
Member "keystone-17.0.0/keystone/conf/default.py" (13 May 2020, 5966 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:



    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_config import cfg
   14 
   15 from keystone.conf import utils
   16 
   17 
# SECURITY: a static shared secret, not a real token. Per the help text it
# represents no user and effectively bypasses most authorization checks, so
# knowing the value is enough to act on the API without an account.
# No `default=` is passed here; the help text says a `None` value leaves the
# `admin_token` middleware effectively disabled.
# `secret=True` asks oslo.config to obfuscate the value when option values are
# logged. It does not protect the value where it is stored, so access to the
# configuration source still has to be restricted.
admin_token = cfg.StrOpt(
    "admin_token",
    help=utils.fmt("""
Using this feature is *NOT* recommended. Instead, use the `keystone-manage
bootstrap` command. The value of this option is treated as a "shared secret"
that can be used to bootstrap Keystone through the API. This "token" does not
represent a user (it has no identity), and carries no explicit authorization
(it effectively bypasses most authorization checks). If set to `None`, the
value is ignored and the `admin_token` middleware is effectively disabled.
"""),
    secret=True,
)
   29 
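# Base URL that Keystone advertises to clients; it has no effect on the
# address Keystone listens on. No `default=` is passed: per the help text, an
# unset value means the base URL is taken from each incoming request.
# NOTE(review): a request-derived base URL presumably follows whatever host
# the request carried, so deployments behind a proxy or load balancer may
# prefer to pin this explicitly - confirm against how the request URL is
# resolved.
# The help text below fixes two wording slips ("this will option will be",
# "set option if"); its meaning is unchanged.
public_endpoint = cfg.URIOpt(
    'public_endpoint',
    help=utils.fmt("""
The base public endpoint URL for Keystone that is advertised to clients (NOTE:
this does NOT affect how Keystone listens for connections). Defaults to the
base host URL of the request. For example, if keystone receives a request to
`http://server:5000/v3/users`, then this option will be automatically
treated as `http://server:5000`. You should only need to set this option if
either the value of the base URL contains a path that keystone does not
automatically infer (`/prefix/v3`), or if the endpoint should be found on a
different host.
"""))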
   41 
# Caps how deep project nesting may go; the project acting as a domain at the
# top is not counted. The help text warns that large values may hurt
# performance.
# NOTE(review): no `min=`/`max=` bound is declared on this option, so any
# range checking has to happen where the value is consumed.
max_project_tree_depth = cfg.IntOpt(
    "max_project_tree_depth",
    help=utils.fmt("""
Maximum depth of the project hierarchy, excluding the project acting as a
domain at the top of the hierarchy. WARNING: Setting it to a large value may
adversely impact performance.
"""),
    default=5,
)
   50 
# Upper bound (default 64) on the size of user and project IDs and names.
# NOTE(review): this file only declares the option; where and how the limit
# is enforced on incoming values is not visible here. No `min=` bound is
# declared either.
max_param_size = cfg.IntOpt(
    "max_param_size",
    help=utils.fmt("""
Limit the sizes of user & project ID/names.
"""),
    default=64,
)
   57 
# NOTE(breton): 255 is the size of the database columns used for ID fields.
# This size is picked so that the tokens can be indexed in-place as opposed to
# being entries in a string table. Thus, this is a performance decision.
#
# Separate size limit for token values, which are exempt from
# `[DEFAULT] max_param_size`. The help text states that 255 is the floor for
# Fernet tokens; nothing in this declaration enforces a lower bound.
max_token_size = cfg.IntOpt(
    "max_token_size",
    help=utils.fmt("""
Similar to `[DEFAULT] max_param_size`, but provides an exception for token
values. With Fernet tokens, this can be set as low as 255.
"""),
    default=255,
)
   68 
# Global cap on the number of entities returned in a collection.
# No `default=` is passed, and the help text confirms that no limit applies
# unless an operator sets one - so out of the box a single list call (all
# users, all projects) is unbounded. Setting a limit is the documented way to
# keep such calls from placing unnecessary load on the system. A driver
# section (for example `[assignment]`) may override the global value.
list_limit = cfg.IntOpt(
    "list_limit",
    help=utils.fmt("""
The maximum number of entities that will be returned in a collection. This
global limit may be then overridden for a specific driver, by specifying a
list_limit in the appropriate section (for example, `[assignment]`). No limit
is set by default. In larger deployments, it is recommended that you set this
to a reasonable number to prevent operations like listing all users and
projects from placing an unnecessary load on the system.
"""),
)
   79 
# SECURITY: with the default (False) an over-length password is not rejected
# but truncated to the maximum length, which presumably means the characters
# past that limit play no part in later verification - confirm against the
# password handling code. Setting this to true makes such operations fail with
# HTTP 403 Forbidden instead of silently shortening the secret.
# The maximum length itself is not defined in this file.
strict_password_check = cfg.BoolOpt(
    "strict_password_check",
    help=utils.fmt("""
If set to true, strict password length checking is performed for password
manipulation. If a password exceeds the maximum length, the operation will fail
with an HTTP 403 Forbidden error. If set to false, passwords are automatically
truncated to the maximum length.
"""),
    default=False,
)
   89 
# SECURITY: leave this False outside of a debugging session. When true, HTTP
# responses carry more information than normal - the help text names the
# reason an authentication attempt failed as an example - and that extra
# detail goes to unauthenticated callers as well as authenticated ones.
insecure_debug = cfg.BoolOpt(
    "insecure_debug",
    help=utils.fmt("""
If set to true, then the server will return information in HTTP responses that
may allow an unauthenticated or authenticated user to get more information than
normal, such as additional details about why authentication failed. This may be
useful for debugging but is insecure.
"""),
    default=False,
)
   99 
# `publisher_id` stamped on outgoing notifications. No `default=` is passed;
# per the help text Keystone falls back to the server's host name when this is
# left undefined.
default_publisher_id = cfg.StrOpt(
    "default_publisher_id",
    help=utils.fmt("""
Default `publisher_id` for outgoing notifications. If left undefined, Keystone
will default to using the server's host name.
"""),
)
  106 
# Format of identity service event notifications; only the two listed choices
# are accepted. The default, `cadf`, adds information about the initiator of
# the event on top of the resource information that `basic` carries, which is
# why the help text recommends it for auditing.
notification_format = cfg.StrOpt(
    "notification_format",
    help=utils.fmt("""
Define the notification format for identity service events. A `basic`
notification only has information about the resource being operated on. A
`cadf` notification has the same information, as well as information about the
initiator of the event. The `cadf` option is entirely backwards compatible with
the `basic` option, but is fully CADF-compliant, and is recommended for
auditing use cases.
"""),
    choices=["basic", "cadf"],
    default="cadf",
)
  119 
# Notification patterns that Keystone will not emit.
# SECURITY / detection: the default list suppresses all three authentication
# outcomes (success, pending, failed). A deployment that relies on Keystone
# notifications to spot bursts of failed logins or to audit sign-ins receives
# none of them until this default is overridden.
notification_opt_out = cfg.MultiStrOpt(
    "notification_opt_out",
    help=utils.fmt("""
You can reduce the number of notifications keystone emits by explicitly
opting out. Keystone will not emit notifications that match the patterns
expressed in this list. Values are expected to be in the form of
`identity.<resource_type>.<operation>`. By default, all notifications
related to authentication are automatically suppressed. This field can be
set multiple times in order to opt-out of multiple notification topics. For
example, the following suppresses notifications describing user creation or
successful authentication events:
notification_opt_out=identity.user.create
notification_opt_out=identity.authenticate.success
"""),
    default=[
        "identity.authenticate.success",
        "identity.authenticate.pending",
        "identity.authenticate.failed",
    ],
)
  137 
  138 
# Group name used as the key of the mapping returned by list_opts().
GROUP_NAME = "DEFAULT"

# Every option declared in this module, in declaration order. register_opts()
# and list_opts() both hand out this same list object.
ALL_OPTS = [
    # bootstrap and endpoint advertisement
    admin_token,
    public_endpoint,
    # size, depth and listing limits
    max_project_tree_depth,
    max_param_size,
    max_token_size,
    list_limit,
    # security-sensitive toggles
    strict_password_check,
    insecure_debug,
    # notifications
    default_publisher_id,
    notification_format,
    notification_opt_out,
]
  153 
  154 
def register_opts(conf):
    """Register every option in ALL_OPTS on *conf*.

    The list is handed to ``conf.register_opts`` as its only argument; no
    group is passed, and nothing is returned.
    """
    opts = ALL_OPTS
    conf.register_opts(opts)
  157 
  158 
def list_opts():
    """Return the module's options keyed by their group name.

    The result is a new single-entry dict mapping GROUP_NAME to ALL_OPTS. The
    value is the ALL_OPTS list itself, not a copy.
    """
    opts_by_group = {}
    opts_by_group[GROUP_NAME] = ALL_OPTS
    return opts_by_group