Identity API configuration¶
Configuration options¶
The Identity API can be configured by changing the following options:
| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
admin_endpoint = None |
(String) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to http://server:35357/v3/users, then this will option will be automatically treated as http://server:35357. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (/prefix/v3), or if the endpoint should be found on a different host. |
admin_token = None |
(String) Using this feature is NOT recommended. Instead, use the keystone-manage bootstrap command. The value of this option is treated as a “shared secret” that can be used to bootstrap Keystone through the API. This “token” does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to None, the value is ignored and the admin_token middleware is effectively disabled. However, to completely disable admin_token in production (highly recommended, as it presents a security risk), remove AdminTokenAuthMiddleware (the admin_token_auth filter) from your paste application pipelines (for example, in keystone-paste.ini). |
domain_id_immutable = True |
(Boolean) DEPRECATED: Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their domain_id attribute. Allowing such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate policy file (see etc/policy.v3cloudsample.json as an example). This feature is deprecated and will be removed in a future release, in favor of strictly immutable domain IDs. The option to set domain_id_immutable to false has been deprecated in the M release and will be removed in the O release. |
list_limit = None |
(Integer) The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, [assignment]). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system. |
max_param_size = 64 |
(Integer) Limit the sizes of user & project ID/names. |
max_project_tree_depth = 5 |
(Integer) Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance. |
max_token_size = 8192 |
(Integer) Similar to [DEFAULT] max_param_size, but provides an exception for token values. With PKI / PKIZ tokens, this needs to be set close to 8192 (any higher, and other HTTP implementations may break), depending on the size of your service catalog and other factors. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32). |
member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab |
(String) Similar to the [DEFAULT] member_role_name option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined _member_ role (in which case, you should set [DEFAULT] member_role_name as well). |
member_role_name = _member_ |
(String) This is the role name used in combination with the [DEFAULT] member_role_id option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set [DEFAULT] member_role_id as well). |
public_endpoint = None |
(String) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to http://server:5000/v3/users, then this will option will be automatically treated as http://server:5000. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (/prefix/v3), or if the endpoint should be found on a different host. |
secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO |
(String) DEPRECATED: The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. This option has been deprecated in the N release and will be removed in the P release. Use oslo.middleware.http_proxy_to_wsgi configuration instead. |
strict_password_check = False |
(Boolean) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length. |
| [oslo_middleware] | |
enable_proxy_headers_parsing = False |
(Boolean) Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not. |
max_request_body_size = 114688 |
(Integer) The maximum body size for each request, in bytes. |
secure_proxy_ssl_header = X-Forwarded-Proto |
(String) DEPRECATED: The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy. |
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.