Diffstat (limited to 'etc/keystone.conf.sample')
-rw-r--r--etc/keystone.conf.sample46
1 files changed, 36 insertions, 10 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 9a36316d..a49a9a5e 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -109,6 +109,11 @@
# delegation and impersonation features can be optionally disabled
# enabled = True
+[os_inherit]
+# role-assignment inheritance to projects from owning domain can be
+# optionally enabled
+# enabled = False
+
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog
@@ -119,23 +124,40 @@
# template_file = default_catalog.templates
[token]
+# Provides token persistence.
# driver = keystone.token.backends.sql.Token
+# Controls the token construction, validation, and revocation operations.
+# Core providers are keystone.token.providers.[pki|uuid].Provider
+# provider =
+
# Amount of time a token should remain valid (in seconds)
# expiration = 86400
+# External auth mechanisms that should add bind information to token.
+# eg kerberos, x509
+# bind =
+
+# Enforcement policy on tokens presented to keystone with bind information.
+# One of disabled, permissive, strict, required or a specifically required bind
+# mode e.g. kerberos or x509 to require binding to that authentication.
+# enforce_token_bind = permissive
+
[policy]
# driver = keystone.policy.backends.sql.Policy
[ec2]
# driver = keystone.contrib.ec2.backends.kvs.Ec2
+[assignment]
+# driver =
+
[ssl]
#enable = True
-#certfile = /etc/keystone/ssl/certs/keystone.pem
-#keyfile = /etc/keystone/ssl/private/keystonekey.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#ca_key = /etc/keystone/ssl/certs/cakey.pem
+#certfile = /etc/keystone/pki/certs/ssl_cert.pem
+#keyfile = /etc/keystone/pki/private/ssl_key.pem
+#ca_certs = /etc/keystone/pki/certs/cacert.pem
+#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
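Review bot: The comment above `enforce_token_bind` lists the modes but does not say what each one does, so an operator cannot tell how much protection the shown default `permissive` gives. As I understand the modes, permissive only checks bind types keystone recognises and ignores the rest; I would add one comment line per mode, for example `# permissive: verify bind types keystone understands, ignore unknown ones` and `# strict: as permissive, but reject tokens carrying an unknown bind type`. The new `[assignment]` section has the same gap: `# driver =` is shown empty with no comment saying what happens when it is left unset. Outside this change, the context line `#key_size = 1024` under `[ssl]` is smaller than the 2048 shown under `[signing]` and is worth aligning in a follow-up.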
@@ -143,11 +165,14 @@
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
[signing]
-#token_format = PKI
-#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-#keyfile = /etc/keystone/ssl/private/signing_key.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#ca_key = /etc/keystone/ssl/certs/cakey.pem
+# Deprecated in favor of provider in the [token] section
+# Allowed values are PKI or UUID
+#token_format =
+
+#certfile = /etc/keystone/pki/certs/signing_cert.pem
+#keyfile = /etc/keystone/pki/private/signing_key.pem
+#ca_certs = /etc/keystone/pki/certs/cacert.pem
+#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#ca_password = None
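Review bot: With `#token_format =` and `# provider =` both shown empty, the sample no longer tells the reader which token format is in effect when neither is set, nor what happens when both are set and disagree. The old line `#token_format = PKI` at least documented the default. I would extend the new comment with something like `# If unset, the provider option in [token] decides; setting both to conflicting values is a configuration error` (wording to be confirmed against the provider-selection code, which is not part of this file). Since the key paths now move to `/etc/keystone/pki/private/`, a comment such as `# private key files should be readable by the keystone service user only` above `#keyfile` would also help.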
@@ -253,7 +278,8 @@
# user_additional_attribute_mapping =
[auth]
-methods = password,token
+methods = external,password,token
+#external = keystone.auth.plugins.external.ExternalDefault
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
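Review bot: The `methods` line is one of the few active settings in this sample, so adding `external` there turns external authentication on for every deployment that copies the file, and nothing explains what that method trusts. As far as I can tell from the plugin name, it accepts an identity already established by the front-end web server, so the sample should state that assumption. I would add above `methods` a comment like `# external trusts the user identity passed in by the web server (REMOTE_USER); remove it from methods unless the front end authenticates requests and keystone is not reachable directly`. It would also help to note that the commented `#external = ...ExternalDefault` line shows the default plugin rather than disabling the method.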