 Chapter 1. Identity Service

The OpenStack Identity Service has several configuration options.

 Identity Service configuration files

keystone.conf

The Identity Service /etc/keystone/keystone.conf configuration file is an INI-format file with sections.

The [DEFAULT] section configures general configuration values.

Specific sections, such as the [sql] and [ec2] sections, configure individual services.

Table 1.1. keystone.conf file sections
Section Description
[DEFAULT] General configuration.
[sql] Optional storage back-end configuration.
[ec2] Amazon EC2 authentication driver configuration.
[s3] Amazon S3 authentication driver configuration.
[identity] Identity Service system driver configuration.
[catalog] Service catalog driver configuration.
[token] Token driver configuration.
[policy] Policy system driver configuration for RBAC.
[signing] Cryptographic signatures for PKI based tokens.
[ssl] SSL configuration.

When you start the Identity Service, you can use the --config-file parameter to specify a configuration file.

If you do not specify a configuration file, the Identity Service looks for the keystone.conf configuration file in these directories in this order:

  1. ~/.keystone

  2. ~/

  3. /etc/keystone

  4. /etc

keystone-paste.ini

The /etc/keystone/keystone-paste.ini file configures the Identity Service WSGI middleware pipeline.

 Certificates for PKI

PKI stands for Public Key Infrastructure. Tokens are documents cryptographically signed according to the X.509 standard. Token generation requires a public/private key pair. The public key must be wrapped in an X.509 certificate, and the certificate used to sign it must be available as the Certificate Authority (CA) certificate. These files can be generated with the keystone-manage utility or generated externally. The files must be in the locations specified by the top-level Identity Service configuration file, keystone.conf, as described in the previous section. Additionally, the private key should be readable only by the system user that runs the Identity Service.

[Warning]Warning

The certificates can be world readable, but the private key cannot be. The private key should be readable only by the account that is going to sign tokens. When you generate the files with the keystone-manage pki_setup command, your best option is to run it as the pki user. If you run keystone-manage as root, you can append the --keystone-user and --keystone-group parameters to set the user name and group that keystone is going to run under.

The values that specify where to read the certificates are under the [signing] section of the configuration file. The configuration values are:

  • token_format - Determines the algorithm used to generate tokens. Can be either UUID or PKI. Defaults to PKI.

  • certfile - Location of certificate used to verify tokens. Default is /etc/keystone/ssl/certs/signing_cert.pem.

  • keyfile - Location of private key used to sign tokens. Default is /etc/keystone/ssl/private/signing_key.pem.

  • ca_certs - Location of certificate for the authority that issued the above certificate. Default is /etc/keystone/ssl/certs/ca.pem.

  • key_size - Default is 1024.

  • valid_days - Default is 3650.

  • ca_password - Password required to read the ca_file. Default is None.

If token_format=UUID, a typical token looks like 53f7f6ef0cc344b5be706bcc8b1479e1. If token_format=PKI, a typical token is a much longer string, such as:

MIIKtgYJKoZIhvcNAQcCoIIKpzCCCqMCAQExCTAHBgUrDgMCGjCCCY8GCSqGSIb3DQEHAaCCCYAEggl8eyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wNS0z
MFQxNTo1MjowNi43MzMxOTgiLCAiZXhwaXJlcyI6ICIyMDEzLTA1LTMxVDE1OjUyOjA2WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogbnVs
bCwgImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiYzJjNTliNGQzZDI4NGQ4ZmEwOWYxNjljYjE4MDBlMDYiLCAibmFtZSI6ICJkZW1vIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRw
b2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC4yNy4xMDA6ODc3NC92Mi9jMmM1OWI0ZDNkMjg0ZDhmYTA5ZjE2OWNiMTgwMGUwNiIsICJyZWdpb24iOiAiUmVnaW9u
T25lIiwgImludGVybmFsVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3LjEwMDo4Nzc0L3YyL2MyYzU5YjRkM2QyODRkOGZhMDlmMTY5Y2IxODAwZTA2IiwgImlkIjogIjFmYjMzYmM5M2Y5
ODRhNGNhZTk3MmViNzcwOTgzZTJlIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTkyLjE2OC4yNy4xMDA6ODc3NC92Mi9jMmM1OWI0ZDNkMjg0ZDhmYTA5ZjE2OWNiMTgwMGUwNiJ9XSwg
ImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJjb21wdXRlIiwgIm5hbWUiOiAibm92YSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3
LjEwMDozMzMzIiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguMjcuMTAwOjMzMzMiLCAiaWQiOiAiN2JjMThjYzk1NWFiNDNkYjhm
MGU2YWNlNDU4NjZmMzAiLCAicHVibGljVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3LjEwMDozMzMzIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBlIjogInMzIiwgIm5hbWUi
OiAiczMifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC4yNy4xMDA6OTI5MiIsICJyZWdpb24iOiAiUmVnaW9uT25lIiwgImludGVybmFsVVJMIjog
Imh0dHA6Ly8xOTIuMTY4LjI3LjEwMDo5MjkyIiwgImlkIjogIjczODQzNTJhNTQ0MjQ1NzVhM2NkOTVkN2E0YzNjZGY1IiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTkyLjE2OC4yNy4x
MDA6OTI5MiJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpbWFnZSIsICJuYW1lIjogImdsYW5jZSJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6
Ly8xOTIuMTY4LjI3LjEwMDo4Nzc2L3YxL2MyYzU5YjRkM2QyODRkOGZhMDlmMTY5Y2IxODAwZTA2IiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDov
LzE5Mi4xNjguMjcuMTAwOjg3NzYvdjEvYzJjNTliNGQzZDI4NGQ4ZmEwOWYxNjljYjE4MDBlMDYiLCAiaWQiOiAiMzQ3ZWQ2ZThjMjkxNGU1MGFlMmJiNjA2YWQxNDdjNTQiLCAicHVi
bGljVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3LjEwMDo4Nzc2L3YxL2MyYzU5YjRkM2QyODRkOGZhMDlmMTY5Y2IxODAwZTA2In1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0eXBl
IjogInZvbHVtZSIsICJuYW1lIjogImNpbmRlciJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3LjEwMDo4NzczL3NlcnZpY2VzL0FkbWluIiwg
InJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguMjcuMTAwOjg3NzMvc2VydmljZXMvQ2xvdWQiLCAiaWQiOiAiMmIwZGMyYjNlY2U4NGJj
YWE1NDAzMDMzNzI5YzY3MjIiLCAicHVibGljVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3LjEwMDo4NzczL3NlcnZpY2VzL0Nsb3VkIn1dLCAiZW5kcG9pbnRzX2xpbmtzIjogW10sICJ0
eXBlIjogImVjMiIsICJuYW1lIjogImVjMiJ9LCB7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHA6Ly8xOTIuMTY4LjI3LjEwMDozNTM1Ny92Mi4wIiwgInJlZ2lvbiI6ICJS
ZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguMjcuMTAwOjUwMDAvdjIuMCIsICJpZCI6ICJiNTY2Y2JlZjA2NjQ0ZmY2OWMyOTMxNzY2Yjc5MTIyOSIsICJw
dWJsaWNVUkwiOiAiaHR0cDovLzE5Mi4xNjguMjcuMTAwOjUwMDAvdjIuMCJ9XSwgImVuZHBvaW50c19saW5rcyI6IFtdLCAidHlwZSI6ICJpZGVudGl0eSIsICJuYW1lIjogImtleXN0
b25lIn1dLCAidXNlciI6IHsidXNlcm5hbWUiOiAiZGVtbyIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQiOiAiZTVhMTM3NGE4YTRmNDI4NWIzYWQ3MzQ1MWU2MDY4YjEiLCAicm9sZXMi
OiBbeyJuYW1lIjogImFub3RoZXJyb2xlIn0sIHsibmFtZSI6ICJNZW1iZXIifV0sICJuYW1lIjogImRlbW8ifSwgIm1ldGFkYXRhIjogeyJpc19hZG1pbiI6IDAsICJyb2xlcyI6IFsi
YWRiODM3NDVkYzQzNGJhMzk5ODllNjBjOTIzYWZhMjgiLCAiMzM2ZTFiNjE1N2Y3NGFmZGJhNWUwYTYwMWUwNjM5MmYiXX19fTGB-zCB-AIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYD
VQQIEwVVbnNldDEOMAwGA1UEBxMFVW5zZXQxDjAMBgNVBAoTBVVuc2V0MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEgYCAHLpsEs2R
nouriuiCgFayIqCssK3SVdhOMINiuJtqv0sE-wBDFiEj-Prcudqlz-n+6q7VgV4mwMPszz39-rwp+P5l4AjrJasUm7FrO-4l02tPLaaZXU1gBQ1jUG5e5aL5jPDP08HbCWuX6wr-QQQB
SrWY8lF3HrTcJT23sZIleg==
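The two token shapes above can be told apart mechanically, and the PKI form can be inspected without any Keystone code: it is a DER-encoded CMS SignedData structure, base64-encoded with every '/' replaced by '-'. The following Python is an added example written for this page, not Keystone's own implementation; it reuses the UUID token and the first 140 characters of the PKI token printed above as its sample input, decodes the outer DER envelope to confirm the content type OID, and includes a helper that applies the warning above about private key permissions to a file mode (the caller passes `os.stat(keyfile).st_mode`). It only reads the envelope and does not verify the signature.

```python
import base64
import re
import stat

# Sample tokens copied from the section above. The PKI token is truncated to
# its first 140 characters; that prefix is enough to inspect the DER header.
SAMPLE_UUID_TOKEN = "53f7f6ef0cc344b5be706bcc8b1479e1"
SAMPLE_PKI_PREFIX = (
    "MIIKtgYJKoZIhvcNAQcCoIIKpzCCCqMCAQExCTAHBgUrDgMCGjCCCY8GCSqGSIb3DQEHAaCCCYAEggl8"
    "eyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wNS0z"
)

# PKCS#7 / CMS content type for SignedData, which is what a PKI token carries.
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"


def token_format(token):
    """Classify a token string as 'UUID', 'PKI' or 'unknown' by shape alone."""
    if re.fullmatch(r"[0-9a-f]{32}", token):
        return "UUID"
    # Keystone emits PKI tokens as base64 with '/' replaced by '-'; the leading
    # "MII" is the base64 form of a DER SEQUENCE with a two-byte length.
    if token.startswith("MII") and re.fullmatch(r"[A-Za-z0-9+\-=]+", token):
        return "PKI"
    return "unknown"


def pki_token_to_der(token):
    """Undo the '/' -> '-' substitution and base64-decode the token."""
    b64 = token.replace("-", "/")
    b64 += "=" * (-len(b64) % 4)  # tolerate a truncated prefix
    return base64.b64decode(b64)


def _der_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_oid(body):
    """Decode the bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_pki_token(token):
    """Parse the outer ContentInfo: SEQUENCE { contentType OID, ... }.

    Reads the envelope only; it does not verify the signature.
    """
    der = pki_token_to_der(token)
    if der[0] != 0x30:
        raise ValueError("PKI token is not a DER SEQUENCE")
    total, pos = _der_length(der, 1)
    if der[pos] != 0x06:
        raise ValueError("expected contentType OID")
    oid_len, pos = _der_length(der, pos + 1)
    oid = _der_oid(der[pos:pos + oid_len])
    return {
        "declared_length": total,
        "content_type": oid,
        "is_signed_data": oid == ID_SIGNED_DATA,
    }


def key_mode_is_private(mode):
    """True when a file mode grants no group or other permission at all.

    Pass os.stat(keyfile).st_mode to check the signing private key.
    """
    return (stat.S_IMODE(mode) & 0o077) == 0


if __name__ == "__main__":
    print(token_format(SAMPLE_UUID_TOKEN), token_format(SAMPLE_PKI_PREFIX))
    print(inspect_pki_token(SAMPLE_PKI_PREFIX))
    print(key_mode_is_private(0o100600), key_mode_is_private(0o100644))
```

The declared length in the envelope (2742 bytes for the sample) is larger than the truncated prefix supplies, which is expected; a complete token decodes to exactly that many bytes after the four-byte header.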

 Sign certificate issued by external CA

You can use a signing certificate issued by an external CA instead of one generated by keystone-manage. However, a certificate issued by an external CA must satisfy the following conditions:

  • all certificate and key files must be in Privacy Enhanced Mail (PEM) format

  • private key files must not be protected by a password

When you use a signing certificate issued by an external CA, you do not need to specify key_size, valid_days, and ca_password, because they are ignored.

The basic workflow for using a signing certificate issued by an external CA involves:

  1. Request Signing Certificate from External CA

  2. Convert certificate and private key to PEM if needed

  3. Install External Signing Certificate

 Request a signing certificate from an external CA

One way to request a signing certificate from an external CA is to first generate a PKCS #10 certificate signing request (CSR) with the OpenSSL CLI.

First create a certificate request configuration file (e.g. cert_req.conf):

[ req ]
default_bits            = 1024
default_keyfile         = keystonekey.pem
default_md              = sha1

prompt                  = no
distinguished_name      = distinguished_name

[ distinguished_name ]
countryName             = US
stateOrProvinceName     = CA
localityName            = Sunnyvale
organizationName        = OpenStack
organizationalUnitName  = Keystone
commonName              = Keystone Signing
emailAddress            = [email protected]

Then generate the CSR with the OpenSSL CLI. Do not encrypt the generated private key: you must use the -nodes option.

For example:

$ openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM \
  -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes

If everything is successful, you end up with signing_cert_req.pem and signing_key.pem. Send signing_cert_req.pem to your CA to request a token signing certificate, and ask for the certificate in PEM format. Also make sure that your trusted CA certificate chain is in PEM format.

 Install an external signing certificate

Assuming you have the following already:

  • signing_cert.pem - (Keystone token) signing certificate in PEM format

  • signing_key.pem - corresponding (non-encrypted) private key in PEM format

  • cacert.pem - trust CA certificate chain in PEM format

Copy the above to your certificate directory. For example:

# mkdir -p /etc/keystone/ssl/certs
# cp signing_cert.pem /etc/keystone/ssl/certs/
# cp signing_key.pem /etc/keystone/ssl/certs/
# cp cacert.pem /etc/keystone/ssl/certs/
# chmod -R 700 /etc/keystone/ssl/certs
[Note]Note

Make sure the certificate directory is only accessible by root.

If your certificate directory path is different from the default /etc/keystone/ssl/certs, make sure it is reflected in the [signing] section of the configuration file.
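The two conditions for an externally issued certificate (PEM format, private key not password protected) and the [signing] entries that must match the installed files can be checked before the service is restarted. The Python below is an added example for this page, not Keystone tooling: it classifies a PEM private key as unencrypted or encrypted (both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" label), converts a DER blob to PEM armor for the "convert if needed" step, and reads a [signing] fragment with configparser to report missing paths and options that the page says are ignored with an external CA. The key bodies and the configuration fragment are constructed placeholders; the ca_certs path follows the cacert.pem name used in the install steps above.

```python
import base64
import configparser

# Constructed sample inputs (not real keys).
SAMPLE_CONF = """
[signing]
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/certs/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/cacert.pem
"""

UNENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK...(constructed placeholder body)...
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_LEGACY_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

...(constructed placeholder body)...
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_PKCS8_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
...(constructed placeholder body)...
-----END ENCRYPTED PRIVATE KEY-----
"""

PRIVATE_KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def private_key_pem_status(pem_text):
    """'ok' for an unencrypted PEM private key, 'encrypted' if it is password
    protected, 'not_private_key' for anything else (DER, a certificate, ...)."""
    lines = [line.strip() for line in pem_text.splitlines() if line.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "not_private_key"
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted form
        return "encrypted"
    if label not in PRIVATE_KEY_LABELS:
        return "not_private_key"
    # Legacy OpenSSL format announces encryption in the header lines.
    if any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:4]):
        return "encrypted"
    return "ok"


def looks_like_der(data):
    """DER certificates and keys begin with a SEQUENCE tag (0x30)."""
    return len(data) > 2 and data[0] == 0x30


def der_to_pem(der_bytes, label):
    """Wrap DER bytes in PEM armor: base64 in 64-column lines, e.g. label 'CERTIFICATE'."""
    body = base64.b64encode(der_bytes).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def check_signing_section(conf_text):
    """Return a list of findings for the [signing] section of a keystone.conf text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    if not cfg.has_section("signing"):
        return ["missing [signing] section"]
    findings = []
    for opt in ("certfile", "keyfile", "ca_certs"):
        if not cfg.get("signing", opt, fallback=""):
            findings.append(f"{opt} is not set")
    fmt = cfg.get("signing", "token_format", fallback="PKI")
    if fmt not in ("UUID", "PKI"):
        findings.append(f"token_format must be UUID or PKI, got {fmt!r}")
    for opt in ("key_size", "valid_days", "ca_password"):
        if cfg.has_option("signing", opt):
            findings.append(f"{opt} is ignored with an externally issued certificate")
    return findings


if __name__ == "__main__":
    for name, key in (("unencrypted", UNENCRYPTED_KEY), ("legacy", ENCRYPTED_LEGACY_KEY),
                      ("pkcs8", ENCRYPTED_PKCS8_KEY)):
        print(name, private_key_pem_status(key))
    print(der_to_pem(b"\x30\x03\x02\x01\x01", "CERTIFICATE"))
    print(check_signing_section(SAMPLE_CONF + "key_size = 2048\n"))
```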

 Configure the Identity Service with SSL

You can configure the Identity Service to support two-way SSL.

You must obtain the x509 certificates externally and configure them.

The Identity Service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:

Certificate types

cacert.pem

Certificate Authority chain to validate against.

ssl_cert.pem

Public certificate for Identity Service server.

middleware.pem

Public and private certificate for Identity Service middleware/client.

cakey.pem

Private key for the CA.

ssl_key.pem

Private key for the Identity Service server.

[Note]Note

You can choose names for these certificates. You can also combine the public/private keys in the same file, if you wish. These certificates are provided as an example.

 SSL configuration

To enable SSL with client authentication, modify the [ssl] section in the etc/keystone.conf file. The following SSL configuration example uses the included sample certificates:

[ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True

Options

  • enable. True enables SSL. Default is False.

  • certfile. Path to the Identity Service public certificate file.

  • keyfile. Path to the Identity Service private certificate file. If you include the private key in the certfile, you can omit the keyfile.

  • ca_certs. Path to the CA trust chain.

  • cert_required. Requires client certificate. Default is False.

 External authentication with the Identity Service

When the Identity Service runs in apache-httpd, you can use external authentication methods that differ from the authentication provided by the identity store back-end. For example, you can use an SQL identity back-end together with X.509 authentication, Kerberos, and so on instead of using the user name and password combination.

 Use HTTPD authentication

Web servers, like Apache HTTP, support many methods of authentication. The Identity Service can allow the web server to perform the authentication. The web server then passes the authenticated user to the Identity Service by using the REMOTE_USER environment variable. This user must already exist in the Identity Service back-end so as to get a token from the controller. To use this method, the Identity Service should run on apache-httpd.

 Use X.509

The following Apache configuration snippet authenticates the user based on a valid X.509 certificate from a known CA:

    <VirtualHost _default_:5000>
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl.cert
        SSLCertificateKeyFile /etc/ssl/private/ssl.key

        SSLCACertificatePath /etc/ssl/allowed_cas
        SSLCARevocationPath  /etc/ssl/allowed_cas
        SSLUserName          SSL_CLIENT_S_DN_CN
        SSLVerifyClient      require
        SSLVerifyDepth       10

        (...)
    </VirtualHost>

 Configure the Identity Service with an LDAP back-end

As an alternative to the SQL database backing store, the Identity Service can use a directory server to provide the Identity Service, for example:

dn: dc=AcmeExample,dc=org
dc: AcmeExample
objectClass: dcObject
objectClass: organizationalUnit
ou: AcmeExample

dn: ou=Groups,dc=AcmeExample,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=Users,dc=AcmeExample,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=Roles,dc=AcmeExample,dc=org
objectClass: top
objectClass: organizationalUnit
ou: roles

The corresponding entries in the keystone.conf configuration file are:

[ldap]
url = ldap://localhost
user = dc=Manager,dc=AcmeExample,dc=org
password = badpassword
suffix = dc=AcmeExample,dc=org
use_dumb_member = False
allow_subtree_delete = False

user_tree_dn = ou=Users,dc=AcmeExample,dc=org
user_objectclass = inetOrgPerson

tenant_tree_dn = ou=Groups,dc=AcmeExample,dc=org
tenant_objectclass = groupOfNames

role_tree_dn = ou=Roles,dc=AcmeExample,dc=org
role_objectclass = organizationalRole

The default object classes and attributes are intentionally simple. They reflect the common standard objects according to the LDAP RFCs. However, in a live deployment, you can override the attributes to support a preexisting, complex schema. For example, in the user object, the objectClass posixAccount from RFC 2307 is very common. If this is the underlying objectClass, the uid field should probably be uidNumber and the username field either uid or cn. To change these two fields, the corresponding entries in the Keystone configuration file are:

[ldap]
user_id_attribute = uidNumber
user_name_attribute = cn

Depending on your deployment, you can modify a set of allowed actions for each object type. For example, you might set the following options:

[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False

tenant_allow_create = True
tenant_allow_update = True
tenant_allow_delete = True

role_allow_create = True
role_allow_update = True
role_allow_delete = True

If the back-end provides too much output, you can filter users, tenants, and roles. For example:

[ldap]
user_filter = (memberof=CN=acme-users,OU=workgroups,DC=AcmeExample,DC=com)
tenant_filter =
role_filter =

If the directory server does not store the user's enabled status as a boolean, you can use configuration options to extract the value from an integer attribute. For example, in Active Directory:

[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask      = 2
user_enabled_default   = 512

The attribute is an integer. Bit 1 (value 2) is the flag that marks the account as disabled. If user_enabled_mask is not 0, the Identity Service reads the value of the user_enabled_attribute field and performs a bitwise AND with the user_enabled_mask value. If the result matches the mask, the account is disabled.

It also saves the value without the mask applied in the enabled_nomask attribute of the identity user. When you must change it to enable or disable a user, you can use this value because it contains more information than the status, such as password expiration. The user_enabled_default value is required to create a default value on the integer attribute (512 = NORMAL ACCOUNT on AD).
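The mask logic above is easy to get backwards, so here it is carried through on constructed Active Directory style entries. This Python is an added example for this page, not the Identity Service's LDAP driver: it applies the [ldap] options shown above (user_enabled_attribute, user_enabled_mask, user_enabled_default) to derive `enabled` and `enabled_nomask` from a userAccountControl value, and does the reverse when an administrator enables or disables a user, preserving the other bits (such as the password never expires flag) instead of overwriting the whole attribute.

```python
# userAccountControl is a bit field. These two flag values are the ones the
# section above relies on; the third is just an example of an extra bit that
# enabled_nomask preserves.
ACCOUNTDISABLE = 0x2          # bit 1: set means the account is disabled
NORMAL_ACCOUNT = 0x200        # 512, the user_enabled_default above
DONT_EXPIRE_PASSWORD = 0x10000

# Mirrors the [ldap] options in the section above.
LDAP_CONF = {
    "user_enabled_attribute": "userAccountControl",
    "user_enabled_mask": 2,
    "user_enabled_default": 512,
}

# Constructed sample directory entries (values are strings, as LDAP returns them).
SAMPLE_ENTRIES = {
    "alice": {"cn": "alice", "userAccountControl": "512"},    # normal, enabled
    "bob":   {"cn": "bob",   "userAccountControl": "514"},    # 512 | 2 -> disabled
    "carol": {"cn": "carol", "userAccountControl": "66048"},  # 512 | 65536 -> enabled
    "dave":  {"cn": "dave"},                                  # attribute missing
}


def enabled_from_attribute(raw_value, mask):
    """Bitwise AND of the attribute with the mask; a match means disabled."""
    if mask == 0:
        raise ValueError("mask 0 means the attribute is a boolean, not a bit field")
    return (int(raw_value) & mask) != mask


def ldap_to_user(entry, conf):
    """Build the identity user view: enabled flag plus the unmasked raw value."""
    raw = entry.get(conf["user_enabled_attribute"], conf["user_enabled_default"])
    return {
        "name": entry["cn"],
        "enabled": enabled_from_attribute(raw, conf["user_enabled_mask"]),
        "enabled_nomask": int(raw),
    }


def attribute_for_enabled(enabled, enabled_nomask, conf):
    """Compute the value to write back when enabling or disabling a user.

    Starts from enabled_nomask when known (so unrelated bits survive) and from
    user_enabled_default otherwise, then clears or sets the mask bit.
    """
    mask = conf["user_enabled_mask"]
    base = conf["user_enabled_default"] if enabled_nomask is None else int(enabled_nomask)
    return (base & ~mask) if enabled else (base | mask)


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES.values():
        print(ldap_to_user(entry, LDAP_CONF))
    # Disable carol without losing her DONT_EXPIRE_PASSWORD bit, then re-enable.
    disabled = attribute_for_enabled(False, 66048, LDAP_CONF)
    print(disabled, attribute_for_enabled(True, disabled, LDAP_CONF))
```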

If the Active Directory classes and attributes do not match the classes specified in the LDAP module, you can modify them as follows:

[ldap]
user_objectclass         = person
user_id_attribute        = cn
user_name_attribute      = cn
user_mail_attribute      = mail
user_enabled_attribute   = userAccountControl
user_enabled_mask        = 2
user_enabled_default     = 512
user_attribute_ignore    = tenant_id,tenants
tenant_objectclass       = groupOfNames
tenant_id_attribute      = cn
tenant_member_attribute  = member
tenant_name_attribute    = ou
tenant_desc_attribute    = description
tenant_enabled_attribute = extensionName
tenant_attribute_ignore  =
role_objectclass         = organizationalRole
role_id_attribute        = cn
role_name_attribute      = ou
role_member_attribute    = roleOccupant
role_attribute_ignore    =

 Configure the Identity Service for token binding

Token binding refers to the practice of embedding information from external authentication providers (like a company's Kerberos server) inside the token such that a client may enforce that the token only be used in conjunction with that specified authentication. This is an additional security mechanism as it means that if a token is stolen it will not be usable without also providing the external authentication.

To activate token binding you must specify the types of authentication that token binding should be used for in keystone.conf:

[token]
bind = kerberos

Currently only kerberos is supported.

To enforce checking of token binding the enforce_token_bind parameter should be set to one of the following modes:

  • disabled: disable token bind checking.

  • permissive: enable bind checking; if a token is bound to a mechanism that is unknown to the server, ignore it. This is the default.

  • strict: enable bind checking; if a token is bound to a mechanism that is unknown to the server, reject the token.

  • required: enable bind checking and require that at least one bind mechanism is used for tokens.

  • named: enable bind checking and require that the specified authentication mechanism is used:

    [token]
    enforce_token_bind = kerberos

[Note]Note

Do not set enforce_token_bind = named as there is not an authentication mechanism called named.
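The five enforcement modes can be captured in one decision function, which also makes the note above concrete: a literal value of named is treated as the name of a mechanism, and since no mechanism is called named, every token is rejected. The Python below is an added example written for this page, not the Identity Service's own middleware; it assumes a token's bind data and the identities verified on the current request both arrive as dictionaries keyed by mechanism name (for instance {"kerberos": "alice@EXAMPLE.COM"}), and that kerberos is the only mechanism the server knows, as the text states.

```python
# Bind types this server can verify; the page says only kerberos is supported.
KNOWN_BIND_TYPES = {"kerberos"}
STANDARD_MODES = ("disabled", "permissive", "strict", "required")


def check_token_bind(enforce_token_bind, token_bind, request_auth):
    """Decide whether a token may be used on this request; returns (allowed, reason).

    enforce_token_bind -- the [token] enforce_token_bind value
    token_bind         -- bind data carried in the token, e.g. {"kerberos": "alice@EXAMPLE.COM"}
    request_auth       -- identities the server verified on this request, same shape
    """
    mode = enforce_token_bind
    if mode == "disabled":
        return True, "bind checking disabled"

    # Any value other than the four standard modes names a required mechanism.
    named = mode not in STANDARD_MODES

    if not token_bind:
        if mode == "required" or named:
            return False, "token carries no bind information"
        return True, "unbound token accepted"

    for bind_type, identity in token_bind.items():
        if bind_type not in KNOWN_BIND_TYPES:
            if mode == "permissive":
                continue  # permissive ignores mechanisms it cannot verify
            return False, f"unknown bind type {bind_type}"
        # A stolen token fails here: the request lacks the matching external
        # authentication, or it was performed by a different principal.
        if request_auth.get(bind_type) != identity:
            return False, f"{bind_type} identity does not match token bind"

    if named and mode not in token_bind:
        return False, f"token is not bound to {mode}"
    return True, "bind verified"


if __name__ == "__main__":
    # Constructed sample token and request (not real principals).
    bound = {"kerberos": "alice@EXAMPLE.COM"}
    alice_request = {"kerberos": "alice@EXAMPLE.COM"}
    for mode in STANDARD_MODES + ("kerberos", "named"):
        print(mode, check_token_bind(mode, bound, alice_request),
              check_token_bind(mode, bound, {}), check_token_bind(mode, {}, {}))
```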

 Identity Service sample configuration files

  • etc/keystone.conf.sample

    [DEFAULT]
    
    #
    # Options defined in keystone
    #
    
    # A "shared secret" that can be used to bootstrap Keystone.
    # This "token" does not represent a user, and carries no
    # explicit authorization. To disable in production (highly
    # recommended), remove AdminTokenAuthMiddleware from your
    # paste application pipelines (for example, in keystone-
    # paste.ini). (string value)
    #admin_token=ADMIN
    
    # The IP address of the network interface for the public
    # service to listen on. (string value)
    # Deprecated group/name - [DEFAULT]/bind_host
    #public_bind_host=0.0.0.0
    
    # The IP address of the network interface for the admin
    # service to listen on. (string value)
    # Deprecated group/name - [DEFAULT]/bind_host
    #admin_bind_host=0.0.0.0
    
    # The port which the OpenStack Compute service listens on.
    # (integer value)
    #compute_port=8774
    
    # The port number which the admin service listens on. (integer
    # value)
    #admin_port=35357
    
    # The port number which the public service listens on.
    # (integer value)
    #public_port=5000
    
    # The base public endpoint URL for Keystone that is advertised
    # to clients (NOTE: this does NOT affect how Keystone listens
    # for connections). Defaults to the base host URL of the
    # request. E.g. a request to http://server:5000/v2.0/users
    # will default to http://server:5000. You should only need to
    # set this value if the base URL contains a path (e.g.
    # /prefix/v2.0) or the endpoint should be found on a different
    # server. (string value)
    #public_endpoint=<None>
    
    # The base admin endpoint URL for Keystone that is advertised
    # to clients (NOTE: this does NOT affect how Keystone listens
    # for connections). Defaults to the base host URL of the
    # request. E.g. a request to http://server:35357/v2.0/users
    # will default to http://server:35357. You should only need to
    # set this value if the base URL contains a path (e.g.
    # /prefix/v2.0) or the endpoint should be found on a different
    # server. (string value)
    #admin_endpoint=<None>
    
    # onready allows you to send a notification when the process
    # is ready to serve. For example, to have it notify using
    # systemd, one could set shell command: "onready = systemd-
    # notify --ready" or a module with notify() method: "onready =
    # keystone.common.systemd". (string value)
    #onready=<None>
    
    # Enforced by optional sizelimit middleware
    # (keystone.middleware:RequestBodySizeLimiter). (integer
    # value)
    #max_request_body_size=114688
    
    # Limit the sizes of user & project ID/names. (integer value)
    #max_param_size=64
    
    # Similar to max_param_size, but provides an exception for
    # token values. (integer value)
    #max_token_size=8192
    
    # During a SQL upgrade member_role_id will be used to create a
    # new role that will replace records in the
    # user_tenant_membership table with explicit role grants.
    # After migration, the member_role_id will be used in the API
    # add_user_to_project. (string value)
    #member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
    
    # During a SQL upgrade member_role_name will be used to create
    # a new role that will replace records in the
    # user_tenant_membership table with explicit role grants.
    # After migration, member_role_name will be ignored. (string
    # value)
    #member_role_name=_member_
    
    # The value passed as the keyword "rounds" to passlib's
    # encrypt method. (integer value)
    #crypt_strength=40000
    
    # Set this to true if you want to enable TCP_KEEPALIVE on
    # server sockets, i.e. sockets used by the Keystone wsgi
    # server for client connections. (boolean value)
    #tcp_keepalive=false
    
    # Sets the value of TCP_KEEPIDLE in seconds for each server
    # socket. Only applies if tcp_keepalive is true. Not supported
    # on OS X. (integer value)
    #tcp_keepidle=600
    
    # The maximum number of entities that will be returned in a
    # collection, with no limit set by default. This global limit
    # may be then overridden for a specific driver, by specifying
    # a list_limit in the appropriate section (e.g. [assignment]).
    # (integer value)
    #list_limit=<None>
    
    # Set this to false if you want to enable the ability for
    # user, group and project entities to be moved between domains
    # by updating their domain_id. Allowing such movement is not
    # recommended if the scope of a domain admin is being
    # restricted by use of an appropriate policy file (see
    # policy.v3cloudsample as an example). (boolean value)
    #domain_id_immutable=true
    
    
    #
    # Options defined in oslo.messaging
    #
    
    # Use durable queues in amqp. (boolean value)
    # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
    #amqp_durable_queues=false
    
    # Auto-delete queues in amqp. (boolean value)
    #amqp_auto_delete=false
    
    # Size of RPC connection pool. (integer value)
    #rpc_conn_pool_size=30
    
    # Modules of exceptions that are permitted to be recreated
    # upon receiving exception data from an rpc call. (list value)
    #allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions
    
    # Qpid broker hostname. (string value)
    #qpid_hostname=localhost
    
    # Qpid broker port. (integer value)
    #qpid_port=5672
    
    # Qpid HA cluster host:port pairs. (list value)
    #qpid_hosts=$qpid_hostname:$qpid_port
    
    # Username for Qpid connection. (string value)
    #qpid_username=
    
    # Password for Qpid connection. (string value)
    #qpid_password=
    
    # Space separated list of SASL mechanisms to use for auth.
    # (string value)
    #qpid_sasl_mechanisms=
    
    # Seconds between connection keepalive heartbeats. (integer
    # value)
    #qpid_heartbeat=60
    
    # Transport to use, either 'tcp' or 'ssl'. (string value)
    #qpid_protocol=tcp
    
    # Whether to disable the Nagle algorithm. (boolean value)
    #qpid_tcp_nodelay=true
    
    # The qpid topology version to use.  Version 1 is what was
    # originally used by impl_qpid.  Version 2 includes some
    # backwards-incompatible changes that allow broker federation
    # to work.  Users should update to version 2 when they are
    # able to take everything down, as it requires a clean break.
    # (integer value)
    #qpid_topology_version=1
    
    # SSL version to use (valid only if SSL enabled). valid values
    # are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
    # distributions. (string value)
    #kombu_ssl_version=
    
    # SSL key file (valid only if SSL enabled). (string value)
    #kombu_ssl_keyfile=
    
    # SSL cert file (valid only if SSL enabled). (string value)
    #kombu_ssl_certfile=
    
    # SSL certification authority file (valid only if SSL
    # enabled). (string value)
    #kombu_ssl_ca_certs=
    
    # How long to wait before reconnecting in response to an AMQP
    # consumer cancel notification. (floating point value)
    #kombu_reconnect_delay=1.0
    
    # The RabbitMQ broker address where a single node is used.
    # (string value)
    #rabbit_host=localhost
    
    # The RabbitMQ broker port where a single node is used.
    # (integer value)
    #rabbit_port=5672
    
    # RabbitMQ HA cluster host:port pairs. (list value)
    #rabbit_hosts=$rabbit_host:$rabbit_port
    
    # Connect over SSL for RabbitMQ. (boolean value)
    #rabbit_use_ssl=false
    
    # The RabbitMQ userid. (string value)
    #rabbit_userid=guest
    
    # The RabbitMQ password. (string value)
    #rabbit_password=guest
    
    # the RabbitMQ login method (string value)
    #rabbit_login_method=AMQPLAIN
    
    # The RabbitMQ virtual host. (string value)
    #rabbit_virtual_host=/
    
    # How frequently to retry connecting with RabbitMQ. (integer
    # value)
    #rabbit_retry_interval=1
    
    # How long to backoff for between retries when connecting to
    # RabbitMQ. (integer value)
    #rabbit_retry_backoff=2
    
    # Maximum number of RabbitMQ connection retries. Default is 0
    # (infinite retry count). (integer value)
    #rabbit_max_retries=0
    
    # Use HA queues in RabbitMQ (x-ha-policy: all). If you change
    # this option, you must wipe the RabbitMQ database. (boolean
    # value)
    #rabbit_ha_queues=false
    
    # If passed, use a fake RabbitMQ provider. (boolean value)
    #fake_rabbit=false
    
    # ZeroMQ bind address. Should be a wildcard (*), an ethernet
    # interface, or IP. The "host" option should point or resolve
    # to this address. (string value)
    #rpc_zmq_bind_address=*
    
    # MatchMaker driver. (string value)
    #rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost
    
    # ZeroMQ receiver listening port. (integer value)
    #rpc_zmq_port=9501
    
    # Number of ZeroMQ contexts, defaults to 1. (integer value)
    #rpc_zmq_contexts=1
    
    # Maximum number of ingress messages to locally buffer per
    # topic. Default is unlimited. (integer value)
    #rpc_zmq_topic_backlog=<None>
    
    # Directory for holding IPC sockets. (string value)
    #rpc_zmq_ipc_dir=/var/run/openstack
    
    # Name of this node. Must be a valid hostname, FQDN, or IP
    # address. Must match "host" option, if running Nova. (string
    # value)
    #rpc_zmq_host=keystone
    
    # Seconds to wait before a cast expires (TTL). Only supported
    # by impl_zmq. (integer value)
    #rpc_cast_timeout=30
    
    # Heartbeat frequency. (integer value)
    #matchmaker_heartbeat_freq=300
    
    # Heartbeat time-to-live. (integer value)
    #matchmaker_heartbeat_ttl=600
    
    # Host to locate redis. (string value)
    #host=127.0.0.1
    
    # Use this port to connect to redis host. (integer value)
    #port=6379
    
    # Password for Redis server (optional). (string value)
    #password=<None>
    
    # Size of RPC greenthread pool. (integer value)
    #rpc_thread_pool_size=64
    
    # Driver or drivers to handle sending notifications. (multi
    # valued)
    #notification_driver=
    
    # AMQP topic used for OpenStack notifications. (list value)
    # Deprecated group/name - [rpc_notifier2]/topics
    #notification_topics=notifications
    
    # Seconds to wait for a response from a call. (integer value)
    #rpc_response_timeout=60
    
    # A URL representing the messaging driver to use and its full
    # configuration. If not set, we fall back to the rpc_backend
    # option and driver specific configuration. (string value)
    #transport_url=<None>
    
    # The messaging driver to use, defaults to rabbit. Other
    # drivers include qpid and zmq. (string value)
    #rpc_backend=rabbit
    
    # The default exchange under which topics are scoped. May be
    # overridden by an exchange name specified in the
    # transport_url option. (string value)
    #control_exchange=openstack
    
    
    #
    # Options defined in keystone.notifications
    #
    
    # Default publisher_id for outgoing notifications (string
    # value)
    #default_publisher_id=<None>
    
    
    #
    # Options defined in keystone.middleware.ec2_token
    #
    
    # URL to get token from ec2 request. (string value)
    #keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens
    
    # Required if EC2 server requires client certificate. (string
    # value)
    #keystone_ec2_keyfile=<None>
    
    # Client certificate key filename. Required if EC2 server
    # requires client certificate. (string value)
    #keystone_ec2_certfile=<None>
    
    # A PEM encoded certificate authority to use when verifying
    # HTTPS connections. Defaults to the system CAs. (string
    # value)
    #keystone_ec2_cafile=<None>
    
    # Disable SSL certificate verification. (boolean value)
    #keystone_ec2_insecure=false
    
    
    #
    # Options defined in keystone.openstack.common.eventlet_backdoor
    #
    
    # Enable eventlet backdoor.  Acceptable values are 0, <port>,
    # and <start>:<end>, where 0 results in listening on a random
    # tcp port number; <port> results in listening on the
    # specified port number (and not enabling backdoor if that
    # port is in use); and <start>:<end> results in listening on
    # the smallest unused port number within the specified range
    # of port numbers.  The chosen port is displayed in the
    # service's log file. (string value)
    #backdoor_port=<None>
    
    
    #
    # Options defined in keystone.openstack.common.lockutils
    #
    
    # Whether to disable inter-process locks (boolean value)
    #disable_process_locking=false
    
    # Directory to use for lock files. (string value)
    #lock_path=<None>
    
    
    #
    # Options defined in keystone.openstack.common.log
    #
    
    # Print debugging output (set logging level to DEBUG instead
    # of default WARNING level). (boolean value)
    #debug=false
    
    # Print more verbose output (set logging level to INFO instead
    # of default WARNING level). (boolean value)
    #verbose=false
    
    # Log output to standard error (boolean value)
    #use_stderr=true
    
    # Format string to use for log messages with context (string
    # value)
    #logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
    
    # Format string to use for log messages without context
    # (string value)
    #logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
    
    # Data to append to log format when level is DEBUG (string
    # value)
    #logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
    
    # Prefix each line of exception output with this format
    # (string value)
    #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
    
    # List of logger=LEVEL pairs (list value)
    #default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN
    
    # Publish error events (boolean value)
    #publish_errors=false
    
    # Make deprecations fatal (boolean value)
    #fatal_deprecations=false
    
    # If an instance is passed with the log message, format it
    # like this (string value)
    #instance_format="[instance: %(uuid)s] "
    
    # If an instance UUID is passed with the log message, format
    # it like this (string value)
    #instance_uuid_format="[instance: %(uuid)s] "
    
    # The name of logging configuration file. It does not disable
    # existing loggers, but just appends specified logging
    # configuration to any other existing logging options. Please
    # see the Python logging module documentation for details on
    # logging configuration files. (string value)
    # Deprecated group/name - [DEFAULT]/log_config
    #log_config_append=<None>
    
    # DEPRECATED. A logging.Formatter log message format string
    # which may use any of the available logging.LogRecord
    # attributes. This option is deprecated.  Please use
    # logging_context_format_string and
    # logging_default_format_string instead. (string value)
    #log_format=<None>
    
    # Format string for %%(asctime)s in log records. Default:
    # %(default)s (string value)
    #log_date_format=%Y-%m-%d %H:%M:%S
    
    # (Optional) Name of log file to output to. If no default is
    # set, logging will go to stdout. (string value)
    # Deprecated group/name - [DEFAULT]/logfile
    #log_file=<None>
    
    # (Optional) The base directory used for relative --log-file
    # paths (string value)
    # Deprecated group/name - [DEFAULT]/logdir
    #log_dir=<None>
    
    # Use syslog for logging. Existing syslog format is DEPRECATED
    # during I, and then will be changed in J to honor RFC5424
    # (boolean value)
    #use_syslog=false
    
    # (Optional) Use syslog rfc5424 format for logging. If
    # enabled, will add APP-NAME (RFC5424) before the MSG part of
    # the syslog message.  The old format without APP-NAME is
    # deprecated in I, and will be removed in J. (boolean value)
    #use_syslog_rfc_format=false
    
    # Syslog facility to receive log lines (string value)
    #syslog_log_facility=LOG_USER
    
    
    #
    # Options defined in keystone.openstack.common.policy
    #
    
    # JSON file containing policy (string value)
    #policy_file=policy.json
    
    # Rule enforced when requested rule is not found (string
    # value)
    #policy_default_rule=default
    
    
    [assignment]
    
    #
    # Options defined in keystone
    #
    
    # Assignment backend driver. (string value)
    #driver=<None>
    
    # Toggle for assignment caching. This has no effect unless
    # global caching is enabled. (boolean value)
    #caching=true
    
    # TTL (in seconds) to cache assignment data. This has no
    # effect unless global caching is enabled. (integer value)
    #cache_time=<None>
    
    # Maximum number of entities that will be returned in an
    # assignment collection. (integer value)
    #list_limit=<None>
    
    
    [auth]
    
    #
    # Options defined in keystone
    #
    
    # Default auth methods. (list value)
    #methods=external,password,token
    
    # The password auth plugin module. (string value)
    #password=keystone.auth.plugins.password.Password
    
    # The token auth plugin module. (string value)
    #token=keystone.auth.plugins.token.Token
    
    # The external (REMOTE_USER) auth plugin module. (string
    # value)
    #external=keystone.auth.plugins.external.DefaultDomain
    
    
    [cache]
    
    #
    # Options defined in keystone
    #
    
    # Prefix for building the configuration dictionary for the
    # cache region. This should not need to be changed unless
    # there is another dogpile.cache region with the same
    # configuration name. (string value)
    #config_prefix=cache.keystone
    
    # Default TTL, in seconds, for any cached item in the
    # dogpile.cache region. This applies to any cached method that
    # doesn't have an explicit cache expiration time defined for
    # it. (integer value)
    #expiration_time=600
    
    # Dogpile.cache backend module. It is recommended that
    # Memcache (dogpile.cache.memcache) or Redis
    # (dogpile.cache.redis) be used in production deployments.
    # Small workloads (single process) like devstack can use the
    # dogpile.cache.memory backend. (string value)
    #backend=keystone.common.cache.noop
    
    # Use a key-mangling function (sha1) to ensure fixed length
    # cache-keys. This is toggle-able for debugging purposes; it
    # is highly recommended to always leave this set to true.
    # (boolean value)
    #use_key_mangler=true
    
    # Arguments supplied to the backend module. Specify this
    # option once per argument to be passed to the dogpile.cache
    # backend. Example format: "<argname>:<value>". (multi valued)
    #backend_argument=
    
    # Proxy classes to import that will affect the way the
    # dogpile.cache backend functions. See the dogpile.cache
    # documentation on changing-backend-behavior. (list value)
    #proxies=
    
    # Global toggle for all caching using the should_cache_fn
    # mechanism. (boolean value)
    #enabled=false
    
    # Extra debugging from the cache backend (cache keys,
    # get/set/delete/etc calls). This is only really useful if you
    # need to see the specific cache-backend get/set/delete calls
    # with the keys/values.  Typically this should be left set to
    # false. (boolean value)
    #debug_cache_backend=false
    
    
    [catalog]
    
    #
    # Options defined in keystone
    #
    
    # Catalog template file name for use with the template catalog
    # backend. (string value)
    #template_file=default_catalog.templates
    
    # Catalog backend driver. (string value)
    #driver=keystone.catalog.backends.sql.Catalog
    
    # Maximum number of entities that will be returned in a
    # catalog collection. (integer value)
    #list_limit=<None>
    
    
    [credential]
    
    #
    # Options defined in keystone
    #
    
    # Credential backend driver. (string value)
    #driver=keystone.credential.backends.sql.Credential
    
    
    [database]
    
    #
    # Options defined in keystone.openstack.common.db.options
    #
    
    # The file name to use with SQLite (string value)
    #sqlite_db=keystone.sqlite
    
    # If True, SQLite uses synchronous mode (boolean value)
    #sqlite_synchronous=true
    
    # The backend to use for db (string value)
    # Deprecated group/name - [DEFAULT]/db_backend
    #backend=sqlalchemy
    
    # The SQLAlchemy connection string used to connect to the
    # database (string value)
    # Deprecated group/name - [DEFAULT]/sql_connection
    # Deprecated group/name - [DATABASE]/sql_connection
    # Deprecated group/name - [sql]/connection
    #connection=<None>
    
    # The SQL mode to be used for MySQL sessions. This option,
    # including the default, overrides any server-set SQL mode. To
    # use whatever SQL mode is set by the server configuration,
    # set this to no value. Example: mysql_sql_mode= (string
    # value)
    #mysql_sql_mode=TRADITIONAL
    
    # Timeout before idle sql connections are reaped (integer
    # value)
    # Deprecated group/name - [DEFAULT]/sql_idle_timeout
    # Deprecated group/name - [DATABASE]/sql_idle_timeout
    # Deprecated group/name - [sql]/idle_timeout
    #idle_timeout=3600
    
    # Minimum number of SQL connections to keep open in a pool
    # (integer value)
    # Deprecated group/name - [DEFAULT]/sql_min_pool_size
    # Deprecated group/name - [DATABASE]/sql_min_pool_size
    #min_pool_size=1
    
    # Maximum number of SQL connections to keep open in a pool
    # (integer value)
    # Deprecated group/name - [DEFAULT]/sql_max_pool_size
    # Deprecated group/name - [DATABASE]/sql_max_pool_size
    #max_pool_size=<None>
    
    # Maximum db connection retries during startup. (setting -1
    # implies an infinite retry count) (integer value)
    # Deprecated group/name - [DEFAULT]/sql_max_retries
    # Deprecated group/name - [DATABASE]/sql_max_retries
    #max_retries=10
    
    # Interval between retries of opening a sql connection
    # (integer value)
    # Deprecated group/name - [DEFAULT]/sql_retry_interval
    # Deprecated group/name - [DATABASE]/reconnect_interval
    #retry_interval=10
    
    # If set, use this value for max_overflow with sqlalchemy
    # (integer value)
    # Deprecated group/name - [DEFAULT]/sql_max_overflow
    # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
    #max_overflow=<None>
    
    # Verbosity of SQL debugging information. 0=None,
    # 100=Everything (integer value)
    # Deprecated group/name - [DEFAULT]/sql_connection_debug
    #connection_debug=0
    
    # Add python stack traces to SQL as comment strings (boolean
    # value)
    # Deprecated group/name - [DEFAULT]/sql_connection_trace
    #connection_trace=false
    
    # If set, use this value for pool_timeout with sqlalchemy
    # (integer value)
    # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
    #pool_timeout=<None>
    
    # Enable the experimental use of database reconnect on
    # connection lost (boolean value)
    #use_db_reconnect=false
    
    # seconds between db connection retries (integer value)
    #db_retry_interval=1
    
    # Whether to increase interval between db connection retries,
    # up to db_max_retry_interval (boolean value)
    #db_inc_retry_interval=true
    
    # max seconds between db connection retries, if
    # db_inc_retry_interval is enabled (integer value)
    #db_max_retry_interval=10
    
    # maximum db connection retries before error is raised.
    # (setting -1 implies an infinite retry count) (integer value)
    #db_max_retries=20
    
    
    [ec2]
    
    #
    # Options defined in keystone
    #
    
    # EC2Credential backend driver. (string value)
    #driver=keystone.contrib.ec2.backends.kvs.Ec2
    
    
    [endpoint_filter]
    
    #
    # Options defined in keystone
    #
    
    # Endpoint Filter backend driver (string value)
    #driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
    
    # Toggle to return all active endpoints if no filter exists.
    # (boolean value)
    #return_all_endpoints_if_no_filter=true
    
    
    [federation]
    
    #
    # Options defined in keystone
    #
    
    # Federation backend driver. (string value)
    #driver=keystone.contrib.federation.backends.sql.Federation
    
    # Value to be used when filtering assertion parameters from
    # the environment. (string value)
    #assertion_prefix=
    
    
    [identity]
    
    #
    # Options defined in keystone
    #
    
    # This references the domain to use for all Identity API v2
    # requests (which are not aware of domains). A domain with
    # this ID will be created for you by keystone-manage db_sync
    # in migration 008. The domain referenced by this ID cannot be
    # deleted on the v3 API, to prevent accidentally breaking the
    # v2 API. There is nothing special about this domain, other
    # than the fact that it must exist in order to maintain
    # support for your v2 clients. (string value)
    #default_domain_id=default
    
    # A subset (or all) of domains can have their own identity
    # driver, each with their own partial configuration file in a
    # domain configuration directory. Only values specific to the
    # domain need to be placed in the domain specific
    # configuration file. This feature is disabled by default; set
    # to true to enable. (boolean value)
    #domain_specific_drivers_enabled=false
    
    # Path for Keystone to locate the domain specific identity
    # configuration files if domain_specific_drivers_enabled is
    # set to true. (string value)
    #domain_config_dir=/etc/keystone/domains
    
    # Identity backend driver. (string value)
    #driver=keystone.identity.backends.sql.Identity
    
    # Maximum supported length for user passwords; decrease to
    # improve performance. (integer value)
    #max_password_length=4096
    
    # Maximum number of entities that will be returned in an
    # identity collection. (integer value)
    #list_limit=<None>
    
    
    [kvs]
    
    #
    # Options defined in keystone
    #
    
    # Extra dogpile.cache backend modules to register with the
    # dogpile.cache library. (list value)
    #backends=
    
    # Prefix for building the configuration dictionary for the KVS
    # region. This should not need to be changed unless there is
    # another dogpile.cache region with the same configuration
    # name. (string value)
    #config_prefix=keystone.kvs
    
    # Toggle to disable using a key-mangling function to ensure
    # fixed length keys. This is toggle-able for debugging
    # purposes; it is highly recommended to always leave this set
    # to true. (boolean value)
    #enable_key_mangler=true
    
    # Default lock timeout for distributed locking. (integer
    # value)
    #default_lock_timeout=5
    
    
    [ldap]
    
    #
    # Options defined in keystone
    #
    
    # URL for connecting to the LDAP server. (string value)
    #url=ldap://localhost
    
    # User BindDN to query the LDAP server. (string value)
    #user=<None>
    
    # Password for the BindDN to query the LDAP server. (string
    # value)
    #password=<None>
    
    # LDAP server suffix (string value)
    #suffix=cn=example,cn=com
    
    # If true, will add a dummy member to groups. This is required
    # if the objectclass for groups requires the "member"
    # attribute. (boolean value)
    #use_dumb_member=false
    
    # DN of the "dummy member" to use when "use_dumb_member" is
    # enabled. (string value)
    #dumb_member=cn=dumb,dc=nonexistent
    
    # Delete subtrees using the subtree delete control. Only
    # enable this option if your LDAP server supports subtree
    # deletion. (boolean value)
    #allow_subtree_delete=false
    
    # The LDAP scope for queries; this can be either "one"
    # (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).
    # (string value)
    #query_scope=one
    
    # Maximum results per page; a value of zero ("0") disables
    # paging. (integer value)
    #page_size=0
    
    # The LDAP dereferencing option for queries. This can be
    # either "never", "searching", "always", "finding" or
    # "default". The "default" option falls back to using default
    # dereferencing configured by your ldap.conf. (string value)
    #alias_dereferencing=default
    
    # Override the system's default referral chasing behavior for
    # queries. (boolean value)
    #chase_referrals=<None>
    
    # Search base for users. (string value)
    #user_tree_dn=<None>
    
    # LDAP search filter for users. (string value)
    #user_filter=<None>
    
    # LDAP objectclass for users. (string value)
    #user_objectclass=inetOrgPerson
    
    # LDAP attribute mapped to user id. (string value)
    #user_id_attribute=cn
    
    # LDAP attribute mapped to user name. (string value)
    #user_name_attribute=sn
    
    # LDAP attribute mapped to user email. (string value)
    #user_mail_attribute=email
    
    # LDAP attribute mapped to password. (string value)
    #user_pass_attribute=userPassword
    
    # LDAP attribute mapped to user enabled flag. (string value)
    #user_enabled_attribute=enabled
    
    # Bitmask integer to indicate the bit that the enabled value
    # is stored in if the LDAP server represents "enabled" as a
    # bit on an integer rather than a boolean. A value of "0"
    # indicates the mask is not used. If this is not set to "0"
    # the typical value is "2". This is typically used when
    # "user_enabled_attribute = userAccountControl". (integer
    # value)
    #user_enabled_mask=0
    
    # Default value to enable users. This should match an
    # appropriate int value if the LDAP server uses non-boolean
    # (bitmask) values to indicate if a user is enabled or
    # disabled. If this is not set to "True" the typical value is
    # "512". This is typically used when "user_enabled_attribute =
    # userAccountControl". (string value)
    #user_enabled_default=True
    
    # List of attributes stripped off the user on update. (list
    # value)
    #user_attribute_ignore=default_project_id,tenants
    
    # LDAP attribute mapped to default_project_id for users.
    # (string value)
    #user_default_project_id_attribute=<None>
    
    # Allow user creation in LDAP backend. (boolean value)
    #user_allow_create=true
    
    # Allow user updates in LDAP backend. (boolean value)
    #user_allow_update=true
    
    # Allow user deletion in LDAP backend. (boolean value)
    #user_allow_delete=true
    
    # If true, Keystone uses an alternative method to determine if
    # a user is enabled or not by checking if they are a member of
    # the "user_enabled_emulation_dn" group. (boolean value)
    #user_enabled_emulation=false
    
    # DN of the group entry to hold enabled users when using
    # enabled emulation. (string value)
    #user_enabled_emulation_dn=<None>
    
    # List of additional LDAP attributes used for mapping
    # additional attribute mappings for users. Attribute mapping
    # format is <ldap_attr>:<user_attr>, where ldap_attr is the
    # attribute in the LDAP entry and user_attr is the Identity
    # API attribute. (list value)
    #user_additional_attribute_mapping=
    
    # Search base for projects (string value)
    #tenant_tree_dn=<None>
    
    # LDAP search filter for projects. (string value)
    #tenant_filter=<None>
    
    # LDAP objectclass for projects. (string value)
    #tenant_objectclass=groupOfNames
    
    # LDAP attribute mapped to project id. (string value)
    #tenant_id_attribute=cn
    
    # LDAP attribute mapped to project membership for user.
    # (string value)
    #tenant_member_attribute=member
    
    # LDAP attribute mapped to project name. (string value)
    #tenant_name_attribute=ou
    
    # LDAP attribute mapped to project description. (string value)
    #tenant_desc_attribute=description
    
    # LDAP attribute mapped to project enabled. (string value)
    #tenant_enabled_attribute=enabled
    
    # LDAP attribute mapped to project domain_id. (string value)
    #tenant_domain_id_attribute=businessCategory
    
    # List of attributes stripped off the project on update. (list
    # value)
    #tenant_attribute_ignore=
    
    # Allow project creation in LDAP backend. (boolean value)
    #tenant_allow_create=true
    
    # Allow project update in LDAP backend. (boolean value)
    #tenant_allow_update=true
    
    # Allow project deletion in LDAP backend. (boolean value)
    #tenant_allow_delete=true
    
    # If true, Keystone uses an alternative method to determine if
    # a project is enabled or not by checking if it is a member
    # of the "tenant_enabled_emulation_dn" group. (boolean value)
    #tenant_enabled_emulation=false
    
    # DN of the group entry to hold enabled projects when using
    # enabled emulation. (string value)
    #tenant_enabled_emulation_dn=<None>
    
    # Additional attribute mappings for projects. Attribute
    # mapping format is <ldap_attr>:<user_attr>, where ldap_attr
    # is the attribute in the LDAP entry and user_attr is the
    # Identity API attribute. (list value)
    #tenant_additional_attribute_mapping=
    
    # Search base for roles. (string value)
    #role_tree_dn=<None>
    
    # LDAP search filter for roles. (string value)
    #role_filter=<None>
    
    # LDAP objectclass for roles. (string value)
    #role_objectclass=organizationalRole
    
    # LDAP attribute mapped to role id. (string value)
    #role_id_attribute=cn
    
    # LDAP attribute mapped to role name. (string value)
    #role_name_attribute=ou
    
    # LDAP attribute mapped to role membership. (string value)
    #role_member_attribute=roleOccupant
    
    # List of attributes stripped off the role on update. (list
    # value)
    #role_attribute_ignore=
    
    # Allow role creation in LDAP backend. (boolean value)
    #role_allow_create=true
    
    # Allow role update in LDAP backend. (boolean value)
    #role_allow_update=true
    
    # Allow role deletion in LDAP backend. (boolean value)
    #role_allow_delete=true
    
    # Additional attribute mappings for roles. Attribute mapping
    # format is <ldap_attr>:<user_attr>, where ldap_attr is the
    # attribute in the LDAP entry and user_attr is the Identity
    # API attribute. (list value)
    #role_additional_attribute_mapping=
    
    # Search base for groups. (string value)
    #group_tree_dn=<None>
    
    # LDAP search filter for groups. (string value)
    #group_filter=<None>
    
    # LDAP objectclass for groups. (string value)
    #group_objectclass=groupOfNames
    
    # LDAP attribute mapped to group id. (string value)
    #group_id_attribute=cn
    
    # LDAP attribute mapped to group name. (string value)
    #group_name_attribute=ou
    
    # LDAP attribute mapped to show group membership. (string
    # value)
    #group_member_attribute=member
    
    # LDAP attribute mapped to group description. (string value)
    #group_desc_attribute=description
    
    # List of attributes stripped off the group on update. (list
    # value)
    #group_attribute_ignore=
    
    # Allow group creation in LDAP backend. (boolean value)
    #group_allow_create=true
    
    # Allow group update in LDAP backend. (boolean value)
    #group_allow_update=true
    
    # Allow group deletion in LDAP backend. (boolean value)
    #group_allow_delete=true
    
    # Additional attribute mappings for groups. Attribute mapping
    # format is <ldap_attr>:<user_attr>, where ldap_attr is the
    # attribute in the LDAP entry and user_attr is the Identity
    # API attribute. (list value)
    #group_additional_attribute_mapping=
    
    # CA certificate file path for communicating with LDAP
    # servers. (string value)
    #tls_cacertfile=<None>
    
    # CA certificate directory path for communicating with LDAP
    # servers. (string value)
    #tls_cacertdir=<None>
    
    # Enable TLS for communicating with LDAP servers. (boolean
    # value)
    #use_tls=false
    
    # Valid options for tls_req_cert are demand, never, and allow.
    # (string value)
    #tls_req_cert=demand
    
    
    [matchmaker_ring]
    
    #
    # Options defined in oslo.messaging
    #
    
    # Matchmaker ring file (JSON). (string value)
    # Deprecated group/name - [DEFAULT]/matchmaker_ringfile
    #ringfile=/etc/oslo/matchmaker_ring.json
    
    
    [memcache]
    
    #
    # Options defined in keystone
    #
    
    # Memcache servers in the format of "host:port". (list value)
    #servers=localhost:11211
    
    # Number of compare-and-set attempts to make when using
    # compare-and-set in the token memcache back end. (integer
    # value)
    #max_compare_and_set_retry=16
    
    
    [oauth1]
    
    #
    # Options defined in keystone
    #
    
    # Credential backend driver. (string value)
    #driver=keystone.contrib.oauth1.backends.sql.OAuth1
    
    # Duration (in seconds) for the OAuth Request Token. (integer
    # value)
    #request_token_duration=28800
    
    # Duration (in seconds) for the OAuth Access Token. (integer
    # value)
    #access_token_duration=86400
    
    
    [os_inherit]
    
    #
    # Options defined in keystone
    #
    
    # role-assignment inheritance to projects from owning domain
    # can be optionally enabled. (boolean value)
    #enabled=false
    
    
    [paste_deploy]
    
    #
    # Options defined in keystone
    #
    
    # Name of the paste configuration file that defines the
    # available pipelines. (string value)
    #config_file=keystone-paste.ini
    
    
    [policy]
    
    #
    # Options defined in keystone
    #
    
    # Policy backend driver. (string value)
    #driver=keystone.policy.backends.sql.Policy
    
    # Maximum number of entities that will be returned in a policy
    # collection. (integer value)
    #list_limit=<None>
    
    
    [revoke]
    
    #
    # Options defined in keystone
    #
    
    # An implementation of the backend for persisting revocation
    # events. (string value)
    #driver=keystone.contrib.revoke.backends.kvs.Revoke
    
    # This value (calculated in seconds) is added to token
    # expiration before a revocation event may be removed from the
    # backend. (integer value)
    #expiration_buffer=1800
    
    # Toggle for revocation event caching. This has no effect
    # unless global caching is enabled. (boolean value)
    #caching=true
    
    
    [signing]
    
    #
    # Options defined in keystone
    #
    
    # Deprecated in favor of provider in the [token] section.
    # (string value)
    #token_format=<None>
    
    # Path of the certfile for token signing. (string value)
    #certfile=/etc/keystone/ssl/certs/signing_cert.pem
    
    # Path of the keyfile for token signing. (string value)
    #keyfile=/etc/keystone/ssl/private/signing_key.pem
    
    # Path of the CA for token signing. (string value)
    #ca_certs=/etc/keystone/ssl/certs/ca.pem
    
    # Path of the CA key for token signing. (string value)
    #ca_key=/etc/keystone/ssl/private/cakey.pem
    
    # Key size (in bits) for token signing cert (auto generated
    # certificate). (integer value)
    #key_size=2048
    
    # Days the token signing cert is valid for (auto generated
    # certificate). (integer value)
    #valid_days=3650
    
    # Certificate subject (auto generated certificate) for token
    # signing. (string value)
    #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
    
    
    [ssl]
    
    #
    # Options defined in keystone
    #
    
    # Toggle for SSL support on the Keystone eventlet servers.
    # (boolean value)
    #enable=false
    
    # Path of the certfile for SSL. (string value)
    #certfile=/etc/keystone/ssl/certs/keystone.pem
    
    # Path of the keyfile for SSL. (string value)
    #keyfile=/etc/keystone/ssl/private/keystonekey.pem
    
    # Path of the ca cert file for SSL. (string value)
    #ca_certs=/etc/keystone/ssl/certs/ca.pem
    
    # Path of the CA key file for SSL. (string value)
    #ca_key=/etc/keystone/ssl/private/cakey.pem
    
    # Require client certificate. (boolean value)
    #cert_required=false
    
    # SSL key length (in bits) (auto generated certificate).
    # (integer value)
    #key_size=1024
    
    # Days the certificate is valid for once signed (auto
    # generated certificate). (integer value)
    #valid_days=3650
    
    # SSL certificate subject (auto generated certificate).
    # (string value)
    #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
    
    
    [stats]
    
    #
    # Options defined in keystone
    #
    
    # Stats backend driver. (string value)
    #driver=keystone.contrib.stats.backends.kvs.Stats
    
    
    [token]
    
    #
    # Options defined in keystone
    #
    
    # External auth mechanisms that should add bind information to
    # token, e.g., kerberos,x509. (list value)
    #bind=
    
    # Enforcement policy on tokens presented to Keystone with bind
    # information. One of disabled, permissive, strict, required
    # or a specifically required bind mode, e.g., kerberos or x509
    # to require binding to that authentication. (string value)
    #enforce_token_bind=permissive
    
    # Amount of time a token should remain valid (in seconds).
    # (integer value)
    #expiration=3600
    
    # Controls the token construction, validation, and revocation
    # operations. Core providers are
    # "keystone.token.providers.[pki|uuid].Provider". (string
    # value)
    #provider=<None>
    
    # Token persistence backend driver. (string value)
    #driver=keystone.token.backends.sql.Token
    
    # Toggle for token system caching. This has no effect unless
    # global caching is enabled. (boolean value)
    #caching=true
    
    # Time to cache the revocation list and the revocation events
    # if revoke extension is enabled (in seconds). This has no
    # effect unless global and token caching are enabled. (integer
    # value)
    #revocation_cache_time=3600
    
    # Time to cache tokens (in seconds). This has no effect unless
    # global and token caching are enabled. (integer value)
    #cache_time=<None>
    
    # Revoke token by token identifier. Setting revoke_by_id to
    # true enables various forms of enumerating tokens, e.g. `list
    # tokens for user`. These enumerations are processed to
    # determine the list of tokens to revoke. Only disable if you
    # are switching to using the Revoke extension with a backend
    # other than KVS, which stores events in memory. (boolean
    # value)
    #revoke_by_id=true
    
    
    [trust]
    
    #
    # Options defined in keystone
    #
    
    # Delegation and impersonation features can be optionally
    # disabled. (boolean value)
    #enabled=true
    
    # Trust backend driver. (string value)
    #driver=keystone.trust.backends.sql.Trust
    
    
    
  • etc/keystone-paste.ini

    # Keystone PasteDeploy configuration file.
    
    [filter:debug]
    paste.filter_factory = keystone.common.wsgi:Debug.factory
    
    [filter:build_auth_context]
    paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
    
    [filter:token_auth]
    paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
    
    [filter:admin_token_auth]
    paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
    
    [filter:xml_body]
    paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
    
    [filter:xml_body_v2]
    paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV2.factory
    
    [filter:xml_body_v3]
    paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV3.factory
    
    [filter:json_body]
    paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
    
    [filter:user_crud_extension]
    paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
    
    [filter:crud_extension]
    paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
    
    [filter:ec2_extension]
    paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
    
    [filter:ec2_extension_v3]
    paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
    
    [filter:federation_extension]
    paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
    
    [filter:oauth1_extension]
    paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
    
    [filter:s3_extension]
    paste.filter_factory = keystone.contrib.s3:S3Extension.factory
    
    [filter:endpoint_filter_extension]
    paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
    
    [filter:simple_cert_extension]
    paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
    
    [filter:revoke_extension]
    paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
    
    [filter:url_normalize]
    paste.filter_factory = keystone.middleware:NormalizingFilter.factory
    
    [filter:sizelimit]
    paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
    
    [filter:stats_monitoring]
    paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
    
    [filter:stats_reporting]
    paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
    
    [filter:access_log]
    paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
    
    [app:public_service]
    paste.app_factory = keystone.service:public_app_factory
    
    [app:service_v3]
    paste.app_factory = keystone.service:v3_app_factory
    
    [app:admin_service]
    paste.app_factory = keystone.service:admin_app_factory
    
    [pipeline:public_api]
    pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension public_service
    
    [pipeline:admin_api]
    pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension s3_extension crud_extension admin_service
    
    [pipeline:api_v3]
    pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
    
    [app:public_version_service]
    paste.app_factory = keystone.service:public_version_app_factory
    
    [app:admin_version_service]
    paste.app_factory = keystone.service:admin_version_app_factory
    
    [pipeline:public_version_api]
    pipeline = sizelimit url_normalize xml_body public_version_service
    
    [pipeline:admin_version_api]
    pipeline = sizelimit url_normalize xml_body admin_version_service
    
    [composite:main]
    use = egg:Paste#urlmap
    /v2.0 = public_api
    /v3 = api_v3
    / = public_version_api
    
    [composite:admin]
    use = egg:Paste#urlmap
    /v2.0 = admin_api
    /v3 = api_v3
    / = admin_version_api
    
  • etc/logging.conf.sample

    [loggers]
    keys=root,access
    
    [handlers]
    keys=production,file,access_file,devel
    
    [formatters]
    keys=minimal,normal,debug
    
    
    ###########
    # Loggers #
    ###########
    
    [logger_root]
    level=WARNING
    handlers=file
    
    [logger_access]
    level=INFO
    qualname=access
    handlers=access_file
    
    
    ################
    # Log Handlers #
    ################
    
    [handler_production]
    class=handlers.SysLogHandler
    level=ERROR
    formatter=normal
    args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
    
    [handler_file]
    class=handlers.WatchedFileHandler
    level=WARNING
    formatter=normal
    args=('error.log',)
    
    [handler_access_file]
    class=handlers.WatchedFileHandler
    level=INFO
    formatter=minimal
    args=('access.log',)
    
    [handler_devel]
    class=StreamHandler
    level=NOTSET
    formatter=debug
    args=(sys.stdout,)
    
    
    ##################
    # Log Formatters #
    ##################
    
    [formatter_minimal]
    format=%(message)s
    
    [formatter_normal]
    format=(%(name)s): %(asctime)s %(levelname)s %(message)s
    
    [formatter_debug]
    format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s
    