[DEFAULT]
debug = {{ keystone_logging_debug }}

transport_url = {{ rpc_transport_url }}

# NOTE(elemoine) log_dir alone does not work for Keystone
log_file = /var/log/kolla/keystone/keystone.log
use_stderr = True

[oslo_middleware]
enable_proxy_headers_parsing = True

{% if keystone_policy_file is defined %}
[oslo_policy]
policy_file = {{ keystone_policy_file }}
{% endif %}

[database]
connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
connection_recycle_time = {{ database_connection_recycle_time }}
max_pool_size = {{ database_max_pool_size }}
max_retries = -1

{% if keystone_domain_directory.stat.exists %}
[identity]
domain_specific_drivers_enabled = true
domain_config_dir = /etc/keystone/domains
{% endif %}

[token]
revoke_by_id = False
provider = fernet
expiration = {{ fernet_token_expiry }}
allow_expired_window = {{ fernet_token_allow_expired_window }}

[fernet_tokens]
# Keystone docs note:
#   max_active_keys =
#     ((token_expiration + allow_expired_window) / rotation_frequency) + 2
# https://docs.openstack.org/keystone/stein/admin/fernet-token-faq.html
#
# Use (x + y - 1) / y to round up integer division.
max_active_keys = {{ ((fernet_token_expiry | int +
                       fernet_token_allow_expired_window | int +
                       fernet_key_rotation_interval | int - 1) //
                      fernet_key_rotation_interval | int) + 2 }}

[cache]
backend = oslo_cache.memcache_pool
enabled = True
memcache_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
{% if keystone_enabled_notification_topics %}
driver = messagingv2
topics = {{ keystone_enabled_notification_topics | map(attribute='name') | join(',') }}
{% else %}
driver = noop
{% endif %}

[oslo_messaging_rabbit]
heartbeat_in_pthread = {{ service_name == 'keystone' }}
{% if om_enable_rabbitmq_tls | bool %}
ssl = true
ssl_ca_file = {{ om_rabbitmq_cacert }}
{% endif %}
{% if om_enable_rabbitmq_high_availability | bool %}
amqp_durable_queues = true
{% endif %}
{% if om_enable_rabbitmq_quorum_queues | bool %}
rabbit_quorum_queue = true
{% endif %}

{% if enable_osprofiler | bool %}
[profiler]
enabled = true
trace_sqlalchemy = true
hmac_keys = {{ osprofiler_secret }}
connection_string = {{ osprofiler_backend_connection_string }}
{% endif %}

{% if enable_grafana | bool %}
[cors]
allowed_origin = {{ grafana_public_endpoint }}
{% endif %}

{% if enable_keystone_federation | bool %}
[federation]
{% for dashboard in keystone_trusted_dashboards %}
trusted_dashboard = {{ dashboard }}
{% endfor %}

sso_callback_template = /etc/keystone/sso_callback_template.html

[openid]
remote_id_attribute = {{ keystone_remote_id_attribute_oidc }}

[auth]
methods = password,token,openid,application_credential
{% endif %}