Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

7.3. New, updated and deprecated options in Kilo for OpenStack Identity

Table 7.37. New options

Option = default value (Type) Help string
[DEFAULT] executor_thread_pool_size = 64 (IntOpt) Size of executor thread pool.
[DEFAULT] host = 127.0.0.1 (StrOpt) Host to locate redis.
[DEFAULT] password = (StrOpt) Password for Redis server (optional).
[DEFAULT] port = 6379 (IntOpt) Use this port to connect to redis host.
[DEFAULT] rpc_conn_pool_size = 30 (IntOpt) Size of RPC connection pool.
[DEFAULT] rpc_poll_timeout = 1 (IntOpt) The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
[DEFAULT] rpc_zmq_all_req_rep = True (BoolOpt) Use REQ/REP pattern for all methods CALL/CAST/FANOUT.
[DEFAULT] rpc_zmq_concurrency = eventlet (StrOpt) Type of concurrency used. Either "native" or "eventlet"
[DEFAULT] watch_log_file = False (BoolOpt) (Optional) Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log-file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
[DEFAULT] zmq_use_broker = True (BoolOpt) Shows whether zmq-messaging uses broker or not.
[cors] allow_credentials = True (BoolOpt) Indicate that the actual request can include user credentials
[cors] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma (ListOpt) Indicate which header field names may be used during the actual request.
[cors] allow_methods = GET, POST, PUT, DELETE, OPTIONS (ListOpt) Indicate which methods can be used during the actual request.
[cors] allowed_origin = None (StrOpt) Indicate whether this resource may be shared with the domain received in the requests "origin" header.
[cors] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma (ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
[cors] max_age = 3600 (IntOpt) Maximum cache age of CORS preflight requests.
[cors.subdomain] allow_credentials = True (BoolOpt) Indicate that the actual request can include user credentials
[cors.subdomain] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma (ListOpt) Indicate which header field names may be used during the actual request.
[cors.subdomain] allow_methods = GET, POST, PUT, DELETE, OPTIONS (ListOpt) Indicate which methods can be used during the actual request.
[cors.subdomain] allowed_origin = None (StrOpt) Indicate whether this resource may be shared with the domain received in the requests "origin" header.
[cors.subdomain] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma (ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
[cors.subdomain] max_age = 3600 (IntOpt) Maximum cache age of CORS preflight requests.
[endpoint_policy] enabled = True (BoolOpt) Enable endpoint_policy functionality.
[keystone_authtoken] region_name = None (StrOpt) The region in which the identity server can be found.
[oslo_messaging_amqp] password = (StrOpt) Password for message broker authentication
[oslo_messaging_amqp] sasl_config_dir = (StrOpt) Path to directory that contains the SASL configuration
[oslo_messaging_amqp] sasl_config_name = (StrOpt) Name of configuration file (without .conf suffix)
[oslo_messaging_amqp] sasl_mechanisms = (StrOpt) Space separated list of acceptable SASL mechanisms
[oslo_messaging_amqp] username = (StrOpt) User name for message broker authentication
[oslo_messaging_qpid] send_single_reply = False (BoolOpt) Send a single AMQP reply to call message. The current behavior since oslo-incubator is to send two AMQP replies - first one with the payload, a second one to ensure the other has finished to send the payload. We are going to remove it in the N release, but we must keep backward compatible at the same time. This option provides such compatibility - it defaults to False in Liberty and can be turned on for early adopters with new installations or for testing. This option will be removed in the Mitaka release.
[oslo_messaging_rabbit] kombu_reconnect_timeout = 60 (IntOpt) How long to wait before considering a reconnect attempt to have failed. This value should not be longer than rpc_response_timeout.
[oslo_messaging_rabbit] send_single_reply = False (BoolOpt) Send a single AMQP reply to call message. The current behavior since oslo-incubator is to send two AMQP replies - first one with the payload, a second one to ensure the other has finished to send the payload. We are going to remove it in the N release, but we must keep backward compatible at the same time. This option provides such compatibility - it defaults to False in Liberty and can be turned on for early adopters with new installations or for testing. This option will be removed in the Mitaka release.
[oslo_middleware] secure_proxy_ssl_header = X-Forwarded-Proto (StrOpt) The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by an SSL termination proxy.
[tokenless_auth] issuer_attribute = SSL_CLIENT_I_DN (StrOpt) The issuer attribute that is served as an IdP ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. It is the environment variable in the WSGI environment that references to the issuer of the client certificate.
[tokenless_auth] protocol = x509 (StrOpt) The protocol name for the X.509 tokenless authorization along with the option issuer_attribute below can look up its corresponding mapping.
[tokenless_auth] trusted_issuer = [] (MultiStrOpt) The list of trusted issuers to further filter the certificates that are allowed to participate in the X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The naming format for the attributes of a Distinguished Name(DN) must be separated by a comma and contain no spaces. This configuration option may be repeated for multiple values. For example: trusted_issuer=CN=john,OU=keystone,O=openstack trusted_issuer=CN=mary,OU=eng,O=abc

Table 7.38. New default values

Option Previous default value New default value
[DEFAULT] crypt_strength 40000 10000
[DEFAULT] default_log_levels amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN
[DEFAULT] logging_exception_prefix %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
[DEFAULT] rpc_zmq_matchmaker local redis
[DEFAULT] use_syslog_rfc_format False True
[DEFAULT] verbose False True
[auth] external keystone.auth.plugins.external.DefaultDomain None
[auth] oauth1 keystone.auth.plugins.oauth1.OAuth None
[auth] password keystone.auth.plugins.password.Password None
[auth] token keystone.auth.plugins.token.Token None
[catalog] driver keystone.catalog.backends.sql.Catalog sql
[credential] driver keystone.credential.backends.sql.Credential sql
[domain_config] driver keystone.resource.config_backends.sql.DomainConfig sql
[endpoint_filter] driver keystone.contrib.endpoint_filter.backends.sql.EndpointFilter sql
[endpoint_policy] driver keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy sql
[federation] driver keystone.contrib.federation.backends.sql.Federation sql
[identity] driver keystone.identity.backends.sql.Identity sql
[identity_mapping] driver keystone.identity.mapping_backends.sql.Mapping sql
[identity_mapping] generator keystone.identity.id_generators.sha256.Generator sha256
[ldap] user_attribute_ignore default_project_id, tenants default_project_id
[matchmaker_redis] password None
[oauth1] driver keystone.contrib.oauth1.backends.sql.OAuth1 sql
[oslo_messaging_rabbit] heartbeat_timeout_threshold 0 60
[policy] driver keystone.policy.backends.sql.Policy sql
[revoke] driver keystone.contrib.revoke.backends.sql.Revoke sql
[token] driver keystone.token.persistence.backends.sql.Token sql
[token] provider keystone.token.providers.uuid.Provider uuid
[trust] driver keystone.trust.backends.sql.Trust sql

Table 7.39. Deprecated options

Deprecated option New Option
[DEFAULT] use_syslog None
[DEFAULT] log_format None
[DEFAULT] rpc_thread_pool_size [DEFAULT] executor_thread_pool_size