chef/cookbooks/keystone/templates/default/keystone.conf.erb
[DEFAULT]
admin_endpoint = <%= @admin_endpoint %>
debug = <%= @debug ? "True" : "False" %>
insecure_debug = <%= @insecure_debug ? "True": "False" %>
log_file = keystone.log
log_dir = /var/log/keystone
transport_url = <%= @rabbit_settings[:url] %>
[assignment]
driver = <%= node[:keystone][:assignment][:driver] %>
[cache]
backend = oslo_cache.memcache_pool
enabled = True
memcache_servers = <%= @memcached_servers.join(',') %>
memcache_socket_timeout = 1
[database]
connection = <%= @sql_connection %>
connection_recycle_time = <%= @sql_idle_timeout %>
[fernet_tokens]
max_active_keys = <%= @max_active_keys %>
[identity]
password_hash_algorithm = <%= node[:keystone][:identity][:password_hash_algorithm] %>
<% if node[:keystone][:identity].key?("password_hash_rounds") -%>
password_hash_rounds = <%= node[:keystone][:identity][:password_hash_rounds] %>
<% end -%>
domain_specific_drivers_enabled = <%= node[:keystone][:domain_specific_drivers] ? "True" : "False" %>
<% if node[:keystone][:domain_specific_drivers] -%>
domain_config_dir = <%= node[:keystone][:domain_config_dir] %>
<% end -%>
driver = <%= node[:keystone][:identity][:driver] %>
<% if node[:keystone][:assignment][:driver] == 'hybrid' -%>
[ldap_hybrid]
default_roles = member
default_project = <%= node[:keystone][:default][:tenant] %>
<% end -%>
[ldap]
url = <%= node[:keystone][:ldap][:url] %>
user = <%= node[:keystone][:ldap][:user] %>
password = <%= node[:keystone][:ldap][:password] %>
suffix = <%= node[:keystone][:ldap][:suffix] %>
query_scope = <%= node[:keystone][:ldap][:query_scope] %>
page_size = <%= node[:keystone][:ldap][:page_size] %>
alias_dereferencing = <%= node[:keystone][:ldap][:alias_dereferencing] %>
<% unless node[:keystone][:ldap][:chase_referrals].nil? or node[:keystone][:ldap][:chase_referrals].empty? -%>
chase_referrals = <%= node[:keystone][:ldap][:chase_referrals] %>
<% end -%>
user_tree_dn = <%= node[:keystone][:ldap][:user_tree_dn] %>
user_filter = <%= node[:keystone][:ldap][:user_filter] %>
user_objectclass = <%= node[:keystone][:ldap][:user_objectclass] %>
user_id_attribute = <%= node[:keystone][:ldap][:user_id_attribute] %>
user_name_attribute = <%= node[:keystone][:ldap][:user_name_attribute] %>
user_description_attribute = <%= node[:keystone][:ldap][:user_description_attribute] %>
user_mail_attribute = <%= node[:keystone][:ldap][:user_mail_attribute] %>
user_pass_attribute = <%= node[:keystone][:ldap][:user_pass_attribute] %>
user_enabled_attribute = <%= node[:keystone][:ldap][:user_enabled_attribute] %>
user_enabled_invert = <%= node[:keystone][:ldap][:user_enabled_invert] %>
user_enabled_mask = <%= node[:keystone][:ldap][:user_enabled_mask] %>
user_enabled_default = <%= node[:keystone][:ldap][:user_enabled_default] %>
user_attribute_ignore = <%= node[:keystone][:ldap][:user_attribute_ignore] %>
user_default_project_id_attribute = <%= node[:keystone][:ldap][:user_default_project_id_attribute] %>
user_enabled_emulation = <%= node[:keystone][:ldap][:user_enabled_emulation] %>
user_enabled_emulation_dn = <%= node[:keystone][:ldap][:user_enabled_emulation_dn] %>
user_enabled_emulation_use_group_config = <%= node[:keystone][:ldap][:user_enabled_emulation_use_group_config] %>
user_additional_attribute_mapping = <%= node[:keystone][:ldap][:user_additional_attribute_mapping] %>
group_tree_dn = <%= node[:keystone][:ldap][:group_tree_dn] %>
group_filter = <%= node[:keystone][:ldap][:group_filter] %>
group_objectclass = <%= node[:keystone][:ldap][:group_objectclass] %>
group_id_attribute = <%= node[:keystone][:ldap][:group_id_attribute] %>
group_name_attribute = <%= node[:keystone][:ldap][:group_name_attribute]%>
group_member_attribute = <%= node[:keystone][:ldap][:group_member_attribute] %>
group_members_are_ids = <%= node[:keystone][:ldap][:group_members_are_ids] %>
group_desc_attribute = <%= node[:keystone][:ldap][:group_desc_attribute] %>
group_additional_attribute_mapping = <%= node[:keystone][:ldap][:group_additional_attribute_mapping] %>
group_ad_nesting = <%= node[:keystone][:ldap][:group_ad_nesting] %>
tls_cacertfile = <%= node[:keystone][:ldap][:tls_cacertfile] %>
tls_cacertdir = <%= node[:keystone][:ldap][:tls_cacertdir] %>
use_tls = <%= node[:keystone][:ldap][:use_tls] %>
tls_req_cert = <%= node[:keystone][:ldap][:tls_req_cert] %>
use_pool = <%= node[:keystone][:ldap][:use_pool] %>
pool_size = <%= node[:keystone][:ldap][:pool_size] %>
pool_retry_max = <%= node[:keystone][:ldap][:pool_retry_max] %>
pool_retry_delay = <%= node[:keystone][:ldap][:pool_retry_delay] %>
pool_connection_timeout = <%= node[:keystone][:ldap][:pool_connection_timeout] %>
pool_connection_lifetime = <%= node[:keystone][:ldap][:pool_connection_lifetime] %>
use_auth_pool = <%= node[:keystone][:ldap][:use_auth_pool] %>
auth_pool_size = <%= node[:keystone][:ldap][:auth_pool_size] %>
auth_pool_connection_lifetime = <%= node[:keystone][:ldap][:auth_pool_connection_lifetime] %>
[oslo_messaging_rabbit]
amqp_durable_queues = <%= @rabbit_settings[:durable_queues] %>
rabbit_ha_queues = <%= @rabbit_settings[:ha_queues] %>
ssl = <%= @rabbit_settings[:use_ssl] %>
<% if @rabbit_settings[:client_ca_certs] -%>
ssl_ca_file = <%= @rabbit_settings[:client_ca_certs] %>
<% end -%>
heartbeat_timeout_threshold = <%= @rabbit_settings[:heartbeat_timeout] %>
[oslo_policy]
policy_file = <%= node[:keystone][:policy_file] %>
[role]
driver = sql
[token]
expiration = <%= @token_expiration %>
provider = <%= node[:keystone][:token_format] %>
<% if @profiler_settings[:enabled] -%>
[profiler]
enabled = true
trace_sqlalchemy = <%= @profiler_settings[:trace_sqlalchemy] ? "true" : "false" %>
hmac_keys = <%= @profiler_settings[:hmac_keys].join(",") %>
connection_string = <%= @profiler_settings[:connection_string] %>
<% end -%>
<% if @websso_enabled %>
[federation]
<% @trusted_dashboards.each do |trusted_dashboard_url| -%>
trusted_dashboard = <%= trusted_dashboard_url %>
<% end -%>
<% if @openidc_enabled -%>
[openid]
remote_id_attribute = HTTP_OIDC_ISS
<% end -%>
<% end -%>
[auth]
methods = <%= @auth_methods %>