Table 6.36. New options
| Option = default value |
(Type) Help string |
| [DEFAULT] admin_workers = None |
(IntOpt) The number of worker processes to serve the admin WSGI application. Defaults to number of CPUs (minimum of 2). |
| [DEFAULT] public_workers = None |
(IntOpt) The number of worker processes to serve the public WSGI application. Defaults to number of CPUs (minimum of 2). |
| [DEFAULT] strict_password_check = False |
(BoolOpt) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length. |
| [cache] memcache_dead_retry = 300 |
(IntOpt) Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends only) |
| [cache] memcache_pool_connection_get_timeout = 10 |
(IntOpt) Number of seconds that an operation will wait to get a memcache client connection. |
| [cache] memcache_pool_maxsize = 10 |
(IntOpt) Max total number of open connections to every memcached server. (keystone.cache.memcache_pool backend only) |
| [cache] memcache_pool_unused_timeout = 60 |
(IntOpt) Number of seconds a connection to memcached is held unused in the pool before it is closed. (keystone.cache.memcache_pool backend only) |
| [cache] memcache_servers = localhost:11211 |
(ListOpt) Memcache servers in the format of "host:port". (dogpile.cache.memcache and keystone.cache.memcache_pool backends only) |
| [cache] memcache_socket_timeout = 3 |
(IntOpt) Timeout in seconds for every call to a server. (dogpile.cache.memcache and keystone.cache.memcache_pool backends only) |
| [catalog] cache_time = None |
(IntOpt) Time to cache catalog data (in seconds). This has no effect unless global and catalog caching are enabled. |
| [catalog] caching = True |
(BoolOpt) Toggle for catalog caching. This has no effect unless global caching is enabled. |
| [database] slave_connection = None |
(StrOpt) The SQLAlchemy connection string to use to connect to the slave database. |
| [endpoint_policy] driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy |
(StrOpt) Endpoint policy backend driver |
| [identity_mapping] backward_compatible_ids = True |
(BoolOpt) The format of user and group IDs changed in Juno for backends that do not generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the underlying attribute in LDAP. By default this mapping is disabled, which ensures that existing IDs will not change. Even when the mapping is enabled by using domain specific drivers, any users and groups from the default domain being handled by LDAP will still not be mapped to ensure their IDs remain backward compatible. Setting this value to False will enable the mapping for even the default LDAP driver. It is only safe to do this if you do not already have assignments for users and groups from the default LDAP domain, and it is acceptable for Keystone to provide the different IDs to clients than it did previously. Typically this means that the only time you can set this value to False is when configuring a fresh installation. |
| [identity_mapping] driver = keystone.identity.mapping_backends.sql.Mapping |
(StrOpt) Keystone Identity Mapping backend driver. |
| [identity_mapping] generator = keystone.identity.id_generators.sha256.Generator |
(StrOpt) Public ID generator for user and group entities. The Keystone identity mapper only supports generators that produce no more than 64 characters. |
| [keystone_authtoken] check_revocations_for_cached = False |
(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server. |
| [keystone_authtoken] hash_algorithms = md5 |
(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance. |
| [keystone_authtoken] identity_uri = None |
(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/ |
| [keystone_ec2_token] cafile = None |
(StrOpt) A PEM encoded certificate authority to use when verifying HTTPS connections. Defaults to the system CAs. |
| [keystone_ec2_token] certfile = None |
(StrOpt) Client certificate key filename. Required if EC2 server requires client certificate. |
| [keystone_ec2_token] insecure = False |
(BoolOpt) Disable SSL certificate verification. |
| [keystone_ec2_token] keyfile = None |
(StrOpt) Required if EC2 server requires client certificate. |
| [keystone_ec2_token] url = http://localhost:5000/v2.0/ec2tokens |
(StrOpt) URL to get token from ec2 request. |
| [ldap] auth_pool_connection_lifetime = 60 |
(IntOpt) End user auth connection lifetime in seconds. |
| [ldap] auth_pool_size = 100 |
(IntOpt) End user auth connection pool size. |
| [ldap] debug_level = None |
(IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values. |
| [ldap] pool_connection_lifetime = 600 |
(IntOpt) Connection lifetime in seconds. |
| [ldap] pool_connection_timeout = -1 |
(IntOpt) Connector timeout in seconds. Value -1 indicates indefinite wait for response. |
| [ldap] pool_retry_delay = 0.1 |
(FloatOpt) Time span in seconds to wait between two reconnect trials. |
| [ldap] pool_retry_max = 3 |
(IntOpt) Maximum count of reconnect trials. |
| [ldap] pool_size = 10 |
(IntOpt) Connection pool size. |
| [ldap] project_additional_attribute_mapping = |
(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
| [ldap] project_allow_create = True |
(BoolOpt) Allow project creation in LDAP backend. |
| [ldap] project_allow_delete = True |
(BoolOpt) Allow project deletion in LDAP backend. |
| [ldap] project_allow_update = True |
(BoolOpt) Allow project update in LDAP backend. |
| [ldap] project_attribute_ignore = |
(ListOpt) List of attributes stripped off the project on update. |
| [ldap] project_desc_attribute = description |
(StrOpt) LDAP attribute mapped to project description. |
| [ldap] project_domain_id_attribute = businessCategory |
(StrOpt) LDAP attribute mapped to project domain_id. |
| [ldap] project_enabled_attribute = enabled |
(StrOpt) LDAP attribute mapped to project enabled. |
| [ldap] project_enabled_emulation = False |
(BoolOpt) If true, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "project_enabled_emulation_dn" group. |
| [ldap] project_enabled_emulation_dn = None |
(StrOpt) DN of the group entry to hold enabled projects when using enabled emulation. |
| [ldap] project_filter = None |
(StrOpt) LDAP search filter for projects. |
| [ldap] project_id_attribute = cn |
(StrOpt) LDAP attribute mapped to project id. |
| [ldap] project_member_attribute = member |
(StrOpt) LDAP attribute mapped to project membership for user. |
| [ldap] project_name_attribute = ou |
(StrOpt) LDAP attribute mapped to project name. |
| [ldap] project_objectclass = groupOfNames |
(StrOpt) LDAP objectclass for projects. |
| [ldap] project_tree_dn = None |
(StrOpt) Search base for projects |
| [ldap] use_auth_pool = False |
(BoolOpt) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all. |
| [ldap] use_pool = False |
(BoolOpt) Enable LDAP connection pooling. |
| [ldap] user_enabled_invert = False |
(BoolOpt) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use. |
| [memcache] dead_retry = 300 |
(IntOpt) Number of seconds memcached server is considered dead before it is tried again. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] pool_connection_get_timeout = 10 |
(IntOpt) Number of seconds that an operation will wait to get a memcache client connection. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] pool_maxsize = 10 |
(IntOpt) Max total number of open connections to every memcached server. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] pool_unused_timeout = 60 |
(IntOpt) Number of seconds a connection to memcached is held unused in the pool before it is closed. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] socket_timeout = 3 |
(IntOpt) Timeout in seconds for every call to a server. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [saml] assertion_expiration_time = 3600 |
(IntOpt) Default TTL, in seconds, for any generated SAML assertion created by Keystone. |
| [saml] certfile = /etc/keystone/ssl/certs/signing_cert.pem |
(StrOpt) Path of the certfile for SAML signing. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates. Note, the path cannot contain a comma. |
| [saml] idp_contact_company = None |
(StrOpt) Company of contact person. |
| [saml] idp_contact_email = None |
(StrOpt) Email address of contact person. |
| [saml] idp_contact_name = None |
(StrOpt) Given name of contact person |
| [saml] idp_contact_surname = None |
(StrOpt) Surname of contact person. |
| [saml] idp_contact_telephone = None |
(StrOpt) Telephone number of contact person. |
| [saml] idp_contact_type = other |
(StrOpt) Contact type. Allowed values are: technical, support, administrative billing, and other |
| [saml] idp_entity_id = None |
(StrOpt) Entity ID value for unique Identity Provider identification. Usually FQDN is set with a suffix. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/idp |
| [saml] idp_lang = en |
(StrOpt) Language used by the organization. |
| [saml] idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml |
(StrOpt) Path to the Identity Provider Metadata file. This file should be generated with the keystone-manage saml_idp_metadata command. |
| [saml] idp_organization_display_name = None |
(StrOpt) Organization name to be displayed. |
| [saml] idp_organization_name = None |
(StrOpt) Organization name the installation belongs to. |
| [saml] idp_organization_url = None |
(StrOpt) URL of the organization. |
| [saml] idp_sso_endpoint = None |
(StrOpt) Identity Provider Single-Sign-On service value, required in the Identity Provider's metadata. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso |
| [saml] keyfile = /etc/keystone/ssl/private/signing_key.pem |
(StrOpt) Path of the keyfile for SAML signing. Note, the path cannot contain a comma. |
| [saml] xmlsec1_binary = xmlsec1 |
(StrOpt) Binary to be called for XML signing. Install the appropriate package, specify absolute path or adjust your PATH environment variable if the binary cannot be found. |
| [token] hash_algorithm = md5 |
(StrOpt) The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly. |
