DEFAULT]/public_port -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#public_port = 5000 - -# DEPRECATED: The IP address of the network interface for the admin service to -# listen on. (host address value) -# Deprecated group/name - [DEFAULT]/bind_host -# Deprecated group/name - [DEFAULT]/admin_bind_host -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#admin_bind_host = 0.0.0.0 - -# DEPRECATED: The port number for the admin service to listen on. (port value) -# Minimum value: 0 -# Maximum value: 65535 -# Deprecated group/name - [DEFAULT]/admin_port -# This option is deprecated for removal since K. -# Its value may be silently ignored in the future. -# Reason: Support for running keystone under eventlet has been removed in the -# Newton release. These options remain for backwards compatibility because they -# are used for URL substitutions. -#admin_port = 35357 - - -[extra_headers] -Distribution = Ubuntu - -# -# From keystone -# - -# Specifies the distribution of the keystone server. (string value) -#Distribution = Ubuntu - - -[federation] - -# -# From keystone -# - -# Entry point for the federation backend driver in the `keystone.federation` -# namespace. Keystone only provides a `sql` driver, so there is no reason to -# set this option unless you are providing a custom entry point. (string value) -#driver = sql - -# Prefix to use when filtering environment variable names for federated -# assertions. Matched variables are passed into the federated mapping engine. -# (string value) -#assertion_prefix = - -# Value to be used to obtain the entity ID of the Identity Provider from the -# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For -# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, -# this could be `MELLON_IDP`. (string value) -#remote_id_attribute = - -# An arbitrary domain name that is reserved to allow federated ephemeral users -# to have a domain concept. Note that an admin will not be able to create a -# domain with this name or update an existing domain to this name. You are not -# advised to change this value unless you really have to. (string value) -#federated_domain_name = Federated - -# A list of trusted dashboard hosts. Before accepting a Single Sign-On request -# to return a token, the origin host must be a member of this list. This -# configuration option may be repeated for multiple values. You must set this -# in order to use web-based SSO flows. For example: -# trusted_dashboard=https://acme.example.com/auth/websso -# trusted_dashboard=https://beta.example.com/auth/websso (multi valued) -#trusted_dashboard = - -# Absolute path to an HTML file used as a Single Sign-On callback handler. This -# page is expected to redirect the user from keystone back to a trusted -# dashboard host, by form encoding a token in a POST request. Keystone's -# default value should be sufficient for most deployments. (string value) -#sso_callback_template = /etc/keystone/sso_callback_template.html - -# Toggle for federation caching. This has no effect unless global caching is -# enabled. There is typically no reason to disable this. (boolean value) -#caching = true - - -[fernet_receipts] - -# -# From keystone -# - -# Directory containing Fernet receipt keys. This directory must exist before -# using `keystone-manage fernet_setup` for the first time, must be writable by -# the user running `keystone-manage fernet_setup` or `keystone-manage -# fernet_rotate`, and of course must be readable by keystone's server process. -# The repository may contain keys in one of three states: a single staged key -# (always index 0) used for receipt validation, a single primary key (always -# the highest index) used for receipt creation and validation, and any number -# of secondary keys (all other index values) used for receipt validation. With -# multiple keystone nodes, each node must share the same key repository -# contents, with the exception of the staged key (index 0). It is safe to run -# `keystone-manage fernet_rotate` once on any one node to promote a staged key -# (index 0) to be the new primary (incremented from the previous highest -# index), and produce a new staged key (a new key with index 0); the resulting -# repository can then be atomically replicated to other nodes without any risk -# of race conditions (for example, it is safe to run `keystone-manage -# fernet_rotate` on host A, wait any amount of time, create a tarball of the -# directory on host A, unpack it on host B to a temporary location, and -# atomically move (`mv`) the directory into place on host B). Running -# `keystone-manage fernet_rotate` *twice* on a key repository without syncing -# other nodes will result in receipts that can not be validated by all nodes. -# (string value) -#key_repository = /etc/keystone/fernet-keys/ - -# This controls how many keys are held in rotation by `keystone-manage -# fernet_rotate` before they are discarded. The default value of 3 means that -# keystone will maintain one staged key (always index 0), one primary key (the -# highest numerical index), and one secondary key (every other index). -# Increasing this value means that additional secondary keys will be kept in -# the rotation. (integer value) -# Minimum value: 1 -#max_active_keys = 3 - - -[fernet_tokens] - -# -# From keystone -# - -# Directory containing Fernet token keys. This directory must exist before -# using `keystone-manage fernet_setup` for the first time, must be writable by -# the user running `keystone-manage fernet_setup` or `keystone-manage -# fernet_rotate`, and of course must be readable by keystone's server process. -# The repository may contain keys in one of three states: a single staged key -# (always index 0) used for token validation, a single primary key (always the -# highest index) used for token creation and validation, and any number of -# secondary keys (all other index values) used for token validation. With -# multiple keystone nodes, each node must share the same key repository -# contents, with the exception of the staged key (index 0). It is safe to run -# `keystone-manage fernet_rotate` once on any one node to promote a staged key -# (index 0) to be the new primary (incremented from the previous highest -# index), and produce a new staged key (a new key with index 0); the resulting -# repository can then be atomically replicated to other nodes without any risk -# of race conditions (for example, it is safe to run `keystone-manage -# fernet_rotate` on host A, wait any amount of time, create a tarball of the -# directory on host A, unpack it on host B to a temporary location, and -# atomically move (`mv`) the directory into place on host B). Running -# `keystone-manage fernet_rotate` *twice* on a key repository without syncing -# other nodes will result in tokens that can not be validated by all nodes. -# (string value) -#key_repository = /etc/keystone/fernet-keys/ - -# This controls how many keys are held in rotation by `keystone-manage -# fernet_rotate` before they are discarded. The default value of 3 means that -# keystone will maintain one staged key (always index 0), one primary key (the -# highest numerical index), and one secondary key (every other index). -# Increasing this value means that additional secondary keys will be kept in -# the rotation. (integer value) -# Minimum value: 1 -#max_active_keys = 3 - - -[healthcheck] - -# -# From oslo.middleware -# - -# DEPRECATED: The path to respond to healtcheck requests on. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#path = /healthcheck - -# Show more detailed information as part of the response. Security note: -# Enabling this option may expose sensitive details about the service being -# monitored. Be sure to verify that it will not violate your security policies. -# (boolean value) -#detailed = false - -# Additional backends that can perform health checks and report that -# information back as part of a request. (list value) -#backends = - -# Check the presence of a file to determine if an application is running on a -# port. Used by DisableByFileHealthcheck plugin. (string value) -#disable_by_file_path = - -# Check the presence of a file based on a port to determine if an application -# is running on a port. Expects a "port:path" list of strings. Used by -# DisableByFilesPortsHealthcheck plugin. (list value) -#disable_by_file_paths = - - -[identity] - -# -# From keystone -# - -# This references the domain to use for all Identity API v2 requests (which are -# not aware of domains). A domain with this ID can optionally be created for -# you by `keystone-manage bootstrap`. The domain referenced by this ID cannot -# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There -# is nothing special about this domain, other than the fact that it must exist -# to order to maintain support for your v2 clients. There is typically no -# reason to change this value. (string value) -#default_domain_id = default - -# A subset (or all) of domains can have their own identity driver, each with -# their own partial configuration options, stored in either the resource -# backend or in a file in a domain configuration directory (depending on the -# setting of `[identity] domain_configurations_from_database`). Only values -# specific to the domain need to be specified in this manner. This feature is -# disabled by default, but may be enabled by default in a future release; set -# to true to enable. (boolean value) -#domain_specific_drivers_enabled = false - -# By default, domain-specific configuration data is read from files in the -# directory identified by `[identity] domain_config_dir`. Enabling this -# configuration option allows you to instead manage domain-specific -# configurations through the API, which are then persisted in the backend -# (typically, a SQL database), rather than using configuration files on disk. -# (boolean value) -#domain_configurations_from_database = false - -# Absolute path where keystone should locate domain-specific `[identity]` -# configuration files. This option has no effect unless `[identity] -# domain_specific_drivers_enabled` is set to true. There is typically no reason -# to change this value. (string value) -#domain_config_dir = /etc/keystone/domains - -# Entry point for the identity backend driver in the `keystone.identity` -# namespace. Keystone provides a `sql` and `ldap` driver. This option is also -# used as the default driver selection (along with the other configuration -# variables in this section) in the event that `[identity] -# domain_specific_drivers_enabled` is enabled, but no applicable domain- -# specific configuration is defined for the domain in question. Unless your -# deployment primarily relies on `ldap` AND is not using domain-specific -# configuration, you should typically leave this set to `sql`. (string value) -#driver = sql - -# Toggle for identity caching. This has no effect unless global caching is -# enabled. There is typically no reason to disable this. (boolean value) -#caching = true - -# Time to cache identity data (in seconds). This has no effect unless global -# and identity caching are enabled. (integer value) -#cache_time = 600 - -# Maximum allowed length for user passwords. Decrease this value to improve -# performance. Changing this value does not effect existing passwords. (integer -# value) -# Maximum value: 4096 -#max_password_length = 4096 - -# Maximum number of entities that will be returned in an identity collection. -# (integer value) -#list_limit = - -# The password hashing algorithm to use for passwords stored within keystone. -# (string value) -# Possible values: -# bcrypt - -# scrypt - -# pbkdf2_sha512 - -#password_hash_algorithm = bcrypt - -# This option represents a trade off between security and performance. Higher -# values lead to slower performance, but higher security. Changing this option -# will only affect newly created passwords as existing password hashes already -# have a fixed number of rounds applied, so it is safe to tune this option in a -# running cluster. The default for bcrypt is 12, must be between 4 and 31, -# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The -# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING: -# If using scrypt, increasing this value increases BOTH time AND memory -# requirements to hash a password. (integer value) -#password_hash_rounds = - -# Optional block size to pass to scrypt hash function (the `r` parameter). -# Useful for tuning scrypt to optimal performance for your CPU architecture. -# This option is only used when the `password_hash_algorithm` option is set to -# `scrypt`. Defaults to 8. (integer value) -#scrypt_block_size = - -# Optional parallelism to pass to scrypt hash function (the `p` parameter). -# This option is only used when the `password_hash_algorithm` option is set to -# `scrypt`. Defaults to 1. (integer value) -#scrypt_parallelism = - -# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for -# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a -# maximum of 96 bytes due to the size of the column used to store password -# hashes. (integer value) -# Minimum value: 0 -# Maximum value: 96 -#salt_bytesize = - - -[identity_mapping] - -# -# From keystone -# - -# Entry point for the identity mapping backend driver in the -# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` -# driver, so there is no reason to change this unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Entry point for the public ID generator for user and group entities in the -# `keystone.identity.id_generator` namespace. The Keystone identity mapper only -# supports generators that produce 64 bytes or less. Keystone only provides a -# `sha256` entry point, so there is no reason to change this value unless -# you're providing a custom entry point. (string value) -#generator = sha256 - -# The format of user and group IDs changed in Juno for backends that do not -# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to -# the underlying attribute in LDAP. By default this mapping is disabled, which -# ensures that existing IDs will not change. Even when the mapping is enabled -# by using domain-specific drivers (`[identity] -# domain_specific_drivers_enabled`), any users and groups from the default -# domain being handled by LDAP will still not be mapped to ensure their IDs -# remain backward compatible. Setting this value to false will enable the new -# mapping for all backends, including the default LDAP driver. It is only -# guaranteed to be safe to enable this option if you do not already have -# assignments for users and groups from the default LDAP domain, and you -# consider it to be acceptable for Keystone to provide the different IDs to -# clients than it did previously (existing IDs in the API will suddenly -# change). Typically this means that the only time you can set this value to -# false is when configuring a fresh installation, although that is the -# recommended value. (boolean value) -#backward_compatible_ids = true - - -[jwt_tokens] - -# -# From keystone -# - -# Directory containing public keys for validating JWS token signatures. This -# directory must exist in order for keystone's server process to start. It must -# also be readable by keystone's server process. It must contain at least one -# public key that corresponds to a private key in `keystone.conf [jwt_tokens] -# jws_private_key_repository`. This option is only applicable in deployments -# issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`. -# (string value) -#jws_public_key_repository = /etc/keystone/jws-keys/public - -# Directory containing private keys for signing JWS tokens. This directory must -# exist in order for keystone's server process to start. It must also be -# readable by keystone's server process. It must contain at least one private -# key that corresponds to a public key in `keystone.conf [jwt_tokens] -# jws_public_key_repository`. In the event there are multiple private keys in -# this directory, keystone will use a key named `private.pem` to sign tokens. -# In the future, keystone may support the ability to sign tokens with multiple -# private keys. For now, only a key named `private.pem` within this directory -# is required to issue JWS tokens. This option is only applicable in -# deployments issuing JWS tokens and setting `keystone.conf [tokens] provider = -# jws`. (string value) -#jws_private_key_repository = /etc/keystone/jws-keys/private - - -[ldap] - -# -# From keystone -# - -# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified -# as a comma separated string. The first URL to successfully bind is used for -# the connection. (string value) -#url = ldap://localhost - -# The user name of the administrator bind DN to use when querying the LDAP -# server, if your LDAP server requires it. (string value) -#user = - -# The password of the administrator bind DN to use when querying the LDAP -# server, if your LDAP server requires it. (string value) -#password = - -# The default LDAP server suffix to use, if a DN is not defined via either -# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value) -#suffix = cn=example,cn=com - -# The search scope which defines how deep to search within the search base. A -# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search -# of objects immediately below to the base object, but does not include the -# base object itself. A value of `sub` (representing `subtree` or -# `wholeSubtree`) indicates a search of both the base object itself and the -# entire subtree below it. (string value) -# Possible values: -# one - -# sub - -#query_scope = one - -# Defines the maximum number of results per page that keystone should request -# from the LDAP server when listing objects. A value of zero (`0`) disables -# paging. (integer value) -# Minimum value: 0 -#page_size = 0 - -# The LDAP dereferencing option to use for queries involving aliases. A value -# of `default` falls back to using default dereferencing behavior configured by -# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced -# at all. A value of `searching` dereferences aliases only after name -# resolution. A value of `finding` dereferences aliases only during name -# resolution. A value of `always` dereferences aliases in all cases. (string -# value) -# Possible values: -# never - -# searching - -# always - -# finding - -# default - -#alias_dereferencing = default - -# Sets the LDAP debugging level for LDAP calls. A value of 0 means that -# debugging is not enabled. This value is a bitmask, consult your LDAP -# documentation for possible values. (integer value) -# Minimum value: -1 -#debug_level = - -# Sets keystone's referral chasing behavior across directory partitions. If -# left unset, the system's default behavior will be used. (boolean value) -#chase_referrals = - -# The search base to use for users. Defaults to the `[ldap] suffix` value. -# (string value) -#user_tree_dn = - -# The LDAP search filter to use for users. (string value) -#user_filter = - -# The LDAP object class to use for users. (string value) -#user_objectclass = inetOrgPerson - -# The LDAP attribute mapped to user IDs in keystone. This must NOT be a -# multivalued attribute. User IDs are expected to be globally unique across -# keystone domains and URL-safe. (string value) -#user_id_attribute = cn - -# The LDAP attribute mapped to user names in keystone. User names are expected -# to be unique only within a keystone domain and are not expected to be URL- -# safe. (string value) -#user_name_attribute = sn - -# The LDAP attribute mapped to user descriptions in keystone. (string value) -#user_description_attribute = description - -# The LDAP attribute mapped to user emails in keystone. (string value) -#user_mail_attribute = mail - -# The LDAP attribute mapped to user passwords in keystone. (string value) -#user_pass_attribute = userPassword - -# The LDAP attribute mapped to the user enabled attribute in keystone. If -# setting this option to `userAccountControl`, then you may be interested in -# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well. -# (string value) -#user_enabled_attribute = enabled - -# Logically negate the boolean value of the enabled attribute obtained from the -# LDAP server. Some LDAP servers use a boolean lock attribute where "true" -# means an account is disabled. Setting `[ldap] user_enabled_invert = true` -# will allow these lock attributes to be used. This option will have no effect -# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` -# options are in use. (boolean value) -#user_enabled_invert = false - -# Bitmask integer to select which bit indicates the enabled value if the LDAP -# server represents "enabled" as a bit on an integer rather than as a discrete -# boolean. A value of `0` indicates that the mask is not used. If this is not -# set to `0` the typical value is `2`. This is typically used when `[ldap] -# user_enabled_attribute = userAccountControl`. Setting this option causes -# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value) -# Minimum value: 0 -#user_enabled_mask = 0 - -# The default value to enable users. This should match an appropriate integer -# value if the LDAP server uses non-boolean (bitmask) values to indicate if a -# user is enabled or disabled. If this is not set to `True`, then the typical -# value is `512`. This is typically used when `[ldap] user_enabled_attribute = -# userAccountControl`. (string value) -#user_enabled_default = True - -# List of user attributes to ignore on create and update, or whether a specific -# user attribute should be filtered for list or show user. (list value) -#user_attribute_ignore = default_project_id - -# The LDAP attribute mapped to a user's default_project_id in keystone. This is -# most commonly used when keystone has write access to LDAP. (string value) -#user_default_project_id_attribute = - -# If enabled, keystone uses an alternative method to determine if a user is -# enabled or not by checking if they are a member of the group defined by the -# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes -# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value) -#user_enabled_emulation = false - -# DN of the group entry to hold enabled users when using enabled emulation. -# Setting this option has no effect unless `[ldap] user_enabled_emulation` is -# also enabled. (string value) -#user_enabled_emulation_dn = - -# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` -# settings to determine membership in the emulated enabled group. Enabling this -# option has no effect unless `[ldap] user_enabled_emulation` is also enabled. -# (boolean value) -#user_enabled_emulation_use_group_config = false - -# A list of LDAP attribute to keystone user attribute pairs used for mapping -# additional attributes to users in keystone. The expected format is -# `:`, where `ldap_attr` is the attribute in the LDAP -# object and `user_attr` is the attribute which should appear in the identity -# API. (list value) -#user_additional_attribute_mapping = - -# The search base to use for groups. Defaults to the `[ldap] suffix` value. -# (string value) -#group_tree_dn = - -# The LDAP search filter to use for groups. (string value) -#group_filter = - -# The LDAP object class to use for groups. If setting this option to -# `posixGroup`, you may also be interested in enabling the `[ldap] -# group_members_are_ids` option. (string value) -#group_objectclass = groupOfNames - -# The LDAP attribute mapped to group IDs in keystone. This must NOT be a -# multivalued attribute. Group IDs are expected to be globally unique across -# keystone domains and URL-safe. (string value) -#group_id_attribute = cn - -# The LDAP attribute mapped to group names in keystone. Group names are -# expected to be unique only within a keystone domain and are not expected to -# be URL-safe. (string value) -#group_name_attribute = ou - -# The LDAP attribute used to indicate that a user is a member of the group. -# (string value) -#group_member_attribute = member - -# Enable this option if the members of the group object class are keystone user -# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the -# group object class in Open Directory. (boolean value) -#group_members_are_ids = false - -# The LDAP attribute mapped to group descriptions in keystone. (string value) -#group_desc_attribute = description - -# List of group attributes to ignore on create and update. or whether a -# specific group attribute should be filtered for list or show group. (list -# value) -#group_attribute_ignore = - -# A list of LDAP attribute to keystone group attribute pairs used for mapping -# additional attributes to groups in keystone. The expected format is -# `:`, where `ldap_attr` is the attribute in the LDAP -# object and `group_attr` is the attribute which should appear in the identity -# API. (list value) -#group_additional_attribute_mapping = - -# If enabled, group queries will use Active Directory specific filters for -# nested groups. (boolean value) -#group_ad_nesting = false - -# An absolute path to a CA certificate file to use when communicating with LDAP -# servers. This option will take precedence over `[ldap] tls_cacertdir`, so -# there is no reason to set both. (string value) -#tls_cacertfile = - -# An absolute path to a CA certificate directory to use when communicating with -# LDAP servers. There is no reason to set this option if you've also set -# `[ldap] tls_cacertfile`. (string value) -#tls_cacertdir = - -# Enable TLS when communicating with LDAP servers. You should also set the -# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this -# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead -# of TLS. (boolean value) -#use_tls = false - -# Specifies which checks to perform against client certificates on incoming TLS -# sessions. If set to `demand`, then a certificate will always be requested and -# required from the LDAP server. If set to `allow`, then a certificate will -# always be requested but not required from the LDAP server. If set to `never`, -# then a certificate will never be requested. (string value) -# Possible values: -# demand - -# never - -# allow - -#tls_req_cert = demand - -# The connection timeout to use with the LDAP server. A value of `-1` means -# that connections will never timeout. (integer value) -# Minimum value: -1 -#connection_timeout = -1 - -# Enable LDAP connection pooling for queries to the LDAP server. There is -# typically no reason to disable this. (boolean value) -#use_pool = true - -# The size of the LDAP connection pool. This option has no effect unless -# `[ldap] use_pool` is also enabled. (integer value) -# Minimum value: 1 -#pool_size = 10 - -# The maximum number of times to attempt reconnecting to the LDAP server before -# aborting. A value of zero prevents retries. This option has no effect unless -# `[ldap] use_pool` is also enabled. (integer value) -# Minimum value: 0 -#pool_retry_max = 3 - -# The number of seconds to wait before attempting to reconnect to the LDAP -# server. This option has no effect unless `[ldap] use_pool` is also enabled. -# (floating point value) -#pool_retry_delay = 0.1 - -# The connection timeout to use when pooling LDAP connections. A value of `-1` -# means that connections will never timeout. This option has no effect unless -# `[ldap] use_pool` is also enabled. (integer value) -# Minimum value: -1 -#pool_connection_timeout = -1 - -# The maximum connection lifetime to the LDAP server in seconds. When this -# lifetime is exceeded, the connection will be unbound and removed from the -# connection pool. This option has no effect unless `[ldap] use_pool` is also -# enabled. (integer value) -# Minimum value: 1 -#pool_connection_lifetime = 600 - -# Enable LDAP connection pooling for end user authentication. There is -# typically no reason to disable this. (boolean value) -#use_auth_pool = true - -# The size of the connection pool to use for end user authentication. This -# option has no effect unless `[ldap] use_auth_pool` is also enabled. (integer -# value) -# Minimum value: 1 -#auth_pool_size = 100 - -# The maximum end user authentication connection lifetime to the LDAP server in -# seconds. When this lifetime is exceeded, the connection will be unbound and -# removed from the connection pool. This option has no effect unless `[ldap] -# use_auth_pool` is also enabled. (integer value) -# Minimum value: 1 -#auth_pool_connection_lifetime = 60 - - -[memcache] - -# -# From keystone -# - -# Number of seconds memcached server is considered dead before it is tried -# again. This is used by the key value store system. (integer value) -#dead_retry = 300 - -# Timeout in seconds for every call to a server. This is used by the key value -# store system. (integer value) -#socket_timeout = 3 - -# Max total number of open connections to every memcached server. This is used -# by the key value store system. (integer value) -#pool_maxsize = 10 - -# Number of seconds a connection to memcached is held unused in the pool before -# it is closed. This is used by the key value store system. (integer value) -#pool_unused_timeout = 60 - -# Number of seconds that an operation will wait to get a memcache client -# connection. This is used by the key value store system. (integer value) -#pool_connection_get_timeout = 10 - - -[oauth1] - -# -# From keystone -# - -# Entry point for the OAuth backend driver in the `keystone.oauth1` namespace. -# Typically, there is no reason to set this option unless you are providing a -# custom entry point. (string value) -#driver = sql - -# Number of seconds for the OAuth Request Token to remain valid after being -# created. This is the amount of time the user has to authorize the token. -# Setting this option to zero means that request tokens will last forever. -# (integer value) -# Minimum value: 0 -#request_token_duration = 28800 - -# Number of seconds for the OAuth Access Token to remain valid after being -# created. This is the amount of time the consumer has to interact with the -# service provider (which is typically keystone). Setting this option to zero -# means that access tokens will last forever. (integer value) -# Minimum value: 0 -#access_token_duration = 86400 - - -[oslo_messaging_amqp] - -# -# From oslo.messaging -# - -# Name for the AMQP container. must be globally unique. Defaults to a generated -# UUID (string value) -#container_name = - -# Timeout for inactive connections (in seconds) (integer value) -#idle_timeout = 0 - -# Debug: dump AMQP frames to stdout (boolean value) -#trace = false - -# Attempt to connect via SSL. If no other ssl-related parameters are given, it -# will use the system's CA-bundle to verify the server's certificate. (boolean -# value) -#ssl = false - -# CA certificate PEM file used to verify the server's certificate (string -# value) -#ssl_ca_file = - -# Self-identifying certificate PEM file for client authentication (string -# value) -#ssl_cert_file = - -# Private key PEM file used to sign ssl_cert_file certificate (optional) -# (string value) -#ssl_key_file = - -# Password for decrypting ssl_key_file (if encrypted) (string value) -#ssl_key_password = - -# By default SSL checks that the name in the server's certificate matches the -# hostname in the transport_url. In some configurations it may be preferable to -# use the virtual hostname instead, for example if the server uses the Server -# Name Indication TLS extension (rfc6066) to provide a certificate per virtual -# host. Set ssl_verify_vhost to True if the server's SSL certificate uses the -# virtual host name instead of the DNS name. (boolean value) -#ssl_verify_vhost = false - -# Space separated list of acceptable SASL mechanisms (string value) -#sasl_mechanisms = - -# Path to directory that contains the SASL configuration (string value) -#sasl_config_dir = - -# Name of configuration file (without .conf suffix) (string value) -#sasl_config_name = - -# SASL realm to use if no realm present in username (string value) -#sasl_default_realm = - -# Seconds to pause before attempting to re-connect. (integer value) -# Minimum value: 1 -#connection_retry_interval = 1 - -# Increase the connection_retry_interval by this many seconds after each -# unsuccessful failover attempt. (integer value) -# Minimum value: 0 -#connection_retry_backoff = 2 - -# Maximum limit for connection_retry_interval + connection_retry_backoff -# (integer value) -# Minimum value: 1 -#connection_retry_interval_max = 30 - -# Time to pause between re-connecting an AMQP 1.0 link that failed due to a -# recoverable error. (integer value) -# Minimum value: 1 -#link_retry_delay = 10 - -# The maximum number of attempts to re-send a reply message which failed due to -# a recoverable error. (integer value) -# Minimum value: -1 -#default_reply_retry = 0 - -# The deadline for an rpc reply message delivery. (integer value) -# Minimum value: 5 -#default_reply_timeout = 30 - -# The deadline for an rpc cast or call message delivery. Only used when caller -# does not provide a timeout expiry. (integer value) -# Minimum value: 5 -#default_send_timeout = 30 - -# The deadline for a sent notification message delivery. Only used when caller -# does not provide a timeout expiry. (integer value) -# Minimum value: 5 -#default_notify_timeout = 30 - -# The duration to schedule a purge of idle sender links. Detach link after -# expiry. (integer value) -# Minimum value: 1 -#default_sender_link_timeout = 600 - -# Indicates the addressing mode used by the driver. -# Permitted values: -# 'legacy' - use legacy non-routable addressing -# 'routable' - use routable addresses -# 'dynamic' - use legacy addresses if the message bus does not support routing -# otherwise use routable addressing (string value) -#addressing_mode = dynamic - -# Enable virtual host support for those message buses that do not natively -# support virtual hosting (such as qpidd). When set to true the virtual host -# name will be added to all message bus addresses, effectively creating a -# private 'subnet' per virtual host. Set to False if the message bus supports -# virtual hosting using the 'hostname' field in the AMQP 1.0 Open performative -# as the name of the virtual host. (boolean value) -#pseudo_vhost = true - -# address prefix used when sending to a specific server (string value) -#server_request_prefix = exclusive - -# address prefix used when broadcasting to all servers (string value) -#broadcast_prefix = broadcast - -# address prefix when sending to any server in group (string value) -#group_request_prefix = unicast - -# Address prefix for all generated RPC addresses (string value) -#rpc_address_prefix = openstack.org/om/rpc - -# Address prefix for all generated Notification addresses (string value) -#notify_address_prefix = openstack.org/om/notify - -# Appended to the address prefix when sending a fanout message. Used by the -# message bus to identify fanout messages. (string value) -#multicast_address = multicast - -# Appended to the address prefix when sending to a particular RPC/Notification -# server. Used by the message bus to identify messages sent to a single -# destination. (string value) -#unicast_address = unicast - -# Appended to the address prefix when sending to a group of consumers. Used by -# the message bus to identify messages that should be delivered in a round- -# robin fashion across consumers. (string value) -#anycast_address = anycast - -# Exchange name used in notification addresses. -# Exchange name resolution precedence: -# Target.exchange if set -# else default_notification_exchange if set -# else control_exchange if set -# else 'notify' (string value) -#default_notification_exchange = - -# Exchange name used in RPC addresses. -# Exchange name resolution precedence: -# Target.exchange if set -# else default_rpc_exchange if set -# else control_exchange if set -# else 'rpc' (string value) -#default_rpc_exchange = - -# Window size for incoming RPC Reply messages. (integer value) -# Minimum value: 1 -#reply_link_credit = 200 - -# Window size for incoming RPC Request messages (integer value) -# Minimum value: 1 -#rpc_server_credit = 100 - -# Window size for incoming Notification messages (integer value) -# Minimum value: 1 -#notify_server_credit = 100 - -# Send messages of this type pre-settled. -# Pre-settled messages will not receive acknowledgement -# from the peer. Note well: pre-settled messages may be -# silently discarded if the delivery fails. -# Permitted values: -# 'rpc-call' - send RPC Calls pre-settled -# 'rpc-reply'- send RPC Replies pre-settled -# 'rpc-cast' - Send RPC Casts pre-settled -# 'notify' - Send Notifications pre-settled -# (multi valued) -#pre_settled = rpc-cast -#pre_settled = rpc-reply - - -[oslo_messaging_kafka] - -# -# From oslo.messaging -# - -# Max fetch bytes of Kafka consumer (integer value) -#kafka_max_fetch_bytes = 1048576 - -# Default timeout(s) for Kafka consumers (floating point value) -#kafka_consumer_timeout = 1.0 - -# DEPRECATED: Pool Size for Kafka Consumers (integer value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Driver no longer uses connection pool. -#pool_size = 10 - -# DEPRECATED: The pool size limit for connections expiration policy (integer -# value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Driver no longer uses connection pool. -#conn_pool_min_size = 2 - -# DEPRECATED: The time-to-live in sec of idle connections in the pool (integer -# value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Driver no longer uses connection pool. -#conn_pool_ttl = 1200 - -# Group id for Kafka consumer. Consumers in one group will coordinate message -# consumption (string value) -#consumer_group = oslo_messaging_consumer - -# Upper bound on the delay for KafkaProducer batching in seconds (floating -# point value) -#producer_batch_timeout = 0.0 - -# Size of batch for the producer async send (integer value) -#producer_batch_size = 16384 - -# Enable asynchronous consumer commits (boolean value) -#enable_auto_commit = false - -# The maximum number of records returned in a poll call (integer value) -#max_poll_records = 500 - -# Protocol used to communicate with brokers (string value) -# Possible values: -# PLAINTEXT - -# SASL_PLAINTEXT - -# SSL - -# SASL_SSL - -#security_protocol = PLAINTEXT - -# Mechanism when security protocol is SASL (string value) -#sasl_mechanism = PLAIN - -# CA certificate PEM file used to verify the server certificate (string value) -#ssl_cafile = - - -[oslo_messaging_notifications] - -# -# From oslo.messaging -# - -# The Drivers(s) to handle sending notifications. Possible values are -# messaging, messagingv2, routing, log, test, noop (multi valued) -# Deprecated group/name - [DEFAULT]/notification_driver -#driver = - -# A URL representing the messaging driver to use for notifications. If not set, -# we fall back to the same configuration used for RPC. (string value) -# Deprecated group/name - [DEFAULT]/notification_transport_url -#transport_url = - -# AMQP topic used for OpenStack notifications. (list value) -# Deprecated group/name - [rpc_notifier2]/topics -# Deprecated group/name - [DEFAULT]/notification_topics -#topics = notifications - -# The maximum number of attempts to re-send a notification message which failed -# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite -# (integer value) -#retry = -1 - - -[oslo_messaging_rabbit] - -# -# From oslo.messaging -# - -# Use durable queues in AMQP. (boolean value) -#amqp_durable_queues = false - -# Auto-delete queues in AMQP. (boolean value) -#amqp_auto_delete = false - -# Connect over SSL. (boolean value) -# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl -#ssl = false - -# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and -# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some -# distributions. (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version -#ssl_version = - -# SSL key file (valid only if SSL enabled). (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile -#ssl_key_file = - -# SSL cert file (valid only if SSL enabled). (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile -#ssl_cert_file = - -# SSL certification authority file (valid only if SSL enabled). (string value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs -#ssl_ca_file = - -# How long to wait before reconnecting in response to an AMQP consumer cancel -# notification. (floating point value) -#kombu_reconnect_delay = 1.0 - -# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not -# be used. This option may not be available in future versions. (string value) -#kombu_compression = - -# How long to wait a missing client before abandoning to send it its replies. -# This value should not be longer than rpc_response_timeout. (integer value) -# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout -#kombu_missing_consumer_retry_timeout = 60 - -# Determines how the next RabbitMQ node is chosen in case the one we are -# currently connected to becomes unavailable. Takes effect only if more than -# one RabbitMQ node is provided in config. (string value) -# Possible values: -# round-robin - -# shuffle - -#kombu_failover_strategy = round-robin - -# The RabbitMQ login method. (string value) -# Possible values: -# PLAIN - -# AMQPLAIN - -# RABBIT-CR-DEMO - -#rabbit_login_method = AMQPLAIN - -# How frequently to retry connecting with RabbitMQ. (integer value) -#rabbit_retry_interval = 1 - -# How long to backoff for between retries when connecting to RabbitMQ. (integer -# value) -#rabbit_retry_backoff = 2 - -# Maximum interval of RabbitMQ connection retries. Default is 30 seconds. -# (integer value) -#rabbit_interval_max = 30 - -# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this -# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring -# is no longer controlled by the x-ha-policy argument when declaring a queue. -# If you just want to make sure that all queues (except those with auto- -# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy -# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value) -#rabbit_ha_queues = false - -# Positive integer representing duration in seconds for queue TTL (x-expires). -# Queues which are unused for the duration of the TTL are automatically -# deleted. The parameter affects only reply and fanout queues. (integer value) -# Minimum value: 1 -#rabbit_transient_queues_ttl = 1800 - -# Specifies the number of messages to prefetch. Setting to zero allows -# unlimited messages. (integer value) -#rabbit_qos_prefetch_count = 0 - -# Number of seconds after which the Rabbit broker is considered down if -# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer -# value) -#heartbeat_timeout_threshold = 60 - -# How often times during the heartbeat_timeout_threshold we check the -# heartbeat. (integer value) -#heartbeat_rate = 2 - - -[oslo_middleware] - -# -# From oslo.middleware -# - -# The maximum body size for each request, in bytes. (integer value) -# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size -# Deprecated group/name - [DEFAULT]/max_request_body_size -#max_request_body_size = 114688 - -# DEPRECATED: The HTTP Header that will be used to determine what the original -# request protocol scheme was, even if it was hidden by a SSL termination -# proxy. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -#secure_proxy_ssl_header = X-Forwarded-Proto - -# Whether the application is behind a proxy or not. This determines if the -# middleware should parse the headers or not. (boolean value) -#enable_proxy_headers_parsing = false - - -[oslo_policy] - -# -# From oslo.policy -# - -# This option controls whether or not to enforce scope when evaluating -# policies. If ``True``, the scope of the token used in the request is compared -# to the ``scope_types`` of the policy being enforced. If the scopes do not -# match, an ``InvalidScope`` exception will be raised. If ``False``, a message -# will be logged informing operators that policies are being invoked with -# mismatching scope. (boolean value) -#enforce_scope = false - -# The file that defines policies. (string value) -#policy_file = policy.json - -# Default rule. Enforced when a requested rule is not found. (string value) -#policy_default_rule = default - -# Directories where policy configuration files are stored. They can be relative -# to any directory in the search path defined by the config_dir option, or -# absolute paths. The file defined by policy_file must exist for these -# directories to be searched. Missing or empty directories are ignored. (multi -# valued) -#policy_dirs = policy.d - -# Content Type to send and receive data for REST based policy check (string -# value) -# Possible values: -# application/x-www-form-urlencoded - -# application/json - -#remote_content_type = application/x-www-form-urlencoded - -# server identity verification for REST based policy check (boolean value) -#remote_ssl_verify_server_crt = false - -# Absolute path to ca cert file for REST based policy check (string value) -#remote_ssl_ca_crt_file = - -# Absolute path to client cert for REST based policy check (string value) -#remote_ssl_client_crt_file = - -# Absolute path client key file REST based policy check (string value) -#remote_ssl_client_key_file = - - -[policy] - -# -# From keystone -# - -# Entry point for the policy backend driver in the `keystone.policy` namespace. -# Supplied drivers are `rules` (which does not support any CRUD operations for -# the v3 policy API) and `sql`. Typically, there is no reason to set this -# option unless you are providing a custom entry point. (string value) -#driver = sql - -# Maximum number of entities that will be returned in a policy collection. -# (integer value) -#list_limit = - - -[profiler] - -# -# From osprofiler -# - -# -# Enable the profiling for all services on this node. -# -# Default value is False (fully disable the profiling feature). -# -# Possible values: -# -# * True: Enables the feature -# * False: Disables the feature. The profiling cannot be started via this -# project -# operations. If the profiling is triggered by another project, this project -# part will be empty. -# (boolean value) -# Deprecated group/name - [profiler]/profiler_enabled -#enabled = false - -# -# Enable SQL requests profiling in services. -# -# Default value is False (SQL requests won't be traced). -# -# Possible values: -# -# * True: Enables SQL requests profiling. Each SQL query will be part of the -# trace and can the be analyzed by how much time was spent for that. -# * False: Disables SQL requests profiling. The spent time is only shown on a -# higher level of operations. Single SQL queries cannot be analyzed this way. -# (boolean value) -#trace_sqlalchemy = false - -# -# Secret key(s) to use for encrypting context data for performance profiling. -# -# This string value should have the following format: -# [,,...], -# where each key is some random string. A user who triggers the profiling via -# the REST API has to set one of these keys in the headers of the REST API call -# to include profiling results of this node for this particular project. -# -# Both "enabled" flag and "hmac_keys" config options should be set to enable -# profiling. Also, to generate correct profiling information across all -# services -# at least one key needs to be consistent between OpenStack projects. This -# ensures it can be used from client side to generate the trace, containing -# information from all possible resources. -# (string value) -#hmac_keys = SECRET_KEY - -# -# Connection string for a notifier backend. -# -# Default value is ``messaging://`` which sets the notifier to oslo_messaging. -# -# Examples of possible values: -# -# * ``messaging://`` - use oslo_messaging driver for sending spans. -# * ``redis://127.0.0.1:6379`` - use redis driver for sending spans. -# * ``mongodb://127.0.0.1:27017`` - use mongodb driver for sending spans. -# * ``elasticsearch://127.0.0.1:9200`` - use elasticsearch driver for sending -# spans. -# * ``jaeger://127.0.0.1:6831`` - use jaeger tracing as driver for sending -# spans. -# (string value) -#connection_string = messaging:// - -# -# Document type for notification indexing in elasticsearch. -# (string value) -#es_doc_type = notification - -# -# This parameter is a time value parameter (for example: es_scroll_time=2m), -# indicating for how long the nodes that participate in the search will -# maintain -# relevant resources in order to continue and support it. -# (string value) -#es_scroll_time = 2m - -# -# Elasticsearch splits large requests in batches. This parameter defines -# maximum size of each batch (for example: es_scroll_size=10000). -# (integer value) -#es_scroll_size = 10000 - -# -# Redissentinel provides a timeout option on the connections. -# This parameter defines that timeout (for example: socket_timeout=0.1). -# (floating point value) -#socket_timeout = 0.1 - -# -# Redissentinel uses a service name to identify a master redis service. -# This parameter defines the name (for example: -# ``sentinal_service_name=mymaster``). -# (string value) -#sentinel_service_name = mymaster - -# -# Enable filter traces that contain error/exception to a separated place. -# -# Default value is set to False. -# -# Possible values: -# -# * True: Enable filter traces that contain error/exception. -# * False: Disable the filter. -# (boolean value) -#filter_error_trace = false - - -[receipt] - -# -# From keystone -# - -# The amount of time that a receipt should remain valid (in seconds). This -# value should always be very short, as it represents how long a user has to -# reattempt auth with the missing auth methods. (integer value) -# Minimum value: 0 -# Maximum value: 86400 -#expiration = 300 - -# Entry point for the receipt provider in the `keystone.receipt.provider` -# namespace. The receipt provider controls the receipt construction and -# validation operations. Keystone includes just the `fernet` receipt provider -# for now. `fernet` receipts do not need to be persisted at all, but require -# that you run `keystone-manage fernet_setup` (also see the `keystone-manage -# fernet_rotate` command). (string value) -#provider = fernet - -# Toggle for caching receipt creation and validation data. This has no effect -# unless global caching is enabled, or if cache_on_issue is disabled as we only -# cache receipts on issue. (boolean value) -#caching = true - -# The number of seconds to cache receipt creation and validation data. This has -# no effect unless both global and `[receipt] caching` are enabled. (integer -# value) -# Minimum value: 0 -#cache_time = 300 - -# Enable storing issued receipt data to receipt validation cache so that first -# receipt validation doesn't actually cause full validation cycle. This option -# has no effect unless global caching and receipt caching are enabled. (boolean -# value) -#cache_on_issue = true - - -[resource] - -# -# From keystone -# - -# DEPRECATED: Entry point for the resource driver in the `keystone.resource` -# namespace. Only a `sql` driver is supplied by keystone. Unless you are -# writing proprietary drivers for keystone, you do not need to set this option. -# (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: Non-SQL resource cannot be used with SQL Identity and has been unable -# to be used since Ocata. SQL Resource backend is a requirement as of Pike. -# Setting this option no longer has an effect on how Keystone operates. -#driver = sql - -# Toggle for resource caching. This has no effect unless global caching is -# enabled. (boolean value) -# Deprecated group/name - [assignment]/caching -#caching = true - -# Time to cache resource data in seconds. This has no effect unless global -# caching is enabled. (integer value) -# Deprecated group/name - [assignment]/cache_time -#cache_time = - -# Maximum number of entities that will be returned in a resource collection. -# (integer value) -# Deprecated group/name - [assignment]/list_limit -#list_limit = - -# Name of the domain that owns the `admin_project_name`. If left unset, then -# there is no admin project. `[resource] admin_project_name` must also be set -# to use this option. (string value) -#admin_project_domain_name = - -# This is a special project which represents cloud-level administrator -# privileges across services. Tokens scoped to this project will contain a true -# `is_admin_project` attribute to indicate to policy systems that the role -# assignments on that specific project should apply equally across every -# project. If left unset, then there is no admin project, and thus no explicit -# means of cross-project role assignments. `[resource] -# admin_project_domain_name` must also be set to use this option. (string -# value) -#admin_project_name = - -# This controls whether the names of projects are restricted from containing -# URL-reserved characters. If set to `new`, attempts to create or update a -# project with a URL-unsafe name will fail. If set to `strict`, attempts to -# scope a token with a URL-unsafe project name will fail, thereby forcing all -# project names to be updated to be URL-safe. (string value) -# Possible values: -# off - -# new - -# strict - -#project_name_url_safe = off - -# This controls whether the names of domains are restricted from containing -# URL-reserved characters. If set to `new`, attempts to create or update a -# domain with a URL-unsafe name will fail. If set to `strict`, attempts to -# scope a token with a URL-unsafe domain name will fail, thereby forcing all -# domain names to be updated to be URL-safe. (string value) -# Possible values: -# off - -# new - -# strict - -#domain_name_url_safe = off - - -[revoke] - -# -# From keystone -# - -# Entry point for the token revocation backend driver in the `keystone.revoke` -# namespace. Keystone only provides a `sql` driver, so there is no reason to -# set this option unless you are providing a custom entry point. (string value) -#driver = sql - -# The number of seconds after a token has expired before a corresponding -# revocation event may be purged from the backend. (integer value) -# Minimum value: 0 -#expiration_buffer = 1800 - -# Toggle for revocation event caching. This has no effect unless global caching -# is enabled. (boolean value) -#caching = true - -# Time to cache the revocation list and the revocation events (in seconds). -# This has no effect unless global and `[revoke] caching` are both enabled. -# (integer value) -# Deprecated group/name - [token]/revocation_cache_time -#cache_time = 3600 - - -[role] - -# -# From keystone -# - -# Entry point for the role backend driver in the `keystone.role` namespace. -# Keystone only provides a `sql` driver, so there's no reason to change this -# unless you are providing a custom entry point. (string value) -#driver = - -# Toggle for role caching. This has no effect unless global caching is enabled. -# In a typical deployment, there is no reason to disable this. (boolean value) -#caching = true - -# Time to cache role data, in seconds. This has no effect unless both global -# caching and `[role] caching` are enabled. (integer value) -#cache_time = - -# Maximum number of entities that will be returned in a role collection. This -# may be useful to tune if you have a large number of discrete roles in your -# deployment. (integer value) -#list_limit = - - -[saml] - -# -# From keystone -# - -# Determines the lifetime for any SAML assertions generated by keystone, using -# `NotOnOrAfter` attributes. (integer value) -#assertion_expiration_time = 3600 - -# Name of, or absolute path to, the binary to be used for XML signing. Although -# only the XML Security Library (`xmlsec1`) is supported, it may have a non- -# standard name or path on your system. If keystone cannot find the binary -# itself, you may need to install the appropriate package, use this option to -# specify an absolute path, or adjust keystone's PATH environment variable. -# (string value) -#xmlsec1_binary = xmlsec1 - -# Absolute path to the public certificate file to use for SAML signing. The -# value cannot contain a comma (`,`). (string value) -#certfile = /etc/keystone/ssl/certs/signing_cert.pem - -# Absolute path to the private key file to use for SAML signing. The value -# cannot contain a comma (`,`). (string value) -#keyfile = /etc/keystone/ssl/private/signing_key.pem - -# This is the unique entity identifier of the identity provider (keystone) to -# use when generating SAML assertions. This value is required to generate -# identity provider metadata and must be a URI (a URL is recommended). For -# example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`. (uri -# value) -#idp_entity_id = - -# This is the single sign-on (SSO) service location of the identity provider -# which accepts HTTP POST requests. A value is required to generate identity -# provider metadata. For example: `https://keystone.example.com/v3/OS- -# FEDERATION/saml2/sso`. (uri value) -#idp_sso_endpoint = - -# This is the language used by the identity provider's organization. (string -# value) -#idp_lang = en - -# This is the name of the identity provider's organization. (string value) -#idp_organization_name = SAML Identity Provider - -# This is the name of the identity provider's organization to be displayed. -# (string value) -#idp_organization_display_name = OpenStack SAML Identity Provider - -# This is the URL of the identity provider's organization. The URL referenced -# here should be useful to humans. (uri value) -#idp_organization_url = https://example.com/ - -# This is the company name of the identity provider's contact person. (string -# value) -#idp_contact_company = Example, Inc. - -# This is the given name of the identity provider's contact person. (string -# value) -#idp_contact_name = SAML Identity Provider Support - -# This is the surname of the identity provider's contact person. (string value) -#idp_contact_surname = Support - -# This is the email address of the identity provider's contact person. (string -# value) -#idp_contact_email = support@example.com - -# This is the telephone number of the identity provider's contact person. -# (string value) -#idp_contact_telephone = +1 800 555 0100 - -# This is the type of contact that best describes the identity provider's -# contact person. (string value) -# Possible values: -# technical - -# support - -# administrative - -# billing - -# other - -#idp_contact_type = other - -# Absolute path to the identity provider metadata file. This file should be -# generated with the `keystone-manage saml_idp_metadata` command. There is -# typically no reason to change this value. (string value) -#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml - -# The prefix of the RelayState SAML attribute to use when generating enhanced -# client and proxy (ECP) assertions. In a typical deployment, there is no -# reason to change this value. (string value) -#relay_state_prefix = ss:mem: - - -[security_compliance] - -# -# From keystone -# - -# The maximum number of days a user can go without authenticating before being -# considered "inactive" and automatically disabled (locked). This feature is -# disabled by default; set any value to enable it. This feature depends on the -# `sql` backend for the `[identity] driver`. When a user exceeds this threshold -# and is considered "inactive", the user's `enabled` attribute in the HTTP API -# may not match the value of the user's `enabled` column in the user table. -# (integer value) -# Minimum value: 1 -#disable_user_account_days_inactive = - -# The maximum number of times that a user can fail to authenticate before the -# user account is locked for the number of seconds specified by -# `[security_compliance] lockout_duration`. This feature is disabled by -# default. If this feature is enabled and `[security_compliance] -# lockout_duration` is not set, then users may be locked out indefinitely until -# the user is explicitly enabled via the API. This feature depends on the `sql` -# backend for the `[identity] driver`. (integer value) -# Minimum value: 1 -#lockout_failure_attempts = - -# The number of seconds a user account will be locked when the maximum number -# of failed authentication attempts (as specified by `[security_compliance] -# lockout_failure_attempts`) is exceeded. Setting this option will have no -# effect unless you also set `[security_compliance] lockout_failure_attempts` -# to a non-zero value. This feature depends on the `sql` backend for the -# `[identity] driver`. (integer value) -# Minimum value: 1 -#lockout_duration = 1800 - -# The number of days for which a password will be considered valid before -# requiring it to be changed. This feature is disabled by default. If enabled, -# new password changes will have an expiration date, however existing passwords -# would not be impacted. This feature depends on the `sql` backend for the -# `[identity] driver`. (integer value) -# Minimum value: 1 -#password_expires_days = - -# This controls the number of previous user password iterations to keep in -# history, in order to enforce that newly created passwords are unique. The -# total number which includes the new password should not be greater or equal -# to this value. Setting the value to zero (the default) disables this feature. -# Thus, to enable this feature, values must be greater than 0. This feature -# depends on the `sql` backend for the `[identity] driver`. (integer value) -# Minimum value: 0 -#unique_last_password_count = 0 - -# The number of days that a password must be used before the user can change -# it. This prevents users from changing their passwords immediately in order to -# wipe out their password history and reuse an old password. This feature does -# not prevent administrators from manually resetting passwords. It is disabled -# by default and allows for immediate password changes. This feature depends on -# the `sql` backend for the `[identity] driver`. Note: If -# `[security_compliance] password_expires_days` is set, then the value for this -# option should be less than the `password_expires_days`. (integer value) -# Minimum value: 0 -#minimum_password_age = 0 - -# The regular expression used to validate password strength requirements. By -# default, the regular expression will match any password. The following is an -# example of a pattern which requires at least 1 letter, 1 digit, and have a -# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature -# depends on the `sql` backend for the `[identity] driver`. (string value) -#password_regex = - -# Describe your password regular expression here in language for humans. If a -# password fails to match the regular expression, the contents of this -# configuration variable will be returned to users to explain why their -# requested password was insufficient. (string value) -#password_regex_description = - -# Enabling this option requires users to change their password when the user is -# created, or upon administrative reset. Before accessing any services, -# affected users will have to change their password. To ignore this requirement -# for specific users, such as service users, set the `options` attribute -# `ignore_change_password_upon_first_use` to `True` for the desired user via -# the update user API. This feature is disabled by default. This feature is -# only applicable with the `sql` backend for the `[identity] driver`. (boolean -# value) -#change_password_upon_first_use = false - - -[shadow_users] - -# -# From keystone -# - -# Entry point for the shadow users backend driver in the -# `keystone.identity.shadow_users` namespace. This driver is used for -# persisting local user references to externally-managed identities (via -# federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no -# reason to change this option unless you are providing a custom entry point. -# (string value) -#driver = sql - - -[signing] - -# -# From keystone -# - -# DEPRECATED: Absolute path to the public certificate file to use for signing -# responses to revocation lists requests. Set this together with `[signing] -# keyfile`. For non-production environments, you may be interested in using -# `keystone-manage pki_setup` to generate self-signed certificates. (string -# value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#certfile = /etc/keystone/ssl/certs/signing_cert.pem - -# DEPRECATED: Absolute path to the private key file to use for signing -# responses to revocation lists requests. Set this together with `[signing] -# certfile`. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#keyfile = /etc/keystone/ssl/private/signing_key.pem - -# DEPRECATED: Absolute path to the public certificate authority (CA) file to -# use when creating self-signed certificates with `keystone-manage pki_setup`. -# Set this together with `[signing] ca_key`. There is no reason to set this -# option unless you are requesting revocation lists in a non-production -# environment. Use a `[signing] certfile` issued from a trusted certificate -# authority instead. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#ca_certs = /etc/keystone/ssl/certs/ca.pem - -# DEPRECATED: Absolute path to the private certificate authority (CA) key file -# to use when creating self-signed certificates with `keystone-manage -# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason -# to set this option unless you are requesting revocation lists in a non- -# production environment. Use a `[signing] certfile` issued from a trusted -# certificate authority instead. (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#ca_key = /etc/keystone/ssl/private/cakey.pem - -# DEPRECATED: Key size (in bits) to use when generating a self-signed token -# signing certificate. There is no reason to set this option unless you are -# requesting revocation lists in a non-production environment. Use a `[signing] -# certfile` issued from a trusted certificate authority instead. (integer -# value) -# Minimum value: 1024 -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#key_size = 2048 - -# DEPRECATED: The validity period (in days) to use when generating a self- -# signed token signing certificate. There is no reason to set this option -# unless you are requesting revocation lists in a non-production environment. -# Use a `[signing] certfile` issued from a trusted certificate authority -# instead. (integer value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#valid_days = 3650 - -# DEPRECATED: The certificate subject to use when generating a self-signed -# token signing certificate. There is no reason to set this option unless you -# are requesting revocation lists in a non-production environment. Use a -# `[signing] certfile` issued from a trusted certificate authority instead. -# (string value) -# This option is deprecated for removal since P. -# Its value may be silently ignored in the future. -# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in -# Pike. These options remain for backwards compatibility. -#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com - - -[token] - -provider = fernet - -# -# From keystone -# - -# The amount of time that a token should remain valid (in seconds). Drastically -# reducing this value may break "long-running" operations that involve multiple -# services to coordinate together, and will force users to authenticate with -# keystone more frequently. Drastically increasing this value will increase the -# number of tokens that will be simultaneously valid. Keystone tokens are also -# bearer tokens, so a shorter duration will also reduce the potential security -# impact of a compromised token. (integer value) -# Minimum value: 0 -# Maximum value: 9223372036854775807 -#expiration = 3600 - -# Entry point for the token provider in the `keystone.token.provider` -# namespace. The token provider controls the token construction, validation, -# and revocation operations. Supported upstream providers are `fernet` and -# `jws`. Neither `fernet` or `jws` tokens require persistence and both require -# additional setup. If using `fernet`, you're required to run `keystone-manage -# fernet_setup`, which creates symmetric keys used to encrypt tokens. If using -# `jws`, you're required to generate an ECDSA keypair using a SHA-256 hash -# algorithm for signing and validating token, which can be done with `keystone- -# manage create_jws_keypair`. Note that `fernet` tokens are encrypted and `jws` -# tokens are only signed. Please be sure to consider this if your deployment -# has security requirements regarding payload contents used to generate token -# IDs. (string value) -#provider = fernet - -# Toggle for caching token creation and validation data. This has no effect -# unless global caching is enabled. (boolean value) -#caching = true - -# The number of seconds to cache token creation and validation data. This has -# no effect unless both global and `[token] caching` are enabled. (integer -# value) -# Minimum value: 0 -# Maximum value: 9223372036854775807 -#cache_time = - -# This toggles support for revoking individual tokens by the token identifier -# and thus various token enumeration operations (such as listing all tokens -# issued to a specific user). These operations are used to determine the list -# of tokens to consider revoked. Do not disable this option if you're using the -# `kvs` `[revoke] driver`. (boolean value) -#revoke_by_id = true - -# This toggles whether scoped tokens may be re-scoped to a new project or -# domain, thereby preventing users from exchanging a scoped token (including -# those with a default project scope) for any other token. This forces users to -# either authenticate for unscoped tokens (and later exchange that unscoped -# token for tokens with a more specific scope) or to provide their credentials -# in every request for a scoped token to avoid re-scoping altogether. (boolean -# value) -#allow_rescope_scoped_token = true - -# DEPRECATED: This controls whether roles should be included with tokens that -# are not directly assigned to the token's scope, but are instead linked -# implicitly to other role assignments. (boolean value) -# This option is deprecated for removal since R. -# Its value may be silently ignored in the future. -# Reason: Default roles depend on a chain of implied role assignments. Ex: an -# admin user will also have the reader and member role. By ensuring that all -# these roles will always appear on the token validation response, we can -# improve the simplicity and readability of policy files. -#infer_roles = true - -# DEPRECATED: Enable storing issued token data to token validation cache so -# that first token validation doesn't actually cause full validation cycle. -# This option has no effect unless global caching is enabled and will still -# cache tokens even if `[token] caching = False`. (boolean value) -# This option is deprecated for removal since S. -# Its value may be silently ignored in the future. -# Reason: Keystone already exposes a configuration option for caching tokens. -# Having a separate configuration option to cache tokens when they are issued -# is redundant, unnecessarily complicated, and is misleading if token caching -# is disabled because tokens will still be pre-cached by default when they are -# issued. The ability to pre-cache tokens when they are issued is going to rely -# exclusively on the ``keystone.conf [token] caching`` option in the future. -#cache_on_issue = true - -# This controls the number of seconds that a token can be retrieved for beyond -# the built-in expiry time. This allows long running operations to succeed. -# Defaults to two days. (integer value) -#allow_expired_window = 172800 - - -[tokenless_auth] - -# -# From keystone -# - -# The list of distinguished names which identify trusted issuers of client -# certificates allowed to use X.509 tokenless authorization. If the option is -# absent then no certificates will be allowed. The format for the values of a -# distinguished name (DN) must be separated by a comma and contain no spaces. -# Furthermore, because an individual DN may contain commas, this configuration -# option may be repeated multiple times to represent multiple values. For -# example, keystone.conf would include two consecutive lines in order to trust -# two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` -# and `trusted_issuer = CN=mary,OU=eng,O=abc`. (multi valued) -#trusted_issuer = - -# The federated protocol ID used to represent X.509 tokenless authorization. -# This is used in combination with the value of `[tokenless_auth] -# issuer_attribute` to find a corresponding federated mapping. In a typical -# deployment, there is no reason to change this value. (string value) -#protocol = x509 - -# The name of the WSGI environment variable used to pass the issuer of the -# client certificate to keystone. This attribute is used as an identity -# provider ID for the X.509 tokenless authorization along with the protocol to -# look up its corresponding mapping. In a typical deployment, there is no -# reason to change this value. (string value) -#issuer_attribute = SSL_CLIENT_I_DN - - -[trust] - -# -# From keystone -# - -# Allows authorization to be redelegated from one user to another, effectively -# chaining trusts together. When disabled, the `remaining_uses` attribute of a -# trust is constrained to be zero. (boolean value) -#allow_redelegation = false - -# Maximum number of times that authorization can be redelegated from one user -# to another in a chain of trusts. This number may be reduced further for a -# specific trust. (integer value) -#max_redelegation_count = 3 - -# Entry point for the trust backend driver in the `keystone.trust` namespace. -# Keystone only provides a `sql` driver, so there is no reason to change this -# unless you are providing a custom entry point. (string value) -#driver = sql - - -[unified_limit] - -# -# From keystone -# - -# Entry point for the unified limit backend driver in the -# `keystone.unified_limit` namespace. Keystone only provides a `sql` driver, so -# there's no reason to change this unless you are providing a custom entry -# point. (string value) -#driver = sql - -# Toggle for unified limit caching. This has no effect unless global caching is -# enabled. In a typical deployment, there is no reason to disable this. -# (boolean value) -#caching = true - -# Time to cache unified limit data, in seconds. This has no effect unless both -# global caching and `[unified_limit] caching` are enabled. (integer value) -#cache_time = - -# Maximum number of entities that will be returned in a role collection. This -# may be useful to tune if you have a large number of unified limits in your -# deployment. (integer value) -#list_limit = - -# The enforcement model to use when validating limits associated to projects. -# Enforcement models will behave differently depending on the existing limits, -# which may result in backwards incompatible changes if a model is switched in -# a running deployment. (string value) -# Possible values: -# flat - -# strict_two_level - -#enforcement_model = flat - - -[wsgi] - -# -# From keystone -# - -# If set to true, this enables the oslo debug middleware in Keystone. This -# Middleware prints a lot of information about the request and the response. It -# is useful for getting information about the data on the wire (decoded) and -# passed to the WSGI application pipeline. This middleware has no effect on the -# "debug" setting in the [DEFAULT] section of the config file or setting -# Keystone's log-level to "DEBUG"; it is specific to debugging the WSGI data as -# it enters and leaves Keystone (specific request-related data). This option is -# used for introspection on the request and response data between the web -# server (apache, nginx, etc) and Keystone. This middleware is inserted as the -# first element in the middleware chain and will show the data closest to the -# wire. WARNING: NOT INTENDED FOR USE IN PRODUCTION. THIS MIDDLEWARE CAN AND -# WILL EMIT SENSITIVE/PRIVILEGED DATA. (boolean value) -#debug_middleware = false From 65f20384faa28e469b1f47713825706c157275cd Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:22:25 +0100 Subject: [PATCH 07/18] Delete conf_mysql directory --- conf_mysql/99-openstack.conf | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 conf_mysql/99-openstack.conf diff --git a/conf_mysql/99-openstack.conf b/conf_mysql/99-openstack.conf deleted file mode 100644 index 4cd6688..0000000 --- a/conf_mysql/99-openstack.conf +++ /dev/null @@ -1,13 +0,0 @@ -[mysqld] -bind-address = 0.0.0.0 - -default-storage-engine = innodb -innodb_file_per_table = on -max_connections = 4096 -collation-server = utf8_general_ci -character-set-server = utf8 -wait_timeout = 600 -interactive_timeout = 600 -net_read_timeout = 600 -net_write_timeout = 600 - From 98fb9e15b8f011ccf102e7b88f215c6462da8f4f Mon Sep 17 00:00:00 2001 From: Luca D'Agati <66645997+lucadagati@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:22:59 +0100 Subject: [PATCH 08/18] Add files via upload added the compose dir for deployment --- .../conf_conductor/iotronic.conf | 102 + .../conf_keystone/keystone.conf | 2715 +++++++++++++++++ .../conf_mysql/99-openstack.conf | 13 + compose_deployment/conf_ui/local_settings.py | 916 ++++++ compose_deployment/conf_wagent/iotronic.conf | 96 + compose_deployment/docker-compose.yml | 393 +++ 6 files changed, 4235 insertions(+) create mode 100644 compose_deployment/conf_conductor/iotronic.conf create mode 100644 compose_deployment/conf_keystone/keystone.conf create mode 100644 compose_deployment/conf_mysql/99-openstack.conf create mode 100644 compose_deployment/conf_ui/local_settings.py create mode 100644 compose_deployment/conf_wagent/iotronic.conf create mode 100644 compose_deployment/docker-compose.yml diff --git a/compose_deployment/conf_conductor/iotronic.conf b/compose_deployment/conf_conductor/iotronic.conf new file mode 100644 index 0000000..30371a1 --- /dev/null +++ b/compose_deployment/conf_conductor/iotronic.conf @@ -0,0 +1,102 @@ +[DEFAULT] +transport_url = rabbit://openstack:unime@rabbitmq + +debug=True +log_file = /var/log/iotronic/iotronic-conductor.log +proxy=nginx + + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[conductor] +service_port_min=50000 +service_port_max=50100 + +[wamp] +wamp_transport_url = ws://iotronic-wagent:8181/ +wamp_realm = s4t +#skip_cert_verify= False +register_agent = True + + + +[database] +connection = mysql+pymysql://iotronic:unime@iotronic-db/iotronic + +[keystone_authtoken] +www_authenticate_uri = http://keystone:5000 +auth_url = http://keystone:5000 +auth_plugin = password +auth_type = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = unime + + +[neutron] +auth_url = http://controller:5000 +url = http://controller:9696 +auth_strategy = password +auth_type = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = NEUTRON_PASS +retries = 3 +project_domain_id= default + + +[designate] +auth_url = http://controller:5000 +url = http://controller:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = designate +password = password +retries = 3 +project_domain_id= default + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user +# credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. +# Defaults to HTTP Simple Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer +# value) +#max_age = 3600 + +# Indicate which methods can be used during the actual +# request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the +# actual request. (list value) +#allow_headers = diff --git a/compose_deployment/conf_keystone/keystone.conf b/compose_deployment/conf_keystone/keystone.conf new file mode 100644 index 0000000..01e3d6f --- /dev/null +++ b/compose_deployment/conf_keystone/keystone.conf @@ -0,0 +1,2715 @@ +[DEFAULT] +debug = True +#log_config = /etc/keystone/logging.conf +log_dir = /var/log/keystone + +# +# From keystone +# + +# Using this feature is *NOT* recommended. Instead, use the `keystone-manage +# bootstrap` command. The value of this option is treated as a "shared secret" +# that can be used to bootstrap Keystone through the API. This "token" does not +# represent a user (it has no identity), and carries no explicit authorization +# (it effectively bypasses most authorization checks). If set to `None`, the +# value is ignored and the `admin_token` middleware is effectively disabled. +# (string value) +#admin_token = + +# The base public endpoint URL for Keystone that is advertised to clients +# (NOTE: this does NOT affect how Keystone listens for connections). Defaults +# to the base host URL of the request. For example, if keystone receives a +# request to `http://server:5000/v3/users`, then this will option will be +# automatically treated as `http://server:5000`. You should only need to set +# option if either the value of the base URL contains a path that keystone does +# not automatically infer (`/prefix/v3`), or if the endpoint should be found on +# a different host. (uri value) +#public_endpoint = + +# DEPRECATED: The base admin endpoint URL for Keystone that is advertised to +# clients (NOTE: this does NOT affect how Keystone listens for connections). +# Defaults to the base host URL of the request. For example, if keystone +# receives a request to `http://server:35357/v3/users`, then this will option +# will be automatically treated as `http://server:35357`. You should only need +# to set option if either the value of the base URL contains a path that +# keystone does not automatically infer (`/prefix/v3`), or if the endpoint +# should be found on a different host. (uri value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. +# Reason: With the removal of the 2.0 API keystone does not distinguish between +# admin and public endpoints. +#admin_endpoint = + +# Maximum depth of the project hierarchy, excluding the project acting as a +# domain at the top of the hierarchy. WARNING: Setting it to a large value may +# adversely impact performance. (integer value) +#max_project_tree_depth = 5 + +# Limit the sizes of user & project ID/names. (integer value) +#max_param_size = 64 + +# Similar to `[DEFAULT] max_param_size`, but provides an exception for token +# values. With Fernet tokens, this can be set as low as 255. With UUID tokens, +# this should be set to 32). (integer value) +#max_token_size = 255 + +# The maximum number of entities that will be returned in a collection. This +# global limit may be then overridden for a specific driver, by specifying a +# list_limit in the appropriate section (for example, `[assignment]`). No limit +# is set by default. In larger deployments, it is recommended that you set this +# to a reasonable number to prevent operations like listing all users and +# projects from placing an unnecessary load on the system. (integer value) +#list_limit = + +# If set to true, strict password length checking is performed for password +# manipulation. If a password exceeds the maximum length, the operation will +# fail with an HTTP 403 Forbidden error. If set to false, passwords are +# automatically truncated to the maximum length. (boolean value) +#strict_password_check = false + +# If set to true, then the server will return information in HTTP responses +# that may allow an unauthenticated or authenticated user to get more +# information than normal, such as additional details about why authentication +# failed. This may be useful for debugging but is insecure. (boolean value) +#insecure_debug = false + +# Default `publisher_id` for outgoing notifications. If left undefined, +# Keystone will default to using the server's host name. (string value) +#default_publisher_id = + +# Define the notification format for identity service events. A `basic` +# notification only has information about the resource being operated on. A +# `cadf` notification has the same information, as well as information about +# the initiator of the event. The `cadf` option is entirely backwards +# compatible with the `basic` option, but is fully CADF-compliant, and is +# recommended for auditing use cases. (string value) +# Possible values: +# basic - +# cadf - +#notification_format = cadf + +# You can reduce the number of notifications keystone emits by explicitly +# opting out. Keystone will not emit notifications that match the patterns +# expressed in this list. Values are expected to be in the form of +# `identity..`. By default, all notifications related +# to authentication are automatically suppressed. This field can be set +# multiple times in order to opt-out of multiple notification topics. For +# example, the following suppresses notifications describing user creation or +# successful authentication events: notification_opt_out=identity.user.create +# notification_opt_out=identity.authenticate.success (multi valued) +#notification_opt_out = identity.authenticate.success +#notification_opt_out = identity.authenticate.pending +#notification_opt_out = identity.authenticate.failed + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, log-date-format). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol +# which includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is setto "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when +# the service was started) is used when scheduling the next rotation. (string +# value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. (integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message +# is DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG +# or empty string. Logs with level greater or equal to rate_limit_except_level +# are not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# +# From oslo.messaging +# + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size = 30 + +# The pool size limit for connections expiration policy (integer value) +#conn_pool_min_size = 2 + +# The time-to-live in sec of idle connections in the pool (integer value) +#conn_pool_ttl = 1200 + +# Size of executor thread pool when executor is threading or eventlet. (integer +# value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# The network address and optional user credentials for connecting to the +# messaging backend, in URL format. The expected format is: +# +# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query +# +# Example: rabbit://rabbitmq:password@127.0.0.1:5672// +# +# For full details on the fields in the URL see the documentation of +# oslo_messaging.TransportURL at +# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html +# (string value) +#transport_url = rabbit:// + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = keystone + + +[access_rules_config] + +# +# From keystone +# + +# Entry point for the access rules config backend driver in the +# `keystone.access_rules_config` namespace. Keystone only provides a `json` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = json + +# Toggle for access rules caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache access rule data in seconds. This has no effect unless global +# caching is enabled. (integer value) +#cache_time = + +# Path to access rules configuration. If not present, no access rule +# configuration will be loaded and application credential access rules will be +# unavailable. (string value) +#rules_file = /etc/keystone/access_rules.json + +# Toggles permissive mode for access rules. When enabled, application +# credentials can be created with any access rules regardless of operator's +# configuration. (boolean value) +#permissive = false + + +[application_credential] + +# +# From keystone +# + +# Entry point for the application credential backend driver in the +# `keystone.application_credential` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for application credential caching. This has no effect unless global +# caching is enabled. (boolean value) +#caching = true + +# Time to cache application credential data in seconds. This has no effect +# unless global caching is enabled. (integer value) +#cache_time = + +# Maximum number of application credentials a user is permitted to create. A +# value of -1 means unlimited. If a limit is not set, users are permitted to +# create application credentials at will, which could lead to bloat in the +# keystone database or open keystone to a DoS attack. (integer value) +#user_limit = -1 + + +[assignment] + +# +# From keystone +# + +# Entry point for the assignment backend driver (where role assignments are +# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied +# by keystone itself. Unless you are writing proprietary drivers for keystone, +# you do not need to set this option. (string value) +#driver = sql + +# A list of role names which are prohibited from being an implied role. (list +# value) +#prohibited_implied_role = admin + + +[auth] + +# +# From keystone +# + +# Allowed authentication methods. Note: You should disable the `external` auth +# method if you are currently using federation. External auth and federation +# both use the REMOTE_USER variable. Since both the mapped and external plugin +# are being invoked to validate attributes in the request environment, it can +# cause conflicts. (list value) +#methods = external,password,token,oauth1,mapped,application_credential + +# Entry point for the password auth plugin module in the +# `keystone.auth.password` namespace. You do not need to set this unless you +# are overriding keystone's own password authentication plugin. (string value) +#password = + +# Entry point for the token auth plugin module in the `keystone.auth.token` +# namespace. You do not need to set this unless you are overriding keystone's +# own token authentication plugin. (string value) +#token = + +# Entry point for the external (`REMOTE_USER`) auth plugin module in the +# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and +# `Domain`. The default driver is `DefaultDomain`, which assumes that all users +# identified by the username specified to keystone in the `REMOTE_USER` +# variable exist within the context of the default domain. The `Domain` option +# expects an additional environment variable be presented to keystone, +# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if +# `REMOTE_DOMAIN` is not set, then the default domain will be used instead). +# You do not need to set this unless you are taking advantage of "external +# authentication", where the application server (such as Apache) is handling +# authentication instead of keystone. (string value) +#external = + +# Entry point for the OAuth 1.0a auth plugin module in the +# `keystone.auth.oauth1` namespace. You do not need to set this unless you are +# overriding keystone's own `oauth1` authentication plugin. (string value) +#oauth1 = + +# Entry point for the mapped auth plugin module in the `keystone.auth.mapped` +# namespace. You do not need to set this unless you are overriding keystone's +# own `mapped` authentication plugin. (string value) +#mapped = + +# Entry point for the application_credential auth plugin module in the +# `keystone.auth.application_credential` namespace. You do not need to set this +# unless you are overriding keystone's own `application_credential` +# authentication plugin. (string value) +#application_credential = + + +[cache] + +# +# From oslo.cache +# + +# Prefix for building the configuration dictionary for the cache region. This +# should not need to be changed unless there is another dogpile.cache region +# with the same configuration name. (string value) +#config_prefix = cache.oslo + +# Default TTL, in seconds, for any cached item in the dogpile.cache region. +# This applies to any cached method that doesn't have an explicit cache +# expiration time defined for it. (integer value) +#expiration_time = 600 + +# Cache backend module. For eventlet-based or environments with hundreds of +# threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is +# recommended. For environments with less than 100 threaded servers, Memcached +# (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test +# environments with a single instance of the server can use the +# dogpile.cache.memory backend. (string value) +# Possible values: +# oslo_cache.memcache_pool - +# oslo_cache.dict - +# oslo_cache.mongo - +# oslo_cache.etcd3gw - +# dogpile.cache.memcached - +# dogpile.cache.pylibmc - +# dogpile.cache.bmemcached - +# dogpile.cache.dbm - +# dogpile.cache.redis - +# dogpile.cache.memory - +# dogpile.cache.memory_pickle - +# dogpile.cache.null - +#backend = dogpile.cache.null + +# Arguments supplied to the backend module. Specify this option once per +# argument to be passed to the dogpile.cache backend. Example format: +# ":". (multi valued) +#backend_argument = + +# Proxy classes to import that will affect the way the dogpile.cache backend +# functions. See the dogpile.cache documentation on changing-backend-behavior. +# (list value) +#proxies = + +# Global toggle for caching. (boolean value) +#enabled = true + +# Extra debugging from the cache backend (cache keys, get/set/delete/etc +# calls). This is only really useful if you need to see the specific cache- +# backend get/set/delete calls with the keys/values. Typically this should be +# left set to false. (boolean value) +#debug_cache_backend = false + +# Memcache servers in the format of "host:port". (dogpile.cache.memcache and +# oslo_cache.memcache_pool backends only). (list value) +#memcache_servers = localhost:11211 + +# Number of seconds memcached server is considered dead before it is tried +# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only). +# (integer value) +#memcache_dead_retry = 300 + +# Timeout in seconds for every call to a server. (dogpile.cache.memcache and +# oslo_cache.memcache_pool backends only). (floating point value) +#memcache_socket_timeout = 3.0 + +# Max total number of open connections to every memcached server. +# (oslo_cache.memcache_pool backend only). (integer value) +#memcache_pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. (oslo_cache.memcache_pool backend only). (integer value) +#memcache_pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. (integer value) +#memcache_pool_connection_get_timeout = 10 + + +[catalog] + +# +# From keystone +# + +# Absolute path to the file used for the templated catalog backend. This option +# is only used if the `[catalog] driver` is set to `templated`. (string value) +#template_file = default_catalog.templates + +# Entry point for the catalog driver in the `keystone.catalog` namespace. +# Keystone provides a `sql` option (which supports basic CRUD operations +# through SQL), a `templated` option (which loads the catalog from a templated +# catalog file on disk), and a `endpoint_filter.sql` option (which supports +# arbitrary service catalogs per project). (string value) +#driver = sql + +# Toggle for catalog caching. This has no effect unless global caching is +# enabled. In a typical deployment, there is no reason to disable this. +# (boolean value) +#caching = true + +# Time to cache catalog data (in seconds). This has no effect unless global and +# catalog caching are both enabled. Catalog data (services, endpoints, etc.) +# typically does not change frequently, and so a longer duration than the +# global default may be desirable. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a catalog collection. +# There is typically no reason to set this, as it would be unusual for a +# deployment to have enough services or endpoints to exceed a reasonable limit. +# (integer value) +#list_limit = + + +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,Openstack-Auth-Receipt + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,PUT,POST,DELETE,PATCH + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name,Openstack-Auth-Receipt + + +[credential] + +# +# From keystone +# + +# Entry point for the credential backend driver in the `keystone.credential` +# namespace. Keystone only provides a `sql` driver, so there's no reason to +# change this unless you are providing a custom entry point. (string value) +#driver = sql + +# Entry point for credential encryption and decryption operations in the +# `keystone.credential.provider` namespace. Keystone only provides a `fernet` +# driver, so there's no reason to change this unless you are providing a custom +# entry point to encrypt and decrypt credentials. (string value) +#provider = fernet + +# Directory containing Fernet keys used to encrypt and decrypt credentials +# stored in the credential backend. Fernet keys used to encrypt credentials +# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets +# of keys should be managed separately and require different rotation policies. +# Do not share this repository with the repository used to manage keys for +# Fernet tokens. (string value) +#key_repository = /etc/keystone/credential-keys/ + + +[database] +connection = mysql+pymysql://keystone:unime@iotronic-db/keystone + +# +# From oslo.db +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Connections which have been present in the connection pool longer than this +# number of seconds will be replaced with a new one the next time they are +# checked out from the pool. (integer value) +# Deprecated group/name - [DATABASE]/idle_timeout +# Deprecated group/name - [database]/idle_timeout +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#connection_recycle_time = 3600 + +# DEPRECATED: Minimum number of SQL connections to keep open in a pool. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: The option to set the minimum pool size is not supported by +# sqlalchemy. +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of +# 0 indicates no limit. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + +# Optional URL parameters to append onto the connection URL at connect time; +# specify as param1=value1¶m2=value2&... (string value) +#connection_parameters = + + +[domain_config] + +# +# From keystone +# + +# Entry point for the domain-specific configuration driver in the +# `keystone.resource.domain_config` namespace. Only a `sql` option is provided +# by keystone, so there is no reason to set this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for caching of the domain-specific configuration backend. This has no +# effect unless global caching is enabled. There is normally no reason to +# disable this. (boolean value) +#caching = true + +# Time-to-live (TTL, in seconds) to cache domain-specific configuration data. +# This has no effect unless `[domain_config] caching` is enabled. (integer +# value) +#cache_time = 300 + + +[endpoint_filter] + +# +# From keystone +# + +# Entry point for the endpoint filter driver in the `keystone.endpoint_filter` +# namespace. Only a `sql` option is provided by keystone, so there is no reason +# to set this unless you are providing a custom entry point. (string value) +#driver = sql + +# This controls keystone's behavior if the configured endpoint filters do not +# result in any endpoints for a user + project pair (and therefore a +# potentially empty service catalog). If set to true, keystone will return the +# entire service catalog. If set to false, keystone will return an empty +# service catalog. (boolean value) +#return_all_endpoints_if_no_filter = true + + +[endpoint_policy] + +# +# From keystone +# + +# Entry point for the endpoint policy driver in the `keystone.endpoint_policy` +# namespace. Only a `sql` driver is provided by keystone, so there is no reason +# to set this unless you are providing a custom entry point. (string value) +#driver = sql + + +[eventlet_server] + +# +# From keystone +# + +# DEPRECATED: The IP address of the network interface for the public service to +# listen on. (host address value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/public_bind_host +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#public_bind_host = 0.0.0.0 + +# DEPRECATED: The port number for the public service to listen on. (port value) +# Minimum value: 0 +# Maximum value: 65535 +# Deprecated group/name - [DEFAULT]/public_port +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#public_port = 5000 + +# DEPRECATED: The IP address of the network interface for the admin service to +# listen on. (host address value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/admin_bind_host +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#admin_bind_host = 0.0.0.0 + +# DEPRECATED: The port number for the admin service to listen on. (port value) +# Minimum value: 0 +# Maximum value: 65535 +# Deprecated group/name - [DEFAULT]/admin_port +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#admin_port = 35357 + + +[extra_headers] +Distribution = Ubuntu + +# +# From keystone +# + +# Specifies the distribution of the keystone server. (string value) +#Distribution = Ubuntu + + +[federation] + +# +# From keystone +# + +# Entry point for the federation backend driver in the `keystone.federation` +# namespace. Keystone only provides a `sql` driver, so there is no reason to +# set this option unless you are providing a custom entry point. (string value) +#driver = sql + +# Prefix to use when filtering environment variable names for federated +# assertions. Matched variables are passed into the federated mapping engine. +# (string value) +#assertion_prefix = + +# Value to be used to obtain the entity ID of the Identity Provider from the +# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For +# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, +# this could be `MELLON_IDP`. (string value) +#remote_id_attribute = + +# An arbitrary domain name that is reserved to allow federated ephemeral users +# to have a domain concept. Note that an admin will not be able to create a +# domain with this name or update an existing domain to this name. You are not +# advised to change this value unless you really have to. (string value) +#federated_domain_name = Federated + +# A list of trusted dashboard hosts. Before accepting a Single Sign-On request +# to return a token, the origin host must be a member of this list. This +# configuration option may be repeated for multiple values. You must set this +# in order to use web-based SSO flows. For example: +# trusted_dashboard=https://acme.example.com/auth/websso +# trusted_dashboard=https://beta.example.com/auth/websso (multi valued) +#trusted_dashboard = + +# Absolute path to an HTML file used as a Single Sign-On callback handler. This +# page is expected to redirect the user from keystone back to a trusted +# dashboard host, by form encoding a token in a POST request. Keystone's +# default value should be sufficient for most deployments. (string value) +#sso_callback_template = /etc/keystone/sso_callback_template.html + +# Toggle for federation caching. This has no effect unless global caching is +# enabled. There is typically no reason to disable this. (boolean value) +#caching = true + + +[fernet_receipts] + +# +# From keystone +# + +# Directory containing Fernet receipt keys. This directory must exist before +# using `keystone-manage fernet_setup` for the first time, must be writable by +# the user running `keystone-manage fernet_setup` or `keystone-manage +# fernet_rotate`, and of course must be readable by keystone's server process. +# The repository may contain keys in one of three states: a single staged key +# (always index 0) used for receipt validation, a single primary key (always +# the highest index) used for receipt creation and validation, and any number +# of secondary keys (all other index values) used for receipt validation. With +# multiple keystone nodes, each node must share the same key repository +# contents, with the exception of the staged key (index 0). It is safe to run +# `keystone-manage fernet_rotate` once on any one node to promote a staged key +# (index 0) to be the new primary (incremented from the previous highest +# index), and produce a new staged key (a new key with index 0); the resulting +# repository can then be atomically replicated to other nodes without any risk +# of race conditions (for example, it is safe to run `keystone-manage +# fernet_rotate` on host A, wait any amount of time, create a tarball of the +# directory on host A, unpack it on host B to a temporary location, and +# atomically move (`mv`) the directory into place on host B). Running +# `keystone-manage fernet_rotate` *twice* on a key repository without syncing +# other nodes will result in receipts that can not be validated by all nodes. +# (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by `keystone-manage +# fernet_rotate` before they are discarded. The default value of 3 means that +# keystone will maintain one staged key (always index 0), one primary key (the +# highest numerical index), and one secondary key (every other index). +# Increasing this value means that additional secondary keys will be kept in +# the rotation. (integer value) +# Minimum value: 1 +#max_active_keys = 3 + + +[fernet_tokens] + +# +# From keystone +# + +# Directory containing Fernet token keys. This directory must exist before +# using `keystone-manage fernet_setup` for the first time, must be writable by +# the user running `keystone-manage fernet_setup` or `keystone-manage +# fernet_rotate`, and of course must be readable by keystone's server process. +# The repository may contain keys in one of three states: a single staged key +# (always index 0) used for token validation, a single primary key (always the +# highest index) used for token creation and validation, and any number of +# secondary keys (all other index values) used for token validation. With +# multiple keystone nodes, each node must share the same key repository +# contents, with the exception of the staged key (index 0). It is safe to run +# `keystone-manage fernet_rotate` once on any one node to promote a staged key +# (index 0) to be the new primary (incremented from the previous highest +# index), and produce a new staged key (a new key with index 0); the resulting +# repository can then be atomically replicated to other nodes without any risk +# of race conditions (for example, it is safe to run `keystone-manage +# fernet_rotate` on host A, wait any amount of time, create a tarball of the +# directory on host A, unpack it on host B to a temporary location, and +# atomically move (`mv`) the directory into place on host B). Running +# `keystone-manage fernet_rotate` *twice* on a key repository without syncing +# other nodes will result in tokens that can not be validated by all nodes. +# (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by `keystone-manage +# fernet_rotate` before they are discarded. The default value of 3 means that +# keystone will maintain one staged key (always index 0), one primary key (the +# highest numerical index), and one secondary key (every other index). +# Increasing this value means that additional secondary keys will be kept in +# the rotation. (integer value) +# Minimum value: 1 +#max_active_keys = 3 + + +[healthcheck] + +# +# From oslo.middleware +# + +# DEPRECATED: The path to respond to healtcheck requests on. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#path = /healthcheck + +# Show more detailed information as part of the response. Security note: +# Enabling this option may expose sensitive details about the service being +# monitored. Be sure to verify that it will not violate your security policies. +# (boolean value) +#detailed = false + +# Additional backends that can perform health checks and report that +# information back as part of a request. (list value) +#backends = + +# Check the presence of a file to determine if an application is running on a +# port. Used by DisableByFileHealthcheck plugin. (string value) +#disable_by_file_path = + +# Check the presence of a file based on a port to determine if an application +# is running on a port. Expects a "port:path" list of strings. Used by +# DisableByFilesPortsHealthcheck plugin. (list value) +#disable_by_file_paths = + + +[identity] + +# +# From keystone +# + +# This references the domain to use for all Identity API v2 requests (which are +# not aware of domains). A domain with this ID can optionally be created for +# you by `keystone-manage bootstrap`. The domain referenced by this ID cannot +# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There +# is nothing special about this domain, other than the fact that it must exist +# to order to maintain support for your v2 clients. There is typically no +# reason to change this value. (string value) +#default_domain_id = default + +# A subset (or all) of domains can have their own identity driver, each with +# their own partial configuration options, stored in either the resource +# backend or in a file in a domain configuration directory (depending on the +# setting of `[identity] domain_configurations_from_database`). Only values +# specific to the domain need to be specified in this manner. This feature is +# disabled by default, but may be enabled by default in a future release; set +# to true to enable. (boolean value) +#domain_specific_drivers_enabled = false + +# By default, domain-specific configuration data is read from files in the +# directory identified by `[identity] domain_config_dir`. Enabling this +# configuration option allows you to instead manage domain-specific +# configurations through the API, which are then persisted in the backend +# (typically, a SQL database), rather than using configuration files on disk. +# (boolean value) +#domain_configurations_from_database = false + +# Absolute path where keystone should locate domain-specific `[identity]` +# configuration files. This option has no effect unless `[identity] +# domain_specific_drivers_enabled` is set to true. There is typically no reason +# to change this value. (string value) +#domain_config_dir = /etc/keystone/domains + +# Entry point for the identity backend driver in the `keystone.identity` +# namespace. Keystone provides a `sql` and `ldap` driver. This option is also +# used as the default driver selection (along with the other configuration +# variables in this section) in the event that `[identity] +# domain_specific_drivers_enabled` is enabled, but no applicable domain- +# specific configuration is defined for the domain in question. Unless your +# deployment primarily relies on `ldap` AND is not using domain-specific +# configuration, you should typically leave this set to `sql`. (string value) +#driver = sql + +# Toggle for identity caching. This has no effect unless global caching is +# enabled. There is typically no reason to disable this. (boolean value) +#caching = true + +# Time to cache identity data (in seconds). This has no effect unless global +# and identity caching are enabled. (integer value) +#cache_time = 600 + +# Maximum allowed length for user passwords. Decrease this value to improve +# performance. Changing this value does not effect existing passwords. (integer +# value) +# Maximum value: 4096 +#max_password_length = 4096 + +# Maximum number of entities that will be returned in an identity collection. +# (integer value) +#list_limit = + +# The password hashing algorithm to use for passwords stored within keystone. +# (string value) +# Possible values: +# bcrypt - +# scrypt - +# pbkdf2_sha512 - +#password_hash_algorithm = bcrypt + +# This option represents a trade off between security and performance. Higher +# values lead to slower performance, but higher security. Changing this option +# will only affect newly created passwords as existing password hashes already +# have a fixed number of rounds applied, so it is safe to tune this option in a +# running cluster. The default for bcrypt is 12, must be between 4 and 31, +# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The +# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING: +# If using scrypt, increasing this value increases BOTH time AND memory +# requirements to hash a password. (integer value) +#password_hash_rounds = + +# Optional block size to pass to scrypt hash function (the `r` parameter). +# Useful for tuning scrypt to optimal performance for your CPU architecture. +# This option is only used when the `password_hash_algorithm` option is set to +# `scrypt`. Defaults to 8. (integer value) +#scrypt_block_size = + +# Optional parallelism to pass to scrypt hash function (the `p` parameter). +# This option is only used when the `password_hash_algorithm` option is set to +# `scrypt`. Defaults to 1. (integer value) +#scrypt_parallelism = + +# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for +# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a +# maximum of 96 bytes due to the size of the column used to store password +# hashes. (integer value) +# Minimum value: 0 +# Maximum value: 96 +#salt_bytesize = + + +[identity_mapping] + +# +# From keystone +# + +# Entry point for the identity mapping backend driver in the +# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Entry point for the public ID generator for user and group entities in the +# `keystone.identity.id_generator` namespace. The Keystone identity mapper only +# supports generators that produce 64 bytes or less. Keystone only provides a +# `sha256` entry point, so there is no reason to change this value unless +# you're providing a custom entry point. (string value) +#generator = sha256 + +# The format of user and group IDs changed in Juno for backends that do not +# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to +# the underlying attribute in LDAP. By default this mapping is disabled, which +# ensures that existing IDs will not change. Even when the mapping is enabled +# by using domain-specific drivers (`[identity] +# domain_specific_drivers_enabled`), any users and groups from the default +# domain being handled by LDAP will still not be mapped to ensure their IDs +# remain backward compatible. Setting this value to false will enable the new +# mapping for all backends, including the default LDAP driver. It is only +# guaranteed to be safe to enable this option if you do not already have +# assignments for users and groups from the default LDAP domain, and you +# consider it to be acceptable for Keystone to provide the different IDs to +# clients than it did previously (existing IDs in the API will suddenly +# change). Typically this means that the only time you can set this value to +# false is when configuring a fresh installation, although that is the +# recommended value. (boolean value) +#backward_compatible_ids = true + + +[jwt_tokens] + +# +# From keystone +# + +# Directory containing public keys for validating JWS token signatures. This +# directory must exist in order for keystone's server process to start. It must +# also be readable by keystone's server process. It must contain at least one +# public key that corresponds to a private key in `keystone.conf [jwt_tokens] +# jws_private_key_repository`. This option is only applicable in deployments +# issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`. +# (string value) +#jws_public_key_repository = /etc/keystone/jws-keys/public + +# Directory containing private keys for signing JWS tokens. This directory must +# exist in order for keystone's server process to start. It must also be +# readable by keystone's server process. It must contain at least one private +# key that corresponds to a public key in `keystone.conf [jwt_tokens] +# jws_public_key_repository`. In the event there are multiple private keys in +# this directory, keystone will use a key named `private.pem` to sign tokens. +# In the future, keystone may support the ability to sign tokens with multiple +# private keys. For now, only a key named `private.pem` within this directory +# is required to issue JWS tokens. This option is only applicable in +# deployments issuing JWS tokens and setting `keystone.conf [tokens] provider = +# jws`. (string value) +#jws_private_key_repository = /etc/keystone/jws-keys/private + + +[ldap] + +# +# From keystone +# + +# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified +# as a comma separated string. The first URL to successfully bind is used for +# the connection. (string value) +#url = ldap://localhost + +# The user name of the administrator bind DN to use when querying the LDAP +# server, if your LDAP server requires it. (string value) +#user = + +# The password of the administrator bind DN to use when querying the LDAP +# server, if your LDAP server requires it. (string value) +#password = + +# The default LDAP server suffix to use, if a DN is not defined via either +# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value) +#suffix = cn=example,cn=com + +# The search scope which defines how deep to search within the search base. A +# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search +# of objects immediately below to the base object, but does not include the +# base object itself. A value of `sub` (representing `subtree` or +# `wholeSubtree`) indicates a search of both the base object itself and the +# entire subtree below it. (string value) +# Possible values: +# one - +# sub - +#query_scope = one + +# Defines the maximum number of results per page that keystone should request +# from the LDAP server when listing objects. A value of zero (`0`) disables +# paging. (integer value) +# Minimum value: 0 +#page_size = 0 + +# The LDAP dereferencing option to use for queries involving aliases. A value +# of `default` falls back to using default dereferencing behavior configured by +# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced +# at all. A value of `searching` dereferences aliases only after name +# resolution. A value of `finding` dereferences aliases only during name +# resolution. A value of `always` dereferences aliases in all cases. (string +# value) +# Possible values: +# never - +# searching - +# always - +# finding - +# default - +#alias_dereferencing = default + +# Sets the LDAP debugging level for LDAP calls. A value of 0 means that +# debugging is not enabled. This value is a bitmask, consult your LDAP +# documentation for possible values. (integer value) +# Minimum value: -1 +#debug_level = + +# Sets keystone's referral chasing behavior across directory partitions. If +# left unset, the system's default behavior will be used. (boolean value) +#chase_referrals = + +# The search base to use for users. Defaults to the `[ldap] suffix` value. +# (string value) +#user_tree_dn = + +# The LDAP search filter to use for users. (string value) +#user_filter = + +# The LDAP object class to use for users. (string value) +#user_objectclass = inetOrgPerson + +# The LDAP attribute mapped to user IDs in keystone. This must NOT be a +# multivalued attribute. User IDs are expected to be globally unique across +# keystone domains and URL-safe. (string value) +#user_id_attribute = cn + +# The LDAP attribute mapped to user names in keystone. User names are expected +# to be unique only within a keystone domain and are not expected to be URL- +# safe. (string value) +#user_name_attribute = sn + +# The LDAP attribute mapped to user descriptions in keystone. (string value) +#user_description_attribute = description + +# The LDAP attribute mapped to user emails in keystone. (string value) +#user_mail_attribute = mail + +# The LDAP attribute mapped to user passwords in keystone. (string value) +#user_pass_attribute = userPassword + +# The LDAP attribute mapped to the user enabled attribute in keystone. If +# setting this option to `userAccountControl`, then you may be interested in +# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well. +# (string value) +#user_enabled_attribute = enabled + +# Logically negate the boolean value of the enabled attribute obtained from the +# LDAP server. Some LDAP servers use a boolean lock attribute where "true" +# means an account is disabled. Setting `[ldap] user_enabled_invert = true` +# will allow these lock attributes to be used. This option will have no effect +# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` +# options are in use. (boolean value) +#user_enabled_invert = false + +# Bitmask integer to select which bit indicates the enabled value if the LDAP +# server represents "enabled" as a bit on an integer rather than as a discrete +# boolean. A value of `0` indicates that the mask is not used. If this is not +# set to `0` the typical value is `2`. This is typically used when `[ldap] +# user_enabled_attribute = userAccountControl`. Setting this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value) +# Minimum value: 0 +#user_enabled_mask = 0 + +# The default value to enable users. This should match an appropriate integer +# value if the LDAP server uses non-boolean (bitmask) values to indicate if a +# user is enabled or disabled. If this is not set to `True`, then the typical +# value is `512`. This is typically used when `[ldap] user_enabled_attribute = +# userAccountControl`. (string value) +#user_enabled_default = True + +# List of user attributes to ignore on create and update, or whether a specific +# user attribute should be filtered for list or show user. (list value) +#user_attribute_ignore = default_project_id + +# The LDAP attribute mapped to a user's default_project_id in keystone. This is +# most commonly used when keystone has write access to LDAP. (string value) +#user_default_project_id_attribute = + +# If enabled, keystone uses an alternative method to determine if a user is +# enabled or not by checking if they are a member of the group defined by the +# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value) +#user_enabled_emulation = false + +# DN of the group entry to hold enabled users when using enabled emulation. +# Setting this option has no effect unless `[ldap] user_enabled_emulation` is +# also enabled. (string value) +#user_enabled_emulation_dn = + +# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` +# settings to determine membership in the emulated enabled group. Enabling this +# option has no effect unless `[ldap] user_enabled_emulation` is also enabled. +# (boolean value) +#user_enabled_emulation_use_group_config = false + +# A list of LDAP attribute to keystone user attribute pairs used for mapping +# additional attributes to users in keystone. The expected format is +# `:`, where `ldap_attr` is the attribute in the LDAP +# object and `user_attr` is the attribute which should appear in the identity +# API. (list value) +#user_additional_attribute_mapping = + +# The search base to use for groups. Defaults to the `[ldap] suffix` value. +# (string value) +#group_tree_dn = + +# The LDAP search filter to use for groups. (string value) +#group_filter = + +# The LDAP object class to use for groups. If setting this option to +# `posixGroup`, you may also be interested in enabling the `[ldap] +# group_members_are_ids` option. (string value) +#group_objectclass = groupOfNames + +# The LDAP attribute mapped to group IDs in keystone. This must NOT be a +# multivalued attribute. Group IDs are expected to be globally unique across +# keystone domains and URL-safe. (string value) +#group_id_attribute = cn + +# The LDAP attribute mapped to group names in keystone. Group names are +# expected to be unique only within a keystone domain and are not expected to +# be URL-safe. (string value) +#group_name_attribute = ou + +# The LDAP attribute used to indicate that a user is a member of the group. +# (string value) +#group_member_attribute = member + +# Enable this option if the members of the group object class are keystone user +# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the +# group object class in Open Directory. (boolean value) +#group_members_are_ids = false + +# The LDAP attribute mapped to group descriptions in keystone. (string value) +#group_desc_attribute = description + +# List of group attributes to ignore on create and update. or whether a +# specific group attribute should be filtered for list or show group. (list +# value) +#group_attribute_ignore = + +# A list of LDAP attribute to keystone group attribute pairs used for mapping +# additional attributes to groups in keystone. The expected format is +# `:`, where `ldap_attr` is the attribute in the LDAP +# object and `group_attr` is the attribute which should appear in the identity +# API. (list value) +#group_additional_attribute_mapping = + +# If enabled, group queries will use Active Directory specific filters for +# nested groups. (boolean value) +#group_ad_nesting = false + +# An absolute path to a CA certificate file to use when communicating with LDAP +# servers. This option will take precedence over `[ldap] tls_cacertdir`, so +# there is no reason to set both. (string value) +#tls_cacertfile = + +# An absolute path to a CA certificate directory to use when communicating with +# LDAP servers. There is no reason to set this option if you've also set +# `[ldap] tls_cacertfile`. (string value) +#tls_cacertdir = + +# Enable TLS when communicating with LDAP servers. You should also set the +# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this +# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead +# of TLS. (boolean value) +#use_tls = false + +# Specifies which checks to perform against client certificates on incoming TLS +# sessions. If set to `demand`, then a certificate will always be requested and +# required from the LDAP server. If set to `allow`, then a certificate will +# always be requested but not required from the LDAP server. If set to `never`, +# then a certificate will never be requested. (string value) +# Possible values: +# demand - +# never - +# allow -

+ Log in +