diff --git a/etc/glance-api.conf b/etc/glance-api.conf index 307d7b0164..e6f5125bbe 100644 --- a/etc/glance-api.conf +++ b/etc/glance-api.conf @@ -236,49 +236,6 @@ # (integer value) #image_location_quota = 10 -# DEPRECATED: -# Python module path of data access API. -# -# Specifies the path to the API to use for accessing the data model. -# This option determines how the image catalog data will be accessed. -# -# Possible values: -# * glance.db.sqlalchemy.api -# * glance.db.registry.api -# * glance.db.simple.api -# -# If this option is set to ``glance.db.sqlalchemy.api`` then the image -# catalog data is stored in and read from the database via the -# SQLAlchemy Core and ORM APIs. -# -# Setting this option to ``glance.db.registry.api`` will force all -# database access requests to be routed through the Registry service. -# This avoids data access from the Glance API nodes for an added layer -# of security, scalability and manageability. -# -# NOTE: In v2 OpenStack Images API, the registry service is optional. -# In order to use the Registry API in v2, the option -# ``enable_v2_registry`` must be set to ``True``. -# -# Finally, when this configuration option is set to -# ``glance.db.simple.api``, image catalog data is stored in and read -# from an in-memory data structure. This is primarily used for testing. -# -# Related options: -# * enable_v2_api -# * enable_v2_registry -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#data_api = glance.db.sqlalchemy.api - # # The default number of results to return for a request. # @@ -455,67 +412,6 @@ # (string value) #user_storage_quota = 0 -# -# Deploy the v2 OpenStack Images API. -# -# When this option is set to ``True``, Glance service will respond -# to requests on registered endpoints conforming to the v2 OpenStack -# Images API. -# -# NOTES: -# * If this option is disabled, then the ``enable_v2_registry`` -# option, which is enabled by default, is also recommended -# to be disabled. -# -# Possible values: -# * True -# * False -# -# Related options: -# * enable_v2_registry -# -# (boolean value) -#enable_v2_api = true - -# -# DEPRECATED FOR REMOVAL -# (boolean value) -#enable_v1_registry = true - -# DEPRECATED: -# Deploy the v2 API Registry service. -# -# When this option is set to ``True``, the Registry service -# will be enabled in Glance for v2 API requests. -# -# NOTES: -# * Use of Registry is optional in v2 API, so this option -# must only be enabled if both ``enable_v2_api`` is set to -# ``True`` and the ``data_api`` option is set to -# ``glance.db.registry.api``. -# -# * If deploying only the v1 OpenStack Images API, this option, -# which is enabled by default, should be disabled. -# -# Possible values: -# * True -# * False -# -# Related options: -# * enable_v2_api -# * data_api -# -# (boolean value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#enable_v2_registry = true - # # Host address of the pydev server. # @@ -720,27 +616,6 @@ # policies - #property_protection_rule_format = roles -# -# List of allowed exception modules to handle RPC exceptions. -# -# Provide a comma separated list of modules whose exceptions are -# permitted to be recreated upon receiving exception data via an RPC -# call made to Glance. The default list includes -# ``glance.common.exception``, ``builtins``, and ``exceptions``. -# -# The RPC protocol permits interaction with Glance via calls across a -# network or within the same system. Including a list of exception -# namespaces with this option enables RPC to propagate the exceptions -# back to the users. -# -# Possible values: -# * A comma separated list of valid exception modules -# -# Related options: -# * None -# (list value) -#allowed_rpc_exception_modules = glance.common.exception,builtins,exceptions - # # IP address to bind the glance servers to. # @@ -1118,355 +993,6 @@ # (list value) #disabled_notifications = -# DEPRECATED: -# Address the registry server is hosted on. -# -# Possible values: -# * A valid IP or hostname -# -# Related options: -# * None -# -# (host address value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_host = 0.0.0.0 - -# DEPRECATED: -# Port the registry server is listening on. -# -# Possible values: -# * A valid port number -# -# Related options: -# * None -# -# (port value) -# Minimum value: 0 -# Maximum value: 65535 -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_port = 9191 - -# DEPRECATED: Whether to pass through the user token when making requests to the -# registry. To prevent failures with token expiration during big files upload, -# it is recommended to set this parameter to False.If "use_user_token" is not in -# effect, then admin credentials can be specified. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#use_user_token = true - -# DEPRECATED: The administrators user name. If "use_user_token" is not in -# effect, then admin credentials can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#admin_user = - -# DEPRECATED: The administrators password. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#admin_password = - -# DEPRECATED: The tenant name of the administrative user. If "use_user_token" is -# not in effect, then admin tenant name can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#admin_tenant_name = - -# DEPRECATED: The URL to the keystone service. If "use_user_token" is not in -# effect and using keystone auth, then URL of keystone can be specified. (string -# value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#auth_url = - -# DEPRECATED: The strategy to use for authentication. If "use_user_token" is not -# in effect, then auth strategy can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#auth_strategy = noauth - -# DEPRECATED: The region for the authentication service. If "use_user_token" is -# not in effect and using keystone auth, then region name can be specified. -# (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#auth_region = - -# DEPRECATED: -# Protocol to use for communication with the registry server. -# -# Provide a string value representing the protocol to use for -# communication with the registry server. By default, this option is -# set to ``http`` and the connection is not secure. -# -# This option can be set to ``https`` to establish a secure connection -# to the registry server. In this case, provide a key to use for the -# SSL connection using the ``registry_client_key_file`` option. Also -# include the CA file and cert file using the options -# ``registry_client_ca_file`` and ``registry_client_cert_file`` -# respectively. -# -# Possible values: -# * http -# * https -# -# Related options: -# * registry_client_key_file -# * registry_client_cert_file -# * registry_client_ca_file -# -# (string value) -# Possible values: -# http - -# https - -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_client_protocol = http - -# DEPRECATED: -# Absolute path to the private key file. -# -# Provide a string value representing a valid absolute path to the -# private key file to use for establishing a secure connection to -# the registry server. -# -# NOTE: This option must be set if ``registry_client_protocol`` is -# set to ``https``. Alternatively, the GLANCE_CLIENT_KEY_FILE -# environment variable may be set to a filepath of the key file. -# -# Possible values: -# * String value representing a valid absolute path to the key -# file. -# -# Related options: -# * registry_client_protocol -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -# -# This option has a sample default set, which means that -# its actual default value may vary from the one documented -# below. -#registry_client_key_file = /etc/ssl/key/key-file.pem - -# DEPRECATED: -# Absolute path to the certificate file. -# -# Provide a string value representing a valid absolute path to the -# certificate file to use for establishing a secure connection to -# the registry server. -# -# NOTE: This option must be set if ``registry_client_protocol`` is -# set to ``https``. Alternatively, the GLANCE_CLIENT_CERT_FILE -# environment variable may be set to a filepath of the certificate -# file. -# -# Possible values: -# * String value representing a valid absolute path to the -# certificate file. -# -# Related options: -# * registry_client_protocol -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -# -# This option has a sample default set, which means that -# its actual default value may vary from the one documented -# below. -#registry_client_cert_file = /etc/ssl/certs/file.crt - -# DEPRECATED: -# Absolute path to the Certificate Authority file. -# -# Provide a string value representing a valid absolute path to the -# certificate authority file to use for establishing a secure -# connection to the registry server. -# -# NOTE: This option must be set if ``registry_client_protocol`` is -# set to ``https``. Alternatively, the GLANCE_CLIENT_CA_FILE -# environment variable may be set to a filepath of the CA file. -# This option is ignored if the ``registry_client_insecure`` option -# is set to ``True``. -# -# Possible values: -# * String value representing a valid absolute path to the CA -# file. -# -# Related options: -# * registry_client_protocol -# * registry_client_insecure -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -# -# This option has a sample default set, which means that -# its actual default value may vary from the one documented -# below. -#registry_client_ca_file = /etc/ssl/cafile/file.ca - -# DEPRECATED: -# Set verification of the registry server certificate. -# -# Provide a boolean value to determine whether or not to validate -# SSL connections to the registry server. By default, this option -# is set to ``False`` and the SSL connections are validated. -# -# If set to ``True``, the connection to the registry server is not -# validated via a certifying authority and the -# ``registry_client_ca_file`` option is ignored. This is the -# registry's equivalent of specifying --insecure on the command line -# using glanceclient for the API. -# -# Possible values: -# * True -# * False -# -# Related options: -# * registry_client_protocol -# * registry_client_ca_file -# -# (boolean value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_client_insecure = false - -# DEPRECATED: -# Timeout value for registry requests. -# -# Provide an integer value representing the period of time in seconds -# that the API server will wait for a registry request to complete. -# The default value is 600 seconds. -# -# A value of 0 implies that a request will never timeout. -# -# Possible values: -# * Zero -# * Positive integer -# -# Related options: -# * None -# -# (integer value) -# Minimum value: 0 -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_client_timeout = 600 - -# -# Send headers received from identity when making requests to -# registry. -# -# Typically, Glance registry can be deployed in multiple flavors, -# which may or may not include authentication. For example, -# ``trusted-auth`` is a flavor that does not require the registry -# service to authenticate the requests it receives. However, the -# registry service may still need a user context to be populated to -# serve the requests. This can be achieved by the caller -# (the Glance API usually) passing through the headers it received -# from authenticating with identity for the same request. The typical -# headers sent are ``X-User-Id``, ``X-Tenant-Id``, ``X-Roles``, -# ``X-Identity-Status`` and ``X-Service-Catalog``. -# -# Provide a boolean value to determine whether to send the identity -# headers to provide tenant and user information along with the -# requests to registry service. By default, this option is set to -# ``False``, which means that user and tenant information is not -# available readily. It must be obtained by authenticating. Hence, if -# this is set to ``False``, ``flavor`` must be set to value that -# either includes authentication or authenticated user context. -# -# Possible values: -# * True -# * False -# -# Related options: -# * flavor -# -# (boolean value) -#send_identity_headers = false - # # The amount of time, in seconds, to delay image scrubbing. # @@ -5639,6 +5165,14 @@ # scope. (boolean value) #enforce_scope = false +# This option controls whether or not to use old deprecated defaults when +# evaluating policies. If ``True``, the old deprecated defaults are not going to +# be evaluated. This means if any existing token is allowed for old defaults but +# is disallowed for new defaults, it will be disallowed. It is encouraged to +# enable this flag along with the ``enforce_scope`` flag so that you can get the +# benefits of new defaults and ``scope_type`` together (boolean value) +#enforce_new_defaults = false + # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value) diff --git a/etc/glance-cache.conf b/etc/glance-cache.conf index f11953ac34..668279ed13 100644 --- a/etc/glance-cache.conf +++ b/etc/glance-cache.conf @@ -117,49 +117,6 @@ # (integer value) #image_location_quota = 10 -# DEPRECATED: -# Python module path of data access API. -# -# Specifies the path to the API to use for accessing the data model. -# This option determines how the image catalog data will be accessed. -# -# Possible values: -# * glance.db.sqlalchemy.api -# * glance.db.registry.api -# * glance.db.simple.api -# -# If this option is set to ``glance.db.sqlalchemy.api`` then the image -# catalog data is stored in and read from the database via the -# SQLAlchemy Core and ORM APIs. -# -# Setting this option to ``glance.db.registry.api`` will force all -# database access requests to be routed through the Registry service. -# This avoids data access from the Glance API nodes for an added layer -# of security, scalability and manageability. -# -# NOTE: In v2 OpenStack Images API, the registry service is optional. -# In order to use the Registry API in v2, the option -# ``enable_v2_registry`` must be set to ``True``. -# -# Finally, when this configuration option is set to -# ``glance.db.simple.api``, image catalog data is stored in and read -# from an in-memory data structure. This is primarily used for testing. -# -# Related options: -# * enable_v2_api -# * enable_v2_registry -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#data_api = glance.db.sqlalchemy.api - # # The default number of results to return for a request. # @@ -336,67 +293,6 @@ # (string value) #user_storage_quota = 0 -# -# Deploy the v2 OpenStack Images API. -# -# When this option is set to ``True``, Glance service will respond -# to requests on registered endpoints conforming to the v2 OpenStack -# Images API. -# -# NOTES: -# * If this option is disabled, then the ``enable_v2_registry`` -# option, which is enabled by default, is also recommended -# to be disabled. -# -# Possible values: -# * True -# * False -# -# Related options: -# * enable_v2_registry -# -# (boolean value) -#enable_v2_api = true - -# -# DEPRECATED FOR REMOVAL -# (boolean value) -#enable_v1_registry = true - -# DEPRECATED: -# Deploy the v2 API Registry service. -# -# When this option is set to ``True``, the Registry service -# will be enabled in Glance for v2 API requests. -# -# NOTES: -# * Use of Registry is optional in v2 API, so this option -# must only be enabled if both ``enable_v2_api`` is set to -# ``True`` and the ``data_api`` option is set to -# ``glance.db.registry.api``. -# -# * If deploying only the v1 OpenStack Images API, this option, -# which is enabled by default, should be disabled. -# -# Possible values: -# * True -# * False -# -# Related options: -# * enable_v2_api -# * data_api -# -# (boolean value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#enable_v2_registry = true - # # Host address of the pydev server. # @@ -656,322 +552,6 @@ # (string value) #image_cache_dir = -# DEPRECATED: -# Address the registry server is hosted on. -# -# Possible values: -# * A valid IP or hostname -# -# Related options: -# * None -# -# (host address value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_host = 0.0.0.0 - -# DEPRECATED: -# Port the registry server is listening on. -# -# Possible values: -# * A valid port number -# -# Related options: -# * None -# -# (port value) -# Minimum value: 0 -# Maximum value: 65535 -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_port = 9191 - -# DEPRECATED: -# Protocol to use for communication with the registry server. -# -# Provide a string value representing the protocol to use for -# communication with the registry server. By default, this option is -# set to ``http`` and the connection is not secure. -# -# This option can be set to ``https`` to establish a secure connection -# to the registry server. In this case, provide a key to use for the -# SSL connection using the ``registry_client_key_file`` option. Also -# include the CA file and cert file using the options -# ``registry_client_ca_file`` and ``registry_client_cert_file`` -# respectively. -# -# Possible values: -# * http -# * https -# -# Related options: -# * registry_client_key_file -# * registry_client_cert_file -# * registry_client_ca_file -# -# (string value) -# Possible values: -# http - -# https - -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_client_protocol = http - -# DEPRECATED: -# Absolute path to the private key file. -# -# Provide a string value representing a valid absolute path to the -# private key file to use for establishing a secure connection to -# the registry server. -# -# NOTE: This option must be set if ``registry_client_protocol`` is -# set to ``https``. Alternatively, the GLANCE_CLIENT_KEY_FILE -# environment variable may be set to a filepath of the key file. -# -# Possible values: -# * String value representing a valid absolute path to the key -# file. -# -# Related options: -# * registry_client_protocol -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -# -# This option has a sample default set, which means that -# its actual default value may vary from the one documented -# below. -#registry_client_key_file = /etc/ssl/key/key-file.pem - -# DEPRECATED: -# Absolute path to the certificate file. -# -# Provide a string value representing a valid absolute path to the -# certificate file to use for establishing a secure connection to -# the registry server. -# -# NOTE: This option must be set if ``registry_client_protocol`` is -# set to ``https``. Alternatively, the GLANCE_CLIENT_CERT_FILE -# environment variable may be set to a filepath of the certificate -# file. -# -# Possible values: -# * String value representing a valid absolute path to the -# certificate file. -# -# Related options: -# * registry_client_protocol -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -# -# This option has a sample default set, which means that -# its actual default value may vary from the one documented -# below. -#registry_client_cert_file = /etc/ssl/certs/file.crt - -# DEPRECATED: -# Absolute path to the Certificate Authority file. -# -# Provide a string value representing a valid absolute path to the -# certificate authority file to use for establishing a secure -# connection to the registry server. -# -# NOTE: This option must be set if ``registry_client_protocol`` is -# set to ``https``. Alternatively, the GLANCE_CLIENT_CA_FILE -# environment variable may be set to a filepath of the CA file. -# This option is ignored if the ``registry_client_insecure`` option -# is set to ``True``. -# -# Possible values: -# * String value representing a valid absolute path to the CA -# file. -# -# Related options: -# * registry_client_protocol -# * registry_client_insecure -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -# -# This option has a sample default set, which means that -# its actual default value may vary from the one documented -# below. -#registry_client_ca_file = /etc/ssl/cafile/file.ca - -# DEPRECATED: -# Set verification of the registry server certificate. -# -# Provide a boolean value to determine whether or not to validate -# SSL connections to the registry server. By default, this option -# is set to ``False`` and the SSL connections are validated. -# -# If set to ``True``, the connection to the registry server is not -# validated via a certifying authority and the -# ``registry_client_ca_file`` option is ignored. This is the -# registry's equivalent of specifying --insecure on the command line -# using glanceclient for the API. -# -# Possible values: -# * True -# * False -# -# Related options: -# * registry_client_protocol -# * registry_client_ca_file -# -# (boolean value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_client_insecure = false - -# DEPRECATED: -# Timeout value for registry requests. -# -# Provide an integer value representing the period of time in seconds -# that the API server will wait for a registry request to complete. -# The default value is 600 seconds. -# -# A value of 0 implies that a request will never timeout. -# -# Possible values: -# * Zero -# * Positive integer -# -# Related options: -# * None -# -# (integer value) -# Minimum value: 0 -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#registry_client_timeout = 600 - -# DEPRECATED: Whether to pass through the user token when making requests to the -# registry. To prevent failures with token expiration during big files upload, -# it is recommended to set this parameter to False.If "use_user_token" is not in -# effect, then admin credentials can be specified. (boolean value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#use_user_token = true - -# DEPRECATED: The administrators user name. If "use_user_token" is not in -# effect, then admin credentials can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#admin_user = - -# DEPRECATED: The administrators password. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#admin_password = - -# DEPRECATED: The tenant name of the administrative user. If "use_user_token" is -# not in effect, then admin tenant name can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#admin_tenant_name = - -# DEPRECATED: The URL to the keystone service. If "use_user_token" is not in -# effect and using keystone auth, then URL of keystone can be specified. (string -# value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#auth_url = - -# DEPRECATED: The strategy to use for authentication. If "use_user_token" is not -# in effect, then auth strategy can be specified. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#auth_strategy = noauth - -# DEPRECATED: The region for the authentication service. If "use_user_token" is -# not in effect and using keystone auth, then region name can be specified. -# (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: This option was considered harmful and has been deprecated in M -# release. It will be removed in O release. For more information read OSSN-0060. -# Related functionality with uploading big images has been implemented with -# Keystone trusts support. -#auth_region = - # # From oslo.log # @@ -2716,6 +2296,14 @@ # scope. (boolean value) #enforce_scope = false +# This option controls whether or not to use old deprecated defaults when +# evaluating policies. If ``True``, the old deprecated defaults are not going to +# be evaluated. This means if any existing token is allowed for old defaults but +# is disallowed for new defaults, it will be disallowed. It is encouraged to +# enable this flag along with the ``enforce_scope`` flag so that you can get the +# benefits of new defaults and ``scope_type`` together (boolean value) +#enforce_new_defaults = false + # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value) diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf index 60342514b2..0dd3713950 100644 --- a/etc/glance-scrubber.conf +++ b/etc/glance-scrubber.conf @@ -117,49 +117,6 @@ # (integer value) #image_location_quota = 10 -# DEPRECATED: -# Python module path of data access API. -# -# Specifies the path to the API to use for accessing the data model. -# This option determines how the image catalog data will be accessed. -# -# Possible values: -# * glance.db.sqlalchemy.api -# * glance.db.registry.api -# * glance.db.simple.api -# -# If this option is set to ``glance.db.sqlalchemy.api`` then the image -# catalog data is stored in and read from the database via the -# SQLAlchemy Core and ORM APIs. -# -# Setting this option to ``glance.db.registry.api`` will force all -# database access requests to be routed through the Registry service. -# This avoids data access from the Glance API nodes for an added layer -# of security, scalability and manageability. -# -# NOTE: In v2 OpenStack Images API, the registry service is optional. -# In order to use the Registry API in v2, the option -# ``enable_v2_registry`` must be set to ``True``. -# -# Finally, when this configuration option is set to -# ``glance.db.simple.api``, image catalog data is stored in and read -# from an in-memory data structure. This is primarily used for testing. -# -# Related options: -# * enable_v2_api -# * enable_v2_registry -# -# (string value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#data_api = glance.db.sqlalchemy.api - # # The default number of results to return for a request. # @@ -336,67 +293,6 @@ # (string value) #user_storage_quota = 0 -# -# Deploy the v2 OpenStack Images API. -# -# When this option is set to ``True``, Glance service will respond -# to requests on registered endpoints conforming to the v2 OpenStack -# Images API. -# -# NOTES: -# * If this option is disabled, then the ``enable_v2_registry`` -# option, which is enabled by default, is also recommended -# to be disabled. -# -# Possible values: -# * True -# * False -# -# Related options: -# * enable_v2_registry -# -# (boolean value) -#enable_v2_api = true - -# -# DEPRECATED FOR REMOVAL -# (boolean value) -#enable_v1_registry = true - -# DEPRECATED: -# Deploy the v2 API Registry service. -# -# When this option is set to ``True``, the Registry service -# will be enabled in Glance for v2 API requests. -# -# NOTES: -# * Use of Registry is optional in v2 API, so this option -# must only be enabled if both ``enable_v2_api`` is set to -# ``True`` and the ``data_api`` option is set to -# ``glance.db.registry.api``. -# -# * If deploying only the v1 OpenStack Images API, this option, -# which is enabled by default, should be disabled. -# -# Possible values: -# * True -# * False -# -# Related options: -# * enable_v2_api -# * data_api -# -# (boolean value) -# This option is deprecated for removal since Queens. -# Its value may be silently ignored in the future. -# Reason: -# Glance registry service is deprecated for removal. -# -# More information can be found from the spec: -# http://specs.openstack.org/openstack/glance- -# specs/specs/queens/approved/glance/deprecate-registry.html -#enable_v2_registry = true - # # Host address of the pydev server. # @@ -2525,6 +2421,14 @@ # scope. (boolean value) #enforce_scope = false +# This option controls whether or not to use old deprecated defaults when +# evaluating policies. If ``True``, the old deprecated defaults are not going to +# be evaluated. This means if any existing token is allowed for old defaults but +# is disallowed for new defaults, it will be disallowed. It is encouraged to +# enable this flag along with the ``enforce_scope`` flag so that you can get the +# benefits of new defaults and ``scope_type`` together (boolean value) +#enforce_new_defaults = false + # The relative or absolute path of a file that maps roles to permissions for a # given service. Relative paths must be specified in relation to the # configuration file setting this option. (string value)