Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

keystone ImportError: No module named urlmap

Dear all; I am going to setup openstack swtift keystone,according to official document,but after configing keystone.conf and doing keystone-all i got the following error in log. i google alot,but no useful solution i found.is there any body to help me?

2016-02-03 12:33:02.911 8962 CRITICAL keystone [-] ImportError: No module named urlmap 2016-02-03 12:33:02.911 8962 TRACE keystone Traceback (most recent call last): 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/bin/keystone-all", line 36, in <module> 2016-02-03 12:33:02.911 8962 TRACE keystone eventlet_server.run(possible_topdir) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/keystone/server/eventlet.py", line 155, in run 2016-02-03 12:33:02.911 8962 TRACE keystone startup_application_fn=create_servers) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/keystone/server/common.py", line 43, in setup_backends 2016-02-03 12:33:02.911 8962 TRACE keystone res = startup_application_fn() 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/keystone/server/eventlet.py", line 146, in create_servers 2016-02-03 12:33:02.911 8962 TRACE keystone admin_worker_count)) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/keystone/server/eventlet.py", line 64, in create_server 2016-02-03 12:33:02.911 8962 TRACE keystone app = keystone_service.loadapp('config:%s' % conf, name) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/keystone/service.py", line 45, in loadapp 2016-02-03 12:33:02.911 8962 TRACE keystone controllers.latest_app = deploy.loadapp(conf, name=name) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 247, in loadapp 2016-02-03 12:33:02.911 8962 TRACE keystone return loadobj(APP, uri, name=name, **kw) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 271, in loadobj 2016-02-03 12:33:02.911 8962 TRACE keystone global_conf=global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 296, in loadcontext 2016-02-03 12:33:02.911 8962 TRACE keystone global_conf=global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 320, in _loadconfig 2016-02-03 12:33:02.911 8962 TRACE keystone return loader.get_context(object_type, name, global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 454, in get_context 2016-02-03 12:33:02.911 8962 TRACE keystone section) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 476, in _context_from_use 2016-02-03 12:33:02.911 8962 TRACE keystone object_type, name=use, global_conf=global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 406, in get_context 2016-02-03 12:33:02.911 8962 TRACE keystone global_conf=global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 296, in loadcontext 2016-02-03 12:33:02.911 8962 TRACE keystone global_conf=global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 328, in _loadegg 2016-02-03 12:33:02.911 8962 TRACE keystone return loader.get_context(object_type, name, global_conf) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 620, in get_context 2016-02-03 12:33:02.911 8962 TRACE keystone object_type, name=name) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 646, in find_egg_entry_point 2016-02-03 12:33:02.911 8962 TRACE keystone possible.append((entry.load(), protocol, entry.name)) 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2312, in load 2016-02-03 12:33:02.911 8962 TRACE keystone return self.resolve() 2016-02-03 12:33:02.911 8962 TRACE keystone File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2318, in resolve 2016-02-03 12:33:02.911 8962 TRACE keystone module = __import__(self.module_name, fromlist=['__name__'], level=0)

2016-02-03 12:33:02.911 8962 TRACE keystone ImportError: No module named urlmap

keystone.conf file

[DEFAULT]

#

Options defined in keystone

#

A "shared secret" that can be used to bootstrap Keystone.

This "token" does not represent a user, and carries no

explicit authorization. To disable in production (highly

recommended), remove AdminTokenAuthMiddleware from your

paste application pipelines (for example, in keystone-

paste.ini). (string value)

admin_token=b9736eb78baf33cee1a0

The IP address of the network interface for the public

service to listen on. (string value)

Deprecated group/name - [DEFAULT]/bind_host

public_bind_host=0.0.0.0

The IP address of the network interface for the admin

service to listen on. (string value)

Deprecated group/name - [DEFAULT]/bind_host

admin_bind_host=0.0.0.0

(Deprecated) The port which the OpenStack Compute service

listens on. This option was only used for string replacement

in the templated catalog backend. Templated catalogs should

replace the "$(compute_port)s" substitution with the static

port of the compute service. As of Juno, this option is

deprecated and will be removed in the L release. (integer

value)

compute_port=8774

The port number which the admin service listens on. (integer

value)

admin_port=35357

The port number which the public service listens on.

(integer value)

public_port=5000

The base public endpoint URL for Keystone that is advertised

to clients (NOTE: this does NOT affect how Keystone listens

for connections). Defaults to the base host URL of the

request. E.g. a request to http://server:5000/v2.0/users

will default to http://server:5000. You should only need to

set this value if the base URL contains a path (e.g.

/prefix/v2.0) or the endpoint should be found on a different

server. (string value)

public_endpoint=<none>

The base admin endpoint URL for Keystone that is advertised

to clients (NOTE: this does NOT affect how Keystone listens

for connections). Defaults to the base host URL of the

request. E.g. a request to http://server:35357/v2.0/users

will default to http://server:35357. You should only need to

set this value if the base URL contains a path (e.g.

/prefix/v2.0) or the endpoint should be found on a different

server. (string value)

admin_endpoint=<none>

The number of worker processes to serve the public WSGI

application. Defaults to number of CPUs (minimum of 2).

(integer value)

public_workers=<none>

The number of worker processes to serve the admin WSGI

application. Defaults to number of CPUs (minimum of 2).

(integer value)

admin_workers=<none>

Enforced by optional sizelimit middleware

(keystone.middleware:RequestBodySizeLimiter). (integer

value)

max_request_body_size=114688

Limit the sizes of user & project ID/names. (integer value)

max_param_size=64

Similar to max_param_size, but provides an exception for

token values. (integer value)

max_token_size=8192

During a SQL upgrade member_role_id will be used to create a

new role that will replace records in the assignment table

with explicit role grants. After migration, the

member_role_id will be used in the API add_user_to_project.

(string value)

member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

During a SQL upgrade member_role_name will be used to create

a new role that will replace records in the assignment table

with explicit role grants. After migration, member_role_name

will be ignored. (string value)

member_role_name=_member_

The value passed as the keyword "rounds" to passlib's

encrypt method. (integer value)

crypt_strength=40000

Set this to true if you want to enable TCP_KEEPALIVE on

server sockets, i.e. sockets used by the Keystone wsgi

server for client connections. (boolean value)

tcp_keepalive=false

Sets the value of TCP_KEEPIDLE in seconds for each server

socket. Only applies if tcp_keepalive is true. Not supported

on OS X. (integer value)

tcp_keepidle=600

The maximum number of entities that will be returned in a

collection, with no limit set by default. This global limit

may be then overridden for a specific driver, by specifying

a list_limit in the appropriate section (e.g. [assignment]).

(integer value)

list_limit=<none>

Set this to false if you want to enable the ability for

user, group and project entities to be moved between domains

by updating their domain_id. Allowing such movement is not

recommended if the scope of a domain admin is being

restricted by use of an appropriate policy file (see

policy.v3cloudsample as an example). (boolean value)

domain_id_immutable=true

If set to true, strict password length checking is performed

for password manipulation. If a password exceeds the maximum

length, the operation will fail with an HTTP 403 Forbidden

error. If set to false, passwords are automatically

truncated to the maximum length. (boolean value)

strict_password_check=false

#

Options defined in oslo.messaging

#

Use durable queues in amqp. (boolean value)

Deprecated group/name - [DEFAULT]/rabbit_durable_queues

amqp_durable_queues=false

Auto-delete queues in amqp. (boolean value)

amqp_auto_delete=false

Size of RPC connection pool. (integer value)

rpc_conn_pool_size=30

Qpid broker hostname. (string value)

qpid_hostname=localhost

Qpid broker port. (integer value)

qpid_port=5672

Qpid HA cluster host:port pairs. (list value)

qpid_hosts=$qpid_hostname:$qpid_port

Username for Qpid connection. (string value)

qpid_username=

Password for Qpid connection. (string value)

qpid_password=

Space separated list of SASL mechanisms to use for auth.

(string value)

qpid_sasl_mechanisms=

Seconds between connection keepalive heartbeats. (integer

value)

qpid_heartbeat=60

Transport to use, either 'tcp' or 'ssl'. (string value)

qpid_protocol=tcp

Whether to disable the Nagle algorithm. (boolean value)

qpid_tcp_nodelay=true

The number of prefetched messages held by receiver. (integer

value)

qpid_receiver_capacity=1

The qpid topology version to use. Version 1 is what was

originally used by impl_qpid. Version 2 includes some

backwards-incompatible changes that allow broker federation

to work. Users should update to version 2 when they are

able to take everything down, as it requires a clean break.

(integer value)

qpid_topology_version=1

SSL version to use (valid only if SSL enabled). valid values

are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some

distributions. (string value)

kombu_ssl_version=

SSL key file (valid only if SSL enabled). (string value)

kombu_ssl_keyfile=

SSL cert file (valid only if SSL enabled). (string value)

kombu_ssl_certfile=

SSL certification authority file (valid only if SSL

enabled). (string value)

kombu_ssl_ca_certs=

How long to wait before reconnecting in response to an AMQP

consumer cancel notification. (floating point value)

kombu_reconnect_delay=1.0

The RabbitMQ broker address where a single node is used.

(string value)

rabbit_host=localhost

The RabbitMQ broker port where a single node is used.

(integer value)

rabbit_port=5672

RabbitMQ HA cluster host:port pairs. (list value)

rabbit_hosts=$rabbit_host:$rabbit_port

Connect over SSL for RabbitMQ. (boolean value)

rabbit_use_ssl=false

The RabbitMQ userid. (string value)

rabbit_userid=guest

The RabbitMQ password. (string value)

rabbit_password=guest

the RabbitMQ login method (string value)

rabbit_login_method=AMQPLAIN

The RabbitMQ virtual host. (string value)

rabbit_virtual_host=/

How frequently to retry connecting with RabbitMQ. (integer

value)

rabbit_retry_interval=1

How long to backoff for between retries when connecting to

RabbitMQ. (integer value)

rabbit_retry_backoff=2

Maximum number of RabbitMQ connection retries. Default is 0

(infinite retry count). (integer value)

rabbit_max_retries=0

Use HA queues in RabbitMQ (x-ha-policy: all). If you change

this option, you must wipe the RabbitMQ database. (boolean

value)

rabbit_ha_queues=false

If passed, use a fake RabbitMQ provider. (boolean value)

fake_rabbit=false

ZeroMQ bind address. Should be a wildcard (*), an ethernet

interface, or IP. The "host" option should point or resolve

to this address. (string value)

rpc_zmq_bind_address=*

MatchMaker driver. (string value)

rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

ZeroMQ receiver listening port. (integer value)

rpc_zmq_port=9501

Number of ZeroMQ contexts, defaults to 1. (integer value)

rpc_zmq_contexts=1

Maximum number of ingress messages to locally buffer per

topic. Default is unlimited. (integer value)

rpc_zmq_topic_backlog=<none>

Directory for holding IPC sockets. (string value)

rpc_zmq_ipc_dir=/var/run/openstack

Name of this node. Must be a valid hostname, FQDN, or IP

address. Must match "host" option, if running Nova. (string

value)

rpc_zmq_host=keystone

Seconds to wait before a cast expires (TTL). Only supported

by impl_zmq. (integer value)

rpc_cast_timeout=30

Heartbeat frequency. (integer value)

matchmaker_heartbeat_freq=300

Heartbeat time-to-live. (integer value)

matchmaker_heartbeat_ttl=600

Size of RPC greenthread pool. (integer value)

rpc_thread_pool_size=64

Driver or drivers to handle sending notifications. (multi

valued)

notification_driver=

AMQP topic used for OpenStack notifications. (list value)

Deprecated group/name - [rpc_notifier2]/topics

notification_topics=notifications

Seconds to wait for a response from a call. (integer value)

rpc_response_timeout=60

A URL representing the messaging driver to use and its full

configuration. If not set, we fall back to the rpc_backend

option and driver specific configuration. (string value)

transport_url=<none>

The messaging driver to use, defaults to rabbit. Other

drivers include qpid and zmq. (string value)

rpc_backend=rabbit

The default exchange under which topics are scoped. May be

overridden by an exchange name specified in the

transport_url option. (string value)

control_exchange=keystone

#

Options defined in keystone.notifications

#

Default publisher_id for outgoing notifications (string

value)

default_publisher_id=<none>

#

Options defined in keystone.openstack.common.eventlet_backdoor

#

Enable eventlet backdoor. Acceptable values are 0, <port>,

and <start>:<end>, where 0 results in listening on a random

tcp port number; <port> results in listening on the

specified port number (and not enabling backdoor if that

port is in use); and <start>:<end> results in listening on

the smallest unused port number within the specified range

of port numbers. The chosen port is displayed in the

service's log file. (string value)

backdoor_port=<none>

#

Options defined in keystone.openstack.common.log

#

Print debugging output (set logging level to DEBUG instead

of default WARNING level). (boolean value)

debug=false

Print more verbose output (set logging level to INFO instead

of default WARNING level). (boolean value)

verbose=true

Log output to standard error. (boolean value)

use_stderr=true

Format string to use for log messages with context. (string

value)

logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

Format string to use for log messages without context.

(string value)

logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

Data to append to log format when level is DEBUG. (string

value)

logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d

Prefix each line of exception output with this format.

(string value)

logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

List of logger=LEVEL pairs. (list value)

default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN

Enables or disables publication of error events. (boolean

value)

publish_errors=false

Enables or disables fatal status of deprecations. (boolean

value)

fatal_deprecations=false

The format for an instance that is passed with the log

message. (string value)

instance_format="[instance: %(uuid)s] "

The format for an instance UUID that is passed with the log

message. (string value)

instance_uuid_format="[instance: %(uuid)s] "

The name of a logging configuration file. This file is

appended to any existing logging configuration files. For

details about logging configuration files, see the Python

logging module documentation. (string value)

Deprecated group/name - [DEFAULT]/log_config

log_config_append=<none>

DEPRECATED. A logging.Formatter log message format string

which may use any of the available logging.LogRecord

attributes. This option is deprecated. Please use

logging_context_format_string and

logging_default_format_string instead. (string value)

log_format=<none>

Format string for %%(asctime)s in log records. Default:

%(default)s . (string value)

log_date_format=%Y-%m-%d %H:%M:%S

(Optional) Name of log file to output to. If no default is

set, logging will go to stdout. (string value)

Deprecated group/name - [DEFAULT]/logfile

log_file=<none>

(Optional) The base directory used for relative --log-file

paths. (string value)

Deprecated group/name - [DEFAULT]/logdir

log_dir=<none>

Use syslog for logging. Existing syslog format is DEPRECATED

during I, and will change in J to honor RFC5424. (boolean

value)

use_syslog=false

(Optional) Enables or disables syslog rfc5424 format for

logging. If enabled, prefixes the MSG part of the syslog

message with APP-NAME (RFC5424). The format without the APP-

NAME is deprecated in I, and will be removed in J. (boolean

value)

use_syslog_rfc_format=false

Syslog facility to receive log lines. (string value)

syslog_log_facility=LOG_USER

#

Options defined in keystone.openstack.common.policy

#

The JSON file that defines policies. (string value)

policy_file=policy.json

Default rule. Enforced when a requested rule is not found.

(string value)

policy_default_rule=default

[assignment]

#

Options defined in keystone

#

Assignment backend driver. (string value)

driver=<none>

Toggle for assignment caching. This has no effect unless

global caching is enabled. (boolean value)

caching=true

TTL (in seconds) to cache assignment data. This has no

effect unless global caching is enabled. (integer value)

cache_time=<none>

Maximum number of entities that will be returned in an

assignment collection. (integer value)

list_limit=<none>

[auth]

#

Options defined in keystone

#

Default auth methods. (list value)

methods=external,password,token

The password auth plugin module. (string value)

password=keystone.auth.plugins.password.Password

The token auth plugin module. (string value)

token=keystone.auth.plugins.token.Token

The external (REMOTE_USER) auth plugin module. (string

value)

external=keystone.auth.plugins.external.DefaultDomain

[cache]

#

Options defined in keystone

#

Prefix for building the configuration dictionary for the

cache region. This should not need to be changed unless

there is another dogpile.cache region with the same

configuration name. (string value)

config_prefix=cache.keystone

Default TTL, in seconds, for any cached item in the

dogpile.cache region. This applies to any cached method that

doesn't have an explicit cache expiration time defined for

it. (integer value)

expiration_time=600

Dogpile.cache backend module. It is recommended that

Memcache with pooling (keystone.cache.memcache_pool) or

Redis (dogpile.cache.redis) be used in production

deployments. Small workloads (single process) like devstack

can use the dogpile.cache.memory backend. (string value)

backend=keystone.common.cache.noop

Arguments supplied to the backend module. Specify this

option once per argument to be passed to the dogpile.cache

backend. Example format: "<argname>:<value>". (multi valued)

backend_argument=

Proxy classes to import that will affect the way the

dogpile.cache backend functions. See the dogpile.cache

documentation on changing-backend-behavior. (list value)

proxies=

Global toggle for all caching using the should_cache_fn

mechanism. (boolean value)

enabled=false

Extra debugging from the cache backend (cache keys,

get/set/delete/etc calls). This is only really useful if you

need to see the specific cache-backend get/set/delete calls

with the keys/values. Typically this should be left set to

false. (boolean value)

debug_cache_backend=false

Memcache servers in the format of "host:port".

(dogpile.cache.memcache and keystone.cache.memcache_pool

backends only) (list value)

memcache_servers=localhost:11211

Number of seconds memcached server is considered dead before

it is tried again. (dogpile.cache.memcache and

keystone.cache.memcache_pool backends only) (integer value)

memcache_dead_retry=300

Timeout in seconds for every call to a server.

(dogpile.cache.memcache and keystone.cache.memcache_pool

backends only) (integer value)

memcache_socket_timeout=3

Max total number of open connections to every memcached

server. (keystone.cache.memcache_pool backend only) (integer

value)

memcache_pool_maxsize=10

Number of seconds a connection to memcached is held unused

in the pool before it is closed.

(keystone.cache.memcache_pool backend only) (integer value)

memcache_pool_unused_timeout=60

Number of seconds that an operation will wait to get a

memcache client connection. (integer value)

memcache_pool_connection_get_timeout=10

[catalog]

#

Options defined in keystone

#

Catalog template file name for use with the template catalog

backend. (string value)

template_file=default_catalog.templates

Catalog backend driver. (string value)

driver=keystone.catalog.backends.sql.Catalog

Toggle for catalog caching. This has no effect unless global

caching is enabled. (boolean value)

caching=true

Time to cache catalog data (in seconds). This has no effect

unless global and catalog caching are enabled. (integer

value)

cache_time=<none>

Maximum number of entities that will be returned in a

catalog collection. (integer value)

list_limit=<none>

(Deprecated) List of possible substitutions for use in

formatting endpoints. Use caution when modifying this list.

It will give users with permission to create endpoints the

ability to see those values in your configuration file. This

option will be removed in Juno. (list value)

endpoint_substitution_whitelist=tenant_id,user_id,public_bind_host,admin_bind_host,compute_host,compute_port,admin_port,public_port,public_endpoint,admin_endpoint

[credential]

#

Options defined in keystone

#

Credential backend driver. (string value)

driver=keystone.credential.backends.sql.Credential

[database]

#

Options defined in oslo.db

#

The file name to use with SQLite. (string value)

sqlite_db=oslo.sqlite

If True, SQLite uses synchronous mode. (boolean value)

sqlite_synchronous=true

The back end to use for the database. (string value)

Deprecated group/name - [DEFAULT]/db_backend

backend=sqlalchemy

The SQLAlchemy connection string to use to connect to the

database. (string value)

Deprecated group/name - [DEFAULT]/sql_connection

Deprecated group/name - [DATABASE]/sql_connection

Deprecated group/name - [sql]/connection

connection= mysql://keystone:root@127.0.0.1/keystone

The SQLAlchemy connection string to use to connect to the

slave database. (string value)

slave_connection=<none>

The SQL mode to be used for MySQL sessions. This option,

including the default, overrides any server-set SQL mode. To

use whatever SQL mode is set by the server configuration,

set this to no value. Example: mysql_sql_mode= (string

value)

mysql_sql_mode=TRADITIONAL

Timeout before idle SQL connections are reaped. (integer

value)

Deprecated group/name - [DEFAULT]/sql_idle_timeout

Deprecated group/name - [DATABASE]/sql_idle_timeout

Deprecated group/name - [sql]/idle_timeout

idle_timeout=3600

Minimum number of SQL connections to keep open in a pool.

(integer value)

Deprecated group/name - [DEFAULT]/sql_min_pool_size

Deprecated group/name - [DATABASE]/sql_min_pool_size

min_pool_size=1

Maximum number of SQL connections to keep open in a pool.

(integer value)

Deprecated group/name - [DEFAULT]/sql_max_pool_size

Deprecated group/name - [DATABASE]/sql_max_pool_size

max_pool_size=<none>

Maximum db connection retries during startup. Set to -1 to

specify an infinite retry count. (integer value)

Deprecated group/name - [DEFAULT]/sql_max_retries

Deprecated group/name - [DATABASE]/sql_max_retries

max_retries=10

Interval between retries of opening a SQL connection.

(integer value)

Deprecated group/name - [DEFAULT]/sql_retry_interval

Deprecated group/name - [DATABASE]/reconnect_interval

retry_interval=10

If set, use this value for max_overflow with SQLAlchemy.

(integer value)

Deprecated group/name - [DEFAULT]/sql_max_overflow

Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow

max_overflow=<none>

Verbosity of SQL debugging information: 0=None,

100=Everything. (integer value)

Deprecated group/name - [DEFAULT]/sql_connection_debug

connection_debug=0

Add Python stack traces to SQL as comment strings. (boolean

value)

Deprecated group/name - [DEFAULT]/sql_connection_trace

connection_trace=false

If set, use this value for pool_timeout with SQLAlchemy.

(integer value)

Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout

pool_timeout=<none>

Enable the experimental use of database reconnect on

connection lost. (boolean value)

use_db_reconnect=false

Seconds between database connection retries. (integer value)

db_retry_interval=1

If True, increases the interval between database connection

retries up to db_max_retry_interval. (boolean value)

db_inc_retry_interval=true

If db_inc_retry_interval is set, the maximum seconds between

database connection retries. (integer value)

db_max_retry_interval=10

Maximum database connection retries before error is raised.

Set to -1 to specify an infinite retry count. (integer

value)

db_max_retries=20

[ec2]

#

Options defined in keystone

#

EC2Credential backend driver. (string value)

driver=keystone.contrib.ec2.backends.kvs.Ec2

[endpoint_filter]

#

Options defined in keystone

#

Endpoint Filter backend driver (string value)

driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

Toggle to return all active endpoints if no filter exists.

(boolean value)

return_all_endpoints_if_no_filter=true

[endpoint_policy]

#

Options defined in keystone

#

Endpoint policy backend driver (string value)

driver=keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy

[federation]

#

Options defined in keystone

#

Federation backend driver. (string value)

driver=keystone.contrib.federation.backends.sql.Federation

Value to be used when filtering assertion parameters from

the environment. (string value)

assertion_prefix=

[identity]

#

Options defined in keystone

#

This references the domain to use for all Identity API v2

requests (which are not aware of domains). A domain with

this ID will be created for you by keystone-manage db_sync

in migration 008. The domain referenced by this ID cannot be

deleted on the v3 API, to prevent accidentally breaking the

v2 API. There is nothing special about this domain, other

than the fact that it must exist to order to maintain

support for your v2 clients. (string value)

default_domain_id=default

A subset (or all) of domains can have their own identity

driver, each with their own partial configuration file in a

domain configuration directory. Only values specific to the

domain need to be placed in the domain specific

configuration file. This feature is disabled by default; set

to true to enable. (boolean value)

domain_specific_drivers_enabled=false

Path for Keystone to locate the domain specific identity

configuration files if domain_specific_drivers_enabled is

set to true. (string value)

domain_config_dir=/etc/keystone/domains

Identity backend driver. (string value)

driver=keystone.identity.backends.sql.Identity

Maximum supported length for user passwords; decrease to

improve performance. (integer value)

max_password_length=4096

Maximum number of entities that will be returned in an

identity collection. (integer value)

list_limit=<none>

[identity_mapping]

#

Options defined in keystone

#

Keystone Identity Mapping backend driver. (string value)

driver=keystone.identity.mapping_backends.sql.Mapping

Public ID generator for user and group entities. The

Keystone identity mapper only supports generators that

produce no more than 64 characters. (string value)

generator=keystone.identity.id_generators.sha256.Generator

The format of user and group IDs changed in Juno for

backends that do not generate UUIDs (e.g. LDAP), with

keystone providing a hash mapping to the underlying

attribute in LDAP. By default this mapping is disabled,

which ensures that existing IDs will not change. Even when

the mapping is enabled by using domain specific drivers, any

users and groups from the default domain being handled by

LDAP will still not be mapped to ensure their IDs remain

backward compatible. Setting this value to False will enable

the mapping for even the default LDAP driver. It is only

safe to do this if you do not already have assignments for

users and groups from the default LDAP domain, and it is

acceptable for Keystone to provide the different IDs to

clients than it did previously. Typically this means that

the only time you can set this value to False is when

configuring a fresh installation. (boolean value)

backward_compatible_ids=true

[kvs]

#

Options defined in keystone

#

Extra dogpile.cache backend modules to register with the

dogpile.cache library. (list value)

backends=

Prefix for building the configuration dictionary for the KVS

region. This should not need to be changed unless there is

another dogpile.cache region with the same configuration

name. (string value)

config_prefix=keystone.kvs

Toggle to disable using a key-mangling function to ensure

fixed length keys. This is toggle-able for debugging

purposes, it is highly recommended to always leave this set

to true. (boolean value)

enable_key_mangler=true

Default lock timeout for distributed locking. (integer

value)

default_lock_timeout=5

[ldap]

#

Options defined in keystone

#

URL for connecting to the LDAP server. (string value)

url=ldap://localhost

User BindDN to query the LDAP server. (string value)

user=<none>

Password for the BindDN to query the LDAP server. (string

value)

password=<none>

LDAP server suffix (string value)

suffix=cn=example,cn=com

If true, will add a dummy member to groups. This is required

if the objectclass for groups requires the "member"

attribute. (boolean value)

use_dumb_member=false

DN of the "dummy member" to use when "use_dumb_member" is

enabled. (string value)

dumb_member=cn=dumb,dc=nonexistent

Delete subtrees using the subtree delete control. Only

enable this option if your LDAP server supports subtree

deletion. (boolean value)

allow_subtree_delete=false

The LDAP scope for queries, this can be either "one"

(onelevel/singleLevel) or "sub" (subtree/wholeSubtree).

(string value)

query_scope=one

Maximum results per page; a value of zero ("0") disables

paging. (integer value)

page_size=0

The LDAP dereferencing option for queries. This can be

either "never", "searching", "always", "finding" or

"default". The "default" option falls back to using default

dereferencing configured by your ldap.conf. (string value)

alias_dereferencing=default

Sets the LDAP debugging level for LDAP calls. A value of 0

means that debugging is not enabled. This value is a

bitmask, consult your LDAP documentation for possible

values. (integer value)

debug_level=<none>

Override the system's default referral chasing behavior for

queries. (boolean value)

chase_referrals=<none>

Search base for users. (string value)

user_tree_dn=<none>

LDAP search filter for users. (string value)

user_filter=<none>

LDAP objectclass for users. (string value)

user_objectclass=inetOrgPerson

LDAP attribute mapped to user id. WARNING: must not be a

multivalued attribute. (string value)

user_id_attribute=cn

LDAP attribute mapped to user name. (string value)

user_name_attribute=sn

LDAP attribute mapped to user email. (string value)

user_mail_attribute=mail

LDAP attribute mapped to password. (string value)

user_pass_attribute=userPassword

LDAP attribute mapped to user enabled flag. (string value)

user_enabled_attribute=enabled

Invert the meaning of the boolean enabled values. Some LDAP

servers use a boolean lock attribute where "true" means an

account is disabled. Setting "user_enabled_invert = true"

will allow these lock attributes to be used. This setting

will have no effect if "user_enabled_mask" or

"user_enabled_emulation" settings are in use. (boolean

value)

user_enabled_invert=false

Bitmask integer to indicate the bit that the enabled value

is stored in if the LDAP server represents "enabled" as a

bit on an integer rather than a boolean. A value of "0"

indicates the mask is not used. If this is not set to "0"

the typical value is "2". This is typically used when

"user_enabled_attribute = userAccountControl". (integer

value)

user_enabled_mask=0

Default value to enable users. This should match an

appropriate int value if the LDAP server uses non-boolean

(bitmask) values to indicate if a user is enabled or

disabled. If this is not set to "True" the typical value is

"512". This is typically used when "user_enabled_attribute =

userAccountControl". (string value)

user_enabled_default=True

List of attributes stripped off the user on update. (list

value)

user_attribute_ignore=default_project_id,tenants

LDAP attribute mapped to default_project_id for users.

(string value)

user_default_project_id_attribute=<none>

Allow user creation in LDAP backend. (boolean value)

user_allow_create=true

Allow user updates in LDAP backend. (boolean value)

user_allow_update=true

Allow user deletion in LDAP backend. (boolean value)

user_allow_delete=true

If true, Keystone uses an alternative method to determine if

a user is enabled or not by checking if they are a member of

the "user_enabled_emulation_dn" group. (boolean value)

user_enabled_emulation=false

DN of the group entry to hold enabled users when using

enabled emulation. (string value)

user_enabled_emulation_dn=<none>

List of additional LDAP attributes used for mapping

additional attribute mappings for users. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

user_additional_attribute_mapping=

Search base for projects (string value)

Deprecated group/name - [ldap]/tenant_tree_dn

project_tree_dn=<none>

LDAP search filter for projects. (string value)

Deprecated group/name - [ldap]/tenant_filter

project_filter=<none>

LDAP objectclass for projects. (string value)

Deprecated group/name - [ldap]/tenant_objectclass

project_objectclass=groupOfNames

LDAP attribute mapped to project id. (string value)

Deprecated group/name - [ldap]/tenant_id_attribute

project_id_attribute=cn

LDAP attribute mapped to project membership for user.

(string value)

Deprecated group/name - [ldap]/tenant_member_attribute

project_member_attribute=member

LDAP attribute mapped to project name. (string value)

Deprecated group/name - [ldap]/tenant_name_attribute

project_name_attribute=ou

LDAP attribute mapped to project description. (string value)

Deprecated group/name - [ldap]/tenant_desc_attribute

project_desc_attribute=description

LDAP attribute mapped to project enabled. (string value)

Deprecated group/name - [ldap]/tenant_enabled_attribute

project_enabled_attribute=enabled

LDAP attribute mapped to project domain_id. (string value)

Deprecated group/name - [ldap]/tenant_domain_id_attribute

project_domain_id_attribute=businessCategory

List of attributes stripped off the project on update. (list

value)

Deprecated group/name - [ldap]/tenant_attribute_ignore

project_attribute_ignore=

Allow project creation in LDAP backend. (boolean value)

Deprecated group/name - [ldap]/tenant_allow_create

project_allow_create=true

Allow project update in LDAP backend. (boolean value)

Deprecated group/name - [ldap]/tenant_allow_update

project_allow_update=true

Allow project deletion in LDAP backend. (boolean value)

Deprecated group/name - [ldap]/tenant_allow_delete

project_allow_delete=true

If true, Keystone uses an alternative method to determine if

a project is enabled or not by checking if they are a member

of the "project_enabled_emulation_dn" group. (boolean value)

Deprecated group/name - [ldap]/tenant_enabled_emulation

project_enabled_emulation=false

DN of the group entry to hold enabled projects when using

enabled emulation. (string value)

Deprecated group/name - [ldap]/tenant_enabled_emulation_dn

project_enabled_emulation_dn=<none>

Additional attribute mappings for projects. Attribute

mapping format is <ldap_attr>:<user_attr>, where ldap_attr

is the attribute in the LDAP entry and user_attr is the

Identity API attribute. (list value)

Deprecated group/name - [ldap]/tenant_additional_attribute_mapping

project_additional_attribute_mapping=

Search base for roles. (string value)

role_tree_dn=<none>

LDAP search filter for roles. (string value)

role_filter=<none>

LDAP objectclass for roles. (string value)

role_objectclass=organizationalRole

LDAP attribute mapped to role id. (string value)

role_id_attribute=cn

LDAP attribute mapped to role name. (string value)

role_name_attribute=ou

LDAP attribute mapped to role membership. (string value)

role_member_attribute=roleOccupant

List of attributes stripped off the role on update. (list

value)

role_attribute_ignore=

Allow role creation in LDAP backend. (boolean value)

role_allow_create=true

Allow role update in LDAP backend. (boolean value)

role_allow_update=true

Allow role deletion in LDAP backend. (boolean value)

role_allow_delete=true

Additional attribute mappings for roles. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

role_additional_attribute_mapping=

Search base for groups. (string value)

group_tree_dn=<none>

LDAP search filter for groups. (string value)

group_filter=<none>

LDAP objectclass for groups. (string value)

group_objectclass=groupOfNames

LDAP attribute mapped to group id. (string value)

group_id_attribute=cn

LDAP attribute mapped to group name. (string value)

group_name_attribute=ou

LDAP attribute mapped to show group membership. (string

value)

group_member_attribute=member

LDAP attribute mapped to group description. (string value)

group_desc_attribute=description

List of attributes stripped off the group on update. (list

value)

group_attribute_ignore=

Allow group creation in LDAP backend. (boolean value)

group_allow_create=true

Allow group update in LDAP backend. (boolean value)

group_allow_update=true

Allow group deletion in LDAP backend. (boolean value)

group_allow_delete=true

Additional attribute mappings for groups. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

group_additional_attribute_mapping=

CA certificate file path for communicating with LDAP

servers. (string value)

tls_cacertfile=<none>

CA certificate directory path for communicating with LDAP

servers. (string value)

tls_cacertdir=<none>

Enable TLS for communicating with LDAP servers. (boolean

value)

use_tls=false

Valid options for tls_req_cert are demand, never, and allow.

(string value)

tls_req_cert=demand

Enable LDAP connection pooling. (boolean value)

use_pool=false

Connection pool size. (integer value)

pool_size=10

Maximum count of reconnect trials. (integer value)

pool_retry_max=3

Time span in seconds to wait between two reconnect trials.

(floating point value)

pool_retry_delay=0.1

Connector timeout in seconds. Value -1 indicates indefinite

wait for response. (integer value)

pool_connection_timeout=-1

Connection lifetime in seconds. (integer value)

pool_connection_lifetime=600

Enable LDAP connection pooling for end user authentication.

If use_pool is disabled, then this setting is meaningless

and is not used at all. (boolean value)

use_auth_pool=false

End user auth connection pool size. (integer value)

auth_pool_size=100

End user auth connection lifetime in seconds. (integer

value)

auth_pool_connection_lifetime=60

[matchmaker_redis]

#

Options defined in oslo.messaging

#

Host to locate redis. (string value)

host=127.0.0.1

Use this port to connect to redis host. (integer value)

port=6379

Password for Redis server (optional). (string value)

password=<none>

[matchmaker_ring]

#

Options defined in oslo.messaging

#

Matchmaker ring file (JSON). (string value)

Deprecated group/name - [DEFAULT]/matchmaker_ringfile

ringfile=/etc/oslo/matchmaker_ring.json

[memcache]

#

Options defined in keystone

#

Memcache servers in the format of "host:port". (list value)

servers=localhost:11211

Number of seconds memcached server is considered dead before

it is tried again. This is used by the key value store

system (e.g. token pooled memcached persistence backend).

(integer value)

dead_retry=300

Timeout in seconds for every call to a server. This is used

by the key value store system (e.g. token pooled memcached

persistence backend). (integer value)

socket_timeout=3

Max total number of open connections to every memcached

server. This is used by the key value store system (e.g.

token pooled memcached persistence backend). (integer value)

pool_maxsize=10

Number of seconds a connection to memcached is held unused

in the pool before it is closed. This is used by the key

value store system (e.g. token pooled memcached persistence

backend). (integer value)

pool_unused_timeout=60

Number of seconds that an operation will wait to get a

memcache client connection. This is used by the key value

store system (e.g. token pooled memcached persistence

backend). (integer value)

pool_connection_get_timeout=10

[oauth1]

#

Options defined in keystone

#

Credential backend driver. (string value)

driver=keystone.contrib.oauth1.backends.sql.OAuth1

Duration (in seconds) for the OAuth Request Token. (integer

value)

request_token_duration=28800

Duration (in seconds) for the OAuth Access Token. (integer

value)

access_token_duration=86400

[os_inherit]

#

Options defined in keystone

#

role-assignment inheritance to projects from owning domain

can be optionally enabled. (boolean value)

enabled=false

[paste_deploy]

#

Options defined in keystone

#

Name of the paste configuration file that defines the

available pipelines. (string value)

config_file=keystone-paste.ini

[policy]

#

Options defined in keystone

#

Policy backend driver. (string value)

driver=keystone.policy.backends.sql.Policy

Maximum number of entities that will be returned in a policy

collection. (integer value)

list_limit=<none>

[revoke]

#

Options defined in keystone

#

An implementation of the backend for persisting revocation

events. (string value)

driver=keystone.contrib.revoke.backends.kvs.Revoke

driver=keystone.contrib.revoke.backends.sql.Revoke

This value (calculated in seconds) is added to token

expiration before a revocation event may be removed from the

backend. (integer value)

expiration_buffer=1800

Toggle for revocation event caching. This has no effect

unless global caching is enabled. (boolean value)

caching=true

[saml]

#

Options defined in keystone

#

Default TTL, in seconds, for any generated SAML assertion

created by Keystone. (integer value)

assertion_expiration_time=3600

Binary to be called for XML signing. Install the appropriate

package, specify absolute path or adjust your PATH

environment variable if the binary cannot be found. (string

value)

xmlsec1_binary=xmlsec1

Path of the certfile for SAML signing. For non-production

environments, you may be interested in using `keystone-

manage pki_setup` to generate self-signed certificates.

Note, the path cannot contain a comma. (string value)

certfile=/etc/keystone/ssl/certs/signing_cert.pem

Path of the keyfile for SAML signing. Note, the path cannot

contain a comma. (string value)

keyfile=/etc/keystone/ssl/private/signing_key.pem

Entity ID value for unique Identity Provider identification.

Usually FQDN is set with a suffix. A value is required to

generate IDP Metadata. For example:

https://keystone.example.com/v3/OS-FEDERATION/saml2/idp

(string value)

idp_entity_id=<none>

Identity Provider Single-Sign-On service value, required in

the Identity Provider's metadata. A value is required to

generate IDP Metadata. For example:

https://keystone.example.com/v3/OS-FEDERATION/saml2/sso

(string value)

idp_sso_endpoint=<none>

Language used by the organization. (string value)

idp_lang=en

Organization name the installation belongs to. (string

value)

idp_organization_name=<none>

Organization name to be displayed. (string value)

idp_organization_display_name=<none>

URL of the organization. (string value)

idp_organization_url=<none>

Company of contact person. (string value)

idp_contact_company=<none>

Given name of contact person (string value)

idp_contact_name=<none>

Surname of contact person. (string value)

idp_contact_surname=<none>

Email address of contact person. (string value)

idp_contact_email=<none>

Telephone number of contact person. (string value)

idp_contact_telephone=<none>

Contact type. Allowed values are: technical, support,

administrative billing, and other (string value)

idp_contact_type=other

Path to the Identity Provider Metadata file. This file

should be generated with the keystone-manage

saml_idp_metadata command. (string value)

idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml

[signing]

#

Options defined in keystone

#

Deprecated in favor of provider in the [token] section.

(string value)

token_format=<none>

Path of the certfile for token signing. For non-production

environments, you may be interested in using `keystone-

manage pki_setup` to generate self-signed certificates.

(string value)

certfile=/etc/keystone/ssl/certs/signing_cert.pem

Path of the keyfile for token signing. (string value)

keyfile=/etc/keystone/ssl/private/signing_key.pem

Path of the CA for token signing. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

Path of the CA key for token signing. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

Key size (in bits) for token signing cert (auto generated

certificate). (integer value)

key_size=2048

Days the token signing cert is valid for (auto generated

certificate). (integer value)

valid_days=3650

Certificate subject (auto generated certificate) for token

signing. (string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ssl]

#

Options defined in keystone

#

Toggle for SSL support on the Keystone eventlet servers.

(boolean value)

enable=false

Path of the certfile for SSL. For non-production

environments, you may be interested in using `keystone-

manage ssl_setup` to generate self-signed certificates.

(string value)

certfile=/etc/keystone/ssl/certs/keystone.pem

Path of the keyfile for SSL. (string value)

keyfile=/etc/keystone/ssl/private/keystonekey.pem

Path of the ca cert file for SSL. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

Path of the CA key file for SSL. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

Require client certificate. (boolean value)

cert_required=false

SSL key length (in bits) (auto generated certificate).

(integer value)

key_size=1024

Days the certificate is valid for once signed (auto

generated certificate). (integer value)

valid_days=3650

SSL certificate subject (auto generated certificate).

(string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[stats]

#

Options defined in keystone

#

Stats backend driver. (string value)

driver=keystone.contrib.stats.backends.kvs.Stats

[token]

#

Options defined in keystone

#

External auth mechanisms that should add bind information to

token, e.g., kerberos,x509. (list value)

bind=

Enforcement policy on tokens presented to Keystone with bind

information. One of disabled, permissive, strict, required

or a specifically required bind mode, e.g., kerberos or x509

to require binding to that authentication. (string value)

enforce_token_bind=permissive

Amount of time a token should remain valid (in seconds).

(integer value)

expiration=3600

Controls the token construction, validation, and revocation

operations. Core providers are

"keystone.token.providers.[pkiz|pki|uuid].Provider". The

default provider is uuid. (string value)

provider=keystone.token.providers.uuid.Provider

Token persistence backend driver. (string value)

driver=keystone.token.persistence.backends.sql.Token

driver=keystone.token.persistence.backends.memcache.Token

Toggle for token system caching. This has no effect unless

global caching is enabled. (boolean value)

caching=true

Time to cache the revocation list and the revocation events

if revoke extension is enabled (in seconds). This has no

effect unless global and token caching are enabled. (integer

value)

revocation_cache_time=3600

Time to cache tokens (in seconds). This has no effect unless

global and token caching are enabled. (integer value)

cache_time=<none>

Revoke token by token identifier. Setting revoke_by_id to

true enables various forms of enumerating tokens, e.g. `list

tokens for user`. These enumerations are processed to

determine the list of tokens to revoke. Only disable if you

are switching to using the Revoke extension with a backend

other than KVS, which stores events in memory. (boolean

value)

revoke_by_id=true

The hash algorithm to use for PKI tokens. This can be set to

any algorithm that hashlib supports. WARNING: Before

changing this value, the auth_token middleware must be

configured with the hash_algorithms, otherwise token

revocation will not be processed correctly. (string value)

hash_algorithm=md5

[trust]

#

Options defined in keystone

#

Delegation and impersonation features can be optionally

disabled. (boolean value)

enabled=true

Trust backend driver. (string value)

driver=keystone.trust.backends.sql.Trust

keystone ImportError: No module named urlmap

Dear all; I am going to setup openstack swtift keystone,according to official document,but after configing keystone.conf and doing keystone-all i got the following error in log. i google alot,but no useful solution i found.is there any body to help me?

2016-02-03 12:33:02.911 8962 CRITICAL keystone [-] ImportError: No module named urlmap
2016-02-03 12:33:02.911 8962 TRACE keystone Traceback (most recent call last):
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/bin/keystone-all", line 36, in <module>
2016-02-03 12:33:02.911 8962 TRACE keystone     eventlet_server.run(possible_topdir)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/keystone/server/eventlet.py", line 155, in run
2016-02-03 12:33:02.911 8962 TRACE keystone     startup_application_fn=create_servers)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/keystone/server/common.py", line 43, in setup_backends
2016-02-03 12:33:02.911 8962 TRACE keystone     res = startup_application_fn()
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/keystone/server/eventlet.py", line 146, in create_servers
2016-02-03 12:33:02.911 8962 TRACE keystone     admin_worker_count))
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/keystone/server/eventlet.py", line 64, in create_server
2016-02-03 12:33:02.911 8962 TRACE keystone     app = keystone_service.loadapp('config:%s' % conf, name)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/keystone/service.py", line 45, in loadapp
2016-02-03 12:33:02.911 8962 TRACE keystone     controllers.latest_app = deploy.loadapp(conf, name=name)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 247, in loadapp
2016-02-03 12:33:02.911 8962 TRACE keystone     return loadobj(APP, uri, name=name, **kw)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 271, in loadobj
2016-02-03 12:33:02.911 8962 TRACE keystone     global_conf=global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 296, in loadcontext
2016-02-03 12:33:02.911 8962 TRACE keystone     global_conf=global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 320, in _loadconfig
2016-02-03 12:33:02.911 8962 TRACE keystone     return loader.get_context(object_type, name, global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 454, in get_context
2016-02-03 12:33:02.911 8962 TRACE keystone     section)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 476, in _context_from_use
2016-02-03 12:33:02.911 8962 TRACE keystone     object_type, name=use, global_conf=global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 406, in get_context
2016-02-03 12:33:02.911 8962 TRACE keystone     global_conf=global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 296, in loadcontext
2016-02-03 12:33:02.911 8962 TRACE keystone     global_conf=global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 328, in _loadegg
2016-02-03 12:33:02.911 8962 TRACE keystone     return loader.get_context(object_type, name, global_conf)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 620, in get_context
2016-02-03 12:33:02.911 8962 TRACE keystone     object_type, name=name)
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/local/lib/python2.7/dist-packages/paste/deploy/loadwsgi.py", line 646, in find_egg_entry_point
2016-02-03 12:33:02.911 8962 TRACE keystone     possible.append((entry.load(), protocol, entry.name))
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2312, in load
2016-02-03 12:33:02.911 8962 TRACE keystone     return self.resolve()
2016-02-03 12:33:02.911 8962 TRACE keystone   File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2318, in resolve
2016-02-03 12:33:02.911 8962 TRACE keystone     module = __import__(self.module_name, fromlist=['__name__'], level=0)

level=0) 2016-02-03 12:33:02.911 8962 TRACE keystone ImportError: No module named urlmap

keystone.conf file

urlmap

[DEFAULT]

#

Options defined in keystone

#

A "shared secret" that Keystone configurations can be used to bootstrap Keystone.

This "token" does not represent a user, and carries no

explicit authorization. To disable in production (highly

recommended), remove AdminTokenAuthMiddleware from your

paste application pipelines (for example, in keystone-

paste.ini). (string value)

admin_token=b9736eb78baf33cee1a0found here.

The IP address of the network interface for the public

service to listen on. (string value)

Deprecated group/name - [DEFAULT]/bind_host

public_bind_host=0.0.0.0

The IP address of the network interface for the admin

service to listen on. (string value)

Deprecated group/name - [DEFAULT]/bind_host

admin_bind_host=0.0.0.0

(Deprecated) The port which the OpenStack Compute service

listens on. This option was only used for string replacement

in the templated catalog backend. Templated catalogs should

replace the "$(compute_port)s" substitution with the static

port of the compute service. As of Juno, this option is

deprecated and will be removed in the L release. (integer

value)

compute_port=8774

The port number which the admin service listens on. (integer

value)

admin_port=35357

The port number which the public service listens on.

(integer value)

public_port=5000

The base public endpoint URL for Keystone that is advertised

to clients (NOTE: this does NOT affect how Keystone listens

for connections). Defaults to the base host URL of the

request. E.g. a request to http://server:5000/v2.0/users

will default to http://server:5000. You should only need to

set this value if the base URL contains a path (e.g.

/prefix/v2.0) or the endpoint should be found on a different

server. (string value)

public_endpoint=<none>

The base admin endpoint URL for Keystone that is advertised

to clients (NOTE: this does NOT affect how Keystone listens

for connections). Defaults to the base host URL of the

request. E.g. a request to http://server:35357/v2.0/users

will default to http://server:35357. You should only need to

set this value if the base URL contains a path (e.g.

/prefix/v2.0) or the endpoint should be found on a different

server. (string value)

admin_endpoint=<none>

The number of worker processes to serve the public WSGI

application. Defaults to number of CPUs (minimum of 2).

(integer value)

public_workers=<none>

The number of worker processes to serve the admin WSGI

application. Defaults to number of CPUs (minimum of 2).

(integer value)

admin_workers=<none>

Enforced by optional sizelimit middleware

(keystone.middleware:RequestBodySizeLimiter). (integer

value)

max_request_body_size=114688

Limit the sizes of user & project ID/names. (integer value)

max_param_size=64

Similar to max_param_size, but provides an exception for

token values. (integer value)

max_token_size=8192

During a SQL upgrade member_role_id will be used to create a

new role that will replace records in the assignment table

with explicit role grants. After migration, the

member_role_id will be used in the API add_user_to_project.

(string value)

member_role_id=9fe2ff9ee4384b1894a90878d3e92bab

During a SQL upgrade member_role_name will be used to create

a new role that will replace records in the assignment table

with explicit role grants. After migration, member_role_name

will be ignored. (string value)

member_role_name=_member_

The value passed as the keyword "rounds" to passlib's

encrypt method. (integer value)

crypt_strength=40000

Set this to true if you want to enable TCP_KEEPALIVE on

server sockets, i.e. sockets used by the Keystone wsgi

server for client connections. (boolean value)

tcp_keepalive=false

Sets the value of TCP_KEEPIDLE in seconds for each server

socket. Only applies if tcp_keepalive is true. Not supported

on OS X. (integer value)

tcp_keepidle=600

The maximum number of entities that will be returned in a

collection, with no limit set by default. This global limit

may be then overridden for a specific driver, by specifying

a list_limit in the appropriate section (e.g. [assignment]).

(integer value)

list_limit=<none>

Set this to false if you want to enable the ability for

user, group and project entities to be moved between domains

by updating their domain_id. Allowing such movement is not

recommended if the scope of a domain admin is being

restricted by use of an appropriate policy file (see

policy.v3cloudsample as an example). (boolean value)

domain_id_immutable=true

If set to true, strict password length checking is performed

for password manipulation. If a password exceeds the maximum

length, the operation will fail with an HTTP 403 Forbidden

error. If set to false, passwords are automatically

truncated to the maximum length. (boolean value)

strict_password_check=false

#

Options defined in oslo.messaging

#

Use durable queues in amqp. (boolean value)

Deprecated group/name - [DEFAULT]/rabbit_durable_queues

amqp_durable_queues=false

Auto-delete queues in amqp. (boolean value)

amqp_auto_delete=false

Size of RPC connection pool. (integer value)

rpc_conn_pool_size=30

Qpid broker hostname. (string value)

qpid_hostname=localhost

Qpid broker port. (integer value)

qpid_port=5672

Qpid HA cluster host:port pairs. (list value)

qpid_hosts=$qpid_hostname:$qpid_port

Username for Qpid connection. (string value)

qpid_username=

Password for Qpid connection. (string value)

qpid_password=

Space separated list of SASL mechanisms to use for auth.

(string value)

qpid_sasl_mechanisms=

Seconds between connection keepalive heartbeats. (integer

value)

qpid_heartbeat=60

Transport to use, either 'tcp' or 'ssl'. (string value)

qpid_protocol=tcp

Whether to disable the Nagle algorithm. (boolean value)

qpid_tcp_nodelay=true

The number of prefetched messages held by receiver. (integer

value)

qpid_receiver_capacity=1

The qpid topology version to use. Version 1 is what was

originally used by impl_qpid. Version 2 includes some

backwards-incompatible changes that allow broker federation

to work. Users should update to version 2 when they are

able to take everything down, as it requires a clean break.

(integer value)

qpid_topology_version=1

SSL version to use (valid only if SSL enabled). valid values

are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some

distributions. (string value)

kombu_ssl_version=

SSL key file (valid only if SSL enabled). (string value)

kombu_ssl_keyfile=

SSL cert file (valid only if SSL enabled). (string value)

kombu_ssl_certfile=

SSL certification authority file (valid only if SSL

enabled). (string value)

kombu_ssl_ca_certs=

How long to wait before reconnecting in response to an AMQP

consumer cancel notification. (floating point value)

kombu_reconnect_delay=1.0

The RabbitMQ broker address where a single node is used.

(string value)

rabbit_host=localhost

The RabbitMQ broker port where a single node is used.

(integer value)

rabbit_port=5672

RabbitMQ HA cluster host:port pairs. (list value)

rabbit_hosts=$rabbit_host:$rabbit_port

Connect over SSL for RabbitMQ. (boolean value)

rabbit_use_ssl=false

The RabbitMQ userid. (string value)

rabbit_userid=guest

The RabbitMQ password. (string value)

rabbit_password=guest

the RabbitMQ login method (string value)

rabbit_login_method=AMQPLAIN

The RabbitMQ virtual host. (string value)

rabbit_virtual_host=/

How frequently to retry connecting with RabbitMQ. (integer

value)

rabbit_retry_interval=1

How long to backoff for between retries when connecting to

RabbitMQ. (integer value)

rabbit_retry_backoff=2

Maximum number of RabbitMQ connection retries. Default is 0

(infinite retry count). (integer value)

rabbit_max_retries=0

Use HA queues in RabbitMQ (x-ha-policy: all). If you change

this option, you must wipe the RabbitMQ database. (boolean

value)

rabbit_ha_queues=false

If passed, use a fake RabbitMQ provider. (boolean value)

fake_rabbit=false

ZeroMQ bind address. Should be a wildcard (*), an ethernet

interface, or IP. The "host" option should point or resolve

to this address. (string value)

rpc_zmq_bind_address=*

MatchMaker driver. (string value)

rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

ZeroMQ receiver listening port. (integer value)

rpc_zmq_port=9501

Number of ZeroMQ contexts, defaults to 1. (integer value)

rpc_zmq_contexts=1

Maximum number of ingress messages to locally buffer per

topic. Default is unlimited. (integer value)

rpc_zmq_topic_backlog=<none>

Directory for holding IPC sockets. (string value)

rpc_zmq_ipc_dir=/var/run/openstack

Name of this node. Must be a valid hostname, FQDN, or IP

address. Must match "host" option, if running Nova. (string

value)

rpc_zmq_host=keystone

Seconds to wait before a cast expires (TTL). Only supported

by impl_zmq. (integer value)

rpc_cast_timeout=30

Heartbeat frequency. (integer value)

matchmaker_heartbeat_freq=300

Heartbeat time-to-live. (integer value)

matchmaker_heartbeat_ttl=600

Size of RPC greenthread pool. (integer value)

rpc_thread_pool_size=64

Driver or drivers to handle sending notifications. (multi

valued)

notification_driver=

AMQP topic used for OpenStack notifications. (list value)

Deprecated group/name - [rpc_notifier2]/topics

notification_topics=notifications

Seconds to wait for a response from a call. (integer value)

rpc_response_timeout=60

A URL representing the messaging driver to use and its full

configuration. If not set, we fall back to the rpc_backend

option and driver specific configuration. (string value)

transport_url=<none>

The messaging driver to use, defaults to rabbit. Other

drivers include qpid and zmq. (string value)

rpc_backend=rabbit

The default exchange under which topics are scoped. May be

overridden by an exchange name specified in the

transport_url option. (string value)

control_exchange=keystone

#

Options defined in keystone.notifications

#

Default publisher_id for outgoing notifications (string

value)

default_publisher_id=<none>

#

Options defined in keystone.openstack.common.eventlet_backdoor

#

Enable eventlet backdoor. Acceptable values are 0, <port>,

and <start>:<end>, where 0 results in listening on a random

tcp port number; <port> results in listening on the

specified port number (and not enabling backdoor if that

port is in use); and <start>:<end> results in listening on

the smallest unused port number within the specified range

of port numbers. The chosen port is displayed in the

service's log file. (string value)

backdoor_port=<none>

#

Options defined in keystone.openstack.common.log

#

Print debugging output (set logging level to DEBUG instead

of default WARNING level). (boolean value)

debug=false

Print more verbose output (set logging level to INFO instead

of default WARNING level). (boolean value)

verbose=true

Log output to standard error. (boolean value)

use_stderr=true

Format string to use for log messages with context. (string

value)

logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

Format string to use for log messages without context.

(string value)

logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

Data to append to log format when level is DEBUG. (string

value)

logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d

Prefix each line of exception output with this format.

(string value)

logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

List of logger=LEVEL pairs. (list value)

default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN

Enables or disables publication of error events. (boolean

value)

publish_errors=false

Enables or disables fatal status of deprecations. (boolean

value)

fatal_deprecations=false

The format for an instance that is passed with the log

message. (string value)

instance_format="[instance: %(uuid)s] "

The format for an instance UUID that is passed with the log

message. (string value)

instance_uuid_format="[instance: %(uuid)s] "

The name of a logging configuration file. This file is

appended to any existing logging configuration files. For

details about logging configuration files, see the Python

logging module documentation. (string value)

Deprecated group/name - [DEFAULT]/log_config

log_config_append=<none>

DEPRECATED. A logging.Formatter log message format string

which may use any of the available logging.LogRecord

attributes. This option is deprecated. Please use

logging_context_format_string and

logging_default_format_string instead. (string value)

log_format=<none>

Format string for %%(asctime)s in log records. Default:

%(default)s . (string value)

log_date_format=%Y-%m-%d %H:%M:%S

(Optional) Name of log file to output to. If no default is

set, logging will go to stdout. (string value)

Deprecated group/name - [DEFAULT]/logfile

log_file=<none>

(Optional) The base directory used for relative --log-file

paths. (string value)

Deprecated group/name - [DEFAULT]/logdir

log_dir=<none>

Use syslog for logging. Existing syslog format is DEPRECATED

during I, and will change in J to honor RFC5424. (boolean

value)

use_syslog=false

(Optional) Enables or disables syslog rfc5424 format for

logging. If enabled, prefixes the MSG part of the syslog

message with APP-NAME (RFC5424). The format without the APP-

NAME is deprecated in I, and will be removed in J. (boolean

value)

use_syslog_rfc_format=false

Syslog facility to receive log lines. (string value)

syslog_log_facility=LOG_USER

#

Options defined in keystone.openstack.common.policy

#

The JSON file that defines policies. (string value)

policy_file=policy.json

Default rule. Enforced when a requested rule is not found.

(string value)

policy_default_rule=default

[assignment]

#

Options defined in keystone

#

Assignment backend driver. (string value)

driver=<none>

Toggle for assignment caching. This has no effect unless

global caching is enabled. (boolean value)

caching=true

TTL (in seconds) to cache assignment data. This has no

effect unless global caching is enabled. (integer value)

cache_time=<none>

Maximum number of entities that will be returned in an

assignment collection. (integer value)

list_limit=<none>

[auth]

#

Options defined in keystone

#

Default auth methods. (list value)

methods=external,password,token

The password auth plugin module. (string value)

password=keystone.auth.plugins.password.Password

The token auth plugin module. (string value)

token=keystone.auth.plugins.token.Token

The external (REMOTE_USER) auth plugin module. (string

value)

external=keystone.auth.plugins.external.DefaultDomain

[cache]

#

Options defined in keystone

#

Prefix for building the configuration dictionary for the

cache region. This should not need to be changed unless

there is another dogpile.cache region with the same

configuration name. (string value)

config_prefix=cache.keystone

Default TTL, in seconds, for any cached item in the

dogpile.cache region. This applies to any cached method that

doesn't have an explicit cache expiration time defined for

it. (integer value)

expiration_time=600

Dogpile.cache backend module. It is recommended that

Memcache with pooling (keystone.cache.memcache_pool) or

Redis (dogpile.cache.redis) be used in production

deployments. Small workloads (single process) like devstack

can use the dogpile.cache.memory backend. (string value)

backend=keystone.common.cache.noop

Arguments supplied to the backend module. Specify this

option once per argument to be passed to the dogpile.cache

backend. Example format: "<argname>:<value>". (multi valued)

backend_argument=

Proxy classes to import that will affect the way the

dogpile.cache backend functions. See the dogpile.cache

documentation on changing-backend-behavior. (list value)

proxies=

Global toggle for all caching using the should_cache_fn

mechanism. (boolean value)

enabled=false

Extra debugging from the cache backend (cache keys,

get/set/delete/etc calls). This is only really useful if you

need to see the specific cache-backend get/set/delete calls

with the keys/values. Typically this should be left set to

false. (boolean value)

debug_cache_backend=false

Memcache servers in the format of "host:port".

(dogpile.cache.memcache and keystone.cache.memcache_pool

backends only) (list value)

memcache_servers=localhost:11211

Number of seconds memcached server is considered dead before

it is tried again. (dogpile.cache.memcache and

keystone.cache.memcache_pool backends only) (integer value)

memcache_dead_retry=300

Timeout in seconds for every call to a server.

(dogpile.cache.memcache and keystone.cache.memcache_pool

backends only) (integer value)

memcache_socket_timeout=3

Max total number of open connections to every memcached

server. (keystone.cache.memcache_pool backend only) (integer

value)

memcache_pool_maxsize=10

Number of seconds a connection to memcached is held unused

in the pool before it is closed.

(keystone.cache.memcache_pool backend only) (integer value)

memcache_pool_unused_timeout=60

Number of seconds that an operation will wait to get a

memcache client connection. (integer value)

memcache_pool_connection_get_timeout=10

[catalog]

#

Options defined in keystone

#

Catalog template file name for use with the template catalog

backend. (string value)

template_file=default_catalog.templates

Catalog backend driver. (string value)

driver=keystone.catalog.backends.sql.Catalog

Toggle for catalog caching. This has no effect unless global

caching is enabled. (boolean value)

caching=true

Time to cache catalog data (in seconds). This has no effect

unless global and catalog caching are enabled. (integer

value)

cache_time=<none>

Maximum number of entities that will be returned in a

catalog collection. (integer value)

list_limit=<none>

(Deprecated) List of possible substitutions for use in

formatting endpoints. Use caution when modifying this list.

It will give users with permission to create endpoints the

ability to see those values in your configuration file. This

option will be removed in Juno. (list value)

endpoint_substitution_whitelist=tenant_id,user_id,public_bind_host,admin_bind_host,compute_host,compute_port,admin_port,public_port,public_endpoint,admin_endpoint

[credential]

#

Options defined in keystone

#

Credential backend driver. (string value)

driver=keystone.credential.backends.sql.Credential

[database]

#

Options defined in oslo.db

#

The file name to use with SQLite. (string value)

sqlite_db=oslo.sqlite

If True, SQLite uses synchronous mode. (boolean value)

sqlite_synchronous=true

The back end to use for the database. (string value)

Deprecated group/name - [DEFAULT]/db_backend

backend=sqlalchemy

The SQLAlchemy connection string to use to connect to the

database. (string value)

Deprecated group/name - [DEFAULT]/sql_connection

Deprecated group/name - [DATABASE]/sql_connection

Deprecated group/name - [sql]/connection

connection= mysql://keystone:root@127.0.0.1/keystone

The SQLAlchemy connection string to use to connect to the

slave database. (string value)

slave_connection=<none>

The SQL mode to be used for MySQL sessions. This option,

including the default, overrides any server-set SQL mode. To

use whatever SQL mode is set by the server configuration,

set this to no value. Example: mysql_sql_mode= (string

value)

mysql_sql_mode=TRADITIONAL

Timeout before idle SQL connections are reaped. (integer

value)

Deprecated group/name - [DEFAULT]/sql_idle_timeout

Deprecated group/name - [DATABASE]/sql_idle_timeout

Deprecated group/name - [sql]/idle_timeout

idle_timeout=3600

Minimum number of SQL connections to keep open in a pool.

(integer value)

Deprecated group/name - [DEFAULT]/sql_min_pool_size

Deprecated group/name - [DATABASE]/sql_min_pool_size

min_pool_size=1

Maximum number of SQL connections to keep open in a pool.

(integer value)

Deprecated group/name - [DEFAULT]/sql_max_pool_size

Deprecated group/name - [DATABASE]/sql_max_pool_size

max_pool_size=<none>

Maximum db connection retries during startup. Set to -1 to

specify an infinite retry count. (integer value)

Deprecated group/name - [DEFAULT]/sql_max_retries

Deprecated group/name - [DATABASE]/sql_max_retries

max_retries=10

Interval between retries of opening a SQL connection.

(integer value)

Deprecated group/name - [DEFAULT]/sql_retry_interval

Deprecated group/name - [DATABASE]/reconnect_interval

retry_interval=10

If set, use this value for max_overflow with SQLAlchemy.

(integer value)

Deprecated group/name - [DEFAULT]/sql_max_overflow

Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow

max_overflow=<none>

Verbosity of SQL debugging information: 0=None,

100=Everything. (integer value)

Deprecated group/name - [DEFAULT]/sql_connection_debug

connection_debug=0

Add Python stack traces to SQL as comment strings. (boolean

value)

Deprecated group/name - [DEFAULT]/sql_connection_trace

connection_trace=false

If set, use this value for pool_timeout with SQLAlchemy.

(integer value)

Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout

pool_timeout=<none>

Enable the experimental use of database reconnect on

connection lost. (boolean value)

use_db_reconnect=false

Seconds between database connection retries. (integer value)

db_retry_interval=1

If True, increases the interval between database connection

retries up to db_max_retry_interval. (boolean value)

db_inc_retry_interval=true

If db_inc_retry_interval is set, the maximum seconds between

database connection retries. (integer value)

db_max_retry_interval=10

Maximum database connection retries before error is raised.

Set to -1 to specify an infinite retry count. (integer

value)

db_max_retries=20

[ec2]

#

Options defined in keystone

#

EC2Credential backend driver. (string value)

driver=keystone.contrib.ec2.backends.kvs.Ec2

[endpoint_filter]

#

Options defined in keystone

#

Endpoint Filter backend driver (string value)

driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

Toggle to return all active endpoints if no filter exists.

(boolean value)

return_all_endpoints_if_no_filter=true

[endpoint_policy]

#

Options defined in keystone

#

Endpoint policy backend driver (string value)

driver=keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy

[federation]

#

Options defined in keystone

#

Federation backend driver. (string value)

driver=keystone.contrib.federation.backends.sql.Federation

Value to be used when filtering assertion parameters from

the environment. (string value)

assertion_prefix=

[identity]

#

Options defined in keystone

#

This references the domain to use for all Identity API v2

requests (which are not aware of domains). A domain with

this ID will be created for you by keystone-manage db_sync

in migration 008. The domain referenced by this ID cannot be

deleted on the v3 API, to prevent accidentally breaking the

v2 API. There is nothing special about this domain, other

than the fact that it must exist to order to maintain

support for your v2 clients. (string value)

default_domain_id=default

A subset (or all) of domains can have their own identity

driver, each with their own partial configuration file in a

domain configuration directory. Only values specific to the

domain need to be placed in the domain specific

configuration file. This feature is disabled by default; set

to true to enable. (boolean value)

domain_specific_drivers_enabled=false

Path for Keystone to locate the domain specific identity

configuration files if domain_specific_drivers_enabled is

set to true. (string value)

domain_config_dir=/etc/keystone/domains

Identity backend driver. (string value)

driver=keystone.identity.backends.sql.Identity

Maximum supported length for user passwords; decrease to

improve performance. (integer value)

max_password_length=4096

Maximum number of entities that will be returned in an

identity collection. (integer value)

list_limit=<none>

[identity_mapping]

#

Options defined in keystone

#

Keystone Identity Mapping backend driver. (string value)

driver=keystone.identity.mapping_backends.sql.Mapping

Public ID generator for user and group entities. The

Keystone identity mapper only supports generators that

produce no more than 64 characters. (string value)

generator=keystone.identity.id_generators.sha256.Generator

The format of user and group IDs changed in Juno for

backends that do not generate UUIDs (e.g. LDAP), with

keystone providing a hash mapping to the underlying

attribute in LDAP. By default this mapping is disabled,

which ensures that existing IDs will not change. Even when

the mapping is enabled by using domain specific drivers, any

users and groups from the default domain being handled by

LDAP will still not be mapped to ensure their IDs remain

backward compatible. Setting this value to False will enable

the mapping for even the default LDAP driver. It is only

safe to do this if you do not already have assignments for

users and groups from the default LDAP domain, and it is

acceptable for Keystone to provide the different IDs to

clients than it did previously. Typically this means that

the only time you can set this value to False is when

configuring a fresh installation. (boolean value)

backward_compatible_ids=true

[kvs]

#

Options defined in keystone

#

Extra dogpile.cache backend modules to register with the

dogpile.cache library. (list value)

backends=

Prefix for building the configuration dictionary for the KVS

region. This should not need to be changed unless there is

another dogpile.cache region with the same configuration

name. (string value)

config_prefix=keystone.kvs

Toggle to disable using a key-mangling function to ensure

fixed length keys. This is toggle-able for debugging

purposes, it is highly recommended to always leave this set

to true. (boolean value)

enable_key_mangler=true

Default lock timeout for distributed locking. (integer

value)

default_lock_timeout=5

[ldap]

#

Options defined in keystone

#

URL for connecting to the LDAP server. (string value)

url=ldap://localhost

User BindDN to query the LDAP server. (string value)

user=<none>

Password for the BindDN to query the LDAP server. (string

value)

password=<none>

LDAP server suffix (string value)

suffix=cn=example,cn=com

If true, will add a dummy member to groups. This is required

if the objectclass for groups requires the "member"

attribute. (boolean value)

use_dumb_member=false

DN of the "dummy member" to use when "use_dumb_member" is

enabled. (string value)

dumb_member=cn=dumb,dc=nonexistent

Delete subtrees using the subtree delete control. Only

enable this option if your LDAP server supports subtree

deletion. (boolean value)

allow_subtree_delete=false

The LDAP scope for queries, this can be either "one"

(onelevel/singleLevel) or "sub" (subtree/wholeSubtree).

(string value)

query_scope=one

Maximum results per page; a value of zero ("0") disables

paging. (integer value)

page_size=0

The LDAP dereferencing option for queries. This can be

either "never", "searching", "always", "finding" or

"default". The "default" option falls back to using default

dereferencing configured by your ldap.conf. (string value)

alias_dereferencing=default

Sets the LDAP debugging level for LDAP calls. A value of 0

means that debugging is not enabled. This value is a

bitmask, consult your LDAP documentation for possible

values. (integer value)

debug_level=<none>

Override the system's default referral chasing behavior for

queries. (boolean value)

chase_referrals=<none>

Search base for users. (string value)

user_tree_dn=<none>

LDAP search filter for users. (string value)

user_filter=<none>

LDAP objectclass for users. (string value)

user_objectclass=inetOrgPerson

LDAP attribute mapped to user id. WARNING: must not be a

multivalued attribute. (string value)

user_id_attribute=cn

LDAP attribute mapped to user name. (string value)

user_name_attribute=sn

LDAP attribute mapped to user email. (string value)

user_mail_attribute=mail

LDAP attribute mapped to password. (string value)

user_pass_attribute=userPassword

LDAP attribute mapped to user enabled flag. (string value)

user_enabled_attribute=enabled

Invert the meaning of the boolean enabled values. Some LDAP

servers use a boolean lock attribute where "true" means an

account is disabled. Setting "user_enabled_invert = true"

will allow these lock attributes to be used. This setting

will have no effect if "user_enabled_mask" or

"user_enabled_emulation" settings are in use. (boolean

value)

user_enabled_invert=false

Bitmask integer to indicate the bit that the enabled value

is stored in if the LDAP server represents "enabled" as a

bit on an integer rather than a boolean. A value of "0"

indicates the mask is not used. If this is not set to "0"

the typical value is "2". This is typically used when

"user_enabled_attribute = userAccountControl". (integer

value)

user_enabled_mask=0

Default value to enable users. This should match an

appropriate int value if the LDAP server uses non-boolean

(bitmask) values to indicate if a user is enabled or

disabled. If this is not set to "True" the typical value is

"512". This is typically used when "user_enabled_attribute =

userAccountControl". (string value)

user_enabled_default=True

List of attributes stripped off the user on update. (list

value)

user_attribute_ignore=default_project_id,tenants

LDAP attribute mapped to default_project_id for users.

(string value)

user_default_project_id_attribute=<none>

Allow user creation in LDAP backend. (boolean value)

user_allow_create=true

Allow user updates in LDAP backend. (boolean value)

user_allow_update=true

Allow user deletion in LDAP backend. (boolean value)

user_allow_delete=true

If true, Keystone uses an alternative method to determine if

a user is enabled or not by checking if they are a member of

the "user_enabled_emulation_dn" group. (boolean value)

user_enabled_emulation=false

DN of the group entry to hold enabled users when using

enabled emulation. (string value)

user_enabled_emulation_dn=<none>

List of additional LDAP attributes used for mapping

additional attribute mappings for users. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

user_additional_attribute_mapping=

Search base for projects (string value)

Deprecated group/name - [ldap]/tenant_tree_dn

project_tree_dn=<none>

LDAP search filter for projects. (string value)

Deprecated group/name - [ldap]/tenant_filter

project_filter=<none>

LDAP objectclass for projects. (string value)

Deprecated group/name - [ldap]/tenant_objectclass

project_objectclass=groupOfNames

LDAP attribute mapped to project id. (string value)

Deprecated group/name - [ldap]/tenant_id_attribute

project_id_attribute=cn

LDAP attribute mapped to project membership for user.

(string value)

Deprecated group/name - [ldap]/tenant_member_attribute

project_member_attribute=member

LDAP attribute mapped to project name. (string value)

Deprecated group/name - [ldap]/tenant_name_attribute

project_name_attribute=ou

LDAP attribute mapped to project description. (string value)

Deprecated group/name - [ldap]/tenant_desc_attribute

project_desc_attribute=description

LDAP attribute mapped to project enabled. (string value)

Deprecated group/name - [ldap]/tenant_enabled_attribute

project_enabled_attribute=enabled

LDAP attribute mapped to project domain_id. (string value)

Deprecated group/name - [ldap]/tenant_domain_id_attribute

project_domain_id_attribute=businessCategory

List of attributes stripped off the project on update. (list

value)

Deprecated group/name - [ldap]/tenant_attribute_ignore

project_attribute_ignore=

Allow project creation in LDAP backend. (boolean value)

Deprecated group/name - [ldap]/tenant_allow_create

project_allow_create=true

Allow project update in LDAP backend. (boolean value)

Deprecated group/name - [ldap]/tenant_allow_update

project_allow_update=true

Allow project deletion in LDAP backend. (boolean value)

Deprecated group/name - [ldap]/tenant_allow_delete

project_allow_delete=true

If true, Keystone uses an alternative method to determine if

a project is enabled or not by checking if they are a member

of the "project_enabled_emulation_dn" group. (boolean value)

Deprecated group/name - [ldap]/tenant_enabled_emulation

project_enabled_emulation=false

DN of the group entry to hold enabled projects when using

enabled emulation. (string value)

Deprecated group/name - [ldap]/tenant_enabled_emulation_dn

project_enabled_emulation_dn=<none>

Additional attribute mappings for projects. Attribute

mapping format is <ldap_attr>:<user_attr>, where ldap_attr

is the attribute in the LDAP entry and user_attr is the

Identity API attribute. (list value)

Deprecated group/name - [ldap]/tenant_additional_attribute_mapping

project_additional_attribute_mapping=

Search base for roles. (string value)

role_tree_dn=<none>

LDAP search filter for roles. (string value)

role_filter=<none>

LDAP objectclass for roles. (string value)

role_objectclass=organizationalRole

LDAP attribute mapped to role id. (string value)

role_id_attribute=cn

LDAP attribute mapped to role name. (string value)

role_name_attribute=ou

LDAP attribute mapped to role membership. (string value)

role_member_attribute=roleOccupant

List of attributes stripped off the role on update. (list

value)

role_attribute_ignore=

Allow role creation in LDAP backend. (boolean value)

role_allow_create=true

Allow role update in LDAP backend. (boolean value)

role_allow_update=true

Allow role deletion in LDAP backend. (boolean value)

role_allow_delete=true

Additional attribute mappings for roles. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

role_additional_attribute_mapping=

Search base for groups. (string value)

group_tree_dn=<none>

LDAP search filter for groups. (string value)

group_filter=<none>

LDAP objectclass for groups. (string value)

group_objectclass=groupOfNames

LDAP attribute mapped to group id. (string value)

group_id_attribute=cn

LDAP attribute mapped to group name. (string value)

group_name_attribute=ou

LDAP attribute mapped to show group membership. (string

value)

group_member_attribute=member

LDAP attribute mapped to group description. (string value)

group_desc_attribute=description

List of attributes stripped off the group on update. (list

value)

group_attribute_ignore=

Allow group creation in LDAP backend. (boolean value)

group_allow_create=true

Allow group update in LDAP backend. (boolean value)

group_allow_update=true

Allow group deletion in LDAP backend. (boolean value)

group_allow_delete=true

Additional attribute mappings for groups. Attribute mapping

format is <ldap_attr>:<user_attr>, where ldap_attr is the

attribute in the LDAP entry and user_attr is the Identity

API attribute. (list value)

group_additional_attribute_mapping=

CA certificate file path for communicating with LDAP

servers. (string value)

tls_cacertfile=<none>

CA certificate directory path for communicating with LDAP

servers. (string value)

tls_cacertdir=<none>

Enable TLS for communicating with LDAP servers. (boolean

value)

use_tls=false

Valid options for tls_req_cert are demand, never, and allow.

(string value)

tls_req_cert=demand

Enable LDAP connection pooling. (boolean value)

use_pool=false

Connection pool size. (integer value)

pool_size=10

Maximum count of reconnect trials. (integer value)

pool_retry_max=3

Time span in seconds to wait between two reconnect trials.

(floating point value)

pool_retry_delay=0.1

Connector timeout in seconds. Value -1 indicates indefinite

wait for response. (integer value)

pool_connection_timeout=-1

Connection lifetime in seconds. (integer value)

pool_connection_lifetime=600

Enable LDAP connection pooling for end user authentication.

If use_pool is disabled, then this setting is meaningless

and is not used at all. (boolean value)

use_auth_pool=false

End user auth connection pool size. (integer value)

auth_pool_size=100

End user auth connection lifetime in seconds. (integer

value)

auth_pool_connection_lifetime=60

[matchmaker_redis]

#

Options defined in oslo.messaging

#

Host to locate redis. (string value)

host=127.0.0.1

Use this port to connect to redis host. (integer value)

port=6379

Password for Redis server (optional). (string value)

password=<none>

[matchmaker_ring]

#

Options defined in oslo.messaging

#

Matchmaker ring file (JSON). (string value)

Deprecated group/name - [DEFAULT]/matchmaker_ringfile

ringfile=/etc/oslo/matchmaker_ring.json

[memcache]

#

Options defined in keystone

#

Memcache servers in the format of "host:port". (list value)

servers=localhost:11211

Number of seconds memcached server is considered dead before

it is tried again. This is used by the key value store

system (e.g. token pooled memcached persistence backend).

(integer value)

dead_retry=300

Timeout in seconds for every call to a server. This is used

by the key value store system (e.g. token pooled memcached

persistence backend). (integer value)

socket_timeout=3

Max total number of open connections to every memcached

server. This is used by the key value store system (e.g.

token pooled memcached persistence backend). (integer value)

pool_maxsize=10

Number of seconds a connection to memcached is held unused

in the pool before it is closed. This is used by the key

value store system (e.g. token pooled memcached persistence

backend). (integer value)

pool_unused_timeout=60

Number of seconds that an operation will wait to get a

memcache client connection. This is used by the key value

store system (e.g. token pooled memcached persistence

backend). (integer value)

pool_connection_get_timeout=10

[oauth1]

#

Options defined in keystone

#

Credential backend driver. (string value)

driver=keystone.contrib.oauth1.backends.sql.OAuth1

Duration (in seconds) for the OAuth Request Token. (integer

value)

request_token_duration=28800

Duration (in seconds) for the OAuth Access Token. (integer

value)

access_token_duration=86400

[os_inherit]

#

Options defined in keystone

#

role-assignment inheritance to projects from owning domain

can be optionally enabled. (boolean value)

enabled=false

[paste_deploy]

#

Options defined in keystone

#

Name of the paste configuration file that defines the

available pipelines. (string value)

config_file=keystone-paste.ini

[policy]

#

Options defined in keystone

#

Policy backend driver. (string value)

driver=keystone.policy.backends.sql.Policy

Maximum number of entities that will be returned in a policy

collection. (integer value)

list_limit=<none>

[revoke]

#

Options defined in keystone

#

An implementation of the backend for persisting revocation

events. (string value)

driver=keystone.contrib.revoke.backends.kvs.Revoke

driver=keystone.contrib.revoke.backends.sql.Revoke

This value (calculated in seconds) is added to token

expiration before a revocation event may be removed from the

backend. (integer value)

expiration_buffer=1800

Toggle for revocation event caching. This has no effect

unless global caching is enabled. (boolean value)

caching=true

[saml]

#

Options defined in keystone

#

Default TTL, in seconds, for any generated SAML assertion

created by Keystone. (integer value)

assertion_expiration_time=3600

Binary to be called for XML signing. Install the appropriate

package, specify absolute path or adjust your PATH

environment variable if the binary cannot be found. (string

value)

xmlsec1_binary=xmlsec1

Path of the certfile for SAML signing. For non-production

environments, you may be interested in using `keystone-

manage pki_setup` to generate self-signed certificates.

Note, the path cannot contain a comma. (string value)

certfile=/etc/keystone/ssl/certs/signing_cert.pem

Path of the keyfile for SAML signing. Note, the path cannot

contain a comma. (string value)

keyfile=/etc/keystone/ssl/private/signing_key.pem

Entity ID value for unique Identity Provider identification.

Usually FQDN is set with a suffix. A value is required to

generate IDP Metadata. For example:

https://keystone.example.com/v3/OS-FEDERATION/saml2/idp

(string value)

idp_entity_id=<none>

Identity Provider Single-Sign-On service value, required in

the Identity Provider's metadata. A value is required to

generate IDP Metadata. For example:

https://keystone.example.com/v3/OS-FEDERATION/saml2/sso

(string value)

idp_sso_endpoint=<none>

Language used by the organization. (string value)

idp_lang=en

Organization name the installation belongs to. (string

value)

idp_organization_name=<none>

Organization name to be displayed. (string value)

idp_organization_display_name=<none>

URL of the organization. (string value)

idp_organization_url=<none>

Company of contact person. (string value)

idp_contact_company=<none>

Given name of contact person (string value)

idp_contact_name=<none>

Surname of contact person. (string value)

idp_contact_surname=<none>

Email address of contact person. (string value)

idp_contact_email=<none>

Telephone number of contact person. (string value)

idp_contact_telephone=<none>

Contact type. Allowed values are: technical, support,

administrative billing, and other (string value)

idp_contact_type=other

Path to the Identity Provider Metadata file. This file

should be generated with the keystone-manage

saml_idp_metadata command. (string value)

idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml

[signing]

#

Options defined in keystone

#

Deprecated in favor of provider in the [token] section.

(string value)

token_format=<none>

Path of the certfile for token signing. For non-production

environments, you may be interested in using `keystone-

manage pki_setup` to generate self-signed certificates.

(string value)

certfile=/etc/keystone/ssl/certs/signing_cert.pem

Path of the keyfile for token signing. (string value)

keyfile=/etc/keystone/ssl/private/signing_key.pem

Path of the CA for token signing. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

Path of the CA key for token signing. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

Key size (in bits) for token signing cert (auto generated

certificate). (integer value)

key_size=2048

Days the token signing cert is valid for (auto generated

certificate). (integer value)

valid_days=3650

Certificate subject (auto generated certificate) for token

signing. (string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ssl]

#

Options defined in keystone

#

Toggle for SSL support on the Keystone eventlet servers.

(boolean value)

enable=false

Path of the certfile for SSL. For non-production

environments, you may be interested in using `keystone-

manage ssl_setup` to generate self-signed certificates.

(string value)

certfile=/etc/keystone/ssl/certs/keystone.pem

Path of the keyfile for SSL. (string value)

keyfile=/etc/keystone/ssl/private/keystonekey.pem

Path of the ca cert file for SSL. (string value)

ca_certs=/etc/keystone/ssl/certs/ca.pem

Path of the CA key file for SSL. (string value)

ca_key=/etc/keystone/ssl/private/cakey.pem

Require client certificate. (boolean value)

cert_required=false

SSL key length (in bits) (auto generated certificate).

(integer value)

key_size=1024

Days the certificate is valid for once signed (auto

generated certificate). (integer value)

valid_days=3650

SSL certificate subject (auto generated certificate).

(string value)

cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[stats]

#

Options defined in keystone

#

Stats backend driver. (string value)

driver=keystone.contrib.stats.backends.kvs.Stats

[token]

#

Options defined in keystone

#

External auth mechanisms that should add bind information to

token, e.g., kerberos,x509. (list value)

bind=

Enforcement policy on tokens presented to Keystone with bind

information. One of disabled, permissive, strict, required

or a specifically required bind mode, e.g., kerberos or x509

to require binding to that authentication. (string value)

enforce_token_bind=permissive

Amount of time a token should remain valid (in seconds).

(integer value)

expiration=3600

Controls the token construction, validation, and revocation

operations. Core providers are

"keystone.token.providers.[pkiz|pki|uuid].Provider". The

default provider is uuid. (string value)

provider=keystone.token.providers.uuid.Provider

Token persistence backend driver. (string value)

driver=keystone.token.persistence.backends.sql.Token

driver=keystone.token.persistence.backends.memcache.Token

Toggle for token system caching. This has no effect unless

global caching is enabled. (boolean value)

caching=true

Time to cache the revocation list and the revocation events

if revoke extension is enabled (in seconds). This has no

effect unless global and token caching are enabled. (integer

value)

revocation_cache_time=3600

Time to cache tokens (in seconds). This has no effect unless

global and token caching are enabled. (integer value)

cache_time=<none>

Revoke token by token identifier. Setting revoke_by_id to

true enables various forms of enumerating tokens, e.g. `list

tokens for user`. These enumerations are processed to

determine the list of tokens to revoke. Only disable if you

are switching to using the Revoke extension with a backend

other than KVS, which stores events in memory. (boolean

value)

revoke_by_id=true

The hash algorithm to use for PKI tokens. This can be set to

any algorithm that hashlib supports. WARNING: Before

changing this value, the auth_token middleware must be

configured with the hash_algorithms, otherwise token

revocation will not be processed correctly. (string value)

hash_algorithm=md5

[trust]

#

Options defined in keystone

#

Delegation and impersonation features can be optionally

disabled. (boolean value)

enabled=true

Trust backend driver. (string value)

driver=keystone.trust.backends.sql.Trust