# Copyright 2021 Canonical Ltd.
| 2 | # |
| 3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 4 | # not use this file except in compliance with the License. You may obtain |
| 5 | # a copy of the License at |
| 6 | # |
| 7 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | # |
| 9 | # Unless required by applicable law or agreed to in writing, software |
| 10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | # License for the specific language governing permissions and limitations |
| 13 | # under the License. |
| 14 | # |
| 15 | # For those usages not covered by the Apache License, Version 2.0 please |
| 16 | # contact: legal@canonical.com |
| 17 | |
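# Configuration options of the service: each entry declares a type, a
# description shown to the operator and a default value.
options:
  region-id:
    type: string
    description: Region ID to be created when starting the service
    default: RegionOne
  # The credential defaults below (admin/admin, nbi/nbi) are placeholders so
  # the service can start; set real values at deploy time instead of relying
  # on them, and keep real values out of committed configuration.
  keystone-db-password:
    type: string
    description: Keystone DB Password
    default: admin
  admin-username:
    type: string
    description: Admin username to be created when starting the service
    default: admin
  admin-password:
    type: string
    description: Admin password to be created when starting the service
    default: admin
  admin-project:
    type: string
    description: Admin project to be created when starting the service
    default: admin
  service-username:
    type: string
    description: Service Username to be created when starting the service
    default: nbi
  service-password:
    type: string
    description: Service Password to be created when starting the service
    default: nbi
  service-project:
    type: string
    description: Service Project to be created when starting the service
    default: service
  user-domain-name:
    type: string
    description: User domain name (Hardcoded in the container start.sh script)
    default: default
  project-domain-name:
    type: string
    description: |
      Project domain name (Hardcoded in the container start.sh script)
    default: default
  token-expiration:
    type: int
    description: Token keys expiration in seconds
    default: 3600
  # LDAP identity backend (presumably only read when ldap-enabled is true —
  # confirm against the consuming code).
  ldap-enabled:
    type: boolean
    description: Boolean to enable/disable LDAP authentication
    default: false
  ldap-authentication-domain-name:
    type: string
    description: Name of the domain which use LDAP authentication
    default: ""
  # An ldap:// URL is cleartext unless ldap-use-starttls is also set; use
  # ldaps:// or StartTLS so the bind credentials are not sent unprotected.
  ldap-url:
    type: string
    description: URL of the LDAP server
    default: "ldap://localhost"
  ldap-bind-user:
    type: string
    description: User to bind and search for users
    default: ""
  # Stored as an ordinary config value; treat it like any other secret and
  # protect the transport it is sent over (see ldap-url / ldap-use-starttls).
  ldap-bind-password:
    type: string
    description: Password to bind and search for users
    default: ""
  ldap-chase-referrals:
    type: string
    description: |
      Sets keystone’s referral chasing behavior across directory partitions.
      If left unset, the system’s default behavior will be used.
    default: ""
  ldap-page-size:
    type: int
    description: |
      Defines the maximum number of results per page that keystone should
      request from the LDAP server when listing objects. A value of zero (0)
      disables paging.
    default: 0
  ldap-user-tree-dn:
    type: string
    description: |
      Root of the tree in LDAP server in which Keystone will search for users
    default: ""
  ldap-user-objectclass:
    type: string
    description: |
      LDAP object class that Keystone will filter on within user_tree_dn to
      find user objects. Any objects of other classes will be ignored.
    default: inetOrgPerson
  ldap-user-id-attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. The LDAP attribute chosen for
      user_id must be something that is immutable for a user and no more than
      64 characters in length. Notice that Distinguished Name (DN) may be
      longer than 64 characters and thus is not suitable. An uid, or mail may
      be appropriate.
    default: cn
  ldap-user-name-attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. This option selects the LDAP
      attribute that Keystone maps to the user name.
    default: sn
  ldap-user-pass-attribute:
    type: string
    description: |
      This set of options define the mapping to LDAP attributes for the three
      key user attributes supported by Keystone. This option selects the LDAP
      attribute that Keystone maps to the user password.
    default: userPassword
  ldap-user-filter:
    type: string
    description: |
      This filter option allow additional filter (over and above
      user_objectclass) to be included into the search of user. One common use
      of this is to provide more efficient searching, where the recommended
      search for user objects is (&(objectCategory=person)(objectClass=user)).
      By specifying user_objectclass as user and user_filter as
      objectCategory=person in the Keystone configuration file, this can be
      achieved.
    default: ""
  ldap-user-enabled-attribute:
    type: string
    description: |
      In Keystone, a user entity can be either enabled or disabled. Setting
      the above option will give a mapping to an equivalent attribute in LDAP,
      allowing your LDAP management tools to disable a user.
    default: enabled
  ldap-user-enabled-mask:
    type: int
    description: |
      Some LDAP schemas, rather than having a dedicated attribute for user
      enablement, use a bit within a general control attribute (such as
      userAccountControl) to indicate this. Setting user_enabled_mask will
      cause Keystone to look at only the status of this bit in the attribute
      specified by user_enabled_attribute, with the bit set indicating the
      user is enabled.
    default: 0
  # Declared as a string so the value is passed through as text (the quoted
  # "true" default stays a string rather than becoming a YAML boolean).
  ldap-user-enabled-default:
    type: string
    description: |
      Most LDAP servers use a boolean or bit in a control field to indicate
      enablement. However, some schemas might use an integer value in an
      attribute. In this situation, set user_enabled_default to the integer
      value that represents a user being enabled.
    default: "true"
  ldap-user-enabled-invert:
    type: boolean
    description: |
      Some LDAP schemas have an “account locked” attribute, which is the
      equivalent to account being “disabled.” In order to map this to the
      Keystone enabled attribute, you can utilize the user_enabled_invert
      setting in conjunction with user_enabled_attribute to map the lock
      status to disabled in Keystone.
    default: false
  ldap-group-objectclass:
    type: string
    description: The LDAP object class to use for groups.
    default: groupOfNames
  ldap-group-tree-dn:
    type: string
    description: The search base to use for groups.
    default: ""
  # Off by default: the LDAP connection is unencrypted unless this is enabled
  # (or ldap-url itself points at an ldaps:// endpoint).
  ldap-use-starttls:
    type: boolean
    description: |
      Enable Transport Layer Security (TLS) for providing a secure connection
      from Keystone to LDAP (StartTLS, not LDAPS).
    default: false
  ldap-tls-cacert-base64:
    type: string
    description: |
      CA certificate in Base64 format (if you have the PEM file, text inside
      "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
    default: ""
  # "never" and "allow" accept a missing or unverified server certificate and
  # so leave the connection open to an impersonating LDAP server; keep the
  # "demand" default outside of test environments.
  ldap-tls-req-cert:
    type: string
    description: |
      Defines how the certificates are checked for validity in the client
      (i.e., Keystone end) of the secure connection (this doesn’t affect what
      level of checking the server is doing on the certificates it receives
      from Keystone). Possible values are "demand", "never", and "allow". The
      default of demand means the client always checks the certificate and
      will drop the connection if it is not provided or invalid. never is the
      opposite—it never checks it, nor requires it to be provided. allow means
      that if it is not provided then the connection is allowed to continue,
      but if it is provided it will be checked—and if invalid, the connection
      will be dropped.
    default: demand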
| 217 | mysql-uri: |
| 218 | type: string |
| 219 | description: | |
| 220 | Mysql URI with the following format: |
| 221 | mysql://<user>:<password>@<mysql_host>:<mysql_port>/<database> |