diff --git a/.gitignore b/.gitignore
index 2d2cbdf3..96eb68e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,6 @@ ChangeLog
 # Files created by releasenotes build
 releasenotes/build
+
+# sample config included in docs
+doc/source/_static/keystonemiddleware.conf.sample
diff --git a/config-generator/keystonemiddleware.conf b/config-generator/keystonemiddleware.conf
new file mode 100644
index 00000000..0f49573c
--- /dev/null
+++ b/config-generator/keystonemiddleware.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+output_file = etc/keystone.conf.sample
+wrap_width = 79
+namespace = keystonemiddleware.auth_token
diff --git a/doc/source/conf.py b/doc/source/conf.py
index e86dd93a..284bcb3b 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -49,9 +49,13 @@ extensions = ['sphinx.ext.autodoc',
 # remove this Sphinx extension when
 # https://launchpad.net/bugs/1260495 is fixed.
 'ext.apidoc',
- 'oslosphinx'
+ 'oslosphinx',
+ 'oslo_config.sphinxconfiggen'
 ]
+config_generator_config_file = '../../config-generator/keystonemiddleware.conf'
+sample_config_basename = '_static/keystonemiddleware'
+
 todo_include_todos = True
 # Add any paths that contain templates here, relative to this directory.
@@ -156,7 +160,7 @@ man_pages = []
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-#html_static_path = ['static']
+html_static_path = ['_static']
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst
index 9317df47..65744990 100644
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
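Review bot: In config-generator/keystonemiddleware.conf, `output_file = etc/keystone.conf.sample` names the sample after keystone rather than keystonemiddleware, and it disagrees with the path used elsewhere in this commit (`doc/source/_static/keystonemiddleware.conf.sample` in .gitignore, `_static/keystonemiddleware` as `sample_config_basename`). The docs build presumably supplies its own output path, so this value would only take effect when the generator is run against this file directly, where it would write a file that reads like keystone's own server configuration. I would change it to `output_file = etc/keystonemiddleware.conf.sample`, or drop the line if only the Sphinx build consumes this file.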
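Review bot: In doc/source/conf.py, both `sample_config_basename = '_static/keystonemiddleware'` (first hunk) and `html_static_path = ['_static']` (second hunk) depend on `doc/source/_static` existing, yet the only file this commit puts there is generated at build time and ignored by git. Nothing visible in the diff shows that directory being tracked; if it is not, a clean checkout may warn about a missing static path, which becomes fatal when warnings are treated as errors. The new settings also carry no comment; something like `# Paths are relative to doc/source; the sample is generated at build time by oslo_config.sphinxconfiggen.` above `config_generator_config_file` would tell the next maintainer why a generated file lives under the static directory.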
@@ -124,166 +124,7 @@ a WSGI component. Example for the auth_token middleware:
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
- # Prefix to prepend at the beginning of the path (string
- # value)
- # Deprecated group/name - [keystone_authtoken]/auth_url
- #auth_admin_prefix=
-
- # Authentication URL (string value)
- auth_url=http://127.0.0.1:35357
-
- # Host providing the admin Identity API endpoint (string
- # value)
- # Deprecated group/name - [keystone_authtoken]/auth_url
- #auth_host=127.0.0.1
-
- # Port of the admin Identity API endpoint (integer value)
- # Deprecated group/name - [keystone_authtoken]/auth_url
- #auth_port=35357
-
- # Protocol of the admin Identity API endpoint(http or https)
- # (string value)
- # Deprecated group/name - [keystone_authtoken]/auth_url
- #auth_protocol=https
-
- # Complete admin Identity API endpoint.
- # This should specify the unversioned root endpoint
- # e.g. https://localhost:35357/. (string value)
- # Deprecated group/name - [keystone_authtoken]/auth_url
- #identity_uri=
-
- # Complete public Identity API endpoint (string value)
- #auth_uri=
-
- # API version of the admin Identity API endpoint (string
- # value)
- #auth_version=
-
- # Do not handle authorization requests within the middleware,
- # but delegate the authorization decision to downstream WSGI
- # components (boolean value)
- #delay_auth_decision=false
-
- # Request timeout value for communicating with Identity API
- # server. (boolean value)
- #http_connect_timeout=
-
- # How many times are we trying to reconnect when communicating
- # with Identity API Server. (integer value)
- #http_request_max_retries=3
-
- # Single shared secret with the Keystone configuration used
- # for bootstrapping a Keystone installation, or otherwise
- # bypassing the normal authentication process. (string value)
- # Deprecated, use username and password instead.
- #admin_token=
-
- # Keystone account username (string value)
- #admin_user=
-
- # Keystone account password (string value)
- admin_password=SuperSekretPassword
-
- # Keystone service account tenant name to validate user tokens
- # (string value)
- #admin_tenant_name=admin
-
- # Env key for the swift cache (string value)
- #cache=
-
- # Required if Keystone server requires client certificate
- # (string value)
- #certfile=
-
- # Required if Keystone server requires client certificate
- # (string value)
- #keyfile=
-
- # A PEM encoded Certificate Authority to use when verifying
- # HTTPs connections. Defaults to system CAs. (string value)
- #cafile=
-
- # Verify HTTPS connections. (boolean value)
- #insecure=false
-
- # Directory used to cache files related to PKI tokens (string
- # value)
- #signing_dir=
-
- # If defined, the memcached server(s) to use for caching (list
- # value)
- # Deprecated group/name - [DEFAULT]/memcache_servers
- #memcached_servers=
-
- # In order to prevent excessive requests and validations, the
- # middleware uses an in-memory cache for the tokens the
- # Keystone API returns. This is only valid if memcache_servers
- # is defined. Set to -1 to disable caching completely.
- # (integer value)
- #token_cache_time=300
-
- # Determines the frequency at which the list of revoked tokens
- # is retrieved from the Identity service (in seconds). A high
- # number of revocation events combined with a low cache duration
- # may significantly reduce performance. Only valid for PKI tokens.
- # (integer value)
- #revocation_cache_time = 10
-
- # (optional) if defined, indicate whether token data should be
- # authenticated or authenticated and encrypted. Acceptable
- # values are MAC or ENCRYPT. If MAC, token data is
- # authenticated (with HMAC) in the cache. If ENCRYPT, token
- # data is encrypted and authenticated in the cache. If the
- # value is not one of these options or empty, auth_token will
- # raise an exception on initialization. (string value)
- #memcache_security_strategy=
-
- # (optional, mandatory if memcache_security_strategy is
- # defined) this string is used for key derivation. (string
- # value)
- #memcache_secret_key=
-
- # (optional) indicate whether to set the X-Service-Catalog
- # header. If False, middleware will not ask for service
- # catalog on token validation and will not set the X-Service-
- # Catalog header. (boolean value)
- #include_service_catalog=true
-
- # Used to control the use and type of token binding. Can be
- # set to: "disabled" to not check token binding. "permissive"
- # (default) to validate binding information if the bind type
- # is of a form known to the server and ignore it if not.
- # "strict" like "permissive" but if the bind type is unknown
- # the token will be rejected. "required" any form of token
- # binding is needed to be allowed. Finally the name of a
- # binding method that must be present in tokens. (string
- # value)
- #enforce_token_bind=permissive
-
- # If true, the revocation list will be checked for cached
- # tokens. This requires that PKI tokens are configured on the
- # identity server.
- # (boolean value)
- #check_revocations_for_cached = false
-
- # Hash algorithms to use for hashing PKI tokens. This may be a
- # single algorithm or multiple. The algorithms are those supported
- # by Python standard hashlib.new(). The hashes will be tried in the
- # order given, so put the preferred one first for performance. The
- # result of the first hash will be stored in the cache. This will
- # typically be set to multiple values only while migrating from a
- # less secure algorithm to a more secure one. Once all the old
- # tokens are expired this option should be set to a single value
- # for better performance. (list value)
- #hash_algorithms = md5
-
- # Authentication type to load (unknown value)
- # Deprecated group/name - [DEFAULT]/auth_plugin
- #auth_type =
-
- # Config Section from which to load plugin specific options
- # (unknown value)
- #auth_section =
+.. literalinclude:: _static/keystonemiddleware.conf.sample
 If the ``auth_plugin`` configuration option is set, you may need to refer to the `Authentication Plugins