NCM::Component::openstack::identity - keystone

Types

  • /software/components/openstack/openstack_keystone_token
    • Description: The Keystone “token” configuration section
    • /software/components/openstack/openstack_keystone_token/provider
      • Description: Entry point for the token provider in the “keystone.token.provider” namespace. The token provider controls the token construction, validation, and revocation operations. Keystone includes “fernet” and “uuid” token providers. “uuid” tokens must be persisted (using the backend specified in the “[token] driver” option), but do not require any extra configuration or setup. “fernet” tokens do not need to be persisted at all, but require that you run “keystone-manage fernet_setup” (also see the “keystone-manage fernet_rotate” command)
      • Required
      • Type: string
      • Default value: fernet
    • /software/components/openstack/openstack_keystone_token/driver
      • Description: Entry point for the token persistence backend driver in the “keystone.token.persistence” namespace. Keystone provides “kvs” and “sql” drivers. The “kvs” backend depends on the configuration in the “[kvs]” section. The “sql” option (default) depends on the options in your “[database]” section. If you are using the “fernet” “[token] provider”, this backend will not be utilized to persist tokens at all. (string value)
      • Optional
      • Type: string
  • /software/components/openstack/openstack_keystone_authtoken
    • Description: The Keystone configuration options in the “authtoken” Section
    • /software/components/openstack/openstack_keystone_authtoken/auth_uri
      • Description: Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you are using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. Format: http(s)://host:port
      • Required
      • Type: type_absoluteURI
    • /software/components/openstack/openstack_keystone_authtoken/memcached_servers
      • Description: Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process (“host:port” list)
      • Required
      • Type: type_hostport
    • /software/components/openstack/openstack_keystone_authtoken/region_name
      • Description: The region in which the service server can be found
      • Optional
      • Type: string
      • Default value: RegionOne
  • /software/components/openstack/openstack_keystone_paste_deploy
    • Description: The Keystone configuration options in the “paste_deploy” Section.
    • /software/components/openstack/openstack_keystone_paste_deploy/flavor
      • Description: Deployment flavor to use in the server application pipeline. Provide a string value representing the appropriate deployment flavor used in the server application pipeline. This is typically the partial name of a pipeline in the paste configuration file with the service name removed. For example, if your paste section name in the paste configuration file is [pipeline:glance-api-keystone], set “flavor” to “keystone”
      • Required
      • Type: string
      • Default value: keystone
  • /software/components/openstack/openstack_keystone_auth
    • Description: The Keystone configuration options in the “auth” section
    • /software/components/openstack/openstack_keystone_auth/methods
      • Description: Allowed authentication methods. Note: You should disable the external auth method if you are currently using federation. External auth and federation both use the REMOTE_USER variable. Since both the mapped and external plugin are being invoked to validate attributes in the request environment, it can cause conflicts.
      • Optional
      • Type: choice
  • /software/components/openstack/openstack_keystone_federation
    • Description: The Keystone configuration options in the “federation” section
    • /software/components/openstack/openstack_keystone_federation/assertion_prefix
      • Description: Prefix to use when filtering environment variable names for federated assertions. Matched variables are passed into the federated mapping engine.
      • Optional
      • Type: string
    • /software/components/openstack/openstack_keystone_federation/remote_id_attribute
      • Description: Value to be used to obtain the entity ID of the Identity Provider from the environment. For mod_shib, this would be Shib-Identity-Provider. For mod_auth_openidc, this could be HTTP_OIDC_ISS. For mod_auth_mellon this could be MELLON_IDP. It is recommended to set this on a per-protocol basis
      • Optional
      • Type: string
    • /software/components/openstack/openstack_keystone_federation/trusted_dashboard
      • Description: A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of this list. This configuration option may be repeated for multiple values. You must set this in order to use web-based SSO flows.
      • Optional
      • Type: type_hostURI
    • /software/components/openstack/openstack_keystone_federation/sso_callback_template
      • Description: Absolute path to an HTML file used as a Single Sign-On callback handler. This page is expected to redirect the user from keystone back to a trusted dashboard host, by form encoding a token in a POST request. Keystone’s default value /etc/keystone/sso_callback_template.html should be sufficient for most deployments.
      • Optional
      • Type: absolute_file_path
  • /software/components/openstack/openstack_keystone_application_credential
    • Description: The Keystone configuration options in the “application_credential” section
    • /software/components/openstack/openstack_keystone_application_credential/driver
      • Description: Entry point for the application credential backend driver in the “keystone.application_credential” namespace. Keystone only provides a “sql” driver, so there is no reason to change this unless you are providing a custom entry point
      • Required
      • Type: string
      • Default value: sql
    • /software/components/openstack/openstack_keystone_application_credential/caching
      • Description: Toggle for application credential caching. This has no effect unless global caching is enabled
      • Optional
      • Type: boolean
    • /software/components/openstack/openstack_keystone_application_credential/cache_time
      • Description: Time to cache application credential data in seconds. This has no effect unless global caching is enabled
      • Optional
      • Type: long
      • Range: 1..
    • /software/components/openstack/openstack_keystone_application_credential/user_limit
      • Description: Maximum number of application credentials a user is permitted to create. A value of -1 means unlimited. If a limit is not set, users are permitted to create application credentials at will, which could lead to bloat in the keystone database or open keystone to a DoS attack
      • Optional
      • Type: long
      • Range: -1..
  • /software/components/openstack/openstack_keystone_mapped
    • Description: The Keystone configuration options in the “mapped” section
    • /software/components/openstack/openstack_keystone_mapped/remote_id_attribute
      • Description: Value to be used to obtain the entity ID of the Identity Provider from the environment. For mod_shib, this would be Shib-Identity-Provider.
      • Optional
      • Type: string
  • /software/components/openstack/openstack_keystone_openid
    • Description: The Keystone configuration options in the “openid” section
    • /software/components/openstack/openstack_keystone_openid/remote_id_attribute
      • Description: Value to be used to obtain the entity ID of the Identity Provider from the environment. For mod_auth_openidc, this could be HTTP_OIDC_ISS.
      • Optional
      • Type: string
  • /software/components/openstack/openstack_quattor_keystone
  • /software/components/openstack/openstack_keystone_config
    • Description: The Keystone configuration sections
    • /software/components/openstack/openstack_keystone_config/DEFAULT
      • Optional
      • Type: openstack_DEFAULTS
    • /software/components/openstack/openstack_keystone_config/database
      • Required
      • Type: openstack_database
    • /software/components/openstack/openstack_keystone_config/token
      • Required
      • Type: openstack_keystone_token
    • /software/components/openstack/openstack_keystone_config/auth
      • Optional
      • Type: openstack_keystone_auth
    • /software/components/openstack/openstack_keystone_config/federation
      • Optional
      • Type: openstack_keystone_federation
    • /software/components/openstack/openstack_keystone_config/mapped
      • Optional
      • Type: openstack_keystone_mapped
    • /software/components/openstack/openstack_keystone_config/openid
      • Optional
      • Type: openstack_keystone_openid
    • /software/components/openstack/openstack_keystone_config/application_credential
      • Optional
      • Type: openstack_keystone_application_credential
    • /software/components/openstack/openstack_keystone_config/quattor
      • Required
      • Type: openstack_quattor_keystone
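
A check over a rendered keystone.conf for three of the option descriptions above: the “[auth] methods” note on external auth and federation, the per-protocol “remote_id_attribute” recommendation, and the “user_limit” note. This is an added example, not part of ncm-openstack or Keystone; the function name, sample files and hostnames are constructed, and treating “mapped” and “openid” as the federated methods is an assumption based on the sections listed on this page.

```python
import configparser

# Assumption: the federated auth methods are the protocol sections listed on this page.
FEDERATED = {"mapped", "openid"}

def audit_keystone_conf(text):
    """Return (option, finding) tuples for the body of a keystone.conf file."""
    # strict=False because options such as trusted_dashboard may be repeated.
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)
    findings = []

    raw = cfg.get("auth", "methods", fallback="")
    methods = {m.strip() for m in raw.split(",") if m.strip()}
    federated = sorted(methods & FEDERATED)

    # external auth and federation both read REMOTE_USER and can conflict.
    if "external" in methods and federated:
        findings.append(("auth/methods",
                         "external enabled together with " + ", ".join(federated)))

    # remote_id_attribute is recommended per protocol, not only in [federation].
    for proto in federated:
        if not cfg.get(proto, "remote_id_attribute", fallback=""):
            findings.append((proto + "/remote_id_attribute", "not set per protocol"))

    # Unset or -1 lets a user create application credentials without limit.
    limit = cfg.get("application_credential", "user_limit", fallback=None)
    if limit is None or int(limit) == -1:
        findings.append(("application_credential/user_limit", "unlimited"))
    return findings

# Constructed sample: weak settings.
WEAK = """
[auth]
methods = external,password,token,mapped
[federation]
remote_id_attribute = Shib-Identity-Provider
"""

# Constructed sample: corrected settings.
HARDENED = """
[auth]
methods = password,token,mapped,application_credential
[mapped]
remote_id_attribute = Shib-Identity-Provider
[federation]
trusted_dashboard = https://dashboard.example.org/auth/websso/
trusted_dashboard = https://dashboard2.example.org/auth/websso/
[application_credential]
user_limit = 20
"""
```

Calling `audit_keystone_conf(WEAK)` reports all three findings, while `audit_keystone_conf(HARDENED)` returns an empty list.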