Revision history [back]

click to hide/show revision 1
initial version

Can someone help me install keystone juno?

I am following this tutorial: http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-install.html

and I am getting stuck at step 3, because when i enter the command I get su: Authentication failure I entered the same db pass in keystone.conf as I did in mysql database. I did get suspicious in keystone.conf because step b required me to write entirely on my own the line: connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone whereas everything else was just editing.

Anyway here is my entire keystone.conf:

[DEFAULT]

#

Options defined in keystone

#

A "shared secret" that can be used to bootstrap Keystone.

This "token" does not represent a user, and carries no

explicit authorization. To disable in production (highly

recommended), remove AdminTokenAuthMiddleware from your

paste application pipelines (for example, in keystone-

paste.ini). (string value)

admin_token=d84c154eff63ccfd933d

The IP Address of the network interface to for the public

service to listen on. (string value)

Deprecated group/name - [DEFAULT]/bind_host

public_bind_host=0.0.0.0

The IP Address of the network interface to for the admin

service to listen on. (string value)

Deprecated group/name - [DEFAULT]/bind_host

admin_bind_host=0.0.0.0

The port which the OpenStack Compute service listens on.

(integer value)

compute_port=8774

The port number which the admin service listens on. (integer

value)

admin_port=35357

The port number which the public service listens on.

(integer value)

public_port=5000

The base public endpoint URL for keystone that are

advertised to clients (NOTE: this does NOT affect how

keystone listens for connections) (string value).

Defaults to the base host URL of the request. Eg a

request to http://server:5000/v2.0/users will

default to http://server:5000. You should only need

to set this value if the base URL contains a path

(eg /prefix/v2.0) or the endpoint should be found on

a different server.

public_endpoint=http://localhost:%(public_port)s/

The base admin endpoint URL for keystone that are advertised

to clients (NOTE: this does NOT affect how keystone listens

for connections) (string value).

Defaults to the base host URL of the request. Eg a

request to http://server:35357/v2.0/users will

default to http://server:35357. You should only need

to set this value if the base URL contains a path

(eg /prefix/v2.0) or the endpoint should be found on

a different server.

admin_endpoint=http://localhost:%(admin_port)s/

onready allows you to send a notification when the process

is ready to serve For example, to have it notify using

systemd, one could set shell command: "onready = systemd-

notify --ready" or a module with notify() method: "onready =

keystone.common.systemd". (string value)

onready=<none>

enforced by optional sizelimit middleware

(keystone.middleware:RequestBodySizeLimiter). (integer

value)

max_request_body_size=114688

limit the sizes of user & tenant ID/names. (integer value)

max_param_size=64

similar to max_param_size, but provides an exception for

token values. (integer value)

max_token_size=8192

During a SQL upgrade member_role_id will be used to create a

new role that will replace records in the

user_tenant_membership table with explicit role grants.

After migration, the member_role_id will be used in the API

add_user_to_project. (string value)

member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

During a SQL upgrade member_role_id will be used to create a

new role that will replace records in the

user_tenant_membership table with explicit role grants.

After migration, member_role_name will be ignored. (string

value)

member_role_name=_member_

The value passed as the keyword "rounds" to passlib encrypt

method. (integer value)

crypt_strength=40000

Set this to True if you want to enable TCP_KEEPALIVE on

server sockets i.e. sockets used by the keystone wsgi server

for client connections. (boolean value)

tcp_keepalive=false

Sets the value of TCP_KEEPIDLE in seconds for each server

socket. Only applies if tcp_keepalive is True. Not supported

on OS X. (integer value)

tcp_keepidle=600

The maximum number of entities that will be returned in a

collection can be set with list_limit, with no limit set by

default. This global limit may be then overridden for a

specific driver, by specifying a list_limit in the

appropriate section (e.g. [assignment]). (integer value)

list_limit=<none>

Set this to false if you want to enable the ability for

user, group and project entities to be moved between domains

by updating their domain_id. Allowing such movement is not

recommended if the scope of a domain admin is being

restricted by use of an appropriate policy file (see

policy.v3cloudsample as an example). (boolean value)

domain_id_immutable=true

#

Options defined in oslo.messaging

#

Use durable queues in amqp. (boolean value)

Deprecated group/name - [DEFAULT]/rabbit_durable_queues

amqp_durable_queues=false

Auto-delete queues in amqp. (boolean value)

amqp_auto_delete=false

Size of RPC connection pool. (integer value)

rpc_conn_pool_size=30

Modules of exceptions that are permitted to be recreated

upon receiving exception data from an rpc call. (list value)

allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

Qpid broker hostname. (string value)

qpid_hostname=localhost

Qpid broker port. (integer value)

qpid_port=5672

Qpid HA cluster host:port pairs. (list value)

qpid_hosts=$qpid_hostname:$qpid_port

Username for Qpid connection. (string value)

qpid_username=

Password for Qpid connection. (string value)

qpid_password=

Space separated list of SASL mechanisms to use for auth.

(string value)

qpid_sasl_mechanisms=

Seconds between connection keepalive heartbeats. (integer

value)

qpid_heartbeat=60

Transport to use, either 'tcp' or 'ssl'. (string value)

qpid_protocol=tcp

Whether to disable the Nagle algorithm. (boolean value)

qpid_tcp_nodelay=true

The qpid topology version to use. Version 1 is what was

originally used by impl_qpid. Version 2 includes some

backwards-incompatible changes that allow broker federation

to work. Users should update to version 2 when they are

able to take everything down, as it requires a clean break.

(integer value)

qpid_topology_version=1

SSL version to use (valid only if SSL enabled). valid values

are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some

distributions. (string value)

kombu_ssl_version=

SSL key file (valid only if SSL enabled). (string value)

kombu_ssl_keyfile=

SSL cert file (valid only if SSL enabled). (string value)

kombu_ssl_certfile=

SSL certification authority file (valid only if SSL

enabled). (string value)

kombu_ssl_ca_certs=

How long to wait before reconnecting in response to an AMQP

consumer cancel notification. (floating point value)

kombu_reconnect_delay=1.0

The RabbitMQ broker address where a single node is used.

(string value)

rabbit_host=localhost

The RabbitMQ broker port where a single node is used.

(integer value)

rabbit_port=5672

RabbitMQ HA cluster host:port pairs. (list value)

rabbit_hosts=$rabbit_host:$rabbit_port

Connect over SSL for RabbitMQ. (boolean value)

rabbit_use_ssl=false

The RabbitMQ userid. (string value)

rabbit_userid=guest

The RabbitMQ password. (string value)

rabbit_password=guest

the RabbitMQ login method (string value)

rabbit_login_method=AMQPLAIN

The RabbitMQ virtual host. (string value)

rabbit_virtual_host=/

How frequently to retry connecting with RabbitMQ. (integer

value)

rabbit_retry_interval=1

How long to backoff for between retries when connecting to

RabbitMQ. (integer value)

rabbit_retry_backoff=2

Maximum number of RabbitMQ connection retries. Default is 0

(infinite retry count). (integer value)

rabbit_max_retries=0

Use HA queues in RabbitMQ (x-ha-policy: all). If you change

this option, you must wipe the RabbitMQ database. (boolean

value)

rabbit_ha_queues=false

If passed, use a fake RabbitMQ provider. (boolean value)

fake_rabbit=false

ZeroMQ bind address. Should be a wildcard (*), an ethernet

interface, or IP. The "host" option should point or resolve

to this address. (string value)

rpc_zmq_bind_address=*

MatchMaker driver. (string value)

rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

ZeroMQ receiver listening port. (integer value)

rpc_zmq_port=9501

Number of ZeroMQ contexts, defaults to 1. (integer value)

rpc_zmq_contexts=1

Maximum number of ingress messages to locally buffer per

topic. Default is unlimited. (integer value)

rpc_zmq_topic_backlog=<none>

Directory for holding IPC sockets. (string value)

rpc_zmq_ipc_dir=/var/run/openstack

Name of this node. Must be a valid hostname, FQDN, or IP

address. Must match "host" option, if running Nova. (string

value)

rpc_zmq_host=keystone

Seconds to wait before a cast expires (TTL). Only supported

by impl_zmq. (integer value)

rpc_cast_timeout=30

Heartbeat frequency. (integer value)

matchmaker_heartbeat_freq=300

Heartbeat time-to-live. (integer value)

matchmaker_heartbeat_ttl=600

Host to locate redis. (string value)

host=127.0.0.1

Use this port to connect to redis host. (integer value)

port=6379

Password for Redis server (optional). (string value)

password=<none>

Size of RPC greenthread pool. (integer value)

rpc_thread_pool_size=64

Driver or drivers to handle sending notifications. (multi

valued)

notification_driver=

AMQP topic used for OpenStack notifications. (list value)

Deprecated group/name - [rpc_notifier2]/topics

notification_topics=notifications

Seconds to wait for a response from a call. (integer value)

rpc_response_timeout=60

A URL representing the messaging driver to use and its full

configuration. If not set, we fall back to the rpc_backend

option and driver specific configuration. (string value)

transport_url=<none>

The messaging driver to use, defaults to rabbit. Other

drivers include qpid and zmq. (string value)

rpc_backend=rabbit

The default exchange under which topics are scoped. May be

overridden by an exchange name specified in the

transport_url option. (string value)

control_exchange=openstack

#

Options defined in keystone.notifications

#

Default publisher_id for outgoing notifications (string

value)

default_publisher_id=<none>

#

Options defined in keystone.middleware.ec2_token

#

URL to get token from ec2 request. (string value)

keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens

Required if EC2 server requires client certificate. (string

value)

keystone_ec2_keyfile=<none>

Client certificate key filename. Required if EC2 server

requires client certificate. (string value)

keystone_ec2_certfile=<none>

A PEM encoded certificate authority to use when verifying

HTTPS connections. Defaults to the system CAs. (string

value)

keystone_ec2_cafile=<none>

Disable SSL certificate verification. (boolean value)

keystone_ec2_insecure=false

#

Options defined in keystone.openstack.common.eventlet_backdoor

#

Enable eventlet backdoor. Acceptable values are 0, <port>,

and <start>:<end>, where 0 results in listening on a random

tcp port number; <port> results in listening on the

specified port number (and not enabling backdoor if that

port is in use); and <start>:<end> results in listening on

the smallest unused port number within the specified range

of port numbers. The chosen port is displayed in the

service's log file. (string value)

backdoor_port=<none>

#

Options defined in keystone.openstack.common.lockutils

#

Whether to disable inter-process locks (boolean value)

disable_process_locking=false

Directory to use for lock files. (string value)

lock_path=<none>

#

Options defined in keystone.openstack.common.log

#

Print debugging output (set logging level to DEBUG instead

of default WARNING level). (boolean value)

debug=false

Print more verbose output (set logging level to INFO instead

of default WARNING level). (boolean value)

verbose=true

Log output to standard error (boolean value)

use_stderr=true

Format string to use for log messages with context (string

value)

logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

Format string to use for log messages without context

(string value)

logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

Data to append to log format when level is DEBUG (string

value)

logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d

Prefix each line of exception output with this format

(string value)

logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

List of logger=LEVEL pairs (list value)

default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN

Publish error events (boolean value)

publish_errors=false

Make deprecations fatal (boolean value)

fatal_deprecations=false

If an instance is passed with the log message, format it

like this (string value)

instance_format="[instance: %(uuid)s] "

If an instance UUID is passed with the log message, format

it like this (string value)

instance_uuid_format="[instance: %(uuid)s] "

The name of logging configuration file. It does not disable

existing loggers, but just appends specified logging

configuration to any other existing logging options. Please

see the Python logging module documentation for details on

logging configuration files. (string value)

Deprecated group/name - [DEFAULT]/log_config

log_config_append=<none>

DEPRECATED. A logging.Formatter log message format string

which may use any of the available logging.LogRecord

attributes. This option is deprecated. Please use

logging_context_format_string and

logging_default_format_string instead. (string value)

log_format=<none>

Format string for %%(asctime)s in log records. Default:

%(default)s (string value)

log_date_format=%Y-%m-%d %H:%M:%S

(Optional) Name of log file to output to. If no default is

set, logging will go to stdout. (string value)

Deprecated group/name - [DEFAULT]/logfile

log_file=<none>

(Optional) The base directory used for relative --log-file

paths (string value)

Deprecated group/name - [DEFAULT]/logdir

log_dir=<none>

Use syslog for logging. Existing syslog format is DEPRECATED

during I, and then will be changed in J to honor RFC5424

(boolean value)

use_syslog=false

(Optional) Use syslog rfc5424 format for logging. If

enabled, will add APP-NAME (RFC5424) before the MSG part of

the syslog message. The old format without APP-NAME is

deprecated in I, and will be removed in J. (boolean value)

use_syslog_rfc_format=false

Syslog facility to receive log lines (string value)

syslog_log_facility=LOG_USER

#

Options defined in keystone.openstack.common.policy

#

JSON file containing policy (string value)

policy_file=policy.json

Rule enforced when requested rule is not found (string

value)

policy_default_rule=default

[assignment]

#

Options defined in keystone

#

Keystone Assignment backend driver. (string value)

driver=<none>

Toggle for assignment caching. This has no effect unless

global caching is enabled. (boolean value)

caching=true

TTL (in seconds) to cache assignment data. This has no

effect unless global caching is enabled. (integer value)

cache_time=<none>

Maximum number of entities that will be returned in an

assignment collection. (integer value)

list_limit=<none>

[auth]

#

Options defined in keystone

#

Default auth methods. (list value)

methods=external,password,token

The password auth plugin module. (string value)

password=keystone.auth.plugins.password.Password

The token auth plugin module. (string value)

token=keystone.auth.plugins.token.Token

The external (REMOTE_USER) auth plugin module. (string

value)

external=keystone.auth.plugins.external.DefaultDomain

[cache]

#

Options defined in keystone

#

Prefix for building the configuration dictionary for the

cache region. This should not need to be changed unless

there is another dogpile.cache region with the same

configuration name. (string value)

config_prefix=cache.keystone

Default TTL, in seconds, for any cached item in the

dogpile.cache region. This applies to any cached method that

doesn't have an explicit cache expiration time defined for

it. (integer value)

expiration_time=600

Dogpile.cache backend module. It is recommended that

Memcache (dogpile.cache.memcached) or Redis

(dogpile.cache.redis) be used in production deployments.

Small workloads (single process) like devstack can use the

dogpile.cache.memory backend. (string value)

backend=keystone.common.cache.noop

Use a key-mangling function (sha1) to ensure fixed length

cache-keys. This is toggle-able for debugging purposes, it

is highly recommended to always leave this set to True.

(boolean value)

use_key_mangler=true

Arguments supplied to the backend module. Specify this

option once per argument to be passed to the dogpile.cache

backend. Example format: "<argname>:<value>". (multi valued)

backend_argument=

Proxy Classes to import that will affect the way the

dogpile.cache backend functions. See the dogpile.cache

documentation on changing-backend-behavior. Comma delimited

list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2.

(list value)

proxies=

Global toggle for all caching using the should_cache_fn

mechanism. (boolean value)

enabled=false

Extra debugging from the cache backend (cache keys,

get/set/delete/etc calls) This is only really useful if you

need to see the specific cache-backend get/set/delete calls

with the keys/values. Typically this should be left set to

False. (boolean value)

debug_cache_backend=false

[catalog]

#

Options defined in keystone

#

Catalog template file name for use with the template catalog

backend. (string value)

template_file=default_catalog.templates

Keystone catalog backend driver. (string value)

driver=keystone.catalog.backends.sql.Catalog

Maximum number of entities that will be returned in a

catalog collection. (integer value)

list_limit=<none>

[credential]

#

Options defined in keystone

#

Keystone Credential backend driver. (string value)

driver=keystone.credential.backends.sql.Credential

[database]

#

Options defined in keystone.openstack.common.db.options

#

The file name to use with SQLite (string value)

sqlite_db=keystone.sqlite

If True, SQLite uses synchronous mode (boolean value)

sqlite_synchronous=true

The backend to use for db (string value)

Deprecated group/name - [DEFAULT]/db_backend

backend=sqlalchemy

The SQLAlchemy connection string used to connect to the

database (string value)

Deprecated group/name - [DEFAULT]/sql_connection

Deprecated group/name - [DATABASE]/sql_connection

Deprecated group/name - [sql]/connection

connection=mysql://keystone:klasika@controller/keystone

connection = sqlite:////var/lib/keystone/keystone.db

The SQL mode to be used for MySQL sessions. This option,

including the default, overrides any server-set SQL mode. To

use whatever SQL mode is set by the server configuration,

set this to no value. Example: mysql_sql_mode= (string

value)

mysql_sql_mode=TRADITIONAL

Timeout before idle sql connections are reaped (integer

value)

Deprecated group/name - [DEFAULT]/sql_idle_timeout

Deprecated group/name - [DATABASE]/sql_idle_timeout

Deprecated group/name - [sql]/idle_timeout

idle_timeout=3600

Minimum number of SQL connections to keep open in a pool

(integer value)

Deprecated group/name - [DEFAULT]/sql_min_pool_size

Deprecated group/name - [DATABASE]/sql_min_pool_size

min_pool_size=1

Maximum number of SQL connections to keep open in a pool

(integer value)

Deprecated group/name - [DEFAULT]/sql_max_pool_size

Deprecated group/name - [DATABASE]/sql_max_pool_size

max_pool_size=<none>

Maximum db connection retries during startup. (setting -1

implies an infinite retry count) (integer value)

Deprecated group/name - [DEFAULT]/sql_max_retries

Deprecated group/name - [DATABASE]/sql_max_retries

max_retries=10

Interval between retries of opening a sql connection

(integer value)

Deprecated group/name - [DEFAULT]/sql_retry_interval

Deprecated group/name - [DATABASE]/reconnect_interval

retry_interval=10

If set, use this value for max_overflow with sqlalchemy

(integer value)

Deprecated group/name - [DEFAULT]/sql_max_overflow

Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow

max_overflow=<none>

Verbosity of SQL debugging information. 0=None,

100=Everything (integer value)

Deprecated group/name - [DEFAULT]/sql_connection_debug

connection_debug=0

Add python stack traces to SQL as comment strings (boolean

value)

Deprecated group/name - [DEFAULT]/sql_connection_trace

connection_trace=false

If set, use this value for pool_timeout with sqlalchemy

(integer value)

Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout

pool_timeout=<none>

Enable the experimental use of database reconnect on

connection lost (boolean value)

use_db_reconnect=false

seconds between db connection retries (integer value)

db_retry_interval=1

Whether to increase interval between db connection retries,

up to db_max_retry_interval (boolean value)

db_inc_retry_interval=true

max seconds between db connection retries, if

db_inc_retry_interval is enabled (integer value)

db_max_retry_interval=10

maximum db connection retries before error is raised.

(setting -1 implies an infinite retry count) (integer value)

db_max_retries=20

[ec2]

#

Options defined in keystone

#

Keystone EC2Credential backend driver. (string value)

driver=keystone.contrib.ec2.backends.kvs.Ec2

[endpoint_filter]

#

Options defined in keystone

#

Keystone Endpoint Filter backend driver (string value)

driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

Toggle to return all active endpoints if no filter exists.

(boolean value)

return_all_endpoints_if_no_filter=true

[federation]

#

Options defined in keystone

#

Keystone Federation backend driver. (string value)

driver=keystone.contrib.federation.backends.sql.Federation

Value to be used when filtering assertion parameters from

the environment. (string value)

assertion_prefix=

[identity]

#

Options defined in keystone

#

This references the domain to use for all Identity API v2

requests (which are not aware of domains). A domain with

this ID will be created for you by keystone-manage db_sync

in migration 008. The domain referenced by this ID cannot

be deleted on the v3 API, to prevent accidentally breaking

the v2 API. There is nothing special about this domain,

other than the fact that it must exist to order to maintain

support for your v2 clients. (string value)

default_domain_id=default

A subset (or all) of domains can have their own identity

driver, each with their own partial configuration file in a

domain configuration directory. Only values specific to the

domain need to be placed in the domain specific

configuration file. This feature is disabled by default; set

to True to enable. (boolean value)

domain_specific_drivers_enabled=false

Path for Keystone to locate the domain specificidentity

configuration files if domain_specific_drivers_enabled is

set to true. (string value)

domain_config_dir=/etc/keystone/domains

Keystone Identity backend driver. (string value)

driver=keystone.identity.backends.sql.Identity

Maximum supported length for user passwords; decrease to

improve performance. (integer value)

max_password_length=4096

Maximum number of entities that will be returned in an

identity collection. (integer value)

list_limit=<none>

[kvs]

#

Options defined in keystone

#

Extra dogpile.cache backend modules to register with the

dogpile.cache library. (list value)

backends=

Prefix for building the configuration dictionary for the KVS

region. This should not need to be changed unless there is

another dogpile.cache region with the same configuration

name. (string value)

config_prefix=keystone.kvs

Toggle to disable using a key-mangling function to ensure

fixed length keys. This is toggle-able for debugging

purposes, it is highly recommended to always leave this set

to True. (boolean value)

enable_key_mangler=true

Default lock timeout for distributed locking. (integer

value)

default_lock_timeout=5

[ldap]

#

Options defined in keystone

#

URL for connecting to the LDAP server. (string value)

url=ldap://localhost

User BindDN to query the LDAP server. (string value)

user=<none>

Password for the BindDN to query the LDAP server. (string

value)

password=<none>

LDAP server suffix (string value)

suffix=cn=example,cn=com

If true, will add a dummy member to groups. This is required

if the objectclass for groups requires the "member"

attribute. (boolean value)

use_dumb_member=false

DN of the "dummy member" to use when "use_dumb_member" is

enabled. (string value)

dumb_member=cn=dumb,dc=nonexistent

allow deleting subtrees. (boolean value)

allow_subtree_delete=false

The LDAP scope for queries, this can be either "one"

(onelevel/singleLevel) or "sub" (subtree/wholeSubtree).

(string value)

query_scope=one

Maximum results per page; a value of zero ("0") disables

paging. (integer value)

page_size=0

The LDAP dereferencing option for queries. This can be

either "never", "searching", "always", "finding" or

"default". The "default" option falls back to using default

dereferencing configured by your ldap.conf. (string value)

alias_dereferencing=default

Override the system's default referral chasing behavior for

queries. (boolean value)

chase_referrals=<none>

Search base for users. (string value)

user_tree_dn=<none>

LDAP search filter for users. (string value)

user_filter=<none>

LDAP objectClass for users. (string value)

user_objectclass=inetOrgPerson

LDAP attribute mapped to user id. (string value)

user_id_attribute=cn

LDAP attribute mapped to user name. (string value)

user_name_attribute=sn

LDAP attribute mapped to user email. (string value)

user_mail_attribute=email

LDAP attribute mapped to password. (string value)

user_pass_attribute=userPassword

LDAP attribute mapped to user enabled flag. (string value)

user_enabled_attribute=enabled

Bitmask integer to indicate the bit that the enabled value

is stored in if the LDAP server represents "enabled" as a

bit on an integer rather than a boolean. A value of "0"

indicates the mask is not used. If this is not set to "0"

the typical value is "2". This is typically used when

"user_enabled_attribute = userAccountControl". (integer

value)

user_enabled_mask=0

Default value to enable users. This should match an

appropriate int value if the LDAP server uses non-boolean

(bitmask) values to indicate if a user is enabled or

disabled. If this is not set to "True"the typical value is

"512". This is typically used when "user_enabled_attribute =

userAccountControl". (string value)

user_enabled_default=True

List of attributes stripped off the user on update. (list

value)

user_attribute_ignore=default_project_id,tenants

LDAP attribute mapped to default_project_id for users.

(string value)

user_default_project_id_attribute=<none>

Allow user creation in LDAP backend. (boolean value)

user_allow_create=true

Allow user updates in LDAP backend. (boolean value)

user_allow_update=true

Allow user deletion in LDAP backend. (boolean value)

user_allow_delete=true

If True, Keystone uses an alternative method to determine if

a user is enabled or not by checking if they are a member of

the "user_enabled_emulation_dn" group. (boolean value)

user_enabled_emulation=false

DN of the group entry to hold enabled users when using

enabled emulation. (string value)

user_enabled_emulation_dn=<none>

List of additional LDAP attributes used for mapping

Additional attribute mappings for users. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

user_additional_attribute_mapping=

Search base for projects (string value)

tenant_tree_dn=<none>

LDAP search filter for projects. (string value)

tenant_filter=<none>

LDAP objectClass for projects. (string value)

tenant_objectclass=groupOfNames

LDAP attribute mapped to project id. (string value)

tenant_id_attribute=cn

LDAP attribute mapped to project membership for user.

(string value)

tenant_member_attribute=member

LDAP attribute mapped to project name. (string value)

tenant_name_attribute=ou

LDAP attribute mapped to project description. (string value)

tenant_desc_attribute=description

LDAP attribute mapped to project enabled. (string value)

tenant_enabled_attribute=enabled

LDAP attribute mapped to project domain_id. (string value)

tenant_domain_id_attribute=businessCategory

List of attributes stripped off the project on update. (list

value)

tenant_attribute_ignore=

Allow tenant creation in LDAP backend. (boolean value)

tenant_allow_create=true

Allow tenant update in LDAP backend. (boolean value)

tenant_allow_update=true

Allow tenant deletion in LDAP backend. (boolean value)

tenant_allow_delete=true

If True, Keystone uses an alternative method to determine if

a project is enabled or not by checking if they are a member

of the "tenant_enabled_emulation_dn" group. (boolean value)

tenant_enabled_emulation=false

DN of the group entry to hold enabled projects when using

enabled emulation. (string value)

tenant_enabled_emulation_dn=<none>

Additional attribute mappings for projects. Attribute

mapping format is <ldap_attr>:<user_attr>, where ldap_attr

is the attribute in the LDAP entry and user_attr is the

Identity API attribute. (list value)

tenant_additional_attribute_mapping=

Search base for roles. (string value)

role_tree_dn=<none>

LDAP search filter for roles. (string value)

role_filter=<none>

LDAP objectClass for roles. (string value)

role_objectclass=organizationalRole

LDAP attribute mapped to role id. (string value)

role_id_attribute=cn

LDAP attribute mapped to role name. (string value)

role_name_attribute=ou

LDAP attribute mapped to role membership. (string value)

role_member_attribute=roleOccupant

List of attributes stripped off the role on update. (list

value)

role_attribute_ignore=

Allow role creation in LDAP backend. (boolean value)

role_allow_create=true

Allow role update in LDAP backend. (boolean value)

role_allow_update=true

Allow role deletion in LDAP backend. (boolean value)

role_allow_delete=true

Additional attribute mappings for roles. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

role_additional_attribute_mapping=

Search base for groups. (string value)

group_tree_dn=<none>

LDAP search filter for groups. (string value)

group_filter=<none>

LDAP objectClass for groups. (string value)

group_objectclass=groupOfNames

LDAP attribute mapped to group id. (string value)

group_id_attribute=cn

LDAP attribute mapped to group name. (string value)

group_name_attribute=ou

LDAP attribute mapped to show group membership. (string

value)

group_member_attribute=member

LDAP attribute mapped to group description. (string value)

group_desc_attribute=description

List of attributes stripped off the group on update. (list

value)

group_attribute_ignore=

Allow group creation in LDAP backend. (boolean value)

group_allow_create=true

Allow group update in LDAP backend. (boolean value)

group_allow_update=true

Allow group deletion in LDAP backend. (boolean value)

group_allow_delete=true

Additional attribute mappings for groups. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

group_additional_attribute_mapping=

CA certificate file path for communicating with LDAP

servers. (string value)

tls_cacertfile=<none>

CA certificate directory path for communicating with LDAP

servers. (string value)

tls_cacertdir=<none>

Enable TLS for communicating with LDAP servers. (boolean

value)

use_tls=false

valid options for tls_req_cert are demand, never, and allow.

(string value)

tls_req_cert=demand

[matchmaker_ring]

#

Options defined in oslo.messaging

#

Matchmaker ring file (JSON). (string value)

Deprecated group/name - [DEFAULT]/matchmaker_ringfile

ringfile=/etc/oslo/matchmaker_ring.json

[memcache]

#

Options defined in keystone

#

Memcache servers in the format of "host:port" (list value)

servers=localhost:11211

Number of compare-and-set attempts to make when using

compare-and-set in the token memcache back end. (integer

value)

max_compare_and_set_retry=16

[oauth1]

#

Options defined in keystone

#

Keystone Credential backend driver. (string value)

driver=keystone.contrib.oauth1.backends.sql.OAuth1

Duration (in seconds) for the OAuth Request Token. (integer

value)

request_token_duration=28800

Duration (in seconds) for the OAuth Access Token. (integer

value)

access_token_duration=86400

[os_inherit]

#

Options defined in keystone

#

role-assignment inheritance to projects from owning domain

can be optionally enabled. (boolean value)

enabled=false

[paste_deploy]

#

Options defined in keystone

#

Name of the paste configuration file that defines the

available pipelines. (string value)

config_file=keystone-paste.ini

[policy]

#

Options defined in keystone

#

Keystone Policy backend driver. (string value)

driver=keystone.policy.backends.sql.Policy

Maximum number of entities that will be returned in a policy

collection. (integer value)

list_limit=<none>

[revoke]

#

Options defined in keystone

#

An implementation of the backend for persisting revocation

events. (string value)

driver=keystone.contrib.revoke.backends.sql.Revoke

This value (calculated in seconds) is added to token

expiration before a revocation event may be removed from the

backend. (integer value)

expiration_buffer=1800

Toggle for revocation event cacheing. This has no effect

unless global caching is enabled. (boolean value)

caching=true

[signing]

#

Options defined in keystone

#

Deprecated in favor of provider in the [token] section.

(string value)

token_format=<none>

Path of the certfile for token signing. (string value)

certfile=/etc/keystone/ssl/certs/signing_cert.pem

Path of the keyfile for token signing. (string value)

keyfile=/etc/keystone/ssl/private/signing_key.pem

Path of the CA for token signing. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

Path of the CA Key for token signing. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

Key Size (in bits) for token signing cert (auto generated

certificate). (integer value)

key_size=2048

Day the token signing cert is valid for (auto generated

certificate). (integer value)

valid_days=3650

Certificate Subject (auto generated certificate) for token

signing. (string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ssl]

#

Options defined in keystone

#

Toggle for SSL support on the keystone eventlet servers.

(boolean value)

enable=false

Path of the certfile for SSL. (string value)

certfile=/etc/keystone/ssl/certs/keystone.pem

Path of the keyfile for SSL. (string value)

keyfile=/etc/keystone/ssl/private/keystonekey.pem

Path of the ca cert file for SSL. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

Path of the CA key file for SSL. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

Require client certificate. (boolean value)

cert_required=false

SSL Key Length (in bits) (auto generated certificate).

(integer value)

key_size=1024

Days the certificate is valid for once signed (auto

generated certificate). (integer value)

valid_days=3650

SSL Certificate Subject (auto generated certificate).

(string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[stats]

#

Options defined in keystone

#

Keystone stats backend driver. (string value)

driver=keystone.contrib.stats.backends.kvs.Stats

[token]

#

Options defined in keystone

#

External auth mechanisms that should add bind information to

token e.g. kerberos, x509. (list value)

bind=

Enforcement policy on tokens presented to keystone with bind

information. One of disabled, permissive, strict, required

or a specifically required bind mode e.g. kerberos or x509

to require binding to that authentication. (string value)

enforce_token_bind=permissive

Amount of time a token should remain valid (in seconds).

(integer value)

expiration=3600

Controls the token construction, validation, and revocation

operations. Core providers are

"keystone.token.providers.[pki|uuid].Provider". (string

value)

provider=keystone.token.providers.uuid.Provider

Keystone Token persistence backend driver. (string value)

driver=keystone.token.persistence.backends.sql.Token

Toggle for token system cacheing. This has no effect unless

global caching is enabled. (boolean value)

caching=true

Time to cache the revocation list and the revocation events

if revoke extension is enabled (in seconds). This has no

effect unless global and token caching are enabled. (integer

value)

revocation_cache_time=3600

Time to cache tokens (in seconds). This has no effect unless

global and token caching are enabled. (integer value)

cache_time=<none>

Revoke token by token identifier. Setting revoke_by_id to

True enables various forms of enumerating tokens, e.g. `list

tokens for user`. These enumerations are processed to

determine the list of tokens to revoke. Only disable if

you are switching to using the Revoke extension with a

backend other than KVS, which stores events in memory.

(boolean value)

revoke_by_id=true

[trust]

#

Options defined in keystone

#

delegation and impersonation features can be optionally

disabled. (boolean value)

enabled=true

Keystone Trust backend driver. (string value)

driver=keystone.trust.backends.sql.Trust

[extra_headers] Distribution = Ubuntu

click to hide/show revision 2
No.2 Revision

Can someone help me install keystone juno?

I am following this tutorial: http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-install.html

and I am getting stuck at step 3, because when i enter the command I get su: Authentication failure I entered the same db pass in keystone.conf as I did in mysql database. I did get suspicious in keystone.conf because step b required me to write entirely on my own the line: connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone whereas everything else was just editing.

Anyway here is my entire keystone.conf:

[DEFAULT]

#

[DEFAULT]

#
# Options defined in keystone

#

keystone # # A "shared secret" that can be used to bootstrap Keystone.

Keystone. # This "token" does not represent a user, and carries no

no # explicit authorization. To disable in production (highly

(highly # recommended), remove AdminTokenAuthMiddleware from your

your # paste application pipelines (for example, in keystone-

keystone- # paste.ini). (string value)

admin_token=d84c154eff63ccfd933d

value) admin_token=d84c154eff63ccfd933d # The IP Address of the network interface to for the public

public # service to listen on. (string value)

value) # Deprecated group/name - [DEFAULT]/bind_host

public_bind_host=0.0.0.0

[DEFAULT]/bind_host #public_bind_host=0.0.0.0 # The IP Address of the network interface to for the admin

admin # service to listen on. (string value)

value) # Deprecated group/name - [DEFAULT]/bind_host

admin_bind_host=0.0.0.0

[DEFAULT]/bind_host #admin_bind_host=0.0.0.0 # The port which the OpenStack Compute service listens on.

on. # (integer value)

compute_port=8774

value) #compute_port=8774 # The port number which the admin service listens on. (integer

value)

admin_port=35357

(integer # value) #admin_port=35357 # The port number which the public service listens on.

on. # (integer value)

public_port=5000

value) #public_port=5000 # The base public endpoint URL for keystone that are

are # advertised to clients (NOTE: this does NOT affect how

how # keystone listens for connections) (string value).

value). # Defaults to the base host URL of the request. Eg a

a # request to http://server:5000/v2.0/users will

will # default to http://server:5000. You should only need

need # to set this value if the base URL contains a path

path # (eg /prefix/v2.0) or the endpoint should be found on

on # a different server.

public_endpoint=http://localhost:%(public_port)s/

server. #public_endpoint=http://localhost:%(public_port)s/ # The base admin endpoint URL for keystone that are advertised

advertised # to clients (NOTE: this does NOT affect how keystone listens

listens # for connections) (string value).

value). # Defaults to the base host URL of the request. Eg a

a # request to http://server:35357/v2.0/users will

will # default to http://server:35357. You should only need

need # to set this value if the base URL contains a path

path # (eg /prefix/v2.0) or the endpoint should be found on

on # a different server.

admin_endpoint=http://localhost:%(admin_port)s/

server. #admin_endpoint=http://localhost:%(admin_port)s/ # onready allows you to send a notification when the process

process # is ready to serve For example, to have it notify using

using # systemd, one could set shell command: "onready = systemd-

systemd- # notify --ready" or a module with notify() method: "onready =

= # keystone.common.systemd". (string value)

onready=<none>

value) #onready=<None> # enforced by optional sizelimit middleware

middleware # (keystone.middleware:RequestBodySizeLimiter). (integer

value)

max_request_body_size=114688

(integer # value) #max_request_body_size=114688 # limit the sizes of user & tenant ID/names. (integer value)

max_param_size=64

value) #max_param_size=64 # similar to max_param_size, but provides an exception for

for # token values. (integer value)

max_token_size=8192

value) #max_token_size=8192 # During a SQL upgrade member_role_id will be used to create a

a # new role that will replace records in the

the # user_tenant_membership table with explicit role grants.

grants. # After migration, the member_role_id will be used in the API

API # add_user_to_project. (string value)

member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

value) #member_role_id=9fe2ff9ee4384b1894a90878d3e92bab # During a SQL upgrade member_role_id will be used to create a

a # new role that will replace records in the

the # user_tenant_membership table with explicit role grants.

grants. # After migration, member_role_name will be ignored. (string

value)

member_role_name=_member_

(string # value) #member_role_name=_member_ # The value passed as the keyword "rounds" to passlib encrypt

encrypt # method. (integer value)

crypt_strength=40000

value) #crypt_strength=40000 # Set this to True if you want to enable TCP_KEEPALIVE on

on # server sockets i.e. sockets used by the keystone wsgi server

server # for client connections. (boolean value)

tcp_keepalive=false

value) #tcp_keepalive=false # Sets the value of TCP_KEEPIDLE in seconds for each server

server # socket. Only applies if tcp_keepalive is True. Not supported

supported # on OS X. (integer value)

tcp_keepidle=600

value) #tcp_keepidle=600 # The maximum number of entities that will be returned in a

a # collection can be set with list_limit, with no limit set by

by # default. This global limit may be then overridden for a

a # specific driver, by specifying a list_limit in the

the # appropriate section (e.g. [assignment]). (integer value)

list_limit=<none>

value) #list_limit=<None> # Set this to false if you want to enable the ability for

for # user, group and project entities to be moved between domains

domains # by updating their domain_id. Allowing such movement is not

not # recommended if the scope of a domain admin is being

being # restricted by use of an appropriate policy file (see

(see # policy.v3cloudsample as an example). (boolean value)

domain_id_immutable=true

#

value) #domain_id_immutable=true # # Options defined in oslo.messaging

#

oslo.messaging # # Use durable queues in amqp. (boolean value)

value) # Deprecated group/name - [DEFAULT]/rabbit_durable_queues

amqp_durable_queues=false

[DEFAULT]/rabbit_durable_queues #amqp_durable_queues=false # Auto-delete queues in amqp. (boolean value)

amqp_auto_delete=false

value) #amqp_auto_delete=false # Size of RPC connection pool. (integer value)

rpc_conn_pool_size=30

value) #rpc_conn_pool_size=30 # Modules of exceptions that are permitted to be recreated

recreated # upon receiving exception data from an rpc call. (list value)

allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

value) #allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions # Qpid broker hostname. (string value)

qpid_hostname=localhost

value) #qpid_hostname=localhost # Qpid broker port. (integer value)

qpid_port=5672

value) #qpid_port=5672 # Qpid HA cluster host:port pairs. (list value)

qpid_hosts=$qpid_hostname:$qpid_port

value) #qpid_hosts=$qpid_hostname:$qpid_port # Username for Qpid connection. (string value)

qpid_username=

value) #qpid_username= # Password for Qpid connection. (string value)

qpid_password=

value) #qpid_password= # Space separated list of SASL mechanisms to use for auth.

(string value)

qpid_sasl_mechanisms=

auth. # (string value) #qpid_sasl_mechanisms= # Seconds between connection keepalive heartbeats. (integer

value)

qpid_heartbeat=60

(integer # value) #qpid_heartbeat=60 # Transport to use, either 'tcp' or 'ssl'. (string value)

qpid_protocol=tcp

value) #qpid_protocol=tcp # Whether to disable the Nagle algorithm. (boolean value)

qpid_tcp_nodelay=true

value) #qpid_tcp_nodelay=true # The qpid topology version to use. Version 1 is what was

was # originally used by impl_qpid. Version 2 includes some

some # backwards-incompatible changes that allow broker federation

federation # to work. Users should update to version 2 when they are

are # able to take everything down, as it requires a clean break.

break. # (integer value)

qpid_topology_version=1

value) #qpid_topology_version=1 # SSL version to use (valid only if SSL enabled). valid values

values # are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some

some # distributions. (string value)

kombu_ssl_version=

value) #kombu_ssl_version= # SSL key file (valid only if SSL enabled). (string value)

kombu_ssl_keyfile=

value) #kombu_ssl_keyfile= # SSL cert file (valid only if SSL enabled). (string value)

kombu_ssl_certfile=

value) #kombu_ssl_certfile= # SSL certification authority file (valid only if SSL

SSL # enabled). (string value)

kombu_ssl_ca_certs=

value) #kombu_ssl_ca_certs= # How long to wait before reconnecting in response to an AMQP

AMQP # consumer cancel notification. (floating point value)

kombu_reconnect_delay=1.0

value) #kombu_reconnect_delay=1.0 # The RabbitMQ broker address where a single node is used.

(string value)

rabbit_host=localhost

used. # (string value) #rabbit_host=localhost # The RabbitMQ broker port where a single node is used.

used. # (integer value)

rabbit_port=5672

value) #rabbit_port=5672 # RabbitMQ HA cluster host:port pairs. (list value)

rabbit_hosts=$rabbit_host:$rabbit_port

value) #rabbit_hosts=$rabbit_host:$rabbit_port # Connect over SSL for RabbitMQ. (boolean value)

rabbit_use_ssl=false

value) #rabbit_use_ssl=false # The RabbitMQ userid. (string value)

rabbit_userid=guest

value) #rabbit_userid=guest # The RabbitMQ password. (string value)

rabbit_password=guest

value) #rabbit_password=guest # the RabbitMQ login method (string value)

rabbit_login_method=AMQPLAIN

value) #rabbit_login_method=AMQPLAIN # The RabbitMQ virtual host. (string value)

rabbit_virtual_host=/

value) #rabbit_virtual_host=/ # How frequently to retry connecting with RabbitMQ. (integer

value)

rabbit_retry_interval=1

(integer # value) #rabbit_retry_interval=1 # How long to backoff for between retries when connecting to

to # RabbitMQ. (integer value)

rabbit_retry_backoff=2

value) #rabbit_retry_backoff=2 # Maximum number of RabbitMQ connection retries. Default is 0

0 # (infinite retry count). (integer value)

rabbit_max_retries=0

value) #rabbit_max_retries=0 # Use HA queues in RabbitMQ (x-ha-policy: all). If you change

change # this option, you must wipe the RabbitMQ database. (boolean

value)

rabbit_ha_queues=false

(boolean # value) #rabbit_ha_queues=false # If passed, use a fake RabbitMQ provider. (boolean value)

fake_rabbit=false

value) #fake_rabbit=false # ZeroMQ bind address. Should be a wildcard (*), an ethernet

ethernet # interface, or IP. The "host" option should point or resolve

resolve # to this address. (string value)

rpc_zmq_bind_address=*

value) #rpc_zmq_bind_address=* # MatchMaker driver. (string value)

rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

value) #rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost # ZeroMQ receiver listening port. (integer value)

rpc_zmq_port=9501

value) #rpc_zmq_port=9501 # Number of ZeroMQ contexts, defaults to 1. (integer value)

rpc_zmq_contexts=1

value) #rpc_zmq_contexts=1 # Maximum number of ingress messages to locally buffer per

per # topic. Default is unlimited. (integer value)

rpc_zmq_topic_backlog=<none>

value) #rpc_zmq_topic_backlog=<None> # Directory for holding IPC sockets. (string value)

rpc_zmq_ipc_dir=/var/run/openstack

value) #rpc_zmq_ipc_dir=/var/run/openstack # Name of this node. Must be a valid hostname, FQDN, or IP

IP # address. Must match "host" option, if running Nova. (string

value)

rpc_zmq_host=keystone

(string # value) #rpc_zmq_host=keystone # Seconds to wait before a cast expires (TTL). Only supported

supported # by impl_zmq. (integer value)

rpc_cast_timeout=30

value) #rpc_cast_timeout=30 # Heartbeat frequency. (integer value)

matchmaker_heartbeat_freq=300

value) #matchmaker_heartbeat_freq=300 # Heartbeat time-to-live. (integer value)

matchmaker_heartbeat_ttl=600

value) #matchmaker_heartbeat_ttl=600 # Host to locate redis. (string value)

host=127.0.0.1

value) #host=127.0.0.1 # Use this port to connect to redis host. (integer value)

port=6379

value) #port=6379 # Password for Redis server (optional). (string value)

password=<none>

value) #password=<None> # Size of RPC greenthread pool. (integer value)

rpc_thread_pool_size=64

value) #rpc_thread_pool_size=64 # Driver or drivers to handle sending notifications. (multi

valued)

notification_driver=

(multi # valued) #notification_driver= # AMQP topic used for OpenStack notifications. (list value)

value) # Deprecated group/name - [rpc_notifier2]/topics

notification_topics=notifications

[rpc_notifier2]/topics #notification_topics=notifications # Seconds to wait for a response from a call. (integer value)

rpc_response_timeout=60

value) #rpc_response_timeout=60 # A URL representing the messaging driver to use and its full

full # configuration. If not set, we fall back to the rpc_backend

rpc_backend # option and driver specific configuration. (string value)

transport_url=<none>

value) #transport_url=<None> # The messaging driver to use, defaults to rabbit. Other

Other # drivers include qpid and zmq. (string value)

rpc_backend=rabbit

value) #rpc_backend=rabbit # The default exchange under which topics are scoped. May be

be # overridden by an exchange name specified in the

the # transport_url option. (string value)

control_exchange=openstack

#

value) #control_exchange=openstack # # Options defined in keystone.notifications

#

keystone.notifications # # Default publisher_id for outgoing notifications (string

value)

default_publisher_id=<none>

#

(string # value) #default_publisher_id=<None> # # Options defined in keystone.middleware.ec2_token

#

keystone.middleware.ec2_token # # URL to get token from ec2 request. (string value)

keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens

value) #keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens # Required if EC2 server requires client certificate. (string

value)

keystone_ec2_keyfile=<none>

(string # value) #keystone_ec2_keyfile=<None> # Client certificate key filename. Required if EC2 server

server # requires client certificate. (string value)

keystone_ec2_certfile=<none>

value) #keystone_ec2_certfile=<None> # A PEM encoded certificate authority to use when verifying

verifying # HTTPS connections. Defaults to the system CAs. (string

value)

keystone_ec2_cafile=<none>

(string # value) #keystone_ec2_cafile=<None> # Disable SSL certificate verification. (boolean value)

keystone_ec2_insecure=false

#

value) #keystone_ec2_insecure=false # # Options defined in keystone.openstack.common.eventlet_backdoor

#

keystone.openstack.common.eventlet_backdoor # # Enable eventlet backdoor. Acceptable values are 0, <port>,

<port>, # and <start>:<end>, where 0 results in listening on a random

random # tcp port number; <port> results in listening on the

the # specified port number (and not enabling backdoor if that

that # port is in use); and <start>:<end> results in listening on

on # the smallest unused port number within the specified range

range # of port numbers. The chosen port is displayed in the

the # service's log file. (string value)

backdoor_port=<none>

#

value) #backdoor_port=<None> # # Options defined in keystone.openstack.common.lockutils

#

keystone.openstack.common.lockutils # # Whether to disable inter-process locks (boolean value)

disable_process_locking=false

value) #disable_process_locking=false # Directory to use for lock files. (string value)

lock_path=<none>

#

value) #lock_path=<None> # # Options defined in keystone.openstack.common.log

#

keystone.openstack.common.log # # Print debugging output (set logging level to DEBUG instead

instead # of default WARNING level). (boolean value)

debug=false

value) #debug=false # Print more verbose output (set logging level to INFO instead

instead # of default WARNING level). (boolean value)

verbose=true

value) verbose=true # Log output to standard error (boolean value)

use_stderr=true

value) #use_stderr=true # Format string to use for log messages with context (string

value)

logging_context_format_string=%(asctime)s.%(msecs)03d (string # value) #logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

%(instance)s%(message)s # Format string to use for log messages without context

(string value)

logging_default_format_string=%(asctime)s.%(msecs)03d context # (string value) #logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

%(instance)s%(message)s # Data to append to log format when level is DEBUG (string

value)

logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d

(string # value) #logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d # Prefix each line of exception output with this format

(string value)

logging_exception_prefix=%(asctime)s.%(msecs)03d format # (string value) #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

%(instance)s # List of logger=LEVEL pairs (list value)

default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN

value) #default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN # Publish error events (boolean value)

publish_errors=false

value) #publish_errors=false # Make deprecations fatal (boolean value)

fatal_deprecations=false

value) #fatal_deprecations=false # If an instance is passed with the log message, format it

it # like this (string value)

instance_format="[instance: value) #instance_format="[instance: %(uuid)s] "

" # If an instance UUID is passed with the log message, format

format # it like this (string value)

instance_uuid_format="[instance: value) #instance_uuid_format="[instance: %(uuid)s] "

" # The name of logging configuration file. It does not disable

disable # existing loggers, but just appends specified logging

logging # configuration to any other existing logging options. Please

Please # see the Python logging module documentation for details on

on # logging configuration files. (string value)

value) # Deprecated group/name - [DEFAULT]/log_config

log_config_append=<none>

[DEFAULT]/log_config #log_config_append=<None> # DEPRECATED. A logging.Formatter log message format string

string # which may use any of the available logging.LogRecord

logging.LogRecord # attributes. This option is deprecated. Please use

use # logging_context_format_string and

and # logging_default_format_string instead. (string value)

log_format=<none>

value) #log_format=<None> # Format string for %%(asctime)s in log records. Default:

Default: # %(default)s (string value)

log_date_format=%Y-%m-%d %H:%M:%S

value) #log_date_format=%Y-%m-%d %H:%M:%S # (Optional) Name of log file to output to. If no default is

is # set, logging will go to stdout. (string value)

value) # Deprecated group/name - [DEFAULT]/logfile

log_file=<none>

[DEFAULT]/logfile #log_file=<None> # (Optional) The base directory used for relative --log-file

--log-file # paths (string value)

value) # Deprecated group/name - [DEFAULT]/logdir

log_dir=<none>

[DEFAULT]/logdir #log_dir=<None> # Use syslog for logging. Existing syslog format is DEPRECATED

DEPRECATED # during I, and then will be changed in J to honor RFC5424

RFC5424 # (boolean value)

use_syslog=false

value) #use_syslog=false # (Optional) Use syslog rfc5424 format for logging. If

If # enabled, will add APP-NAME (RFC5424) before the MSG part of

of # the syslog message. The old format without APP-NAME is

is # deprecated in I, and will be removed in J. (boolean value)

use_syslog_rfc_format=false

value) #use_syslog_rfc_format=false # Syslog facility to receive log lines (string value)

syslog_log_facility=LOG_USER

#

value) #syslog_log_facility=LOG_USER # # Options defined in keystone.openstack.common.policy

#

keystone.openstack.common.policy # # JSON file containing policy (string value)

policy_file=policy.json

value) #policy_file=policy.json # Rule enforced when requested rule is not found (string

value)

policy_default_rule=default

[assignment]

#

(string # value) #policy_default_rule=default [assignment] # # Options defined in keystone

#

keystone # # Keystone Assignment backend driver. (string value)

driver=<none>

value) #driver=<None> # Toggle for assignment caching. This has no effect unless

unless # global caching is enabled. (boolean value)

caching=true

value) #caching=true # TTL (in seconds) to cache assignment data. This has no

no # effect unless global caching is enabled. (integer value)

cache_time=<none>

value) #cache_time=<None> # Maximum number of entities that will be returned in an

an # assignment collection. (integer value)

list_limit=<none>

[auth]

#

value) #list_limit=<None> [auth] # # Options defined in keystone

#

keystone # # Default auth methods. (list value)

methods=external,password,token

value) #methods=external,password,token # The password auth plugin module. (string value)

password=keystone.auth.plugins.password.Password

value) #password=keystone.auth.plugins.password.Password # The token auth plugin module. (string value)

token=keystone.auth.plugins.token.Token

value) #token=keystone.auth.plugins.token.Token # The external (REMOTE_USER) auth plugin module. (string

value)

external=keystone.auth.plugins.external.DefaultDomain

[cache]

#

(string # value) #external=keystone.auth.plugins.external.DefaultDomain [cache] # # Options defined in keystone

#

keystone # # Prefix for building the configuration dictionary for the

the # cache region. This should not need to be changed unless

unless # there is another dogpile.cache region with the same

same # configuration name. (string value)

config_prefix=cache.keystone

value) #config_prefix=cache.keystone # Default TTL, in seconds, for any cached item in the

the # dogpile.cache region. This applies to any cached method that

that # doesn't have an explicit cache expiration time defined for

for # it. (integer value)

expiration_time=600

value) #expiration_time=600 # Dogpile.cache backend module. It is recommended that

that # Memcache (dogpile.cache.memcached) or Redis

Redis # (dogpile.cache.redis) be used in production deployments.

deployments. # Small workloads (single process) like devstack can use the

the # dogpile.cache.memory backend. (string value)

backend=keystone.common.cache.noop

value) #backend=keystone.common.cache.noop # Use a key-mangling function (sha1) to ensure fixed length

length # cache-keys. This is toggle-able for debugging purposes, it

it # is highly recommended to always leave this set to True.

True. # (boolean value)

use_key_mangler=true

value) #use_key_mangler=true # Arguments supplied to the backend module. Specify this

this # option once per argument to be passed to the dogpile.cache

dogpile.cache # backend. Example format: "<argname>:<value>". (multi valued)

backend_argument=

valued) #backend_argument= # Proxy Classes to import that will affect the way the

the # dogpile.cache backend functions. See the dogpile.cache

dogpile.cache # documentation on changing-backend-behavior. Comma delimited

delimited # list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2.

my.dogpile.proxyClass2. # (list value)

proxies=

value) #proxies= # Global toggle for all caching using the should_cache_fn

should_cache_fn # mechanism. (boolean value)

enabled=false

value) #enabled=false # Extra debugging from the cache backend (cache keys,

keys, # get/set/delete/etc calls) This is only really useful if you

you # need to see the specific cache-backend get/set/delete calls

calls # with the keys/values. Typically this should be left set to

to # False. (boolean value)

debug_cache_backend=false

[catalog]

#

value) #debug_cache_backend=false [catalog] # # Options defined in keystone

#

keystone # # Catalog template file name for use with the template catalog

catalog # backend. (string value)

template_file=default_catalog.templates

value) #template_file=default_catalog.templates # Keystone catalog backend driver. (string value)

driver=keystone.catalog.backends.sql.Catalog

value) #driver=keystone.catalog.backends.sql.Catalog # Maximum number of entities that will be returned in a

a # catalog collection. (integer value)

list_limit=<none>

[credential]

#

value) #list_limit=<None> [credential] # # Options defined in keystone

#

keystone # # Keystone Credential backend driver. (string value)

driver=keystone.credential.backends.sql.Credential

[database]

#

value) #driver=keystone.credential.backends.sql.Credential [database] # # Options defined in keystone.openstack.common.db.options

#

keystone.openstack.common.db.options # # The file name to use with SQLite (string value)

sqlite_db=keystone.sqlite

value) #sqlite_db=keystone.sqlite # If True, SQLite uses synchronous mode (boolean value)

sqlite_synchronous=true

value) #sqlite_synchronous=true # The backend to use for db (string value)

value) # Deprecated group/name - [DEFAULT]/db_backend

backend=sqlalchemy

[DEFAULT]/db_backend #backend=sqlalchemy # The SQLAlchemy connection string used to connect to the

the # database (string value)

value) # Deprecated group/name - [DEFAULT]/sql_connection

[DEFAULT]/sql_connection # Deprecated group/name - [DATABASE]/sql_connection

[DATABASE]/sql_connection # Deprecated group/name - [sql]/connection

connection=mysql://keystone:klasika@controller/keystone

connection [sql]/connection connection=mysql://keystone:klasika@controller/keystone #connection = sqlite:////var/lib/keystone/keystone.db

sqlite:////var/lib/keystone/keystone.db # The SQL mode to be used for MySQL sessions. This option,

option, # including the default, overrides any server-set SQL mode. To

To # use whatever SQL mode is set by the server configuration,

configuration, # set this to no value. Example: mysql_sql_mode= (string

value)

mysql_sql_mode=TRADITIONAL

(string # value) mysql_sql_mode=TRADITIONAL # Timeout before idle sql connections are reaped (integer

value)

(integer # value) # Deprecated group/name - [DEFAULT]/sql_idle_timeout

[DEFAULT]/sql_idle_timeout # Deprecated group/name - [DATABASE]/sql_idle_timeout

[DATABASE]/sql_idle_timeout # Deprecated group/name - [sql]/idle_timeout

idle_timeout=3600

[sql]/idle_timeout #idle_timeout=3600 # Minimum number of SQL connections to keep open in a pool

pool # (integer value)

value) # Deprecated group/name - [DEFAULT]/sql_min_pool_size

[DEFAULT]/sql_min_pool_size # Deprecated group/name - [DATABASE]/sql_min_pool_size

min_pool_size=1

[DATABASE]/sql_min_pool_size #min_pool_size=1 # Maximum number of SQL connections to keep open in a pool

pool # (integer value)

value) # Deprecated group/name - [DEFAULT]/sql_max_pool_size

[DEFAULT]/sql_max_pool_size # Deprecated group/name - [DATABASE]/sql_max_pool_size

max_pool_size=<none>

[DATABASE]/sql_max_pool_size #max_pool_size=<None> # Maximum db connection retries during startup. (setting -1

-1 # implies an infinite retry count) (integer value)

value) # Deprecated group/name - [DEFAULT]/sql_max_retries

[DEFAULT]/sql_max_retries # Deprecated group/name - [DATABASE]/sql_max_retries

max_retries=10

[DATABASE]/sql_max_retries #max_retries=10 # Interval between retries of opening a sql connection

connection # (integer value)

value) # Deprecated group/name - [DEFAULT]/sql_retry_interval

[DEFAULT]/sql_retry_interval # Deprecated group/name - [DATABASE]/reconnect_interval

retry_interval=10

[DATABASE]/reconnect_interval #retry_interval=10 # If set, use this value for max_overflow with sqlalchemy

sqlalchemy # (integer value)

value) # Deprecated group/name - [DEFAULT]/sql_max_overflow

[DEFAULT]/sql_max_overflow # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow

max_overflow=<none>

[DATABASE]/sqlalchemy_max_overflow #max_overflow=<None> # Verbosity of SQL debugging information. 0=None,

0=None, # 100=Everything (integer value)

value) # Deprecated group/name - [DEFAULT]/sql_connection_debug

connection_debug=0

[DEFAULT]/sql_connection_debug #connection_debug=0 # Add python stack traces to SQL as comment strings (boolean

value)

(boolean # value) # Deprecated group/name - [DEFAULT]/sql_connection_trace

connection_trace=false

[DEFAULT]/sql_connection_trace #connection_trace=false # If set, use this value for pool_timeout with sqlalchemy

sqlalchemy # (integer value)

value) # Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout

pool_timeout=<none>

[DATABASE]/sqlalchemy_pool_timeout #pool_timeout=<None> # Enable the experimental use of database reconnect on

on # connection lost (boolean value)

use_db_reconnect=false

value) #use_db_reconnect=false # seconds between db connection retries (integer value)

db_retry_interval=1

value) #db_retry_interval=1 # Whether to increase interval between db connection retries,

retries, # up to db_max_retry_interval (boolean value)

db_inc_retry_interval=true

value) #db_inc_retry_interval=true # max seconds between db connection retries, if

if # db_inc_retry_interval is enabled (integer value)

db_max_retry_interval=10

value) #db_max_retry_interval=10 # maximum db connection retries before error is raised.

raised. # (setting -1 implies an infinite retry count) (integer value)

db_max_retries=20

[ec2]

#

value) #db_max_retries=20 [ec2] # # Options defined in keystone

#

keystone # # Keystone EC2Credential backend driver. (string value)

driver=keystone.contrib.ec2.backends.kvs.Ec2

[endpoint_filter]

#

value) #driver=keystone.contrib.ec2.backends.kvs.Ec2 [endpoint_filter] # # Options defined in keystone

#

keystone # # Keystone Endpoint Filter backend driver (string value)

driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

value) #driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter # Toggle to return all active endpoints if no filter exists.

exists. # (boolean value)

return_all_endpoints_if_no_filter=true

[federation]

#

value) #return_all_endpoints_if_no_filter=true [federation] # # Options defined in keystone

#

keystone # # Keystone Federation backend driver. (string value)

driver=keystone.contrib.federation.backends.sql.Federation

value) #driver=keystone.contrib.federation.backends.sql.Federation # Value to be used when filtering assertion parameters from

from # the environment. (string value)

assertion_prefix=

[identity]

#

value) #assertion_prefix= [identity] # # Options defined in keystone

#

keystone # # This references the domain to use for all Identity API v2

v2 # requests (which are not aware of domains). A domain with

with # this ID will be created for you by keystone-manage db_sync

db_sync # in migration 008. The domain referenced by this ID cannot

cannot # be deleted on the v3 API, to prevent accidentally breaking

breaking # the v2 API. There is nothing special about this domain,

domain, # other than the fact that it must exist to order to maintain

maintain # support for your v2 clients. (string value)

default_domain_id=default

value) #default_domain_id=default # A subset (or all) of domains can have their own identity

identity # driver, each with their own partial configuration file in a

a # domain configuration directory. Only values specific to the

the # domain need to be placed in the domain specific

specific # configuration file. This feature is disabled by default; set

set # to True to enable. (boolean value)

domain_specific_drivers_enabled=false

value) #domain_specific_drivers_enabled=false # Path for Keystone to locate the domain specificidentity

specificidentity # configuration files if domain_specific_drivers_enabled is

is # set to true. (string value)

domain_config_dir=/etc/keystone/domains

value) #domain_config_dir=/etc/keystone/domains # Keystone Identity backend driver. (string value)

driver=keystone.identity.backends.sql.Identity

value) #driver=keystone.identity.backends.sql.Identity # Maximum supported length for user passwords; decrease to

to # improve performance. (integer value)

max_password_length=4096

value) #max_password_length=4096 # Maximum number of entities that will be returned in an

an # identity collection. (integer value)

list_limit=<none>

[kvs]

#

value) #list_limit=<None> [kvs] # # Options defined in keystone

#

keystone # # Extra dogpile.cache backend modules to register with the

the # dogpile.cache library. (list value)

backends=

value) #backends= # Prefix for building the configuration dictionary for the KVS

KVS # region. This should not need to be changed unless there is

is # another dogpile.cache region with the same configuration

configuration # name. (string value)

config_prefix=keystone.kvs

value) #config_prefix=keystone.kvs # Toggle to disable using a key-mangling function to ensure

ensure # fixed length keys. This is toggle-able for debugging

debugging # purposes, it is highly recommended to always leave this set

set # to True. (boolean value)

enable_key_mangler=true

value) #enable_key_mangler=true # Default lock timeout for distributed locking. (integer

value)

default_lock_timeout=5

[ldap]

#

(integer # value) #default_lock_timeout=5 [ldap] # # Options defined in keystone

#

keystone # # URL for connecting to the LDAP server. (string value)

url=ldap://localhost

value) #url=ldap://localhost # User BindDN to query the LDAP server. (string value)

user=<none>

value) #user=<None> # Password for the BindDN to query the LDAP server. (string

value)

password=<none>

(string # value) #password=<None> # LDAP server suffix (string value)

suffix=cn=example,cn=com

value) #suffix=cn=example,cn=com # If true, will add a dummy member to groups. This is required

required # if the objectclass for groups requires the "member"

"member" # attribute. (boolean value)

use_dumb_member=false

value) #use_dumb_member=false # DN of the "dummy member" to use when "use_dumb_member" is

is # enabled. (string value)

dumb_member=cn=dumb,dc=nonexistent

value) #dumb_member=cn=dumb,dc=nonexistent # allow deleting subtrees. (boolean value)

allow_subtree_delete=false

value) #allow_subtree_delete=false # The LDAP scope for queries, this can be either "one"

"one" # (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).

(string value)

query_scope=one

(subtree/wholeSubtree). # (string value) #query_scope=one # Maximum results per page; a value of zero ("0") disables

disables # paging. (integer value)

page_size=0

value) #page_size=0 # The LDAP dereferencing option for queries. This can be

be # either "never", "searching", "always", "finding" or

or # "default". The "default" option falls back to using default

default # dereferencing configured by your ldap.conf. (string value)

alias_dereferencing=default

value) #alias_dereferencing=default # Override the system's default referral chasing behavior for

for # queries. (boolean value)

chase_referrals=<none>

value) #chase_referrals=<None> # Search base for users. (string value)

user_tree_dn=<none>

value) #user_tree_dn=<None> # LDAP search filter for users. (string value)

user_filter=<none>

value) #user_filter=<None> # LDAP objectClass for users. (string value)

user_objectclass=inetOrgPerson

value) #user_objectclass=inetOrgPerson # LDAP attribute mapped to user id. (string value)

user_id_attribute=cn

value) #user_id_attribute=cn # LDAP attribute mapped to user name. (string value)

user_name_attribute=sn

value) #user_name_attribute=sn # LDAP attribute mapped to user email. (string value)

user_mail_attribute=email

value) #user_mail_attribute=email # LDAP attribute mapped to password. (string value)

user_pass_attribute=userPassword

value) #user_pass_attribute=userPassword # LDAP attribute mapped to user enabled flag. (string value)

user_enabled_attribute=enabled

value) #user_enabled_attribute=enabled # Bitmask integer to indicate the bit that the enabled value

value # is stored in if the LDAP server represents "enabled" as a

a # bit on an integer rather than a boolean. A value of "0"

"0" # indicates the mask is not used. If this is not set to "0"

"0" # the typical value is "2". This is typically used when

when # "user_enabled_attribute = userAccountControl". (integer

value)

user_enabled_mask=0

(integer # value) #user_enabled_mask=0 # Default value to enable users. This should match an

an # appropriate int value if the LDAP server uses non-boolean

non-boolean # (bitmask) values to indicate if a user is enabled or

or # disabled. If this is not set to "True"the typical value is

is # "512". This is typically used when "user_enabled_attribute =

= # userAccountControl". (string value)

user_enabled_default=True

value) #user_enabled_default=True # List of attributes stripped off the user on update. (list

value)

user_attribute_ignore=default_project_id,tenants

(list # value) #user_attribute_ignore=default_project_id,tenants # LDAP attribute mapped to default_project_id for users.

(string value)

user_default_project_id_attribute=<none>

users. # (string value) #user_default_project_id_attribute=<None> # Allow user creation in LDAP backend. (boolean value)

user_allow_create=true

value) #user_allow_create=true # Allow user updates in LDAP backend. (boolean value)

user_allow_update=true

value) #user_allow_update=true # Allow user deletion in LDAP backend. (boolean value)

user_allow_delete=true

value) #user_allow_delete=true # If True, Keystone uses an alternative method to determine if

if # a user is enabled or not by checking if they are a member of

of # the "user_enabled_emulation_dn" group. (boolean value)

user_enabled_emulation=false

value) #user_enabled_emulation=false # DN of the group entry to hold enabled users when using

using # enabled emulation. (string value)

user_enabled_emulation_dn=<none>

value) #user_enabled_emulation_dn=<None> # List of additional LDAP attributes used for mapping

mapping # Additional attribute mappings for users. Attribute mapping

mapping # format is <ldap_attr>:<user_attr>, where ldap_attr is the

the # attribute in the LDAP entry and user_attr is the Identity

Identity # API attribute. (list value)

user_additional_attribute_mapping=

value) #user_additional_attribute_mapping= # Search base for projects (string value)

tenant_tree_dn=<none>

value) #tenant_tree_dn=<None> # LDAP search filter for projects. (string value)

tenant_filter=<none>

value) #tenant_filter=<None> # LDAP objectClass for projects. (string value)

tenant_objectclass=groupOfNames

value) #tenant_objectclass=groupOfNames # LDAP attribute mapped to project id. (string value)

tenant_id_attribute=cn

value) #tenant_id_attribute=cn # LDAP attribute mapped to project membership for user.

(string value)

tenant_member_attribute=member

user. # (string value) #tenant_member_attribute=member # LDAP attribute mapped to project name. (string value)

tenant_name_attribute=ou

value) #tenant_name_attribute=ou # LDAP attribute mapped to project description. (string value)

tenant_desc_attribute=description

value) #tenant_desc_attribute=description # LDAP attribute mapped to project enabled. (string value)

tenant_enabled_attribute=enabled

value) #tenant_enabled_attribute=enabled # LDAP attribute mapped to project domain_id. (string value)

tenant_domain_id_attribute=businessCategory

value) #tenant_domain_id_attribute=businessCategory # List of attributes stripped off the project on update. (list

value)

tenant_attribute_ignore=

(list # value) #tenant_attribute_ignore= # Allow tenant creation in LDAP backend. (boolean value)

tenant_allow_create=true

value) #tenant_allow_create=true # Allow tenant update in LDAP backend. (boolean value)

tenant_allow_update=true

value) #tenant_allow_update=true # Allow tenant deletion in LDAP backend. (boolean value)

tenant_allow_delete=true

value) #tenant_allow_delete=true # If True, Keystone uses an alternative method to determine if

if # a project is enabled or not by checking if they are a member

member # of the "tenant_enabled_emulation_dn" group. (boolean value)

tenant_enabled_emulation=false

value) #tenant_enabled_emulation=false # DN of the group entry to hold enabled projects when using

using # enabled emulation. (string value)

tenant_enabled_emulation_dn=<none>

value) #tenant_enabled_emulation_dn=<None> # Additional attribute mappings for projects. Attribute

Attribute # mapping format is <ldap_attr>:<user_attr>, where ldap_attr

ldap_attr # is the attribute in the LDAP entry and user_attr is the

the # Identity API attribute. (list value)

tenant_additional_attribute_mapping=

value) #tenant_additional_attribute_mapping= # Search base for roles. (string value)

role_tree_dn=<none>

value) #role_tree_dn=<None> # LDAP search filter for roles. (string value)

role_filter=<none>

value) #role_filter=<None> # LDAP objectClass for roles. (string value)

role_objectclass=organizationalRole

value) #role_objectclass=organizationalRole # LDAP attribute mapped to role id. (string value)

role_id_attribute=cn

value) #role_id_attribute=cn # LDAP attribute mapped to role name. (string value)

role_name_attribute=ou

value) #role_name_attribute=ou # LDAP attribute mapped to role membership. (string value)

role_member_attribute=roleOccupant

value) #role_member_attribute=roleOccupant # List of attributes stripped off the role on update. (list

value)

role_attribute_ignore=

(list # value) #role_attribute_ignore= # Allow role creation in LDAP backend. (boolean value)

role_allow_create=true

value) #role_allow_create=true # Allow role update in LDAP backend. (boolean value)

role_allow_update=true

value) #role_allow_update=true # Allow role deletion in LDAP backend. (boolean value)

role_allow_delete=true

value) #role_allow_delete=true # Additional attribute mappings for roles. Attribute mapping

mapping # format is <ldap_attr>:<user_attr>, where ldap_attr is the

the # attribute in the LDAP entry and user_attr is the Identity

Identity # API attribute. (list value)

role_additional_attribute_mapping=

value) #role_additional_attribute_mapping= # Search base for groups. (string value)

group_tree_dn=<none>

value) #group_tree_dn=<None> # LDAP search filter for groups. (string value)

group_filter=<none>

value) #group_filter=<None> # LDAP objectClass for groups. (string value)

group_objectclass=groupOfNames

value) #group_objectclass=groupOfNames # LDAP attribute mapped to group id. (string value)

group_id_attribute=cn

value) #group_id_attribute=cn # LDAP attribute mapped to group name. (string value)

group_name_attribute=ou

value) #group_name_attribute=ou # LDAP attribute mapped to show group membership. (string

value)

group_member_attribute=member

(string # value) #group_member_attribute=member # LDAP attribute mapped to group description. (string value)

group_desc_attribute=description

value) #group_desc_attribute=description # List of attributes stripped off the group on update. (list

value)

group_attribute_ignore=

(list # value) #group_attribute_ignore= # Allow group creation in LDAP backend. (boolean value)

group_allow_create=true

value) #group_allow_create=true # Allow group update in LDAP backend. (boolean value)

group_allow_update=true

value) #group_allow_update=true # Allow group deletion in LDAP backend. (boolean value)

group_allow_delete=true

value) #group_allow_delete=true # Additional attribute mappings for groups. Attribute mapping

mapping # format is <ldap_attr>:<user_attr>, where ldap_attr is the

the # attribute in the LDAP entry and user_attr is the Identity

Identity # API attribute. (list value)

group_additional_attribute_mapping=

value) #group_additional_attribute_mapping= # CA certificate file path for communicating with LDAP

LDAP # servers. (string value)

tls_cacertfile=<none>

value) #tls_cacertfile=<None> # CA certificate directory path for communicating with LDAP

LDAP # servers. (string value)

tls_cacertdir=<none>

value) #tls_cacertdir=<None> # Enable TLS for communicating with LDAP servers. (boolean

value)

use_tls=false

(boolean # value) #use_tls=false # valid options for tls_req_cert are demand, never, and allow.

(string value)

tls_req_cert=demand

[matchmaker_ring]

#

allow. # (string value) #tls_req_cert=demand [matchmaker_ring] # # Options defined in oslo.messaging

#

oslo.messaging # # Matchmaker ring file (JSON). (string value)

value) # Deprecated group/name - [DEFAULT]/matchmaker_ringfile

ringfile=/etc/oslo/matchmaker_ring.json

[memcache]

#

[DEFAULT]/matchmaker_ringfile #ringfile=/etc/oslo/matchmaker_ring.json [memcache] # # Options defined in keystone

#

keystone # # Memcache servers in the format of "host:port" (list value)

servers=localhost:11211

value) #servers=localhost:11211 # Number of compare-and-set attempts to make when using

using # compare-and-set in the token memcache back end. (integer

value)

max_compare_and_set_retry=16

[oauth1]

#

(integer # value) #max_compare_and_set_retry=16 [oauth1] # # Options defined in keystone

#

keystone # # Keystone Credential backend driver. (string value)

driver=keystone.contrib.oauth1.backends.sql.OAuth1

value) #driver=keystone.contrib.oauth1.backends.sql.OAuth1 # Duration (in seconds) for the OAuth Request Token. (integer

value)

request_token_duration=28800

(integer # value) #request_token_duration=28800 # Duration (in seconds) for the OAuth Access Token. (integer

value)

access_token_duration=86400

[os_inherit]

#

(integer # value) #access_token_duration=86400 [os_inherit] # # Options defined in keystone

#

keystone # # role-assignment inheritance to projects from owning domain

domain # can be optionally enabled. (boolean value)

enabled=false

[paste_deploy]

#

value) #enabled=false [paste_deploy] # # Options defined in keystone

#

keystone # # Name of the paste configuration file that defines the

the # available pipelines. (string value)

config_file=keystone-paste.ini

[policy]

#

value) #config_file=keystone-paste.ini [policy] # # Options defined in keystone

#

keystone # # Keystone Policy backend driver. (string value)

driver=keystone.policy.backends.sql.Policy

value) #driver=keystone.policy.backends.sql.Policy # Maximum number of entities that will be returned in a policy

policy # collection. (integer value)

list_limit=<none>

[revoke]

#

value) #list_limit=<None> [revoke] # # Options defined in keystone

#

keystone # # An implementation of the backend for persisting revocation

revocation # events. (string value)

driver=keystone.contrib.revoke.backends.sql.Revoke

value) driver=keystone.contrib.revoke.backends.sql.Revoke # This value (calculated in seconds) is added to token

token # expiration before a revocation event may be removed from the

the # backend. (integer value)

expiration_buffer=1800

value) #expiration_buffer=1800 # Toggle for revocation event cacheing. This has no effect

effect # unless global caching is enabled. (boolean value)

caching=true

[signing]

#

value) #caching=true [signing] # # Options defined in keystone

#

keystone # # Deprecated in favor of provider in the [token] section.

(string value)

token_format=<none>

section. # (string value) #token_format=<None> # Path of the certfile for token signing. (string value)

certfile=/etc/keystone/ssl/certs/signing_cert.pem

value) #certfile=/etc/keystone/ssl/certs/signing_cert.pem # Path of the keyfile for token signing. (string value)

keyfile=/etc/keystone/ssl/private/signing_key.pem

value) #keyfile=/etc/keystone/ssl/private/signing_key.pem # Path of the CA for token signing. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

value) #ca_certs=/etc/keystone/ssl/certs/ca.pem # Path of the CA Key for token signing. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

value) #ca_key=/etc/keystone/ssl/private/cakey.pem # Key Size (in bits) for token signing cert (auto generated

generated # certificate). (integer value)

key_size=2048

value) #key_size=2048 # Day the token signing cert is valid for (auto generated

generated # certificate). (integer value)

valid_days=3650

value) #valid_days=3650 # Certificate Subject (auto generated certificate) for token

token # signing. (string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ssl]

#

value) #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com [ssl] # # Options defined in keystone

#

keystone # # Toggle for SSL support on the keystone eventlet servers.

servers. # (boolean value)

enable=false

value) #enable=false # Path of the certfile for SSL. (string value)

certfile=/etc/keystone/ssl/certs/keystone.pem

value) #certfile=/etc/keystone/ssl/certs/keystone.pem # Path of the keyfile for SSL. (string value)

keyfile=/etc/keystone/ssl/private/keystonekey.pem

value) #keyfile=/etc/keystone/ssl/private/keystonekey.pem # Path of the ca cert file for SSL. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

value) #ca_certs=/etc/keystone/ssl/certs/ca.pem # Path of the CA key file for SSL. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

value) #ca_key=/etc/keystone/ssl/private/cakey.pem # Require client certificate. (boolean value)

cert_required=false

value) #cert_required=false # SSL Key Length (in bits) (auto generated certificate).

certificate). # (integer value)

key_size=1024

value) #key_size=1024 # Days the certificate is valid for once signed (auto

(auto # generated certificate). (integer value)

valid_days=3650

value) #valid_days=3650 # SSL Certificate Subject (auto generated certificate).

(string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[stats]

#

certificate). # (string value) #cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost [stats] # # Options defined in keystone

#

keystone # # Keystone stats backend driver. (string value)

driver=keystone.contrib.stats.backends.kvs.Stats

[token]

#

value) #driver=keystone.contrib.stats.backends.kvs.Stats [token] # # Options defined in keystone

#

keystone # # External auth mechanisms that should add bind information to

to # token e.g. kerberos, x509. (list value)

bind=

value) #bind= # Enforcement policy on tokens presented to keystone with bind

bind # information. One of disabled, permissive, strict, required

required # or a specifically required bind mode e.g. kerberos or x509

x509 # to require binding to that authentication. (string value)

enforce_token_bind=permissive

value) #enforce_token_bind=permissive # Amount of time a token should remain valid (in seconds).

seconds). # (integer value)

expiration=3600

value) #expiration=3600 # Controls the token construction, validation, and revocation

revocation # operations. Core providers are

are # "keystone.token.providers.[pki|uuid].Provider". (string

value)

provider=keystone.token.providers.uuid.Provider

(string # value) provider=keystone.token.providers.uuid.Provider # Keystone Token persistence backend driver. (string value)

driver=keystone.token.persistence.backends.sql.Token

value) driver=keystone.token.persistence.backends.sql.Token # Toggle for token system cacheing. This has no effect unless

unless # global caching is enabled. (boolean value)

caching=true

value) #caching=true # Time to cache the revocation list and the revocation events

events # if revoke extension is enabled (in seconds). This has no

no # effect unless global and token caching are enabled. (integer

value)

revocation_cache_time=3600

(integer # value) #revocation_cache_time=3600 # Time to cache tokens (in seconds). This has no effect unless

unless # global and token caching are enabled. (integer value)

cache_time=<none>

value) #cache_time=<None> # Revoke token by token identifier. Setting revoke_by_id to

to # True enables various forms of enumerating tokens, e.g. `list

`list # tokens for user`. These enumerations are processed to

to # determine the list of tokens to revoke. Only disable if

if # you are switching to using the Revoke extension with a

a # backend other than KVS, which stores events in memory.

memory. # (boolean value)

revoke_by_id=true

[trust]

#

value) #revoke_by_id=true [trust] # # Options defined in keystone

#

keystone # # delegation and impersonation features can be optionally

optionally # disabled. (boolean value)

enabled=true

value) #enabled=true # Keystone Trust backend driver. (string value)

driver=keystone.trust.backends.sql.Trust

value) #driver=keystone.trust.backends.sql.Trust [extra_headers] Distribution = Ubuntu

Ubuntu