Gitiles
Code Review Sign In
osm.etsi.org / osm / devops / refs/heads/sol006v331 / . / installers / charm / keystone / config.yaml
blob: 2a54a3d96344cc383a2adc1fb008fc8b61ecdd84 [file] [log] [blame]
David Garcia009a5d62020-08-27 16:53:44 +0200[diff] [blame]1# Copyright 2020 Canonical Ltd.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14options:
David Garcia009a5d62020-08-27 16:53:44 +0200[diff] [blame]15 max_file_size:
16 type: int
17 description: |
18 The maximum file size, in megabytes.
19
20 If there is a reverse proxy in front of Keystone, it may
21 need to be configured to handle the requested size.
22 default: 5
23 ingress_whitelist_source_range:
24 type: string
25 description: |
26 A comma-separated list of CIDRs to store in the
27 ingress.kubernetes.io/whitelist-source-range annotation.
28
29 This can be used to lock down access to
30 Keystone based on source IP address.
31 default: ""
32 tls_secret_name:
33 type: string
34 description: TLS Secret name
35 default: ""
36 site_url:
37 type: string
38 description: Ingress URL
39 default: ""
David Garcia009a5d62020-08-27 16:53:44 +0200[diff] [blame]40 region_id:
41 type: string
42 description: Region ID to be created when starting the service
43 default: RegionOne
44 keystone_db_password:
45 type: string
46 description: Keystone DB Password
47 default: admin
48 admin_username:
49 type: string
50 description: Admin username to be created when starting the service
51 default: admin
52 admin_password:
53 type: string
54 description: Admin password to be created when starting the service
55 default: admin
56 admin_project:
57 type: string
58 description: Admin project to be created when starting the service
59 default: admin
60 service_username:
61 type: string
62 description: Service Username to be created when starting the service
63 default: nbi
64 service_password:
65 type: string
66 description: Service Password to be created when starting the service
67 default: nbi
68 service_project:
69 type: string
70 description: Service Project to be created when starting the service
71 default: service
72 user_domain_name:
73 type: string
74 description: User domain name (Hardcoded in the container start.sh script)
75 default: default
76 project_domain_name:
77 type: string
78 description: |
79 Project domain name (Hardcoded in the container start.sh script)
80 default: default
sousaedu738bf6f2020-10-10 00:25:26 +0100[diff] [blame]81 token_expiration:
82 type: int
83 description: Token keys expiration in seconds
84 default: 172800
sousaedu126a4432020-09-23 13:28:25 +0100[diff] [blame]85 ldap_enabled:
86 type: boolean
87 description: Boolean to enable/disable LDAP authentication
88 default: false
89 ldap_authentication_domain_name:
90 type: string
91 description: Name of the domain which use LDAP authentication
92 default: ""
93 ldap_url:
94 type: string
95 description: URL of the LDAP server
96 default: "ldap://localhost"
97 ldap_bind_user:
98 type: string
99 description: User to bind and search for users
100 default: ""
101 ldap_bind_password:
102 type: string
103 description: Password to bind and search for users
104 default: ""
sousaedu0be373d2020-10-20 01:06:32 +0100[diff] [blame]105 ldap_chase_referrals:
106 type: string
107 description: |
108 Sets keystone’s referral chasing behavior across directory partitions.
109 If left unset, the system’s default behavior will be used.
110 default: ""
111 ldap_page_size:
112 type: int
113 description: |
114 Defines the maximum number of results per page that keystone should
115 request from the LDAP server when listing objects. A value of zero (0)
116 disables paging.
117 default: 0
sousaedu126a4432020-09-23 13:28:25 +0100[diff] [blame]118 ldap_user_tree_dn:
119 type: string
120 description: |
121 Root of the tree in LDAP server in which Keystone will search for users
122 default: ""
123 ldap_user_objectclass:
124 type: string
125 description: |
126 LDAP object class that Keystone will filter on within user_tree_dn to
127 find user objects. Any objects of other classes will be ignored.
128 default: inetOrgPerson
129 ldap_user_id_attribute:
130 type: string
131 description: |
132 This set of options define the mapping to LDAP attributes for the three
133 key user attributes supported by Keystone. The LDAP attribute chosen for
134 user_id must be something that is immutable for a user and no more than
135 64 characters in length. Notice that Distinguished Name (DN) may be
136 longer than 64 characters and thus is not suitable. An uid, or mail may
137 be appropriate.
138 default: cn
139 ldap_user_name_attribute:
140 type: string
141 description: |
142 This set of options define the mapping to LDAP attributes for the three
143 key user attributes supported by Keystone. The LDAP attribute chosen for
144 user_id must be something that is immutable for a user and no more than
145 64 characters in length. Notice that Distinguished Name (DN) may be
146 longer than 64 characters and thus is not suitable. An uid, or mail may
147 be appropriate.
148 default: sn
149 ldap_user_pass_attribute:
150 type: string
151 description: |
152 This set of options define the mapping to LDAP attributes for the three
153 key user attributes supported by Keystone. The LDAP attribute chosen for
154 user_id must be something that is immutable for a user and no more than
155 64 characters in length. Notice that Distinguished Name (DN) may be
156 longer than 64 characters and thus is not suitable. An uid, or mail may
157 be appropriate.
158 default: userPassword
159 ldap_user_filter:
160 type: string
161 description: |
162 This filter option allow additional filter (over and above
163 user_objectclass) to be included into the search of user. One common use
164 of this is to provide more efficient searching, where the recommended
165 search for user objects is (&(objectCategory=person)(objectClass=user)).
166 By specifying user_objectclass as user and user_filter as
167 objectCategory=person in the Keystone configuration file, this can be
168 achieved.
169 default: ""
170 ldap_user_enabled_attribute:
171 type: string
172 description: |
173 In Keystone, a user entity can be either enabled or disabled. Setting
174 the above option will give a mapping to an equivalent attribute in LDAP,
175 allowing your LDAP management tools to disable a user.
176 default: enabled
177 ldap_user_enabled_mask:
178 type: int
179 description: |
180 Some LDAP schemas, rather than having a dedicated attribute for user
181 enablement, use a bit within a general control attribute (such as
182 userAccountControl) to indicate this. Setting user_enabled_mask will
183 cause Keystone to look at only the status of this bit in the attribute
184 specified by user_enabled_attribute, with the bit set indicating the
185 user is enabled.
186 default: 0
187 ldap_user_enabled_default:
sousaedu21a9d212021-04-20 11:10:45 +0200[diff] [blame]188 type: string
sousaedu126a4432020-09-23 13:28:25 +0100[diff] [blame]189 description: |
190 Most LDAP servers use a boolean or bit in a control field to indicate
191 enablement. However, some schemas might use an integer value in an
192 attribute. In this situation, set user_enabled_default to the integer
193 value that represents a user being enabled.
194 default: true
195 ldap_user_enabled_invert:
196 type: boolean
197 description: |
198 Some LDAP schemas have an “account locked” attribute, which is the
199 equivalent to account being “disabled.” In order to map this to the
200 Keystone enabled attribute, you can utilize the user_enabled_invert
201 setting in conjunction with user_enabled_attribute to map the lock
202 status to disabled in Keystone.
203 default: false
sousaedu0be373d2020-10-20 01:06:32 +0100[diff] [blame]204 ldap_group_objectclass:
205 type: string
206 description: The LDAP object class to use for groups.
207 default: groupOfNames
208 ldap_group_tree_dn:
209 type: string
210 description: The search base to use for groups.
211 default: ""
sousaedu126a4432020-09-23 13:28:25 +0100[diff] [blame]212 ldap_use_starttls:
213 type: boolean
214 description: |
215 Enable Transport Layer Security (TLS) for providing a secure connection
216 from Keystone to LDAP (StartTLS, not LDAPS).
217 default: false
218 ldap_tls_cacert_base64:
219 type: string
220 description: |
221 CA certificate in Base64 format (if you have the PEM file, text inside
222 "-----BEGIN CERTIFICATE-----"/"-----END CERTIFICATE-----" tags).
223 default: ""
224 ldap_tls_req_cert:
225 type: string
226 description: |
227 Defines how the certificates are checked for validity in the client
228 (i.e., Keystone end) of the secure connection (this doesn’t affect what
229 level of checking the server is doing on the certificates it receives
230 from Keystone). Possible values are "demand", "never", and "allow". The
231 default of demand means the client always checks the certificate and
232 will drop the connection if it is not provided or invalid. never is the
233 opposite—it never checks it, nor requires it to be provided. allow means
234 that if it is not provided then the connection is allowed to continue,
235 but if it is provided it will be checked—and if invalid, the connection
236 will be dropped.
237 default: demand