Diffstat (limited to 'etc/keystone.conf.sample')
-rw-r--r-- | etc/keystone.conf.sample | 46 |
1 files changed, 36 insertions, 10 deletions
diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index 9a36316d..a49a9a5e 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -109,6 +109,11 @@
 # delegation and impersonation features can be optionally disabled
 # enabled = True
 
+[os_inherit]
+# role-assignment inheritance to projects from owning domain can be
+# optionally enabled
+# enabled = False
+
 [catalog]
 # dynamic, sql-based backend (supports API/CLI-based management commands)
 # driver = keystone.catalog.backends.sql.Catalog
@@ -119,23 +124,40 @@
 # template_file = default_catalog.templates
 
 [token]
+# Provides token persistence.
 # driver = keystone.token.backends.sql.Token
 
+# Controls the token construction, validation, and revocation operations.
+# Core providers are keystone.token.providers.[pki|uuid].Provider
+# provider =
+
 # Amount of time a token should remain valid (in seconds)
 # expiration = 86400
 
+# External auth mechanisms that should add bind information to token.
+# eg kerberos, x509
+# bind =
+
+# Enforcement policy on tokens presented to keystone with bind information.
+# One of disabled, permissive, strict, required or a specifically required bind
+# mode e.g. kerberos or x509 to require binding to that authentication.
+# enforce_token_bind = permissive
+
 [policy]
 # driver = keystone.policy.backends.sql.Policy
 
 [ec2]
 # driver = keystone.contrib.ec2.backends.kvs.Ec2
 
+[assignment]
+# driver =
+
 [ssl]
 #enable = True
-#certfile = /etc/keystone/ssl/certs/keystone.pem
-#keyfile = /etc/keystone/ssl/private/keystonekey.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#ca_key = /etc/keystone/ssl/certs/cakey.pem
+#certfile = /etc/keystone/pki/certs/ssl_cert.pem
+#keyfile = /etc/keystone/pki/private/ssl_key.pem
+#ca_certs = /etc/keystone/pki/certs/cacert.pem
+#ca_key = /etc/keystone/pki/private/cakey.pem
 #key_size = 1024
 #valid_days = 3650
 #ca_password = None
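Review bot: The new `enforce_token_bind` comment in the [token] hunk (`@@ -119,23 +124,40 @@`) lists the accepted values but not what separates them, and the sample default `permissive` is the one a deployer most needs explained. As I understand the option, permissive checks a bind only when the server recognises its type and otherwise ignores it, strict rejects a token whose bind type is unknown, and required refuses tokens that carry no bind at all; a one-line description per value above the key would say that (confirm the wording against the implementation). Separately, the [ssl] block touched by this hunk still shows `#key_size = 1024` while [signing] uses 2048; `#key_size = 2048` would keep the sample from suggesting a 1024-bit RSA key.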
@@ -143,11 +165,14 @@
 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
 
 [signing]
-#token_format = PKI
-#certfile = /etc/keystone/ssl/certs/signing_cert.pem
-#keyfile = /etc/keystone/ssl/private/signing_key.pem
-#ca_certs = /etc/keystone/ssl/certs/ca.pem
-#ca_key = /etc/keystone/ssl/certs/cakey.pem
+# Deprecated in favor of provider in the [token] section
+# Allowed values are PKI or UUID
+#token_format =
+
+#certfile = /etc/keystone/pki/certs/signing_cert.pem
+#keyfile = /etc/keystone/pki/private/signing_key.pem
+#ca_certs = /etc/keystone/pki/certs/cacert.pem
+#ca_key = /etc/keystone/pki/private/cakey.pem
 #key_size = 2048
 #valid_days = 3650
 #ca_password = None
@@ -253,7 +278,8 @@
 # user_additional_attribute_mapping =
 
 [auth]
-methods = password,token
+methods = external,password,token
+#external = keystone.auth.plugins.external.ExternalDefault
 password = keystone.auth.plugins.password.Password
 token = keystone.auth.plugins.token.Token
 
|
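Review bot: In the [signing] hunk (`@@ -143,11 +165,14 @@`) the sample value for `token_format` changes from `PKI` to empty, so the file no longer shows which format is in effect when neither it nor `provider` in [token] is set, and nothing says which of the two wins if both are present. A comment such as `# Leave unset and use provider in [token]; if both are set they are expected to agree` would cover it, assuming that is how the code resolves the two settings, which should be confirmed against the provider-selection logic.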
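Review bot: The [auth] hunk (`@@ -253,7 +278,8 @@`) turns `external` on in the active `methods` line without saying what it trusts. External authentication accepts the identity the hosting web server reports (REMOTE_USER), so it is only sound when that front end actually authenticates the request; add above the key `# external trusts REMOTE_USER set by the web server; remove it from methods unless the front end authenticates users`. The plugin line is also inconsistent with its neighbours: `#external = keystone.auth.plugins.external.ExternalDefault` is commented out while `password` and `token` are not, so either uncomment it or state that it is the built-in default.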