e7cbc675ce
Change-Id: I959cc6884633ada1deb55f44ca1fc6f230bdebd9
81 lines
4.2 KiB
XML
<?xml version='1.0' encoding='UTF-8'?>
<para xmlns="http://docbook.org/ns/docbook" version="5.0">
  <!--
  ###################################################################
  WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
  ###################################################################

  Warning: Do not edit this file. It is automatically
  generated from the software project's code and your changes
  will be overwritten.

  The tool to generate this file lives in openstack-doc-tools
  repository.

  Please make any changes needed in the code, then run the
  autogenerate-config-doc tool from the openstack-doc-tools
  repository, or ask for help on the documentation mailing list,
  IRC channel or meeting.

  ###################################################################
  WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
  ###################################################################
  -->
  <table rules="all" xml:id="config_table_keystone_token">
    <caption>Description of token configuration options</caption>
    <col width="50%"/>
    <col width="50%"/>
    <thead>
      <tr>
        <th>Configuration option = Default value</th>
        <th>Description</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <th colspan="2">[token]</th>
      </tr>
      <tr>
        <td><option>allow_rescope_scoped_token</option> = <replaceable>True</replaceable></td>
        <td>(BoolOpt) Allow rescoping of scoped token. Setting allow_rescope_scoped_token to false prevents a user from exchanging a scoped token for any other token.</td>
      </tr>
      <tr>
        <td><option>bind</option> = <replaceable></replaceable></td>
        <td>(ListOpt) External auth mechanisms that should add bind information to token, e.g., kerberos,x509.</td>
      </tr>
      <tr>
        <td><option>cache_time</option> = <replaceable>None</replaceable></td>
        <td>(IntOpt) Time to cache tokens (in seconds). This has no effect unless global and token caching are enabled.</td>
      </tr>
      <tr>
        <td><option>caching</option> = <replaceable>True</replaceable></td>
        <td>(BoolOpt) Toggle for token system caching. This has no effect unless global caching is enabled.</td>
      </tr>
      <tr>
        <td><option>driver</option> = <replaceable>sql</replaceable></td>
        <td>(StrOpt) Entrypoint for the token persistence backend driver in the keystone.token.persistence namespace. Supplied drivers are kvs, memcache, memcache_pool, and sql.</td>
      </tr>
      <tr>
        <td><option>enforce_token_bind</option> = <replaceable>permissive</replaceable></td>
        <td>(StrOpt) Enforcement policy on tokens presented to Keystone with bind information. One of disabled, permissive, strict, required or a specifically required bind mode, e.g., kerberos or x509 to require binding to that authentication.</td>
      </tr>
      <tr>
        <td><option>expiration</option> = <replaceable>3600</replaceable></td>
        <td>(IntOpt) Amount of time a token should remain valid (in seconds).</td>
      </tr>
      <tr>
        <td><option>hash_algorithm</option> = <replaceable>md5</replaceable></td>
        <td>(StrOpt) The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly.</td>
      </tr>
      <tr>
        <td><option>provider</option> = <replaceable>uuid</replaceable></td>
        <td>(StrOpt) Controls the token construction, validation, and revocation operations. Entrypoint in the keystone.token.provider namespace. Core providers are [fernet|pkiz|pki|uuid].</td>
      </tr>
      <tr>
        <td><option>revoke_by_id</option> = <replaceable>True</replaceable></td>
        <td>(BoolOpt) Revoke token by token identifier. Setting revoke_by_id to true enables various forms of enumerating tokens, e.g. `list tokens for user`. These enumerations are processed to determine the list of tokens to revoke. Only disable if you are switching to using the Revoke extension with a backend other than KVS, which stores events in memory.</td>
      </tr>
    </tbody>
  </table>
</para>