# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
dead_retry = cfg.IntOpt(
'dead_retry',
default=5 * 60,
help=utils.fmt("""
Number of seconds memcached server is considered dead before it is tried again.
This is used by the key value store system.
"""))
socket_timeout = cfg.IntOpt(
'socket_timeout',
default=3,
help=utils.fmt("""
Timeout in seconds for every call to a server. This is used by the key value
store system.
"""))
pool_maxsize = cfg.IntOpt(
'pool_maxsize',
default=10,
help=utils.fmt("""
Max total number of open connections to every memcached server. This is used by
import hashlib
import sys
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import constants
from keystone.conf import utils
bind = cfg.ListOpt(
'bind',
default=[],
help=utils.fmt("""
This is a list of external authentication mechanisms which should add token
binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is
enforced according to the `[token] enforce_token_bind` option.
"""))
enforce_token_bind = cfg.StrOpt(
'enforce_token_bind',
default='permissive',
choices=['disabled', 'permissive', 'strict', 'required'],
help=utils.fmt("""
This controls the token binding enforcement policy on tokens presented to
keystone with token binding metadata (as specified by the `[token] bind`
option). `disabled` completely bypasses token binding validation. `permissive`
and `strict` do not require tokens to have binding metadata (but will validate
it if present), whereas `required` will always demand tokens to having binding
metadata. `permissive` will allow unsupported binding metadata to pass through
without validation (usually to be validated at another time by another
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATED_LDAP_WRITE = utils.fmt("""
Write support for the LDAP identity backend has been deprecated in the Mitaka
release and will be removed in the Ocata release.
""")
url = cfg.StrOpt(
'url',
default='ldap://localhost',
help=utils.fmt("""
URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
as a comma separated string. The first URL to successfully bind is used for the
connection.
"""))
user = cfg.StrOpt(
'user',
help=utils.fmt("""
from oslo_config import cfg
from keystone.conf import utils
host = cfg.StrOpt('host',
default='localhost',
help=utils.fmt('IP/hostname to listen on.'))
port = cfg.PortOpt('port',
default=5672,
help=utils.fmt('Port number to listen on.'))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
host,
port,
]
def register_opts(conf):
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
def list_opts():
return {GROUP_NAME: ALL_OPTS}
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entrypoint for an implementation of the backend for persisting revocation
events in the keystone.revoke namespace. Supplied drivers are kvs and sql.
"""))
expiration_buffer = cfg.IntOpt(
'expiration_buffer',
default=1800,
help=utils.fmt("""
This value (calculated in seconds) is added to token expiration before a
revocation event may be removed from the backend.
"""))
caching = cfg.BoolOpt(
'caching',
default=True,
help=utils.fmt("""
Toggle for revocation event caching. This has no effect unless global caching
# under the License.
from oslo_config import cfg
from keystone.conf import constants
from keystone.conf import utils
certfile = cfg.StrOpt(
'certfile',
default=constants._CERTFILE,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Path of the certfile for token signing. For non-production environments, you
may be interested in using `keystone-manage pki_setup` to generate self-signed
certificates.
"""))
keyfile = cfg.StrOpt(
'keyfile',
default=constants._KEYFILE,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt("""
Path of the keyfile for token signing.
"""))
ca_certs = cfg.StrOpt(
'ca_certs',
deprecated_for_removal=True,
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entrypoint for the shadow users backend driver in the
keystone.identity.shadow_users namespace.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
driver,
]
def register_opts(conf):
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
def list_opts():
return {GROUP_NAME: ALL_OPTS}
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
help=utils.fmt("""
Entrypoint for the assignment backend driver in the keystone.assignment
namespace. Only an SQL driver is supplied. If an assignment driver is not
specified, the identity driver will choose the assignment driver (driver
selection based on `[identity]/driver` option is deprecated and will be removed
in the "O" release).
"""))
prohibited_implied_role = cfg.ListOpt(
'prohibited_implied_role',
default=['admin'],
help=utils.fmt("""
A list of role names which are prohibited from being an implied role.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
driver,
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATE_EVENTLET_MSG = utils.fmt("""
Support for running keystone under eventlet has been removed in the Newton
release. These options remain for backwards compatibility because they are used
for URL substitutions.
""")
public_bind_host = cfg.HostAddressOpt(
'public_bind_host',
default='0.0.0.0', # nosec : Bind to all interfaces by default for
# backwards compatibility.
deprecated_opts=[
cfg.DeprecatedOpt('bind_host', group='DEFAULT'),
cfg.DeprecatedOpt('public_bind_host', group='DEFAULT'),
],
deprecated_for_removal=True,
deprecated_reason=_DEPRECATE_EVENTLET_MSG,
deprecated_since=versionutils.deprecated.KILO,
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entry point for the credential backend driver in the `keystone.credential`
namespace. Keystone only provides a `sql` driver, so there's no reason to
change this unless you are providing a custom entry point.
"""))
provider = cfg.StrOpt(
'provider',
default='fernet',
help=utils.fmt("""
Entry point for credential encryption and decryption operations in the
`keystone.credential.provider` namespace. Keystone only provides a `fernet`
driver, so there's no reason to change this unless you are providing a custom
entry point to encrypt and decrypt credentials.
"""))
key_repository = cfg.StrOpt(
'key_repository',
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entrypoint for the policy backend driver in the keystone.policy namespace.
Supplied drivers are rules and sql.
"""))
list_limit = cfg.IntOpt(
'list_limit',
help=utils.fmt("""
Maximum number of entities that will be returned in a policy collection.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
driver,
list_limit,
]
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
enabled = cfg.BoolOpt('enabled',
default=True,
help=utils.fmt("""
Delegation and impersonation features can be optionally disabled.
"""))
allow_redelegation = cfg.BoolOpt('allow_redelegation',
default=False,
help=utils.fmt("""
Enable redelegation feature.
"""))
max_redelegation_count = cfg.IntOpt('max_redelegation_count',
default=3,
help=utils.fmt("""
Maximum depth of trust redelegation.
"""))
driver = cfg.StrOpt('driver',
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
key_repository = cfg.StrOpt(
'key_repository',
default='/etc/keystone/fernet-keys/',
help=utils.fmt("""
Directory containing Fernet token keys.
"""))
max_active_keys = cfg.IntOpt(
'max_active_keys',
default=3,
help=utils.fmt("""
This controls how many keys are held in rotation by keystone-manage
fernet_rotate before they are discarded. The default value of 3 means that
keystone will maintain one staged key, one primary key, and one secondary key.
Increasing this value means that additional secondary keys will be kept in the
rotation.
"""))
GROUP_NAME = __name__.split('.')[-1]
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
trusted_issuer = cfg.MultiStrOpt('trusted_issuer',
default=[],
help=utils.fmt("""
The list of trusted issuers to further filter the certificates that are allowed
to participate in the X.509 tokenless authorization. If the option is absent
then no certificates will be allowed. The naming format for the attributes of a
Distinguished Name(DN) must be separated by a comma and contain no spaces. This
configuration option may be repeated for multiple values. For example:
trusted_issuer=CN=john,OU=keystone,O=openstack
trusted_issuer=CN=mary,OU=eng,O=abc
"""))
protocol = cfg.StrOpt('protocol',
default='x509',
help=utils.fmt("""
The protocol name for the X.509 tokenless authorization along with the option
issuer_attribute below can look up its corresponding mapping.
"""))
issuer_attribute = cfg.StrOpt('issuer_attribute',
default='SSL_CLIENT_I_DN',
help=utils.fmt("""
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
"driver",
default="sql",
help=utils.fmt(
"""
Entrypoint for the identity mapping backend driver in the
keystone.identity.id_mapping namespace.
"""
),
)
generator = cfg.StrOpt(
"generator",
default="sha256",
help=utils.fmt(
"""
Entrypoint for the public ID generator for user and group entities in the
keystone.identity.id_generator namespace. The Keystone identity mapper only
supports generators that produce no more than 64 characters.
"""
),
)
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATE_EVENTLET_MSG = utils.fmt("""
Support for running keystone under eventlet has been removed in the Newton
release. These options remain for backwards compatibility because they are used
for URL substitutions.
""")
public_bind_host = cfg.HostAddressOpt(
'public_bind_host',
default='0.0.0.0', # nosec : Bind to all interfaces by default for
# backwards compatibility.
deprecated_opts=[
cfg.DeprecatedOpt('bind_host', group='DEFAULT'),
cfg.DeprecatedOpt('public_bind_host', group='DEFAULT'),
],
deprecated_for_removal=True,
deprecated_reason=_DEPRECATE_EVENTLET_MSG,
deprecated_since=versionutils.deprecated.KILO,
help=utils.fmt("""
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entry point for the shadow users backend driver in the
`keystone.identity.shadow_users` namespace. This driver is used for persisting
local user references to externally-managed identities (via federation, LDAP,
etc). Keystone only provides a `sql` driver, so there is no reason to change
this option unless you are providing a custom entry point.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
driver,
]
def register_opts(conf):
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt('driver',
default='sql',
help=utils.fmt("""
Entry point for the application credential backend driver in the
`keystone.application_credential` namespace. Keystone only provides a `sql`
driver, so there is no reason to change this unless you are providing a custom
entry point.
"""))
caching = cfg.BoolOpt('caching',
default=True,
help=utils.fmt("""
Toggle for application credential caching. This has no effect unless global
caching is enabled.
"""))
cache_time = cfg.IntOpt('cache_time',
help=utils.fmt("""
Time to cache application credential data in seconds. This has no effect
unless global caching is enabled.
"""))
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
allow_redelegation = cfg.BoolOpt('allow_redelegation',
default=False,
help=utils.fmt("""
Allows authorization to be redelegated from one user to another, effectively
chaining trusts together. When disabled, the `remaining_uses` attribute of a
trust is constrained to be zero.
"""))
max_redelegation_count = cfg.IntOpt('max_redelegation_count',
default=3,
help=utils.fmt("""
Maximum number of times that authorization can be redelegated from one user to
another in a chain of trusts. This number may be reduced further for a specific
trust.
"""))
driver = cfg.StrOpt('driver',
default='sql',
help=utils.fmt("""
Entry point for the trust backend driver in the `keystone.trust` namespace.
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
trusted_issuer = cfg.MultiStrOpt(
'trusted_issuer',
default=[],
help=utils.fmt("""
The list of trusted issuers to further filter the certificates that are allowed
to participate in the X.509 tokenless authorization. If the option is absent
then no certificates will be allowed. The naming format for the attributes of a
Distinguished Name(DN) must be separated by a comma and contain no spaces. This
configuration option may be repeated for multiple values. For example:
trusted_issuer=CN=john,OU=keystone,O=openstack
trusted_issuer=CN=mary,OU=eng,O=abc
"""))
protocol = cfg.StrOpt(
'protocol',
default='x509',
help=utils.fmt("""
The protocol name for the X.509 tokenless authorization along with the option
issuer_attribute below can look up its corresponding mapping.
"""))
issuer_attribute = cfg.StrOpt(
'issuer_attribute',
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entry point for the OAuth backend driver in the `keystone.oauth1` namespace.
Typically, there is no reason to set this option unless you are providing a
custom entry point.
"""))
request_token_duration = cfg.IntOpt(
'request_token_duration',
min=0,
default=28800,
help=utils.fmt("""
Number of seconds for the OAuth Request Token to remain valid after being
created. This is the amount of time the user has to authorize the token.
Setting this option to zero means that request tokens will last forever.
"""))
access_token_duration = cfg.IntOpt(
'access_token_duration',
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATE_PROXY_SSL = utils.fmt("""
This option has been deprecated in the N release and will be removed in the P
release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
""")
admin_token = cfg.StrOpt('admin_token',
secret=True,
help=utils.fmt("""
Using this feature is *NOT* recommended. Instead, use the `keystone-manage
bootstrap` command. The value of this option is treated as a "shared secret"
that can be used to bootstrap Keystone through the API. This "token" does not
represent a user (it has no identity), and carries no explicit authorization
(it effectively bypasses most authorization checks). If set to `None`, the
value is ignored and the `admin_token` middleware is effectively disabled.
"""))
public_endpoint = cfg.URIOpt('public_endpoint',
help=utils.fmt("""
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entry point for the resource driver in the `keystone.resource` namespace. Only
a `sql` driver is supplied by keystone. Unless you are writing proprietary
drivers for keystone, you do not need to set this option.
"""))
caching = cfg.BoolOpt(
'caching',
default=True,
deprecated_opts=[cfg.DeprecatedOpt('caching', group='assignment')],
help=utils.fmt("""
Toggle for resource caching. This has no effect unless global caching is
enabled.
"""))
cache_time = cfg.IntOpt(
'cache_time',
deprecated_opts=[cfg.DeprecatedOpt('cache_time', group='assignment')],
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt('driver',
default='sql',
help=utils.fmt("""
Entry point for the credential backend driver in the `keystone.credential`
namespace. Keystone only provides a `sql` driver, so there's no reason to
change this unless you are providing a custom entry point.
"""))
provider = cfg.StrOpt('provider',
default='fernet',
help=utils.fmt("""
Entry point for credential encryption and decryption operations in the
`keystone.credential.provider` namespace. Keystone only provides a `fernet`
driver, so there's no reason to change this unless you are providing a custom
entry point to encrypt and decrypt credentials.
"""))
key_repository = cfg.StrOpt('key_repository',
default='/etc/keystone/credential-keys/',
help=utils.fmt("""
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
key_repository = cfg.StrOpt('key_repository',
default='/etc/keystone/fernet-keys/',
help=utils.fmt("""
Directory containing Fernet token keys.
"""))
max_active_keys = cfg.IntOpt('max_active_keys',
default=3,
help=utils.fmt("""
This controls how many keys are held in rotation by keystone-manage
fernet_rotate before they are discarded. The default value of 3 means that
keystone will maintain one staged key, one primary key, and one secondary key.
Increasing this value means that additional secondary keys will be kept in the
rotation.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
key_repository,
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
disable_user_account_days_inactive = cfg.IntOpt(
'disable_user_account_days_inactive',
default=0,
help=utils.fmt("""
Number of days for which a user can be inactive before the account becomes
disabled. Setting the value to 0 disables this feature.
"""))
lockout_failure_attempts = cfg.IntOpt(
'lockout_failure_attempts',
default=0,
help=utils.fmt("""
Number of times a user can fail login attempts until the user account is
locked. Setting the value to 0 disables this feature.
"""))
lockout_duration = cfg.IntOpt(
'lockout_duration',
default=1800,
help=utils.fmt("""
Number of seconds a user account will be locked.
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATE_PROXY_SSL = utils.fmt("""
This option has been deprecated in the N release and will be removed in the P
release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
""")
admin_token = cfg.StrOpt(
'admin_token',
secret=True,
help=utils.fmt("""
Using this feature is *NOT* recommended. Instead, use the `keystone-manage
bootstrap` command. The value of this option is treated as a "shared secret"
that can be used to bootstrap Keystone through the API. This "token" does not
represent a user (it has no identity), and carries no explicit authorization
(it effectively bypasses most authorization checks). If set to `None`, the
value is ignored and the `admin_token` middleware is effectively disabled.
However, to completely disable `admin_token` in production (highly recommended,
as it presents a security risk), remove `AdminTokenAuthMiddleware`
(the `admin_token_auth` filter) from your paste application pipelines (for
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Constants for use in the keystone.conf package.
These constants are shared by more than one module in the keystone.conf
package.
"""
from keystone.conf import utils
_DEFAULT_AUTH_METHODS = ['external', 'password', 'token', 'oauth1']
_CERTFILE = '/etc/keystone/ssl/certs/signing_cert.pem'
_KEYFILE = '/etc/keystone/ssl/private/signing_key.pem'
_DEPRECATE_PKI_MSG = utils.fmt("""
PKI token support has been deprecated in the M release and will be removed in
the O release. Fernet or UUID tokens are recommended.
""")
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
admin_token = cfg.StrOpt(
'admin_token',
secret=True,
help=utils.fmt("""
Using this feature is *NOT* recommended. Instead, use the `keystone-manage
bootstrap` command. The value of this option is treated as a "shared secret"
that can be used to bootstrap Keystone through the API. This "token" does not
represent a user (it has no identity), and carries no explicit authorization
(it effectively bypasses most authorization checks). If set to `None`, the
value is ignored and the `admin_token` middleware is effectively disabled.
"""))
public_endpoint = cfg.URIOpt(
'public_endpoint',
help=utils.fmt("""
The base public endpoint URL for Keystone that is advertised to clients (NOTE:
this does NOT affect how Keystone listens for connections). Defaults to the
base host URL of the request. For example, if keystone receives a request to
`http://server:5000/v3/users`, then this will option will be automatically
treated as `http://server:5000`. You should only need to set option if either
the value of the base URL contains a path that keystone does not automatically
infer (`/prefix/v3`), or if the endpoint should be found on a different host.
"""))
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import constants
from keystone.conf import utils
methods = cfg.ListOpt(
'methods',
default=constants._DEFAULT_AUTH_METHODS,
help=utils.fmt("""
Allowed authentication methods. Note: You should disable the `external` auth
method if you are currently using federation. External auth and federation
both use the REMOTE_USER variable. Since both the mapped and external plugin
are being invoked to validate attributes in the request environment, it can
cause conflicts.
"""))
password = cfg.StrOpt( # nosec : This is the name of the plugin, not
'password', # a password that needs to be protected.
help=utils.fmt("""
Entry point for the password auth plugin module in the `keystone.auth.password`
namespace. You do not need to set this unless you are overriding keystone's own
password authentication plugin.
"""))
token = cfg.StrOpt(
'token',
help=utils.fmt("""
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt('driver',
default='sql',
help=utils.fmt("""
Entry point for the endpoint policy driver in the `keystone.endpoint_policy`
namespace. Only a `sql` driver is provided by keystone, so there is no reason
to set this unless you are providing a custom entry point.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
driver,
]
def register_opts(conf):
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
def list_opts():
return {GROUP_NAME: ALL_OPTS}
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt('driver',
help=utils.fmt("""
Entrypoint for the resource backend driver in the keystone.resource namespace.
Only an SQL driver is supplied. If a resource driver is not specified, the
assignment driver will choose the resource driver.
"""))
caching = cfg.BoolOpt(
'caching',
default=True,
deprecated_opts=[cfg.DeprecatedOpt('caching', group='assignment')],
help=utils.fmt("""
Toggle for resource caching. This has no effect unless global caching is
enabled.
"""))
cache_time = cfg.IntOpt(
'cache_time',
deprecated_opts=[cfg.DeprecatedOpt('cache_time', group='assignment')],
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt('driver',
default='sql',
help=utils.fmt("""
Entry point for the OAuth backend driver in the `keystone.oauth1` namespace.
Typically, there is no reason to set this option unless you are providing a
custom entry point.
"""))
request_token_duration = cfg.IntOpt('request_token_duration',
min=0,
default=28800,
help=utils.fmt("""
Number of seconds for the OAuth Request Token to remain valid after being
created. This is the amount of time the user has to authorize the token.
Setting this option to zero means that request tokens will last forever.
"""))
access_token_duration = cfg.IntOpt('access_token_duration',
min=0,
default=86400,
from keystone.conf import utils
key_repository = cfg.StrOpt('key_repository',
default='/etc/keystone/fernet-keys/',
help=utils.fmt("""
Directory containing Fernet receipt keys. This directory must exist before
using `keystone-manage fernet_setup` for the first time, must be writable by
the user running `keystone-manage fernet_setup` or `keystone-manage
fernet_rotate`, and of course must be readable by keystone's server process.
The repository may contain keys in one of three states: a single staged key
(always index 0) used for receipt validation, a single primary key (always the
highest index) used for receipt creation and validation, and any number of
secondary keys (all other index values) used for receipt validation. With
multiple keystone nodes, each node must share the same key repository contents,
with the exception of the staged key (index 0). It is safe to run
`keystone-manage fernet_rotate` once on any one node to promote a staged key
(index 0) to be the new primary (incremented from the previous highest index),
and produce a new staged key (a new key with index 0); the resulting repository
can then be atomically replicated to other nodes without any risk of race
conditions (for example, it is safe to run `keystone-manage fernet_rotate` on
host A, wait any amount of time, create a tarball of the directory on host A,
unpack it on host B to a temporary location, and atomically move (`mv`) the
directory into place on host B). Running `keystone-manage fernet_rotate`
*twice* on a key repository without syncing other nodes will result in receipts
that can not be validated by all nodes.
"""))
max_active_keys = cfg.IntOpt('max_active_keys',
default=3,
min=1,
help=utils.fmt("""
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entrypoint for the identity mapping backend driver in the
keystone.identity.id_mapping namespace.
"""))
generator = cfg.StrOpt(
'generator',
default='sha256',
help=utils.fmt("""
Entrypoint for the public ID generator for user and group entities in the
keystone.identity.id_generator namespace. The Keystone identity mapper only
supports generators that produce no more than 64 characters.
"""))
backward_compatible_ids = cfg.BoolOpt(
'backward_compatible_ids',
default=True,
help=utils.fmt("""
# under the License.
import hashlib
import sys
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import constants
from keystone.conf import utils
bind = cfg.ListOpt('bind',
default=[],
help=utils.fmt("""
This is a list of external authentication mechanisms which should add token
binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is
enforced according to the `[token] enforce_token_bind` option.
"""))
enforce_token_bind = cfg.StrOpt(
'enforce_token_bind',
default='permissive',
choices=['disabled', 'permissive', 'strict', 'required'],
help=utils.fmt("""
This controls the token binding enforcement policy on tokens presented to
keystone with token binding metadata (as specified by the `[token] bind`
option). `disabled` completely bypasses token binding validation. `permissive`
and `strict` do not require tokens to have binding metadata (but will validate
it if present), whereas `required` will always demand tokens to having binding
metadata. `permissive` will allow unsupported binding metadata to pass through
without validation (usually to be validated at another time by another
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import constants
from keystone.conf import utils
assertion_expiration_time = cfg.IntOpt(
'assertion_expiration_time',
default=3600,
help=utils.fmt("""
Determines the lifetime for any SAML assertions generated by keystone, using
`NotOnOrAfter` attributes.
"""))
xmlsec1_binary = cfg.StrOpt(
'xmlsec1_binary',
default='xmlsec1',
help=utils.fmt("""
Name of, or absolute path to, the binary to be used for XML signing. Although
only the XML Security Library (`xmlsec1`) is supported, it may have a
non-standard name or path on your system. If keystone cannot find the binary
itself, you may need to install the appropriate package, use this option to
specify an absolute path, or adjust keystone's PATH environment variable.
"""))
certfile = cfg.StrOpt(
'certfile',
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import constants
from keystone.conf import utils
assertion_expiration_time = cfg.IntOpt(
'assertion_expiration_time',
default=3600,
help=utils.fmt("""
Default TTL, in seconds, for any generated SAML assertion created by Keystone.
"""))
xmlsec1_binary = cfg.StrOpt(
'xmlsec1_binary',
default='xmlsec1',
help=utils.fmt("""
Binary to be called for XML signing. Install the appropriate package, specify
absolute path or adjust your PATH environment variable if the binary cannot be
found.
"""))
certfile = cfg.StrOpt(
'certfile',
default=constants._CERTFILE,
help=utils.fmt("""
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
disable_user_account_days_inactive = cfg.IntOpt(
'disable_user_account_days_inactive',
default=None,
min=1,
help=utils.fmt("""
The maximum number of days a user can go without authenticating before being
considered "inactive" and automatically disabled (locked). This feature is
disabled by default; set any value to enable it. This feature depends on the
`sql` backend for the `[identity] driver`. When a user exceeds this threshold
and is considered "inactive", the user's `enabled` attribute in the HTTP API
may not match the value of the user's `enabled` column in the user table.
"""))
lockout_failure_attempts = cfg.IntOpt(
'lockout_failure_attempts',
default=0,
min=0,
help=utils.fmt("""
The maximum number of times that a user can fail to authenticate before the
user account is locked for the number of seconds specified by
`[security_compliance] lockout_duration`. Setting this value to zero (the
default) disables this feature. This feature depends on the `sql` backend for
the `[identity] driver`.
"""))
from oslo_config import cfg
from keystone.conf import constants
from keystone.conf import utils
certfile = cfg.StrOpt(
"certfile",
default=constants._CERTFILE,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt(
"""
Path of the certfile for token signing. For non-production environments, you
may be interested in using `keystone-manage pki_setup` to generate self-signed
certificates.
"""
),
)
keyfile = cfg.StrOpt(
"keyfile",
default=constants._KEYFILE,
deprecated_for_removal=True,
deprecated_reason=constants._DEPRECATE_PKI_MSG,
help=utils.fmt(
"""
Path of the keyfile for token signing.
"""
),
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
jws_public_key_repository = cfg.StrOpt('jws_public_key_repository',
default='/etc/keystone/jws-keys/public',
help=utils.fmt("""
Directory containing public keys for validating JWS token signatures. This
directory must exist in order for keystone's server process to start. It must
also be readable by keystone's server process. It must contain at least one
public key that corresponds to a private key in `keystone.conf [jwt_tokens]
jws_private_key_repository`. This option is only applicable in deployments
issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`.
"""))
jws_private_key_repository = cfg.StrOpt(
'jws_private_key_repository',
default='/etc/keystone/jws-keys/private',
help=utils.fmt("""
Directory containing private keys for signing JWS tokens. This directory must
exist in order for keystone's server process to start. It must also be readable
by keystone's server process. It must contain at least one private key that
corresponds to a public key in `keystone.conf [jwt_tokens]
jws_public_key_repository`. In the event there are multiple private keys in
this directory, keystone will use a key named `private.pem` to sign tokens. In
the future, keystone may support the ability to sign tokens with multiple
private keys. For now, only a key named `private.pem` within this directory is
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATE_KVS_MSG = utils.fmt("""
This option has been deprecated in the O release and will be removed in the P
release. Use oslo.cache instead.
""")
servers = cfg.ListOpt('servers',
default=['localhost:11211'],
deprecated_for_removal=True,
deprecated_reason=_DEPRECATE_KVS_MSG,
deprecated_since=versionutils.deprecated.OCATA,
help=utils.fmt("""
Comma-separated list of memcached servers in the format of
`host:port,host:port` that keystone should use for the `memcache` token
persistence provider and other memcache-backed KVS drivers. This configuration
value is NOT used for intermediary caching between keystone and other backends,
such as SQL and LDAP (for that, see the `[cache]` section). Multiple keystone
servers in the same deployment should use the same set of memcached servers to
ensure that data (such as UUID tokens) created by one node is available to the
key_repository = cfg.StrOpt(
'key_repository',
default='/etc/keystone/fernet-keys/',
help=utils.fmt("""
Directory containing Fernet receipt keys. This directory must exist before
using `keystone-manage fernet_setup` for the first time, must be writable by
the user running `keystone-manage fernet_setup` or `keystone-manage
fernet_rotate`, and of course must be readable by keystone's server process.
The repository may contain keys in one of three states: a single staged key
(always index 0) used for receipt validation, a single primary key (always the
highest index) used for receipt creation and validation, and any number of
secondary keys (all other index values) used for receipt validation. With
multiple keystone nodes, each node must share the same key repository contents,
with the exception of the staged key (index 0). It is safe to run
`keystone-manage fernet_rotate` once on any one node to promote a staged key
(index 0) to be the new primary (incremented from the previous highest index),
and produce a new staged key (a new key with index 0); the resulting repository
can then be atomically replicated to other nodes without any risk of race
conditions (for example, it is safe to run `keystone-manage fernet_rotate` on
host A, wait any amount of time, create a tarball of the directory on host A,
unpack it on host B to a temporary location, and atomically move (`mv`) the
directory into place on host B). Running `keystone-manage fernet_rotate`
*twice* on a key repository without syncing other nodes will result in receipts
that can not be validated by all nodes.
"""))
max_active_keys = cfg.IntOpt(
'max_active_keys',
default=3,
min=1,
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
expiration = cfg.IntOpt('expiration',
default=300,
min=0,
max=86400,
help=utils.fmt("""
The amount of time that a receipt should remain valid (in seconds). This value
should always be very short, as it represents how long a user has to reattempt
auth with the missing auth methods.
"""))
provider = cfg.StrOpt('provider',
default='fernet',
help=utils.fmt("""
Entry point for the receipt provider in the `keystone.receipt.provider`
namespace. The receipt provider controls the receipt construction and
validation operations. Keystone includes just the `fernet` receipt provider for
now. `fernet` receipts do not need to be persisted at all, but require that you
run `keystone-manage fernet_setup` (also see the `keystone-manage
fernet_rotate` command).
"""))
caching = cfg.BoolOpt('caching',
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
enabled = cfg.BoolOpt(
'enabled',
default=True,
deprecated_for_removal=True,
deprecated_reason=utils.fmt("""
The option to enable the OS-ENDPOINT-POLICY API extension has been deprecated
in the M release and will be removed in the O release. The OS-ENDPOINT-POLICY
API extension will be enabled by default.
"""),
help=utils.fmt("""
Enable endpoint-policy functionality, which allows policies to be associated
with either specific endpoints, or endpoints of a given service type.
"""))
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entry point for the endpoint policy driver in the `keystone.endpoint_policy`
namespace. Only a `sql` driver is provided by keystone, so there is no reason
to set this unless you are providing a custom entry point.
"""))
# under the License.
from oslo_config import cfg
from keystone.conf import utils
trusted_issuer = cfg.MultiStrOpt(
'trusted_issuer',
default=[],
help=utils.fmt("""
The list of distinguished names which identify trusted issuers of client
certificates allowed to use X.509 tokenless authorization. If the option is
absent then no certificates will be allowed. The format for the values of a
distinguished name (DN) must be separated by a comma and contain no spaces.
Furthermore, because an individual DN may contain commas, this configuration
option may be repeated multiple times to represent multiple values. For
example, keystone.conf would include two consecutive lines in order to trust
two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack`
and `trusted_issuer = CN=mary,OU=eng,O=abc`.
"""))
protocol = cfg.StrOpt(
'protocol',
default='x509',
help=utils.fmt("""
The federated protocol ID used to represent X.509 tokenless authorization. This
is used in combination with the value of `[tokenless_auth] issuer_attribute` to
find a corresponding federated mapping. In a typical deployment, there is no
reason to change this value.
"""))
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entry point for the federation backend driver in the `keystone.federation`
namespace. Keystone only provides a `sql` driver, so there is no reason to set
this option unless you are providing a custom entry point.
"""))
assertion_prefix = cfg.StrOpt(
'assertion_prefix',
default='',
help=utils.fmt("""
Prefix to use when filtering environment variable names for federated
assertions. Matched variables are passed into the federated mapping engine.
"""))
remote_id_attribute = cfg.StrOpt(
'remote_id_attribute',
help=utils.fmt("""
Value to be used to obtain the entity ID of the Identity Provider from the
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
disable_user_account_days_inactive = cfg.IntOpt(
'disable_user_account_days_inactive',
default=None,
min=1,
help=utils.fmt("""
The maximum number of days a user can go without authenticating before being
considered "inactive" and automatically disabled (locked). This feature is
disabled by default; set any value to enable it. This feature depends on the
`sql` backend for the `[identity] driver`. When a user exceeds this threshold
and is considered "inactive", the user's `enabled` attribute in the HTTP API
may not match the value of the user's `enabled` column in the user table.
"""))
lockout_failure_attempts = cfg.IntOpt('lockout_failure_attempts',
default=None,
min=1,
help=utils.fmt("""
The maximum number of times that a user can fail to authenticate before the
user account is locked for the number of seconds specified by
`[security_compliance] lockout_duration`. This feature is disabled by
default. If this feature is enabled and `[security_compliance]
lockout_duration` is not set, then users may be locked out indefinitely
until the user is explicitly enabled via the API. This feature depends on
the `sql` backend for the `[identity] driver`.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
help=utils.fmt("""
Entrypoint for the resource backend driver in the keystone.resource namespace.
Only an SQL driver is supplied. If a resource driver is not specified, the
assignment driver will choose the resource driver.
"""))
caching = cfg.BoolOpt(
'caching',
default=True,
deprecated_opts=[cfg.DeprecatedOpt('caching', group='assignment')],
help=utils.fmt("""
Toggle for resource caching. This has no effect unless global caching is
enabled.
"""))
cache_time = cfg.IntOpt(
'cache_time',
deprecated_opts=[cfg.DeprecatedOpt('cache_time', group='assignment')],
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
_DEPRECATE_MUTABLE_DOMAIN_IDS = utils.fmt("""
The option to set domain_id_immutable to false has been deprecated in the M
release and will be removed in the O release.
""")
_DEPRECATE_PROXY_SSL = utils.fmt("""
This option has been deprecated in the N release and will be removed in the P
release. Use oslo.middleware.http_proxy_to_wsgi configuration instead.
""")
admin_token = cfg.StrOpt('admin_token',
secret=True,
help=utils.fmt("""
Using this feature is *NOT* recommended. Instead, use the `keystone-manage
bootstrap` command. The value of this option is treated as a "shared secret"
that can be used to bootstrap Keystone through the API. This "token" does not
represent a user (it has no identity), and carries no explicit authorization
(it effectively bypasses most authorization checks). If set to `None`, the
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt(
'driver',
help=utils.fmt("""
Entry point for the resource driver in the `keystone.resource` namespace. Only
a `sql` driver is supplied by keystone. If a resource driver is not specified,
the assignment driver will choose the resource driver to maintain backwards
compatibility with older configuration files.
"""))
caching = cfg.BoolOpt(
'caching',
default=True,
deprecated_opts=[cfg.DeprecatedOpt('caching', group='assignment')],
help=utils.fmt("""
Toggle for resource caching. This has no effect unless global caching is
enabled.
"""))
cache_time = cfg.IntOpt(
'cache_time',
deprecated_opts=[cfg.DeprecatedOpt('cache_time', group='assignment')],
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import sys
from oslo_config import cfg
from oslo_log import versionutils
from keystone.conf import utils
bind = cfg.ListOpt('bind',
default=[],
help=utils.fmt("""
This is a list of external authentication mechanisms which should add token
binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is
enforced according to the `[token] enforce_token_bind` option.
"""))
enforce_token_bind = cfg.StrOpt('enforce_token_bind',
default='permissive',
deprecated_since=versionutils.deprecated.PIKE,
deprecated_for_removal=True,
help=utils.fmt("""
This controls the token binding enforcement policy on tokens presented to
keystone with token binding metadata (as specified by the `[token] bind`
option). `disabled` completely bypasses token binding validation. `permissive`
and `strict` do not require tokens to have binding metadata (but will validate
it if present), whereas `required` will always demand tokens to having binding
metadata. `permissive` will allow unsupported binding metadata to pass through
without validation (usually to be validated at another time by another
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
driver = cfg.StrOpt('driver',
default='sql',
help=utils.fmt("""
Entry point for the application credential backend driver in the
`keystone.application_credential` namespace. Keystone only provides a `sql`
driver, so there is no reason to change this unless you are providing a custom
entry point.
"""))
caching = cfg.BoolOpt('caching',
default=True,
help=utils.fmt("""
Toggle for application credential caching. This has no effect unless global
caching is enabled.
"""))
cache_time = cfg.IntOpt('cache_time',
help=utils.fmt("""
Time to cache application credential data in seconds. This has no effect
unless global caching is enabled.
"""))
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
disable_user_account_days_inactive = cfg.IntOpt(
'disable_user_account_days_inactive',
min=1,
help=utils.fmt("""
The maximum number of days a user can go without authenticating before being
considered "inactive" and automatically disabled (locked). This feature is
disabled by default; set any value to enable it. This feature depends on the
`sql` backend for the `[identity] driver`. When a user exceeds this threshold
and is considered "inactive", the user's `enabled` attribute in the HTTP API
may not match the value of the user's `enabled` column in the user table.
"""))
lockout_failure_attempts = cfg.IntOpt(
'lockout_failure_attempts',
min=1,
help=utils.fmt("""
The maximum number of times that a user can fail to authenticate before the
user account is locked for the number of seconds specified by
`[security_compliance] lockout_duration`. This feature is disabled by
default. If this feature is enabled and `[security_compliance]
lockout_duration` is not set, then users may be locked out indefinitely
until the user is explicitly enabled via the API. This feature depends on
the `sql` backend for the `[identity] driver`.
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
template_file = cfg.StrOpt(
'template_file',
default='default_catalog.templates',
help=utils.fmt("""
Catalog template file name for use with the template catalog backend.
"""))
driver = cfg.StrOpt(
'driver',
default='sql',
help=utils.fmt("""
Entrypoint for the catalog backend driver in the keystone.catalog namespace.
Supplied drivers are kvs, sql, templated, and endpoint_filter.sql
"""))
aching = cfg.BoolOpt(
'caching',
default=True,
help=utils.fmt("""
Toggle for catalog caching. This has no effect unless global caching is