Keystone (Juno) main configuration file keystone.conf explained


    This article walks through the whole keystone.conf configuration file of the Icehouse release of keystone. Because it approaches the file from the angle of the services keystone provides and the infrastructure it depends on, the [DEFAULT] section is split across many sub-blocks.

    API configuration

    [DEFAULT]

    admin_bind_host = 0.0.0.0

    (StrOpt) IP address the admin service listens on

    admin_endpoint = None

    (StrOpt) URL of the keystone admin endpoint advertised to other services

    admin_port = 35357

    (IntOpt) Port the admin service listens on

    admin_token = ADMIN

    (StrOpt) Administrator token; it is recommended to disable it in production (for example by removing AdminTokenAuthMiddleware from keystone-paste.ini)

    compute_port = 8774

    (IntOpt) Port the compute service listens on

    domain_id_immutable = True

    (BoolOpt) Whether users, groups and projects can be moved between domains by changing their domain_id

    list_limit = None

    (IntOpt) Limits the maximum number of entries returned in a response

    max_param_size = 64

    (IntOpt) Maximum length of a user/tenant ID or name

    max_request_body_size = 114688

    (IntOpt) Maximum request body size, enforced by the optional size-limiting middleware keystone.middleware:RequestBodySizeLimiter

    max_token_size = 8192

    (IntOpt) Length limit applied specifically to tokens

    member_role_id

    (StrOpt)

    member_role_name = _member_

    public_bind_host = 0.0.0.0

    (StrOpt) IP address the public service listens on

    public_endpoint = None

    (StrOpt) URL of the keystone public endpoint advertised to other services

    public_port = 5000

    (IntOpt) Port the public service listens on

    tcp_keepalive = False

    (BoolOpt) Switch controlling whether TCP_KEEPALIVE is enabled on server-side sockets

    tcp_keepidle = 600

    (IntOpt) TCP_KEEPIDLE value set on each server socket when the previous option is True

    [endpoint_filter]

    driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

    (StrOpt) Backend driver for endpoint filtering

    return_all_endpoints_if_no_filter = True

    (BoolOpt) Whether to return all active endpoints when no filter exists

    [paste_deploy]

    config_file = keystone-paste.ini

    (StrOpt) Name of the paste configuration file

    Debugging configuration

    [DEFAULT]

    backdoor_port = None

    (StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

    debug = False

    (BoolOpt) Print debugging output, setting the log level to DEBUG instead of the default WARNING level

    disable_process_locking = False

    (BoolOpt) Whether to disable inter-process locking

    fatal_deprecation = False

    (BoolOpt) Make deprecations fatal

    publish_errors = False

    (BoolOpt) Publish error events

    pydev_debug_host = None

    (StrOpt) Host to connect to for the remote debugger

    pydev_debug_port = None

    (IntOpt) Port to connect to for the remote debugger

    standard_threads = False

    (BoolOpt) Do not monkey-patch the system's threading module

    [audit]

    namespace = openstack

    (StrOpt) Namespace prefix for generated IDs

    EC2 configuration

    [DEFAULT]

    keystone_ec2_cafile = None

    (StrOpt) PEM-encoded CA used to verify HTTPS connections; defaults to the system CAs

    keystone_ec2_certfile = None

    (StrOpt) Client certificate file; required if the EC2 server requires client certificate authentication

    keystone_ec2_insecure = False

    (BoolOpt) Whether to disable SSL certificate verification; False keeps verification enabled, True disables it (insecure)

    keystone_ec2_keyfile = None

    (StrOpt) Client key file; required if the EC2 server requires client certificate authentication

    keystone_ec2_url = http://localhost:5000/v2.0/ec2tokens

    (StrOpt) URL used to obtain a token from an EC2 request

    [ec2]

    driver = keystone.contrib.ec2.backends.kvs.Ec2

    (StrOpt) Keystone EC2Credential backend driver

    Miscellaneous configuration

    [DEFAULT]

    lock_path = None

    (StrOpt) Directory where lock files are stored

    Notification configuration

    [DEFAULT]

    onready = None

    (StrOpt) Lets a process send a notification once it is ready. For systemd notification, for example, set this to the shell command "systemd-notify --ready" or to a module with a notify() method, such as keystone.common.systemd

    Policy configuration

    [DEFAULT]

    policy_default_rule = default

    (StrOpt) Rule enforced when the requested rule does not exist

    policy_file = policy.json

    (StrOpt) JSON file containing the access control policy

    [policy]

    driver = keystone.policy.backends.sql.Policy

    (StrOpt) Keystone policy backend driver

    list_limit = None

    (IntOpt) Maximum number of policies returned in a collection

    Password security configuration

    [DEFAULT]

    CRYPT_STRENGTH = 40000

    (IntOpt) Passed as the "rounds" keyword to the passlib hashing method

    SSL configuration

    [signing]

    ca_certs = /etc/keystone/ssl/certs/ca.pem

    (StrOpt) Path to the CA used for token signing

    ca_key = /etc/keystone/ssl/private/cakey.pem

    (StrOpt) Path to the CA key used for token signing

    cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

    (StrOpt) Certificate Subject used for token signing

    certfile = /etc/keystone/ssl/certs/signing_cert.pem

    (StrOpt) Certificate file used for token signing

    key_size = 2048

    (IntOpt) Key size (in bits) of the token signing certificate

    keyfile = /etc/keystone/ssl/private/signing_key.pem

    (StrOpt) Path to the token signing key file

    token_format = None

    (StrOpt) Deprecated; use the provider option in the [token] section instead

    valid_days = 3650

    (IntOpt) Validity period of the token signing certificate

    [ssl]

    ca_certs = /etc/keystone/ssl/certs/ca.pem

    (StrOpt) Path to the CA certificate file used for SSL

    ca_key = /etc/keystone/ssl/private/cakey.pem

    (StrOpt) Path to the CA key file used for SSL

    cert_required = False

    (BoolOpt) Require client certificates

    cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

    (StrOpt) SSL Certificate Subject

    certfile = /etc/keystone/ssl/certs/keystone.pem

    (StrOpt) Path to the SSL certificate

    enable = False

    (BoolOpt) Switch controlling whether the keystone eventlet server supports SSL

    key_size = 1024

    (IntOpt) SSL key length (in bits)

    keyfile = /etc/keystone/ssl/private/keystonekey.pem

    (StrOpt) Path to the SSL key file

    valid_days = 3650

    (IntOpt) Validity period of the certificate

    RPC configuration

    [DEFAULT]

    allowed_rpc_exception_modules = oslo.messaging.exceptions, nova.exception, cinder.exception, exceptions

    (ListOpt) Modules of exceptions that are permitted to be recreated upon receiving exception data from an rpc call.

    AMQP configuration

    [DEFAULT]

    amqp_auto_delete = False

    (BoolOpt) Auto-delete queues in amqp

    amqp_durable_queues = False

    (BoolOpt) Use durable queues in amqp

    control_exchange = openstack

    (StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

    default_publisher_id = None

    (StrOpt) Default publisher_id for outgoing notifications

    notification_driver = []

    (MultiStrOpt) Driver or drivers to handle sending notifications.

    notification_topics = notifications

    (ListOpt) AMQP topic used for OpenStack notifications

    rpc_backend = rabbit

    (StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.

    rpc_cast_timeout = 30

    (IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

    rpc_conn_pool_size = 30

    (IntOpt) Size of RPC connection pool

    rpc_response_timeout = 60

    (IntOpt) Seconds to wait for a response from a call.

    rpc_thread_pool_size = 64

    (IntOpt) Size of RPC greenthread pool.

    transport_url = None

    (StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration

    Qpid configuration

    [DEFAULT]

    qpid_heartbeat = 60

    (IntOpt) Seconds between connection keepalive heartbeats.

    qpid_hostname = localhost

    (StrOpt) Qpid broker hostname.

    qpid_hosts = $qpid_hostname:$qpid_port

    (ListOpt) Qpid HA cluster host:port pairs.

    qpid_password =

    (StrOpt) Password for Qpid connection.

    qpid_port = 5672

    (IntOpt) Qpid broker port.

    qpid_protocol = tcp

    (StrOpt) Transport to use, either 'tcp' or 'ssl'.

    qpid_sasl_mechanisms =

    (StrOpt) Space separated list of SASL mechanisms to use for auth.

    qpid_tcp_nodelay = True

    (BoolOpt) Whether to disable the Nagle algorithm

    qpid_topology_version = 1

    (IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

    qpid_username =

    (StrOpt) Username for the Qpid connection

    RabbitMQ configuration

     

    [DEFAULT]

     

    fake_rabbit = False

    (BoolOpt) If passed, use a fake RabbitMQ provider.

    kombu_reconnect_delay = 1.0

    (FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification

    kombu_ssl_ca_certs =

    (StrOpt) SSL certification authority file (valid only if SSL enabled)

    kombu_ssl_certfile =

    (StrOpt) SSL cert file (valid only if SSL enabled)

    kombu_ssl_keyfile =

    (StrOpt) SSL key file (valid only if SSL enabled)

    kombu_ssl_version =

    (StrOpt) SSL version to use (valid only if SSL enabled). valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions

    rabbit_ha_queues = False

    (BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

    rabbit_host = localhost

    (StrOpt)The RabbitMQ broker address where a single node is used.

    rabbit_hosts = $rabbit_host:$rabbit_port

    (ListOpt)RabbitMQ HA cluster host:port pairs.

    rabbit_login_method = AMQPLAIN

    (StrOpt)the RabbitMQ login method

    rabbit_max_retries = 0

    (IntOpt)Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

    rabbit_password = guest

    (StrOpt)The RabbitMQ password

    rabbit_port = 5672

    (IntOpt)The RabbitMQ broker port where a single node is used.

    rabbit_retry_backoff = 2

    (IntOpt)How long to backoff for between retries when connecting to RabbitMQ

    rabbit_retry_interval = 1

    (IntOpt)How frequently to retry connecting with RabbitMQ

    rabbit_use_ssl = False

    (BoolOpt) Connect over SSL for RabbitMQ

    rabbit_userid = guest

    (StrOpt) RabbitMQ user id

    rabbit_virtual_host = /

    (StrOpt) RabbitMQ virtual host

    ZeroMQ configuration

     

    [DEFAULT]

     

    rpc_zmq_bind_address = *

    (StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

    rpc_zmq_contexts = 1

    (IntOpt) Number of ZeroMQ contexts, defaults to 1

    rpc_zmq_host = oslo

    (StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

    rpc_zmq_ipc_dir = /var/run/openstack

    (StrOpt) Directory for holding IPC sockets

    rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

    (StrOpt) MatchMaker driver

    rpc_zmq_port = 9501

    (IntOpt) ZeroMQ receiver listening port

    rpc_zmq_topic_backlog = None

    (IntOpt)Maximum number of ingress messages to locally buffer per topic. Default is unlimited

    Redis configuration

     

    [DEFAULT]

     

    host = 127.0.0.1

    (StrOpt) Host to locate redis

    matchmaker_heartbeat_freq = 300

    (IntOpt) Heartbeat frequency

    matchmaker_heartbeat_ttl = 600

    (IntOpt) Heartbeat time-to-live

    password = None

    (StrOpt) Password for Redis server (optional).

    port = 6379

    (IntOpt) Use this port to connect to redis host

    [matchmaker_ring]

     

    ringfile = /etc/oslo/matchmaker_ring.json

    (StrOpt) Matchmaker ring file (JSON).

    Logging configuration

     

    [DEFAULT]

     

    default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN

    (ListOpt)List of logger=LEVEL pairs

    instance_format = "[instance: %(uuid)s] "

    (StrOpt)If an instance is passed with the log message, format it like this

    instance_uuid_format = "[instance: %(uuid)s] "

    (StrOpt)If an instance UUID is passed with the log message, format it like this

    log_config_append = None

    (StrOpt)The name of logging configuration file. It does not disable existing loggers, but just appends specified logging configuration to any other existing logging options. Please see the Python logging module documentation for details on logging configuration files.

    log_date_format = %Y-%m-%d %H:%M:%S

    (StrOpt)Format string for %%(asctime)s in log records. Default: %(default)s

    log_dir = None

    (StrOpt) (Optional) The base directory used for relative -- log-file paths

    log_file = None

    (StrOpt)(Optional) Name of log file to output to. If no default is set, logging will go to stdout.

    log_format = None

    (StrOpt)DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.

    logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

    (StrOpt) Format string to use for log messages with context

    logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

    (StrOpt) Data to append to log format when level is DEBUG

    logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

    (StrOpt) Format string to use for log messages without context

    logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

    (StrOpt) Prefix each line of exception output with this format

    syslog_log_facility = LOG_USER

    (StrOpt) Syslog facility to receive log lines

    use_stderr = True

    (BoolOpt) Log output to standard error

    use_syslog = False

    (BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and then will be changed in J to honor RFC5424

    use_syslog_rfc_format = False

    (BoolOpt) (Optional) Use syslog rfc5424 format for logging. If enabled, will add APP-NAME (RFC5424) before the MSG part of the syslog message. The old format without APP-NAME is deprecated in I, and will be removed in J.

    verbose = False

    (BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).
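    The format strings above are easier to read once rendered. The following Python snippet is an added example, not code from this page or from oslo.log: it feeds the default values of logging_context_format_string, logging_default_format_string, logging_debug_format_suffix, instance_format and log_date_format to the standard logging module, chooses the context format when a request_id is attached to the record and appends the debug suffix for DEBUG records (an assumption about how the options combine, reduced to what their descriptions say). The logger name, path, line number and messages are constructed sample values.

```python
import logging

# Default values quoted above (the page shows them wrapped across lines).
CONTEXT_FMT = ("%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s "
               "[%(request_id)s %(user_identity)s] %(instance)s%(message)s")
DEFAULT_FMT = ("%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s "
               "[-] %(instance)s%(message)s")
DEBUG_SUFFIX = "%(funcName)s %(pathname)s:%(lineno)d"   # logging_debug_format_suffix
INSTANCE_FMT = "[instance: %(uuid)s] "                  # instance_format
DATE_FMT = "%Y-%m-%d %H:%M:%S"                          # log_date_format


def make_record(level, msg, request_id=None, user_identity=None, instance_uuid=None):
    """Build a LogRecord the way a request handler would: request_id and
    user_identity ride along as extra attributes, and the instance field is
    pre-rendered with INSTANCE_FMT (or left empty). Logger name, pathname,
    line number and function name are constructed sample values."""
    record = logging.LogRecord(
        name="keystone.token", level=level, pathname="/opt/keystone/token.py",
        lineno=42, msg=msg, args=(), exc_info=None, func="validate_token")
    record.instance = INSTANCE_FMT % {"uuid": instance_uuid} if instance_uuid else ""
    if request_id is not None:
        record.request_id = request_id
        record.user_identity = user_identity or "-"
    return record


def format_record(record):
    """Select the context or no-context format string for the record and,
    for DEBUG records, append logging_debug_format_suffix (assumption: a
    reduced re-implementation of what the option descriptions imply, not
    oslo.log's own ContextFormatter)."""
    fmt = CONTEXT_FMT if getattr(record, "request_id", None) else DEFAULT_FMT
    if record.levelno == logging.DEBUG:
        fmt = fmt + " " + DEBUG_SUFFIX
    return logging.Formatter(fmt, DATE_FMT).format(record)


def demo_lines():
    """One rendered line of each shape the options above produce."""
    return [
        format_record(make_record(logging.INFO, "token validated",
                                  request_id="req-abc", user_identity="user1 proj1")),
        format_record(make_record(logging.WARNING, "token validated")),
        format_record(make_record(logging.DEBUG, "token validated",
                                  request_id="req-abc", user_identity="user1 proj1")),
        format_record(make_record(logging.INFO, "token validated", instance_uuid="vm-1")),
    ]


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

    Note the trailing space in instance_format: it is what separates the "[instance: ...]" tag from the message, because the context format strings place %(instance)s directly before %(message)s.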

    The remaining sections are described below

     

    [assignment]

    driver

    (StrOpt) Assignment backend driver

    caching

    (BoolOpt) Cache assignment data; has no effect unless global caching is enabled

    cache_time

    (IntOpt) Time (in seconds) to cache assignment data; has no effect unless global caching is enabled

    list_limit

    (IntOpt) Maximum number of entries in a returned assignment collection

    [auth]

    methods

    (ListOpt) Default authentication methods

    password

    (StrOpt) Password authentication plugin module

    token

    (StrOpt) Token authentication plugin module

    external

    (StrOpt) External (REMOTE_USER) authentication plugin module

    [cache]

    backend

    (StrOpt) Dogpile.cache backend module; dogpile.cache.memcache or dogpile.cache.redis is recommended for production deployments, and the dogpile.cache.memory backend can be used for small workloads

    backend_argument

    (MultiStrOpt) Arguments passed to the dogpile.cache backend module, in the format "name:value"

    config_prefix

    (StrOpt) Prefix used when building the configuration dictionary for the cache region; the default does not need to be changed unless another dogpile.cache region has the same configuration name

    debug_cache_backend

    (BoolOpt) Extra cache backend debugging, normally False

    enabled

    (BoolOpt) Global cache switch

    expiration_time

    (IntOpt) Default expiration time (in seconds) for the dogpile.cache region, applied to any cached item that does not explicitly specify its own expiration time

    proxies

    (ListOpt) Proxy classes that can be imported to affect how the dogpile.cache backend works

    use_key_mangler

    (BoolOpt) Use a key-mangling function (such as SHA-1) to ensure cache keys have a uniform length; True is recommended

    [catalog]

    Keystone provides two kinds of catalog service, one database-based and one file-based; they use different drivers and cannot be mixed.

    template_file = default_catalog.templates

    (StrOpt) Specifies the catalog template file

    driver = keystone.catalog.backends.sql.Catalog

    (StrOpt) Catalog backend driver; keystone.catalog.backends.templated.Catalog is the other choice

    list_limit = None

    (IntOpt) Maximum number of catalog entries returned in one collection

    [credential]

    driver

    (StrOpt) Credential backend driver

    [database]

    sqlite_db

    (StrOpt) File name to use with SQLite

    backend

    (StrOpt) Backend used for the database

    connection

    (StrOpt) SQLAlchemy connection string for connecting to the given database

    slave_connection

    mysql_sql_mode

    (StrOpt) SQL mode used by MySQL sessions; this setting overrides the one configured on the database server. To use the database server's own SQL mode, leave this empty

    idle_timeout

    (IntOpt) Interval after which idle SQL connections are recycled

    min_pool_size

    (IntOpt) Minimum size of the connection pool

    max_pool_size

    (IntOpt) Maximum size of the connection pool

    max_retries

    (IntOpt) Maximum number of database connection retries during startup; -1 means retry forever

    retry_interval

    (IntOpt) Interval between retries when opening the SQL connection at startup

    max_overflow

    (IntOpt) Corresponds to max_overflow in sqlalchemy

    connection_debug

    (IntOpt) Verbosity of SQL debugging information; 0 reports nothing, 100 reports everything

    connection_trace

    (BoolOpt) Add the Python stack trace to the SQL as a comment

    pool_timeout

    (IntOpt) Corresponds to pool_timeout in sqlalchemy

    use_db_reconnect

    (BoolOpt) Enable the experimental database reconnect on connection loss

    db_retry_interval

    (IntOpt) Database reconnect interval (in seconds)

    db_inc_retry_interval

    (BoolOpt) Whether to increase the interval between database reconnect retries

    db_max_retry_interval

    (IntOpt) Upper bound of the increasing reconnect interval

    db_max_retries

    (IntOpt) Maximum number of database connection retries (-1 for unlimited)

    [federation]

    assertion_prefix

    (StrOpt) Value used to filter assertion parameters from the environment

    driver

    (StrOpt) Keystone federation backend driver

    [identity]

    default_domain_id

    (StrOpt) Domain used by all Identity API v2 requests; reserved to support v2 users and cannot be deleted through the v3 API

    domain_config_dir

    (StrOpt) Directory keystone uses to locate domain-specific identity configuration files when the next option is True

    domain_specific_drivers_enabled

    (BoolOpt) Whether a subset of domains may have their own identity driver

    driver

    (StrOpt) Keystone Identity backend driver

    list_limit

    (IntOpt) Maximum number of entries the keystone server returns

    max_password_length

    (IntOpt) Maximum length of a user password

    [kvs]

    backends

    (ListOpt) Extra dogpile.cache backend modules

    config_prefix

    (StrOpt) Prefix used when building the configuration dictionary for the KVS region; changing the default is not recommended unless another dogpile.cache region has the same configuration name

    default_lock_timeout

    (IntOpt) Timeout for distributed locking

    enable_key_mangler

    (BoolOpt) Recommended to be True; same as use_key_mangler in [cache]

    [memcache]

    max_compare_and_set_retry

    (IntOpt) Number of attempts made when using compare-and-set with the token memcache backend

    servers

    (ListOpt) Memcache servers in "host:port" format

    [oauth1]

    access_token_duration

    (IntOpt) Lifetime of an OAuth access token (in seconds)

    driver

    (StrOpt) Keystone credential backend driver

    request_token_duration

    (IntOpt) Lifetime of an OAuth request token (in seconds)

    [os_inherit]

    enabled

    (BoolOpt) Inheriting role assignments from the owning domain to its projects can optionally be enabled

    [revoke]

    caching

    (BoolOpt) Whether to cache revocation events; only effective when global caching is enabled

    driver

    (StrOpt) Backend driver implementing persistent revocation events

    expiration_buffer

    (IntOpt) Value (in seconds) added to a token's expiration time before a revocation event is removed from the backend

    [stats]

    driver

    (StrOpt) Keystone stats backend driver

    [token]

    bind

    (ListOpt) External authentication mechanisms to bind tokens to, such as kerberos or x.509

    cache_time

    (IntOpt) Time (in seconds) to cache tokens

    caching

    (BoolOpt) Whether to cache tokens; only effective when global caching is enabled

    driver

    (StrOpt) Token persistence backend driver

    enforce_token_bind

    (StrOpt) Enforcement policy for token bind information provided to keystone; valid values are disabled, permissive, strict, required, or a specifically required bind mode such as kerberos or x.509

    expiration

    (IntOpt) Token validity period (in seconds)

    provider

    (StrOpt) Controls token construction, validation and revocation; providers include pki and uuid

    revocation_cache_time

    (IntOpt) Time (in seconds) to cache the revocation list and, once the revocation extension is enabled, revocation events. Has no effect unless global caching is enabled

    revoke_by_id

    (BoolOpt) Revoke tokens by token ID. Setting this to True allows various forms of enumerating tokens. It is recommended to disable it only when the revocation extension is in use and the backend driver is not KVS.

    [trust]

    driver

    (StrOpt) Trust backend driver

    enabled

    (BoolOpt) Whether to enable delegation and impersonation

    [LDAP]

     

    alias_dereferencing = default

     (StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.

    allow_subtree_delete = False

     (BoolOpt) allow deleting subtrees.

    chase_referrals = None

     (BoolOpt) Override the system's default referral chasing behavior for queries.

    dumb_member = cn=dumb,dc=nonexistent

     (StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.

    group_additional_attribute_mapping =

     (ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.

     group_allow_create = True

     (BoolOpt) Allow group creation in LDAP backend.

    group_allow_delete = True

     (BoolOpt) Allow group deletion in LDAP backend

    group_allow_update = True

     (BoolOpt) Allow group update in LDAP backend

    group_attribute_ignore =

     (ListOpt) List of attributes stripped off the group on update.

    group_desc_attribute = description

     (StrOpt) LDAP attribute mapped to group description

    group_filter = None

     (StrOpt) LDAP search filter for groups

    group_id_attribute = cn

     (StrOpt) LDAP attribute mapped to group id.

     group_member_attribute = member

     (StrOpt) LDAP attribute mapped to show group membership.

    group_name_attribute = ou

     (StrOpt) LDAP attribute mapped to group name.

    group_objectclass = groupOfNames

     (StrOpt) LDAP objectClass for groups.

    group_tree_dn = None

     (StrOpt) Search base for groups.

    page_size = 0

     (IntOpt) Maximum results per page; a value of zero ("0") disables paging

    password = None

     (StrOpt) Password for the BindDN to query the LDAP server.

    query_scope = one

     (StrOpt) The LDAP scope for queries, this can be either "one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).

    role_additional_attribute_mapping =

     (ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute

    role_allow_create = True

     (BoolOpt) Allow role creation in LDAP backend.

    role_allow_delete = True

     (BoolOpt) Allow role deletion in LDAP backend.

    role_allow_update = True

     (BoolOpt) Allow role update in LDAP backend.

    role_attribute_ignore =

     (ListOpt) List of attributes stripped off the role on update.

    role_filter = None

     (StrOpt) LDAP search filter for roles.

     role_id_attribute = cn

     (StrOpt) LDAP attribute mapped to role id.

    role_member_attribute = roleOccupant

     (StrOpt) LDAP attribute mapped to role membership.

    role_name_attribute = ou

     (StrOpt) LDAP attribute mapped to role name.

    role_objectclass = organizationalRole

     (StrOpt) LDAP objectClass for roles.

    role_tree_dn = None

     (StrOpt) Search base for roles.

    suffix = cn=example,cn=com

     (StrOpt) LDAP server suffix

    tenant_additional_attribute_mapping =

     (ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.

    tenant_allow_create = True

     (BoolOpt) Allow tenant creation in LDAP backend.

    tenant_allow_delete = True

     (BoolOpt) Allow tenant deletion in LDAP backend.

    tenant_allow_update = True

     (BoolOpt) Allow tenant update in LDAP backend.

    tenant_attribute_ignore =

     (ListOpt) List of attributes stripped off the project on update.

    tenant_desc_attribute = description

     (StrOpt) LDAP attribute mapped to project description.

    tenant_domain_id_attribute = businessCategory

     (StrOpt) LDAP attribute mapped to project domain_id.

    tenant_enabled_attribute = enabled

     (StrOpt) LDAP attribute mapped to project enabled

    tenant_enabled_emulation = False

     (BoolOpt) If True, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "tenant_enabled_emulation_dn" group.

    tenant_enabled_emulation_dn = None

     (StrOpt) DN of the group entry to hold enabled projects when using enabled emulation.

    tenant_filter = None

     (StrOpt) LDAP search filter for projects.

    tenant_id_attribute = cn

     (StrOpt) LDAP attribute mapped to project id.

    tenant_member_attribute = member

     (StrOpt) LDAP attribute mapped to project membership for user.

    tenant_name_attribute = ou

     (StrOpt) LDAP attribute mapped to project name.

    tenant_objectclass = groupOfNames

     (StrOpt) LDAP objectClass for projects.

    tenant_tree_dn = None

     (StrOpt) Search base for projects

    tls_cacertdir = None

     (StrOpt) CA certificate directory path for communicating with LDAP servers.

    tls_cacertfile = None

     (StrOpt) CA certificate file path for communicating with LDAP servers.

    tls_req_cert = demand

    (StrOpt) valid options for tls_req_cert are demand, never, and allow.

    url = ldap://localhost

     (StrOpt) URL for connecting to the LDAP server

    use_dumb_member = False

     (BoolOpt) If true, will add a dummy member to groups. This is required if the objectclass for groups requires the "member" attribute.

    use_tls = False

     (BoolOpt) Enable TLS for communicating with LDAP servers.

    user = None

     (StrOpt) User BindDN to query the LDAP server.

    user_additional_attribute_mapping =

     (ListOpt) Additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute.

    user_allow_create = True

     (BoolOpt) Allow user creation in LDAP backend

    user_allow_delete = True

     (BoolOpt) Allow user deletion in LDAP backend

    user_allow_update = True

     (BoolOpt) Allow user updates in LDAP backend

    user_attribute_ignore = default_project_id, tenants

     (ListOpt) List of attributes stripped off the user on update

    user_default_project_id_attribute = None

     (StrOpt) LDAP attribute mapped to default_project_id for users.

    user_enabled_attribute = enabled

     (StrOpt) LDAP attribute mapped to user enabled flag

    user_enabled_default = True

     (StrOpt) Default value to enable users. This should match an appropriate int value if the LDAP server uses nonboolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to "True" the typical value is "512". This is typically used when "user_enabled_attribute = userAccountControl".

    user_enabled_emulation = False

     (BoolOpt) If True, Keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the "user_enabled_emulation_dn" group.

    user_enabled_emulation_dn = None

     (StrOpt) DN of the group entry to hold enabled users when using enabled emulation.

    user_enabled_mask = 0

     (IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set to "0" the typical value is "2". This is typically used when "user_enabled_attribute = userAccountControl".
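    The interaction of user_enabled_attribute, user_enabled_default and user_enabled_mask is easy to get backwards: in bitmask mode the masked bit being set means the account is disabled, not enabled. The Python below is an added example, not keystone's LDAP backend code, that decodes the attribute in both modes and builds the value to write back; treating a missing attribute as user_enabled_default, and the write-back rule, are assumptions of this example.

```python
from typing import Optional

# Values the option descriptions above call typical for Active Directory's
# userAccountControl (constructed constants, named after the [ldap] options).
USER_ENABLED_MASK = 2          # user_enabled_mask: bit 2 set means "disabled"
USER_ENABLED_DEFAULT = "512"   # user_enabled_default: NORMAL_ACCOUNT, no disable bit


def ldap_user_enabled(raw: Optional[str], enabled_mask: int = 0,
                      enabled_default: str = "True") -> bool:
    """Decode the value read from user_enabled_attribute.

    With enabled_mask == 0 the attribute is a boolean string. With a non-zero
    mask it is an integer and the user is DISABLED when the masked bit is set,
    so 512 is enabled and 514 (512 | 2) is disabled. A missing attribute falls
    back to enabled_default (assumption for this example; in mask mode the
    default must therefore be an integer string such as "512")."""
    value = raw if raw is not None else enabled_default
    if enabled_mask:
        return (int(value) & enabled_mask) != enabled_mask
    return str(value).strip().lower() == "true"


def ldap_enabled_attr_value(enabled: bool, current: Optional[str],
                            enabled_mask: int = 0,
                            enabled_default: str = "True") -> str:
    """Inverse direction: the attribute value to write when enabling or
    disabling a user. In mask mode only the masked bit changes, so the other
    userAccountControl bits are preserved (assumption: the mirror image of the
    decode rule above, not keystone's own write path)."""
    if enabled_mask:
        value = int(current) if current is not None else int(enabled_default)
        value = value & ~enabled_mask if enabled else value | enabled_mask
        return str(value)
    return "TRUE" if enabled else "FALSE"


if __name__ == "__main__":
    for raw in ("512", "514", None):
        print(raw, "->", ldap_user_enabled(raw, USER_ENABLED_MASK, USER_ENABLED_DEFAULT))
    print("disable 512 ->", ldap_enabled_attr_value(False, "512", USER_ENABLED_MASK, USER_ENABLED_DEFAULT))
```

    With user_enabled_mask = 0 the same functions handle the plain boolean case, which is why user_enabled_default defaults to "True" rather than to a number.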

    user_filter = None

     (StrOpt) LDAP search filter for users.

    user_id_attribute = cn

     (StrOpt) LDAP attribute mapped to user id.

    user_mail_attribute = email

     (StrOpt) LDAP attribute mapped to user email.

    user_name_attribute = sn

     (StrOpt) LDAP attribute mapped to user name.

    user_objectclass = inetOrgPerson

     (StrOpt) LDAP objectClass for users.

    user_pass_attribute = userPassword

     (StrOpt) LDAP attribute mapped to password.

    user_tree_dn = None

     (StrOpt) Search base for users.
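    Several options on this page are flagged in their own descriptions as risky in production: admin_token (remove AdminTokenAuthMiddleware), debug, keystone_ec2_insecure, the guest RabbitMQ credentials, [ssl] enable and its 1024-bit default key_size, and the [ldap] url/use_tls/tls_req_cert trio. The Python below is an added example, not keystone tooling, that reads a keystone.conf with the standard configparser module and reports those settings; both configuration excerpts are constructed for the example, and the ldaps:// scheme and the thresholds used are this example's assumptions rather than anything the page prescribes.

```python
import configparser
from typing import List, Optional, Tuple

# Constructed keystone.conf excerpt that keeps the weak settings discussed above.
WEAK_CONF = """
[DEFAULT]
admin_token = ADMIN
debug = True
keystone_ec2_insecure = True
rabbit_userid = guest
rabbit_password = guest
[ssl]
enable = False
key_size = 1024
[ldap]
url = ldap://ldap.example.test
use_tls = False
tls_req_cert = allow
"""

# The same excerpt with each finding addressed (also constructed).
HARDENED_CONF = """
[DEFAULT]
admin_token =
debug = False
keystone_ec2_insecure = False
rabbit_userid = keystone
rabbit_password = REPLACE_WITH_BROKER_SECRET
[ssl]
enable = True
key_size = 2048
[ldap]
url = ldaps://ldap.example.test
use_tls = False
tls_req_cert = demand
"""

Finding = Tuple[str, str, str]  # (section, option, reason)


def _section(cfg: configparser.ConfigParser, wanted: str) -> Optional[str]:
    """Match section names case-insensitively: this page writes [LDAP],
    keystone's shipped file uses [ldap]."""
    if wanted.upper() == "DEFAULT":
        return cfg.default_section
    return next((s for s in cfg.sections() if s.lower() == wanted.lower()), None)


def _get(cfg, section, option, fallback=None):
    name = _section(cfg, section)
    return fallback if name is None else cfg.get(name, option, fallback=fallback)


def _getbool(cfg, section, option, fallback=False):
    name = _section(cfg, section)
    return fallback if name is None else cfg.getboolean(name, option, fallback=fallback)


def audit_keystone_conf(text: str) -> List[Finding]:
    """Return the risky settings found in keystone.conf text, in file order."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    found: List[Finding] = []
    if _get(cfg, "DEFAULT", "admin_token"):
        found.append(("DEFAULT", "admin_token",
                      "set; clear it and remove AdminTokenAuthMiddleware from keystone-paste.ini"))
    if _getbool(cfg, "DEFAULT", "debug"):
        found.append(("DEFAULT", "debug", "DEBUG logging enabled"))
    if _getbool(cfg, "DEFAULT", "keystone_ec2_insecure"):
        found.append(("DEFAULT", "keystone_ec2_insecure", "certificate verification disabled"))
    if "guest" in (_get(cfg, "DEFAULT", "rabbit_userid"), _get(cfg, "DEFAULT", "rabbit_password")):
        found.append(("DEFAULT", "rabbit_userid/rabbit_password", "default guest credentials"))
    if not _getbool(cfg, "ssl", "enable"):
        found.append(("ssl", "enable", "eventlet server without SSL; needs a TLS terminator in front"))
    # A missing key_size means the 1024-bit default listed above is in effect.
    if int(_get(cfg, "ssl", "key_size", fallback="1024")) < 2048:
        found.append(("ssl", "key_size", "shorter than the 2048-bit signing key"))
    if _section(cfg, "ldap") is not None:
        url = _get(cfg, "ldap", "url", fallback="ldap://localhost")
        use_tls = _getbool(cfg, "ldap", "use_tls")
        if url.startswith("ldap://") and not use_tls:
            found.append(("ldap", "use_tls", "bind password sent in clear text (ldap:// without use_tls)"))
        if use_tls and _get(cfg, "ldap", "tls_req_cert", fallback="demand") != "demand":
            found.append(("ldap", "tls_req_cert", "server certificate not verified; use demand"))
    return found


if __name__ == "__main__":
    for section, option, reason in audit_keystone_conf(WEAK_CONF):
        print(f"[{section}] {option}: {reason}")
    print("hardened findings:", audit_keystone_conf(HARDENED_CONF))
```

    Because configparser copies [DEFAULT] values into every section, the checks read only options that belong to the section they query; the case-insensitive section lookup lets the same script run against a file that spells the section [LDAP] as this page does.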
     
    Original article: https://www.cnblogs.com/Security-Darren/p/3837895.html