keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

default.py
1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
2 # not use this file except in compliance with the License. You may obtain
3 # a copy of the License at
4 #
5 # http://www.apache.org/licenses/LICENSE-2.0
6 #
7 # Unless required by applicable law or agreed to in writing, software
8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10 # License for the specific language governing permissions and limitations
11 # under the License.
12 
13 from oslo_config import cfg
14 
15 from keystone.conf import utils
16 
17 
# Shared secret consumed by the `admin_token` middleware. As the help text
# states, the value represents no user and effectively bypasses most
# authorization checks, so anyone who learns it can act on the API without
# an identity. `secret=True` asks oslo.config to mask the value when option
# values are logged; it does not protect the configuration file on disk.
# No default is given, so the option is None (middleware disabled) unless an
# operator sets it.
admin_token = cfg.StrOpt(
    'admin_token',
    help=utils.fmt("""
Using this feature is *NOT* recommended. Instead, use the `keystone-manage
bootstrap` command. The value of this option is treated as a "shared secret"
that can be used to bootstrap Keystone through the API. This "token" does not
represent a user (it has no identity), and carries no explicit authorization
(it effectively bypasses most authorization checks). If set to `None`, the
value is ignored and the `admin_token` middleware is effectively disabled.
"""),
    secret=True,
)
29 
# Base URL that Keystone advertises to clients; it has no effect on the
# listening address. With no value set, the help text says the URL is taken
# from the base host URL of each incoming request.
# NOTE(review): behind a proxy or load balancer, confirm which host clients
# end up being told to use when this is left unset.
public_endpoint = cfg.URIOpt(
    'public_endpoint',
    help=utils.fmt("""
The base public endpoint URL for Keystone that is advertised to clients (NOTE:
this does NOT affect how Keystone listens for connections). Defaults to the
base host URL of the request. For example, if keystone receives a request to
`http://server:5000/v3/users`, then this will option will be automatically
treated as `http://server:5000`. You should only need to set option if either
the value of the base URL contains a path that keystone does not automatically
infer (`/prefix/v3`), or if the endpoint should be found on a different host.
"""),
)
41 
# Upper bound on how deeply projects may nest beneath the project acting as
# a domain (that top-level project is not counted). Default: 5.
max_project_tree_depth = cfg.IntOpt(
    'max_project_tree_depth',
    help=utils.fmt("""
Maximum depth of the project hierarchy, excluding the project acting as a
domain at the top of the hierarchy. WARNING: Setting it to a large value may
adversely impact performance.
"""),
    default=5,
)
50 
# Size cap applied to user and project IDs/names (default 64). Token values
# are covered separately by `max_token_size`.
max_param_size = cfg.IntOpt(
    'max_param_size',
    help=utils.fmt("""
Limit the sizes of user & project ID/names.
"""),
    default=64,
)
57 
# NOTE(breton): 255 is the size of the database columns used for ID fields.
# This size is picked so that the tokens can be indexed in-place as opposed to
# being entries in a string table. Thus, this is a performance decision.
#
# Counterpart of `max_param_size` for token values, which are allowed to be
# longer than other identifiers.
max_token_size = cfg.IntOpt(
    'max_token_size',
    help=utils.fmt("""
Similar to `[DEFAULT] max_param_size`, but provides an exception for token
values. With Fernet tokens, this can be set as low as 255.
"""),
    default=255,
)
68 
# Global ceiling on the number of entities returned in one collection
# response. No default is declared, so collections are unbounded until an
# operator sets a value here or in a driver-specific section; the help text
# recommends a limit on larger deployments so that "list everything" calls
# cannot load the system unnecessarily.
list_limit = cfg.IntOpt(
    'list_limit',
    help=utils.fmt("""
The maximum number of entities that will be returned in a collection. This
global limit may be then overridden for a specific driver, by specifying a
list_limit in the appropriate section (for example, `[assignment]`). No limit
is set by default. In larger deployments, it is recommended that you set this
to a reasonable number to prevent operations like listing all users and
projects from placing an unnecessary load on the system.
"""),
)
79 
# Chooses between rejecting and truncating over-long passwords. The default
# (False) truncates silently to the maximum length, so characters beyond
# that length do not contribute to the credential and the user is not told.
# Setting it to True turns the same situation into an HTTP 403 instead.
strict_password_check = cfg.BoolOpt(
    'strict_password_check',
    help=utils.fmt("""
If set to true, strict password length checking is performed for password
manipulation. If a password exceeds the maximum length, the operation will fail
with an HTTP 403 Forbidden error. If set to false, passwords are automatically
truncated to the maximum length.
"""),
    default=False,
)
89 
# Debugging aid that widens what HTTP responses disclose, for example why an
# authentication attempt failed. The extra detail is returned to
# unauthenticated callers as well, which is why the default is False and the
# help text labels the setting insecure.
insecure_debug = cfg.BoolOpt(
    'insecure_debug',
    help=utils.fmt("""
If set to true, then the server will return information in HTTP responses that
may allow an unauthenticated or authenticated user to get more information than
normal, such as additional details about why authentication failed. This may be
useful for debugging but is insecure.
"""),
    default=False,
)
99 
# `publisher_id` stamped on outgoing notifications. No default is declared
# here; per the help text Keystone falls back to the server's host name.
default_publisher_id = cfg.StrOpt(
    'default_publisher_id',
    help=utils.fmt("""
Default `publisher_id` for outgoing notifications. If left undefined, Keystone
will default to using the server's host name.
"""),
)
106 
# Payload format for identity service event notifications. Only `basic` and
# `cadf` are accepted. `cadf` (the default) additionally records the
# initiator of each event, which is what makes it the recommended format for
# audit trails.
notification_format = cfg.StrOpt(
    'notification_format',
    help=utils.fmt("""
Define the notification format for identity service events. A `basic`
notification only has information about the resource being operated on. A
`cadf` notification has the same information, as well as information about the
initiator of the event. The `cadf` option is entirely backwards compatible with
the `basic` option, but is fully CADF-compliant, and is recommended for
auditing use cases.
"""),
    choices=['basic', 'cadf'],
    default='cadf',
)
119 
# Notification topics that Keystone will not emit, written as
# `identity.<resource_type>.<operation>`. The default list opts out of all
# three authentication topics (success, pending, failed), so a deployment
# that relies on notifications to monitor login activity, failed attempts
# included, has to change this option before those events appear.
notification_opt_out = cfg.MultiStrOpt(
    'notification_opt_out',
    help=utils.fmt("""
You can reduce the number of notifications keystone emits by explicitly
opting out. Keystone will not emit notifications that match the patterns
expressed in this list. Values are expected to be in the form of
`identity.<resource_type>.<operation>`. By default, all notifications
related to authentication are automatically suppressed. This field can be
set multiple times in order to opt-out of multiple notification topics. For
example, the following suppresses notifications describing user creation or
successful authentication events:
notification_opt_out=identity.user.create
notification_opt_out=identity.authenticate.success
"""),
    default=[
        "identity.authenticate.success",
        "identity.authenticate.pending",
        "identity.authenticate.failed",
    ],
)
137 
138 
# Group label under which list_opts() reports this module's options.
GROUP_NAME = 'DEFAULT'

# Every option declared in this module, in declaration order. This is the
# list that register_opts() registers and list_opts() returns.
ALL_OPTS = [
    # Bootstrap secret and advertised endpoint.
    admin_token,
    public_endpoint,
    # Size and count limits.
    max_project_tree_depth,
    max_param_size,
    max_token_size,
    list_limit,
    # Password handling and response verbosity.
    strict_password_check,
    insecure_debug,
    # Notifications.
    default_publisher_id,
    notification_format,
    notification_opt_out,
]
153 
154 
def register_opts(conf):
    """Register every option in ``ALL_OPTS`` on *conf*.

    The list is handed to ``conf.register_opts`` without a group argument.
    """
    options = ALL_OPTS
    conf.register_opts(options)
157 
158 
def list_opts():
    """Return a one-entry dict mapping ``GROUP_NAME`` to ``ALL_OPTS``."""
    opts_by_group = {GROUP_NAME: ALL_OPTS}
    return opts_by_group