openstack-manuals/doc/config-reference/conf-changes/keystone.xml
Andreas Jaeger ab261dbc0c Config Reference: Update changes for Liberty
Regenerate all changes file with changes between kilo and Liberty.

Change-Id: I80d8f1b2170aa1c85e352c3572bf106d50c3f7dc
2015-10-14 14:20:07 +02:00


<?xml version='1.0' encoding='UTF-8'?>
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="keystone-conf-changes-liberty">
<!-- Warning: Do not edit this file. It is automatically generated and your changes will be overwritten. The tool to do so lives in the openstack-doc-tools repository. -->
<title>New, updated, and deprecated options in Liberty for OpenStack Identity</title>
<table>
<caption>New options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<td>Option = default value</td>
<td>(Type) Help string</td>
</tr>
</thead>
<tr>
<td>[DEFAULT] executor_thread_pool_size = 64</td>
<td>(IntOpt) Size of executor thread pool.</td>
</tr>
<tr>
<td>[DEFAULT] host = 127.0.0.1</td>
<td>(StrOpt) Host to locate redis.</td>
</tr>
<tr>
<td>[DEFAULT] password = </td>
<td>(StrOpt) Password for Redis server (optional).</td>
</tr>
<tr>
<td>[DEFAULT] port = 6379</td>
<td>(IntOpt) Use this port to connect to redis host.</td>
</tr>
<tr>
<td>[DEFAULT] rpc_conn_pool_size = 30</td>
<td>(IntOpt) Size of RPC connection pool.</td>
</tr>
<tr>
<td>[DEFAULT] rpc_poll_timeout = 1</td>
<td>(IntOpt) The default number of seconds that poll should wait. Poll raises a timeout exception when the timeout expires.</td>
</tr>
<tr>
<td>[DEFAULT] rpc_zmq_all_req_rep = True</td>
<td>(BoolOpt) Use REQ/REP pattern for all methods CALL/CAST/FANOUT.</td>
</tr>
<tr>
<td>[DEFAULT] rpc_zmq_concurrency = eventlet</td>
<td>(StrOpt) Type of concurrency used. Either "native" or "eventlet"</td>
</tr>
<tr>
<td>[DEFAULT] watch_log_file = False</td>
<td>(BoolOpt) (Optional) Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log-file option is specified and Linux platform is used. This option is ignored if log_config_append is set.</td>
</tr>
<tr>
<td>[DEFAULT] zmq_use_broker = True</td>
<td>(BoolOpt) Shows whether zmq-messaging uses broker or not.</td>
</tr>
<tr>
<td>[cors] allow_credentials = True</td>
<td>(BoolOpt) Indicate that the actual request can include user credentials</td>
</tr>
<tr>
<td>[cors] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
<td>(ListOpt) Indicate which header field names may be used during the actual request.</td>
</tr>
<tr>
<td>[cors] allow_methods = GET, POST, PUT, DELETE, OPTIONS</td>
<td>(ListOpt) Indicate which methods can be used during the actual request.</td>
</tr>
<tr>
<td>[cors] allowed_origin = None</td>
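<td>(StrOpt) Indicate whether this resource may be shared with the domain received in the request's "origin" header.</td>
<!-- Note: allow_credentials defaults to True in this section, so any origin permitted by allowed_origin can make credentialed cross-origin requests. List only origins you trust. -->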
</tr>
<tr>
<td>[cors] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
<td>(ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.</td>
</tr>
<tr>
<td>[cors] max_age = 3600</td>
<td>(IntOpt) Maximum cache age of CORS preflight requests.</td>
</tr>
<tr>
<td>[cors.subdomain] allow_credentials = True</td>
<td>(BoolOpt) Indicate that the actual request can include user credentials</td>
</tr>
<tr>
<td>[cors.subdomain] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
<td>(ListOpt) Indicate which header field names may be used during the actual request.</td>
</tr>
<tr>
<td>[cors.subdomain] allow_methods = GET, POST, PUT, DELETE, OPTIONS</td>
<td>(ListOpt) Indicate which methods can be used during the actual request.</td>
</tr>
<tr>
<td>[cors.subdomain] allowed_origin = None</td>
<td>(StrOpt) Indicate whether this resource may be shared with the domain received in the request's "origin" header.</td>
</tr>
<tr>
<td>[cors.subdomain] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma</td>
<td>(ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.</td>
</tr>
<tr>
<td>[cors.subdomain] max_age = 3600</td>
<td>(IntOpt) Maximum cache age of CORS preflight requests.</td>
</tr>
<tr>
<td>[endpoint_policy] enabled = True</td>
<td>(BoolOpt) Enable endpoint_policy functionality.</td>
</tr>
<tr>
<td>[keystone_authtoken] region_name = None</td>
<td>(StrOpt) The region in which the identity server can be found.</td>
</tr>
<tr>
<td>[oslo_messaging_amqp] password = </td>
<td>(StrOpt) Password for message broker authentication</td>
</tr>
<tr>
<td>[oslo_messaging_amqp] sasl_config_dir = </td>
<td>(StrOpt) Path to directory that contains the SASL configuration</td>
</tr>
<tr>
<td>[oslo_messaging_amqp] sasl_config_name = </td>
<td>(StrOpt) Name of configuration file (without .conf suffix)</td>
</tr>
<tr>
<td>[oslo_messaging_amqp] sasl_mechanisms = </td>
<td>(StrOpt) Space separated list of acceptable SASL mechanisms</td>
</tr>
<tr>
<td>[oslo_messaging_amqp] username = </td>
<td>(StrOpt) User name for message broker authentication</td>
</tr>
<tr>
<td>[oslo_messaging_qpid] send_single_reply = False</td>
<td>(BoolOpt) Send a single AMQP reply to a call message. The current behaviour since oslo-incubator is to send two AMQP replies: the first one with the payload, and a second one to ensure that the other has finished sending the payload. We are going to remove this behaviour in the N release, but we must remain backward compatible in the meantime. This option provides such compatibility: it defaults to False in Liberty and can be turned on by early adopters with new installations or for testing. Please note that this option will be removed in the Mitaka release.</td>
</tr>
<tr>
<td>[oslo_messaging_rabbit] kombu_reconnect_timeout = 60</td>
<td>(IntOpt) How long to wait before considering a reconnect attempt to have failed. This value should not be longer than rpc_response_timeout.</td>
</tr>
<tr>
<td>[oslo_messaging_rabbit] send_single_reply = False</td>
<td>(BoolOpt) Send a single AMQP reply to a call message. The current behaviour since oslo-incubator is to send two AMQP replies: the first one with the payload, and a second one to ensure that the other has finished sending the payload. We are going to remove this behaviour in the N release, but we must remain backward compatible in the meantime. This option provides such compatibility: it defaults to False in Liberty and can be turned on by early adopters with new installations or for testing. Please note that this option will be removed in the Mitaka release.</td>
</tr>
<tr>
<td>[oslo_middleware] secure_proxy_ssl_header = X-Forwarded-Proto</td>
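<td>(StrOpt) The HTTP header that will be used to determine what the original request protocol scheme was, even if it was hidden by an SSL termination proxy.</td>
<!-- Note: a client can send this header itself. Rely on it only when every request reaches the service through the TLS-terminating proxy and that proxy overwrites or strips any client-supplied value. -->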
</tr>
<tr>
<td>[tokenless_auth] issuer_attribute = SSL_CLIENT_I_DN</td>
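<td>(StrOpt) The issuer attribute that serves as an IdP ID for X.509 tokenless authorization; together with the protocol, it is used to look up the corresponding mapping. It is the environment variable in the WSGI environment that refers to the issuer of the client certificate.</td>
<!-- Note: the issuer is read from the WSGI environment, so client certificate verification has to be enforced by the web server that populates this variable, and nothing else should be able to set it. -->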
</tr>
<tr>
<td>[tokenless_auth] protocol = x509</td>
<td>(StrOpt) The protocol name for X.509 tokenless authorization; together with the issuer_attribute option, it is used to look up the corresponding mapping.</td>
</tr>
<tr>
<td>[tokenless_auth] trusted_issuer = []</td>
<td>(MultiStrOpt) The list of trusted issuers to further filter the certificates that are allowed to participate in the X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The attributes of a Distinguished Name (DN) must be separated by commas and contain no spaces. This configuration option may be repeated for multiple values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack and trusted_issuer=CN=mary,OU=eng,O=abc</td>
</tr>
</table>
<table>
<caption>New default values</caption>
<col width="33%"/>
<col width="33%"/>
<col width="33%"/>
<thead>
<tr>
<td>Option</td>
<td>Previous default value</td>
<td>New default value</td>
</tr>
</thead>
<tr>
<td>[DEFAULT] crypt_strength</td>
<td>40000</td>
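<td>10000</td>
<!-- Note: crypt_strength is the rounds value keystone passes to passlib when hashing passwords, so the new default lowers the per-hash work factor. A deployment that wants to keep the Kilo cost must now set 40000 explicitly. -->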
</tr>
<tr>
<td>[DEFAULT] default_log_levels</td>
<td>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN</td>
<td>amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN</td>
</tr>
<tr>
<td>[DEFAULT] logging_exception_prefix</td>
<td>%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s</td>
<td>%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s</td>
</tr>
<tr>
<td>[DEFAULT] rpc_zmq_matchmaker</td>
<td>local</td>
<td>redis</td>
</tr>
<tr>
<td>[DEFAULT] use_syslog_rfc_format</td>
<td>False</td>
<td>True</td>
</tr>
<tr>
<td>[DEFAULT] verbose</td>
<td>False</td>
<td>True</td>
</tr>
<tr>
<td>[auth] external</td>
<td>keystone.auth.plugins.external.DefaultDomain</td>
<td>None</td>
</tr>
<tr>
<td>[auth] oauth1</td>
<td>keystone.auth.plugins.oauth1.OAuth</td>
<td>None</td>
</tr>
<tr>
<td>[auth] password</td>
<td>keystone.auth.plugins.password.Password</td>
<td>None</td>
</tr>
<tr>
<td>[auth] token</td>
<td>keystone.auth.plugins.token.Token</td>
<td>None</td>
</tr>
<tr>
<td>[catalog] driver</td>
<td>keystone.catalog.backends.sql.Catalog</td>
<td>sql</td>
</tr>
<tr>
<td>[credential] driver</td>
<td>keystone.credential.backends.sql.Credential</td>
<td>sql</td>
</tr>
<tr>
<td>[domain_config] driver</td>
<td>keystone.resource.config_backends.sql.DomainConfig</td>
<td>sql</td>
</tr>
<tr>
<td>[endpoint_filter] driver</td>
<td>keystone.contrib.endpoint_filter.backends.sql.EndpointFilter</td>
<td>sql</td>
</tr>
<tr>
<td>[endpoint_policy] driver</td>
<td>keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy</td>
<td>sql</td>
</tr>
<tr>
<td>[federation] driver</td>
<td>keystone.contrib.federation.backends.sql.Federation</td>
<td>sql</td>
</tr>
<tr>
<td>[identity] driver</td>
<td>keystone.identity.backends.sql.Identity</td>
<td>sql</td>
</tr>
<tr>
<td>[identity_mapping] driver</td>
<td>keystone.identity.mapping_backends.sql.Mapping</td>
<td>sql</td>
</tr>
<tr>
<td>[identity_mapping] generator</td>
<td>keystone.identity.id_generators.sha256.Generator</td>
<td>sha256</td>
</tr>
<tr>
<td>[ldap] user_attribute_ignore</td>
<td>default_project_id, tenants</td>
<td>default_project_id</td>
</tr>
<tr>
<td>[matchmaker_redis] password</td>
<td>None</td>
<td></td>
</tr>
<tr>
<td>[oauth1] driver</td>
<td>keystone.contrib.oauth1.backends.sql.OAuth1</td>
<td>sql</td>
</tr>
<tr>
<td>[oslo_messaging_rabbit] heartbeat_timeout_threshold</td>
<td>0</td>
<td>60</td>
</tr>
<tr>
<td>[policy] driver</td>
<td>keystone.policy.backends.sql.Policy</td>
<td>sql</td>
</tr>
<tr>
<td>[revoke] driver</td>
<td>keystone.contrib.revoke.backends.sql.Revoke</td>
<td>sql</td>
</tr>
<tr>
<td>[token] driver</td>
<td>keystone.token.persistence.backends.sql.Token</td>
<td>sql</td>
</tr>
<tr>
<td>[token] provider</td>
<td>keystone.token.providers.uuid.Provider</td>
<td>uuid</td>
</tr>
<tr>
<td>[trust] driver</td>
<td>keystone.trust.backends.sql.Trust</td>
<td>sql</td>
</tr>
</table>
<table>
<caption>Deprecated options</caption>
<col width="50%"/>
<col width="50%"/>
<thead>
<tr>
<td>Deprecated option</td>
<td>New Option</td>
</tr>
</thead>
<tr>
<td>[DEFAULT] use_syslog</td>
<td>None</td>
</tr>
<tr>
<td>[DEFAULT] log_format</td>
<td>None</td>
</tr>
<tr>
<td>[DEFAULT] rpc_thread_pool_size</td>
<td>[DEFAULT] executor_thread_pool_size</td>
</tr>
</table>
</section>