config-ref: keystone tables update

Change-Id: I0a4238052b65880e0da4f28268d00349765899fc
Gauvain Pocentek 2015-04-24 12:49:33 +02:00
parent 01cb8e9e3d
commit 6953de9caa
24 changed files with 380 additions and 193 deletions

@ -17,14 +17,6 @@
<tr>
<th colspan="2">[DEFAULT]</th>
</tr>
<tr>
<td><option>amqp_auto_delete</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Auto-delete queues in AMQP.</td>
</tr>
<tr>
<td><option>amqp_durable_queues</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Use durable queues in AMQP.</td>
</tr>
<tr>
<td><option>control_exchange</option> = <replaceable>keystone</replaceable></td>
<td>(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.</td>
@ -35,7 +27,11 @@
</tr>
<tr>
<td><option>notification_driver</option> = <replaceable>[]</replaceable></td>
<td>(MultiStrOpt) Driver or drivers to handle sending notifications.</td>
<td>(MultiStrOpt) The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing,log, test, noop</td>
</tr>
<tr>
<td><option>notification_format</option> = <replaceable>basic</replaceable></td>
<td>(StrOpt) Define the notification format for Identity Service events. A "basic" notification has information about the resource being operated on. A "cadf" notification has the same information, as well as information about the initiator of the event.</td>
</tr>
<tr>
<td><option>notification_topics</option> = <replaceable>notifications</replaceable></td>

@ -17,26 +17,14 @@
<tr>
<th colspan="2">[DEFAULT]</th>
</tr>
<tr>
<td><option>admin_bind_host</option> = <replaceable>0.0.0.0</replaceable></td>
<td>(StrOpt) The IP address of the network interface for the admin service to listen on.</td>
</tr>
<tr>
<td><option>admin_endpoint</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:35357/v3/users will default to http://server:35357. You should only need to set this value if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found on a different server.</td>
</tr>
<tr>
<td><option>admin_port</option> = <replaceable>35357</replaceable></td>
<td>(IntOpt) The port number which the admin service listens on.</td>
</tr>
<tr>
<td><option>admin_token</option> = <replaceable>ADMIN</replaceable></td>
<td>(StrOpt) A "shared secret" that can be used to bootstrap Keystone. This "token" does not represent a user, and carries no explicit authorization. To disable in production (highly recommended), remove AdminTokenAuthMiddleware from your paste application pipelines (for example, in keystone-paste.ini).</td>
</tr>
<tr>
<td><option>admin_workers</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The number of worker processes to serve the admin WSGI application. Defaults to number of CPUs (minimum of 2).</td>
</tr>
<tr>
<td><option>compute_port</option> = <replaceable>8774</replaceable></td>
<td>(IntOpt) (Deprecated) The port which the OpenStack Compute service listens on. This option was only used for string replacement in the templated catalog backend. Templated catalogs should replace the "$(compute_port)s" substitution with the static port of the compute service. As of Juno, this option is deprecated and will be removed in the L release.</td>
@ -57,10 +45,6 @@
<td><option>max_project_tree_depth</option> = <replaceable>5</replaceable></td>
<td>(IntOpt) Maximum depth of the project hierarchy. WARNING: setting it to a large value may adversely impact performance.</td>
</tr>
<tr>
<td><option>max_request_body_size</option> = <replaceable>114688</replaceable></td>
<td>(IntOpt) Enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter).</td>
</tr>
<tr>
<td><option>max_token_size</option> = <replaceable>8192</replaceable></td>
<td>(IntOpt) Similar to max_param_size, but provides an exception for token values.</td>
@ -73,34 +57,18 @@
<td><option>member_role_name</option> = <replaceable>_member_</replaceable></td>
<td>(StrOpt) This is the role name used in combination with the member_role_id option; see that option for more detail.</td>
</tr>
<tr>
<td><option>public_bind_host</option> = <replaceable>0.0.0.0</replaceable></td>
<td>(StrOpt) The IP address of the network interface for the public service to listen on.</td>
</tr>
<tr>
<td><option>public_endpoint</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:5000/v3/users will default to http://server:5000. You should only need to set this value if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be found on a different server.</td>
</tr>
<tr>
<td><option>public_port</option> = <replaceable>5000</replaceable></td>
<td>(IntOpt) The port number which the public service listens on.</td>
</tr>
<tr>
<td><option>public_workers</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The number of worker processes to serve the public WSGI application. Defaults to number of CPUs (minimum of 2).</td>
<td><option>secure_proxy_ssl_header</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. Typical value is "HTTP_X_FORWARDED_PROTO".</td>
</tr>
<tr>
<td><option>strict_password_check</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length.</td>
</tr>
<tr>
<td><option>tcp_keepalive</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. sockets used by the Keystone wsgi server for client connections.</td>
</tr>
<tr>
<td><option>tcp_keepidle</option> = <replaceable>600</replaceable></td>
<td>(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only applies if tcp_keepalive is true.</td>
</tr>
<tr>
<th colspan="2">[endpoint_filter]</th>
</tr>
@ -119,6 +87,41 @@
<td><option>driver</option> = <replaceable>keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy</replaceable></td>
<td>(StrOpt) Endpoint policy backend driver</td>
</tr>
<tr>
<th colspan="2">[eventlet_server]</th>
</tr>
<tr>
<td><option>admin_bind_host</option> = <replaceable>0.0.0.0</replaceable></td>
<td>(StrOpt) The IP address of the network interface for the admin service to listen on.</td>
</tr>
<tr>
<td><option>admin_port</option> = <replaceable>35357</replaceable></td>
<td>(IntOpt) The port number which the admin service listens on.</td>
</tr>
<tr>
<td><option>admin_workers</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The number of worker processes to serve the admin eventlet application. Defaults to number of CPUs (minimum of 2).</td>
</tr>
<tr>
<td><option>public_bind_host</option> = <replaceable>0.0.0.0</replaceable></td>
<td>(StrOpt) The IP address of the network interface for the public service to listen on.</td>
</tr>
<tr>
<td><option>public_port</option> = <replaceable>5000</replaceable></td>
<td>(IntOpt) The port number which the public service listens on.</td>
</tr>
<tr>
<td><option>public_workers</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) The number of worker processes to serve the public eventlet application. Defaults to number of CPUs (minimum of 2).</td>
</tr>
<tr>
<td><option>tcp_keepalive</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. sockets used by the Keystone wsgi server for client connections.</td>
</tr>
<tr>
<td><option>tcp_keepidle</option> = <replaceable>600</replaceable></td>
<td>(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only applies if tcp_keepalive is true.</td>
</tr>
<tr>
<th colspan="2">[paste_deploy]</th>
</tr>
@ -126,6 +129,25 @@
<td><option>config_file</option> = <replaceable>keystone-paste.ini</replaceable></td>
<td>(StrOpt) Name of the paste configuration file that defines the available pipelines.</td>
</tr>
<tr>
<th colspan="2">[resource]</th>
</tr>
<tr>
<td><option>cache_time</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) TTL (in seconds) to cache resource data. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>caching</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle for resource caching. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>driver</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Resource backend driver. If a resource driver is not specified, the assignment driver will choose the resource driver.</td>
</tr>
<tr>
<td><option>list_limit</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) Maximum number of entities that will be returned in a resource collection.</td>
</tr>
</tbody>
</table>
</para>

@ -17,22 +17,10 @@
<tr>
<th colspan="2">[assignment]</th>
</tr>
<tr>
<td><option>cache_time</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) TTL (in seconds) to cache assignment data. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>caching</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle for assignment caching. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>driver</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Assignment backend driver.</td>
</tr>
<tr>
<td><option>list_limit</option> = <replaceable>None</replaceable></td>
<td>(IntOpt) Maximum number of entities that will be returned in an assignment collection.</td>
</tr>
</tbody>
</table>
</para>

@ -22,9 +22,13 @@
<td>(StrOpt) The external (REMOTE_USER) auth plugin module.</td>
</tr>
<tr>
<td><option>methods</option> = <replaceable>external, password, token</replaceable></td>
<td><option>methods</option> = <replaceable>external, password, token, oauth1</replaceable></td>
<td>(ListOpt) Default auth methods.</td>
</tr>
<tr>
<td><option>oauth1</option> = <replaceable>keystone.auth.plugins.oauth1.OAuth</replaceable></td>
<td>(StrOpt) The oAuth1.0 auth plugin module.</td>
</tr>
<tr>
<td><option>password</option> = <replaceable>keystone.auth.plugins.password.Password</replaceable></td>
<td>(StrOpt) The password auth plugin module.</td>

@ -41,6 +41,10 @@
<td><option>auth_host</option> = <replaceable>127.0.0.1</replaceable></td>
<td>(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.</td>
</tr>
<tr>
<td><option>auth_plugin</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Name of the plugin to load</td>
</tr>
<tr>
<td><option>auth_port</option> = <replaceable>35357</replaceable></td>
<td>(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.</td>
@ -49,6 +53,10 @@
<td><option>auth_protocol</option> = <replaceable>https</replaceable></td>
<td>(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.</td>
</tr>
<tr>
<td><option>auth_section</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Config Section from which to load plugin specific options</td>
</tr>
<tr>
<td><option>auth_uri</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Complete public Identity API endpoint.</td>
@ -109,6 +117,26 @@
<td><option>keyfile</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Required if identity server requires client certificate</td>
</tr>
<tr>
<td><option>memcache_pool_conn_get_timeout</option> = <replaceable>10</replaceable></td>
<td>(IntOpt) (Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.</td>
</tr>
<tr>
<td><option>memcache_pool_dead_retry</option> = <replaceable>300</replaceable></td>
<td>(IntOpt) (Optional) Number of seconds memcached server is considered dead before it is tried again.</td>
</tr>
<tr>
<td><option>memcache_pool_maxsize</option> = <replaceable>10</replaceable></td>
<td>(IntOpt) (Optional) Maximum total number of open connections to every memcached server.</td>
</tr>
<tr>
<td><option>memcache_pool_socket_timeout</option> = <replaceable>3</replaceable></td>
<td>(IntOpt) (Optional) Socket timeout in seconds for communicating with a memcached server.</td>
</tr>
<tr>
<td><option>memcache_pool_unused_timeout</option> = <replaceable>60</replaceable></td>
<td>(IntOpt) (Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.</td>
</tr>
<tr>
<td><option>memcache_secret_key</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) (Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.</td>
@ -117,6 +145,10 @@
<td><option>memcache_security_strategy</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) (Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
</tr>
<tr>
<td><option>memcache_use_advanced_pool</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) (Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.</td>
</tr>
<tr>
<td><option>revocation_cache_time</option> = <replaceable>10</replaceable></td>
<td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>

@ -14,6 +14,29 @@
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[eventlet_server_ssl]</th>
</tr>
<tr>
<td><option>ca_certs</option> = <replaceable>/etc/keystone/ssl/certs/ca.pem</replaceable></td>
<td>(StrOpt) Path of the CA cert file for SSL.</td>
</tr>
<tr>
<td><option>cert_required</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Require client certificate.</td>
</tr>
<tr>
<td><option>certfile</option> = <replaceable>/etc/keystone/ssl/certs/keystone.pem</replaceable></td>
<td>(StrOpt) Path of the certfile for SSL. For non-production environments, you may be interested in using `keystone-manage ssl_setup` to generate self-signed certificates.</td>
</tr>
<tr>
<td><option>enable</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Toggle for SSL support on the Keystone eventlet servers.</td>
</tr>
<tr>
<td><option>keyfile</option> = <replaceable>/etc/keystone/ssl/private/keystonekey.pem</replaceable></td>
<td>(StrOpt) Path of the keyfile for SSL.</td>
</tr>
<tr>
<th colspan="2">[signing]</th>
</tr>
@ -41,10 +64,6 @@
<td><option>keyfile</option> = <replaceable>/etc/keystone/ssl/private/signing_key.pem</replaceable></td>
<td>(StrOpt) Path of the keyfile for token signing.</td>
</tr>
<tr>
<td><option>token_format</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Deprecated in favor of provider in the [token] section.</td>
</tr>
<tr>
<td><option>valid_days</option> = <replaceable>3650</replaceable></td>
<td>(IntOpt) Days the token signing cert is valid for (auto generated certificate).</td>
@ -52,38 +71,18 @@
<tr>
<th colspan="2">[ssl]</th>
</tr>
<tr>
<td><option>ca_certs</option> = <replaceable>/etc/keystone/ssl/certs/ca.pem</replaceable></td>
<td>(StrOpt) Path of the CA cert file for SSL.</td>
</tr>
<tr>
<td><option>ca_key</option> = <replaceable>/etc/keystone/ssl/private/cakey.pem</replaceable></td>
<td>(StrOpt) Path of the CA key file for SSL.</td>
</tr>
<tr>
<td><option>cert_required</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Require client certificate.</td>
</tr>
<tr>
<td><option>cert_subject</option> = <replaceable>/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost</replaceable></td>
<td>(StrOpt) SSL certificate subject (auto generated certificate).</td>
</tr>
<tr>
<td><option>certfile</option> = <replaceable>/etc/keystone/ssl/certs/keystone.pem</replaceable></td>
<td>(StrOpt) Path of the certfile for SSL. For non-production environments, you may be interested in using `keystone-manage ssl_setup` to generate self-signed certificates.</td>
</tr>
<tr>
<td><option>enable</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Toggle for SSL support on the Keystone eventlet servers.</td>
</tr>
<tr>
<td><option>key_size</option> = <replaceable>1024</replaceable></td>
<td>(IntOpt) SSL key length (in bits) (auto generated certificate).</td>
</tr>
<tr>
<td><option>keyfile</option> = <replaceable>/etc/keystone/ssl/private/keystonekey.pem</replaceable></td>
<td>(StrOpt) Path of the keyfile for SSL.</td>
</tr>
<tr>
<td><option>valid_days</option> = <replaceable>3650</replaceable></td>
<td>(IntOpt) Days the certificate is valid for once signed (auto generated certificate).</td>

@ -0,0 +1,34 @@
<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
<!-- Warning: Do not edit this file. It is automatically
generated and your changes will be overwritten.
The tool to do so lives in openstack-doc-tools repository. -->
<table rules="all" xml:id="config_table_keystone_domain">
<caption>Description of domain configuration options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<th>Configuration option = Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[domain_config]</th>
</tr>
<tr>
<td><option>cache_time</option> = <replaceable>300</replaceable></td>
<td>(IntOpt) TTL (in seconds) to cache domain config data. This has no effect unless domain config caching is enabled.</td>
</tr>
<tr>
<td><option>caching</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle for domain config caching. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>driver</option> = <replaceable>keystone.resource.config_backends.sql.DomainConfig</replaceable></td>
<td>(StrOpt) Domain config backend driver.</td>
</tr>
</tbody>
</table>
</para>

@ -25,6 +25,22 @@
<td><option>driver</option> = <replaceable>keystone.contrib.federation.backends.sql.Federation</replaceable></td>
<td>(StrOpt) Federation backend driver.</td>
</tr>
<tr>
<td><option>federated_domain_name</option> = <replaceable>Federated</replaceable></td>
<td>(StrOpt) A domain name that is reserved to allow federated ephemeral users to have a domain concept. Note that an admin will not be able to create a domain with this name or update an existing domain to this name. You are not advised to change this value unless you really have to. Changing this option to empty string or None will not have any impact and default name will be used.</td>
</tr>
<tr>
<td><option>remote_id_attribute</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Value to be used to obtain the entity ID of the Identity Provider from the environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-Provider`).</td>
</tr>
<tr>
<td><option>sso_callback_template</option> = <replaceable>/etc/keystone/sso_callback_template.html</replaceable></td>
<td>(StrOpt) Location of Single Sign-On callback handler, will return a token to a trusted dashboard host.</td>
</tr>
<tr>
<td><option>trusted_dashboard</option> = <replaceable>[]</replaceable></td>
<td>(MultiStrOpt) A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of the trusted_dashboard list. This configuration option may be repeated for multiple values. For example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com</td>
</tr>
</tbody>
</table>
</para>

@ -0,0 +1,30 @@
<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
<!-- Warning: Do not edit this file. It is automatically
generated and your changes will be overwritten.
The tool to do so lives in openstack-doc-tools repository. -->
<table rules="all" xml:id="config_table_keystone_fernet_tokens">
<caption>Description of Fernet tokens configuration options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<th>Configuration option = Default value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<th colspan="2">[fernet_tokens]</th>
</tr>
<tr>
<td><option>key_repository</option> = <replaceable>/etc/keystone/fernet-keys/</replaceable></td>
<td>(StrOpt) Directory containing Fernet token keys.</td>
</tr>
<tr>
<td><option>max_active_keys</option> = <replaceable>3</replaceable></td>
<td>(IntOpt) This controls how many keys are held in rotation by keystone-manage fernet_rotate before they are discarded. The default value of 3 means that keystone will maintain one staged key, one primary key, and one secondary key. Increasing this value means that additional secondary keys will be kept in the rotation.</td>
</tr>
</tbody>
</table>
</para>

@ -17,6 +17,14 @@
<tr>
<th colspan="2">[identity]</th>
</tr>
<tr>
<td><option>cache_time</option> = <replaceable>600</replaceable></td>
<td>(IntOpt) Time to cache identity data (in seconds). This has no effect unless global and identity caching are enabled.</td>
</tr>
<tr>
<td><option>caching</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle for identity caching. This has no effect unless global caching is enabled.</td>
</tr>
<tr>
<td><option>default_domain_id</option> = <replaceable>default</replaceable></td>
<td>(StrOpt) This references the domain to use for all Identity API v2 requests (which are not aware of domains). A domain with this ID will be created for you by keystone-manage db_sync in migration 008. The domain referenced by this ID cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. There is nothing special about this domain, other than the fact that it must exist to order to maintain support for your v2 clients.</td>
@ -25,9 +33,13 @@
<td><option>domain_config_dir</option> = <replaceable>/etc/keystone/domains</replaceable></td>
<td>(StrOpt) Path for Keystone to locate the domain specific identity configuration files if domain_specific_drivers_enabled is set to true.</td>
</tr>
<tr>
<td><option>domain_configurations_from_database</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Extract the domain specific configuration options from the resource backend where they have been stored with the domain data. This feature is disabled by default (in which case the domain specific options will be loaded from files in the domain configuration directory); set to true to enable.</td>
</tr>
<tr>
<td><option>domain_specific_drivers_enabled</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) A subset (or all) of domains can have their own identity driver, each with their own partial configuration file in a domain configuration directory. Only values specific to the domain need to be placed in the domain specific configuration file. This feature is disabled by default; set to true to enable.</td>
<td>(BoolOpt) A subset (or all) of domains can have their own identity driver, each with their own partial configuration options, stored in either the resource backend or in a file in a domain configuration directory (depending on the setting of domain_configurations_from_database). Only values specific to the domain need to be specified in this manner. This feature is disabled by default; set to true to enable.</td>
</tr>
<tr>
<td><option>driver</option> = <replaceable>keystone.identity.backends.sql.Identity</replaceable></td>

@ -27,7 +27,7 @@
</tr>
<tr>
<td><option>default_lock_timeout</option> = <replaceable>5</replaceable></td>
<td>(IntOpt) Default lock timeout for distributed locking.</td>
<td>(IntOpt) Default lock timeout (in seconds) for distributed locking.</td>
</tr>
<tr>
<td><option>enable_key_mangler</option> = <replaceable>True</replaceable></td>

@ -19,7 +19,7 @@
</tr>
<tr>
<td><option>alias_dereferencing</option> = <replaceable>default</replaceable></td>
<td>(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.</td>
<td>(StrOpt) The LDAP dereferencing option for queries. The "default" option falls back to using default dereferencing configured by your ldap.conf.</td>
</tr>
<tr>
<td><option>allow_subtree_delete</option> = <replaceable>False</replaceable></td>
@ -187,7 +187,7 @@
</tr>
<tr>
<td><option>query_scope</option> = <replaceable>one</replaceable></td>
<td>(StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).</td>
<td>(StrOpt) The LDAP scope for queries, "one" represents oneLevel/singleLevel and "sub" represents subtree/wholeSubtree options.</td>
</tr>
<tr>
<td><option>role_additional_attribute_mapping</option> = <replaceable></replaceable></td>
@ -247,7 +247,7 @@
</tr>
<tr>
<td><option>tls_req_cert</option> = <replaceable>demand</replaceable></td>
<td>(StrOpt) Valid options for tls_req_cert are demand, never, and allow.</td>
<td>(StrOpt) Specifies what checks to perform on client certificates in an incoming TLS session.</td>
</tr>
<tr>
<td><option>url</option> = <replaceable>ldap://localhost</replaceable></td>

@ -22,7 +22,7 @@
<td>(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).</td>
</tr>
<tr>
<td><option>default_log_levels</option> = <replaceable>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN</replaceable></td>
<td><option>default_log_levels</option> = <replaceable>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN</replaceable></td>
<td>(ListOpt) List of logger=LEVEL pairs.</td>
</tr>
<tr>
@ -81,17 +81,17 @@
<td><option>syslog_log_facility</option> = <replaceable>LOG_USER</replaceable></td>
<td>(StrOpt) Syslog facility to receive log lines.</td>
</tr>
<tr>
<td><option>use_stderr</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Log output to standard error.</td>
</tr>
<tr>
<td><option>use_syslog</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.</td>
</tr>
<tr>
<td><option>use_syslog_rfc_format</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.</td>
<td><option>use_syslog_rfc_format</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in K, and will be removed in L, along with this option.</td>
</tr>
<tr>
<td><option>use_stderr</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Log output to standard error.</td>
</tr>
<tr>
<td><option>verbose</option> = <replaceable>False</replaceable></td>

@ -15,7 +15,7 @@
</thead>
<tbody>
<tr>
<th colspan="2">[DEFAULT]</th>
<th colspan="2">[oslo_policy]</th>
</tr>
<tr>
<td><option>policy_default_rule</option> = <replaceable>default</replaceable></td>
@ -23,7 +23,7 @@
</tr>
<tr>
<td><option>policy_dirs</option> = <replaceable>['policy.d']</replaceable></td>
<td>(MultiStrOpt) Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched.</td>
<td>(MultiStrOpt) Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.</td>
</tr>
<tr>
<td><option>policy_file</option> = <replaceable>policy.json</replaceable></td>

@ -15,7 +15,15 @@
</thead>
<tbody>
<tr>
<th colspan="2">[DEFAULT]</th>
<th colspan="2">[oslo_messaging_qpid]</th>
</tr>
<tr>
<td><option>amqp_auto_delete</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Auto-delete queues in AMQP.</td>
</tr>
<tr>
<td><option>amqp_durable_queues</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Use durable queues in AMQP.</td>
</tr>
<tr>
<td><option>qpid_heartbeat</option> = <replaceable>60</replaceable></td>
@ -61,6 +69,10 @@
<td><option>qpid_username</option> = <replaceable></replaceable></td>
<td>(StrOpt) Username for Qpid connection.</td>
</tr>
<tr>
<td><option>rpc_conn_pool_size</option> = <replaceable>30</replaceable></td>
<td>(IntOpt) Size of RPC connection pool.</td>
</tr>
</tbody>
</table>
</para>

@ -15,7 +15,27 @@
</thead>
<tbody>
<tr>
<th colspan="2">[DEFAULT]</th>
<th colspan="2">[oslo_messaging_rabbit]</th>
</tr>
<tr>
<td><option>amqp_auto_delete</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Auto-delete queues in AMQP.</td>
</tr>
<tr>
<td><option>amqp_durable_queues</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Use durable queues in AMQP.</td>
</tr>
<tr>
<td><option>fake_rabbit</option> = <replaceable>False</replaceable></td>
<td>(BoolOpt) Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake</td>
</tr>
<tr>
<td><option>heartbeat_rate</option> = <replaceable>2</replaceable></td>
<td>(IntOpt) How often times during the heartbeat_timeout_threshold we check the heartbeat.</td>
</tr>
<tr>
<td><option>heartbeat_timeout_threshold</option> = <replaceable>60</replaceable></td>
<td>(IntOpt) Number of seconds after which the Rabbit broker is considered down if heartbeat's keep-alive fails (0 disable the heartbeat).</td>
</tr>
<tr>
<td><option>kombu_reconnect_delay</option> = <replaceable>1.0</replaceable></td>
@ -35,7 +55,7 @@
</tr>
<tr>
<td><option>kombu_ssl_version</option> = <replaceable></replaceable></td>
<td>(StrOpt) SSL version to use (valid only if SSL enabled). valid values are TLSv1 and SSLv23. SSLv2 and SSLv3 may be available on some distributions.</td>
<td>(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.</td>
</tr>
<tr>
<td><option>rabbit_ha_queues</option> = <replaceable>False</replaceable></td>
@ -85,6 +105,10 @@
<td><option>rabbit_virtual_host</option> = <replaceable>/</replaceable></td>
<td>(StrOpt) The RabbitMQ virtual host.</td>
</tr>
<tr>
<td><option>rpc_conn_pool_size</option> = <replaceable>30</replaceable></td>
<td>(IntOpt) Size of RPC connection pool.</td>
</tr>
</tbody>
</table>
</para>

@ -17,6 +17,10 @@
<tr>
<th colspan="2">[revoke]</th>
</tr>
<tr>
<td><option>cache_time</option> = <replaceable>3600</replaceable></td>
<td>(IntOpt) Time to cache the revocation list and the revocation events (in seconds). This has no effect unless global and token caching are enabled.</td>
</tr>
<tr>
<td><option>caching</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Toggle for revocation event caching. This has no effect unless global caching is enabled.</td>

@ -33,17 +33,13 @@
<td><option>rpc_cast_timeout</option> = <replaceable>30</replaceable></td>
<td>(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.</td>
</tr>
<tr>
<td><option>rpc_conn_pool_size</option> = <replaceable>30</replaceable></td>
<td>(IntOpt) Size of RPC connection pool.</td>
</tr>
<tr>
<td><option>rpc_response_timeout</option> = <replaceable>60</replaceable></td>
<td>(IntOpt) Seconds to wait for a response from a call.</td>
</tr>
<tr>
<td><option>rpc_thread_pool_size</option> = <replaceable>64</replaceable></td>
<td>(IntOpt) Size of RPC greenthread pool.</td>
<td>(IntOpt) Size of RPC thread pool.</td>
</tr>
<tr>
<th colspan="2">[oslo_messaging_amqp]</th>
@ -74,7 +70,7 @@
</tr>
<tr>
<td><option>ssl_ca_file</option> = <replaceable></replaceable></td>
<td>(StrOpt) CA certificate PEM file for verifing server certificate</td>
<td>(StrOpt) CA certificate PEM file to verify server certificate</td>
</tr>
<tr>
<td><option>ssl_cert_file</option> = <replaceable></replaceable></td>

@ -47,7 +47,7 @@
</tr>
<tr>
<td><option>idp_contact_type</option> = <replaceable>other</replaceable></td>
<td>(StrOpt) Contact type. Allowed values are: technical, support, administrative billing, and other</td>
<td>(StrOpt) The contact type describing the main point of contact for the identity provider.</td>
</tr>
<tr>
<td><option>idp_entity_id</option> = <replaceable>None</replaceable></td>
@ -81,6 +81,10 @@
<td><option>keyfile</option> = <replaceable>/etc/keystone/ssl/private/signing_key.pem</replaceable></td>
<td>(StrOpt) Path of the keyfile for SAML signing. Note, the path cannot contain a comma.</td>
</tr>
<tr>
<td><option>relay_state_prefix</option> = <replaceable>ss:mem:</replaceable></td>
<td>(StrOpt) The prefix to use for the RelayState SAML attribute, used when generating ECP wrapped assertions.</td>
</tr>
<tr>
<td><option>xmlsec1_binary</option> = <replaceable>xmlsec1</replaceable></td>
<td>(StrOpt) Binary to be called for XML signing. Install the appropriate package, specify absolute path or adjust your PATH environment variable if the binary cannot be found.</td>

@ -17,6 +17,10 @@
<tr>
<th colspan="2">[token]</th>
</tr>
<tr>
<td><option>allow_rescope_scoped_token</option> = <replaceable>True</replaceable></td>
<td>(BoolOpt) Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false prevents a user from exchanging a scoped token for any other token.</td>
</tr>
<tr>
<td><option>bind</option> = <replaceable></replaceable></td>
<td>(ListOpt) External auth mechanisms that should add bind information to token, e.g., kerberos,x509.</td>
@ -46,12 +50,8 @@
<td>(StrOpt) The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly.</td>
</tr>
<tr>
<td><option>provider</option> = <replaceable>None</replaceable></td>
<td>(StrOpt) Controls the token construction, validation, and revocation operations. Core providers are "keystone.token.providers.[pkiz|pki|uuid].Provider". The default provider is uuid.</td>
</tr>
<tr>
<td><option>revocation_cache_time</option> = <replaceable>3600</replaceable></td>
<td>(IntOpt) Time to cache the revocation list and the revocation events if revoke extension is enabled (in seconds). This has no effect unless global and token caching are enabled.</td>
<td><option>provider</option> = <replaceable>keystone.token.providers.uuid.Provider</replaceable></td>
<td>(StrOpt) Controls the token construction, validation, and revocation operations. Core providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider".</td>
</tr>
<tr>
<td><option>revoke_by_id</option> = <replaceable>True</replaceable></td>
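Review bot: The new `allow_rescope_scoped_token` row in the [token] table names the option as `allow_rescoped_scoped_token` in its description, which does not match the option name in the same row. An operator who copies the name from the sentence would set a key the service does not define. As far as I know, oslo.config does not reject unknown keys in a configuration file, so rescoping would stay enabled with no error. The sentence should read `Setting allow_rescope_scoped_token to false prevents a user from exchanging a scoped token for any other token.` If the table is generated from the option's help string, the wording needs correcting there as well.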

@ -34,7 +34,7 @@
<td>(StrOpt) Directory for holding IPC sockets.</td>
</tr>
<tr>
<td><option>rpc_zmq_matchmaker</option> = <replaceable>oslo.messaging._drivers.matchmaker.MatchMakerLocalhost</replaceable></td>
<td><option>rpc_zmq_matchmaker</option> = <replaceable>local</replaceable></td>
<td>(StrOpt) MatchMaker driver.</td>
</tr>
<tr>

@ -63,8 +63,10 @@ options. For installation prerequisites and step-by-step walkthroughs, see the
<xi:include href="../common/tables/keystone-credential.xml"/>
<xi:include href="../common/tables/keystone-database.xml"/>
<xi:include href="../common/tables/keystone-debug.xml"/>
<xi:include href="../common/tables/keystone-domain.xml"/>
<xi:include href="../common/tables/keystone-ec2.xml"/>
<xi:include href="../common/tables/keystone-federation.xml"/>
<xi:include href="../common/tables/keystone-fernet_tokens.xml"/>
<xi:include href="../common/tables/keystone-identity.xml"/>
<xi:include href="../common/tables/keystone-kvs.xml"/>
<xi:include href="../common/tables/keystone-ldap.xml"/>

@ -1,10 +1,5 @@
admin_bind_host api
admin_endpoint api
admin_port api
admin_token api
admin_workers api
amqp_auto_delete amqp
amqp_durable_queues amqp
backdoor_port debug
compute_port api
control_exchange amqp
@ -13,21 +8,15 @@ debug logging
default_log_levels logging
default_publisher_id amqp
domain_id_immutable api
fake_rabbit testing
fatal_deprecations logging
instance_format logging
instance_uuid_format logging
kombu_reconnect_delay rabbitmq
kombu_ssl_ca_certs rabbitmq
kombu_ssl_certfile rabbitmq
kombu_ssl_keyfile rabbitmq
kombu_ssl_version rabbitmq
list_limit api
log_config_append logging
log_date_format logging
log_dir logging
log_file logging
log_format logging
log-config-append logging
log-date-format logging
log-dir logging
log-file logging
log-format logging
logging_context_format_string logging
logging_debug_format_suffix logging
logging_default_format_string logging
@ -36,49 +25,19 @@ matchmaker_heartbeat_freq rpc
matchmaker_heartbeat_ttl rpc
max_param_size api
max_project_tree_depth api
max_request_body_size api
max_token_size api
member_role_id api
member_role_name api
memcached_servers common
notification_driver amqp
notification_format amqp
notification_topics amqp
policy_default_rule policy
policy_dirs policy
policy_file policy
public_bind_host api
public_endpoint api
public_port api
public_workers api
publish_errors logging
pydev_debug_host debug
pydev_debug_port debug
qpid_heartbeat qpid
qpid_hostname qpid
qpid_hosts qpid
qpid_password qpid
qpid_port qpid
qpid_protocol qpid
qpid_receiver_capacity qpid
qpid_sasl_mechanisms qpid
qpid_tcp_nodelay qpid
qpid_topology_version qpid
qpid_username qpid
rabbit_ha_queues rabbitmq
rabbit_host rabbitmq
rabbit_hosts rabbitmq
rabbit_login_method rabbitmq
rabbit_max_retries rabbitmq
rabbit_password rabbitmq
rabbit_port rabbitmq
rabbit_retry_backoff rabbitmq
rabbit_retry_interval rabbitmq
rabbit_use_ssl rabbitmq
rabbit_userid rabbitmq
rabbit_virtual_host rabbitmq
rpc_backend rpc
rpc_cast_timeout rpc
rpc_conn_pool_size rpc
rpc_response_timeout rpc
rpc_thread_pool_size rpc
rpc_zmq_bind_address zeromq
@ -88,23 +47,20 @@ rpc_zmq_ipc_dir zeromq
rpc_zmq_matchmaker zeromq
rpc_zmq_port zeromq
rpc_zmq_topic_backlog zeromq
secure_proxy_ssl_header api
standard_threads debug
strict_password_check api
syslog_log_facility logging
tcp_keepalive api
tcp_keepidle api
syslog-log-facility logging
transport_url amqp
use-syslog logging
use-syslog-rfc-format logging
use_stderr logging
use_syslog logging
use_syslog_rfc_format logging
verbose logging
assignment/cache_time assignment
assignment/caching assignment
assignment/driver assignment
assignment/list_limit assignment
audit/namespace debug
auth/external auth
auth/methods auth
auth/oauth1 auth
auth/password auth
auth/token auth
cache/backend cache
@ -126,33 +82,38 @@ catalog/driver catalog
catalog/list_limit catalog
catalog/template_file catalog
credential/driver credential
database/backend database
database/connection database
database/connection_debug database
database/connection_trace database
database/db_inc_retry_interval database
database/db_max_retries database
database/db_max_retry_interval database
database/db_retry_interval database
database/idle_timeout database
database/max_overflow database
database/max_pool_size database
database/max_retries database
database/min_pool_size database
database/mysql_sql_mode database
database/pool_timeout database
database/retry_interval database
database/slave_connection database
database/sqlite_db database
database/sqlite_synchronous database
database/use_db_reconnect database
domain_config/cache_time domain
domain_config/caching domain
domain_config/driver domain
endpoint_filter/driver api
endpoint_filter/return_all_endpoints_if_no_filter api
endpoint_policy/driver api
eventlet_server/admin_bind_host api
eventlet_server/admin_port api
eventlet_server/admin_workers api
eventlet_server/public_bind_host api
eventlet_server/public_port api
eventlet_server/public_workers api
eventlet_server/tcp_keepalive api
eventlet_server/tcp_keepidle api
eventlet_server_ssl/ca_certs ca
eventlet_server_ssl/cert_required ca
eventlet_server_ssl/certfile ca
eventlet_server_ssl/enable ca
eventlet_server_ssl/keyfile ca
federation/assertion_prefix federation
federation/driver federation
federation/federated_domain_name federation
federation/remote_id_attribute federation
federation/sso_callback_template federation
federation/trusted_dashboard federation
fernet_tokens/key_repository fernet_tokens
fernet_tokens/max_active_keys fernet_tokens
identity/cache_time identity
identity/caching identity
identity/default_domain_id identity
identity/domain_config_dir identity
identity/domain_configurations_from_database identity
identity/domain_specific_drivers_enabled identity
identity/driver identity
identity/list_limit identity
@ -166,8 +127,10 @@ keystone_authtoken/admin_token auth_token
keystone_authtoken/admin_user auth_token
keystone_authtoken/auth_admin_prefix auth_token
keystone_authtoken/auth_host auth_token
keystone_authtoken/auth_plugin auth_token
keystone_authtoken/auth_port auth_token
keystone_authtoken/auth_protocol auth_token
keystone_authtoken/auth_section auth_token
keystone_authtoken/auth_uri auth_token
keystone_authtoken/auth_version auth_token
keystone_authtoken/cache auth_token
@ -183,8 +146,14 @@ keystone_authtoken/identity_uri auth_token
keystone_authtoken/include_service_catalog auth_token
keystone_authtoken/insecure auth_token
keystone_authtoken/keyfile auth_token
keystone_authtoken/memcache_pool_conn_get_timeout auth_token
keystone_authtoken/memcache_pool_dead_retry auth_token
keystone_authtoken/memcache_pool_maxsize auth_token
keystone_authtoken/memcache_pool_socket_timeout auth_token
keystone_authtoken/memcache_pool_unused_timeout auth_token
keystone_authtoken/memcache_secret_key auth_token
keystone_authtoken/memcache_security_strategy auth_token
keystone_authtoken/memcache_use_advanced_pool auth_token
keystone_authtoken/memcached_servers common
keystone_authtoken/revocation_cache_time auth_token
keystone_authtoken/signing_dir auth_token
@ -306,9 +275,54 @@ oslo_messaging_amqp/ssl_cert_file rpc
oslo_messaging_amqp/ssl_key_file rpc
oslo_messaging_amqp/ssl_key_password rpc
oslo_messaging_amqp/trace rpc
oslo_messaging_qpid/amqp_auto_delete qpid
oslo_messaging_qpid/amqp_durable_queues qpid
oslo_messaging_qpid/qpid_heartbeat qpid
oslo_messaging_qpid/qpid_hostname qpid
oslo_messaging_qpid/qpid_hosts qpid
oslo_messaging_qpid/qpid_password qpid
oslo_messaging_qpid/qpid_port qpid
oslo_messaging_qpid/qpid_protocol qpid
oslo_messaging_qpid/qpid_receiver_capacity qpid
oslo_messaging_qpid/qpid_sasl_mechanisms qpid
oslo_messaging_qpid/qpid_tcp_nodelay qpid
oslo_messaging_qpid/qpid_topology_version qpid
oslo_messaging_qpid/qpid_username qpid
oslo_messaging_qpid/rpc_conn_pool_size qpid
oslo_messaging_rabbit/amqp_auto_delete rabbitmq
oslo_messaging_rabbit/amqp_durable_queues rabbitmq
oslo_messaging_rabbit/fake_rabbit rabbitmq
oslo_messaging_rabbit/heartbeat_rate rabbitmq
oslo_messaging_rabbit/heartbeat_timeout_threshold rabbitmq
oslo_messaging_rabbit/kombu_reconnect_delay rabbitmq
oslo_messaging_rabbit/kombu_ssl_ca_certs rabbitmq
oslo_messaging_rabbit/kombu_ssl_certfile rabbitmq
oslo_messaging_rabbit/kombu_ssl_keyfile rabbitmq
oslo_messaging_rabbit/kombu_ssl_version rabbitmq
oslo_messaging_rabbit/rabbit_ha_queues rabbitmq
oslo_messaging_rabbit/rabbit_host rabbitmq
oslo_messaging_rabbit/rabbit_hosts rabbitmq
oslo_messaging_rabbit/rabbit_login_method rabbitmq
oslo_messaging_rabbit/rabbit_max_retries rabbitmq
oslo_messaging_rabbit/rabbit_password rabbitmq
oslo_messaging_rabbit/rabbit_port rabbitmq
oslo_messaging_rabbit/rabbit_retry_backoff rabbitmq
oslo_messaging_rabbit/rabbit_retry_interval rabbitmq
oslo_messaging_rabbit/rabbit_use_ssl rabbitmq
oslo_messaging_rabbit/rabbit_userid rabbitmq
oslo_messaging_rabbit/rabbit_virtual_host rabbitmq
oslo_messaging_rabbit/rpc_conn_pool_size rabbitmq
oslo_policy/policy_default_rule policy
oslo_policy/policy_dirs policy
oslo_policy/policy_file policy
paste_deploy/config_file api
policy/driver policy
policy/list_limit policy
resource/cache_time api
resource/caching api
resource/driver api
resource/list_limit api
revoke/cache_time revoke
revoke/caching revoke
revoke/driver revoke
revoke/expiration_buffer revoke
@ -332,6 +346,7 @@ saml/idp_organization_name saml
saml/idp_organization_url saml
saml/idp_sso_endpoint saml
saml/keyfile saml
saml/relay_state_prefix saml
saml/xmlsec1_binary saml
signing/ca_certs ca
signing/ca_key ca
@ -339,17 +354,12 @@ signing/cert_subject ca
signing/certfile ca
signing/key_size ca
signing/keyfile ca
signing/token_format ca
signing/valid_days ca
ssl/ca_certs ca
ssl/ca_key ca
ssl/cert_required ca
ssl/cert_subject ca
ssl/certfile ca
ssl/enable ca
ssl/key_size ca
ssl/keyfile ca
ssl/valid_days ca
token/allow_rescope_scoped_token token
token/bind token
token/cache_time token
token/caching token
@ -358,7 +368,6 @@ token/enforce_token_bind token
token/expiration token
token/hash_algorithm token
token/provider token
token/revocation_cache_time token
token/revoke_by_id token
trust/allow_redelegation trust
trust/driver trust

@ -2,7 +2,9 @@ assignment assignment
cache cache
catalog catalog
credential credential
domain domain
federation federation
fernet_tokens Fernet tokens
identity identity
kvs KVS
mapping mapping
@ -10,6 +12,7 @@ memcache memcache
oauth OAuth
os_inherit os_inherit
revoke revoke
role role
saml SAML
security security
token token