openstack-ansible-os_keystone/templates/keystone.conf.j2

# {{ ansible_managed }}

[DEFAULT]
use_journal = True
# Disable stderr logging
use_stderr = False
debug = {{ debug }}
{% if keystone_public_endpoint is defined %}
public_endpoint = {{ keystone_public_endpoint }}
{% endif %}
fatal_deprecations = {{ keystone_fatal_deprecations }}
{% if keystone_sp != {} and (keystone_sp.cadf_notifications is defined) and (keystone_sp.cadf_notifications | bool) %}
{% set cadf_notifications = true %}
{% else %}
{% set cadf_notifications = false %}
{% endif %}
{% if cadf_notifications | bool %}
notification_format = cadf
{% if keystone_sp.cadf_notifications_opt_out is defined %}
{% for opt_out in keystone_sp.cadf_notifications_opt_out %}
notification_opt_out = {{ opt_out }}
{% endfor %}
{% endif %}
{% endif %}

## Oslo.Messaging RPC
transport_url = {{ keystone_oslomsg_rpc_transport }}://{% for host in keystone_oslomsg_rpc_servers.split(',') %}{{ keystone_oslomsg_rpc_userid }}:{{ keystone_oslomsg_rpc_password }}@{{ host }}:{{ keystone_oslomsg_rpc_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_rpc_vhost }}{% if keystone_oslomsg_rpc_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

[oslo_messaging_rabbit]
ssl = {{ keystone_oslomsg_rpc_use_ssl }}

[oslo_messaging_notifications]
{% if keystone_ceilometer_enabled | bool %}
driver = messagingv2
{% set notification_driver = true %}
{% endif %}
{% if cadf_notifications | bool %}
driver = log
{% set notification_driver = true %}
{% endif %}
{% if notification_driver is not defined or notification_driver == false | bool %}
driver = noop
{% endif %}

transport_url = {{ keystone_oslomsg_notify_transport }}://{% for host in keystone_oslomsg_notify_servers.split(',') %}{{ keystone_oslomsg_notify_userid }}:{{ keystone_oslomsg_notify_password }}@{{ host }}:{{ keystone_oslomsg_notify_port }}{% if not loop.last %},{% else %}/{{ keystone_oslomsg_notify_vhost }}{% if keystone_oslomsg_notify_use_ssl | bool %}?ssl=1{% else %}?ssl=0{% endif %}{% endif %}{% endfor %}

{% if keystone_cache_servers | length > 0 %}
[cache]
backend = oslo_cache.memcache_pool
# FIXME(lbragstad): Some strange behaviors have been reported when using
# multiple memcached instances with backend_argument. This has been documented
# in https://bugs.launchpad.net/oslo.cache/+bug/1743036
# For the time being, memcache_servers works with a single memcached instance
# and multiple instances.
memcache_servers = {{ keystone_cache_servers | join(',') }}
config_prefix = cache.keystone
distributed_lock = True
enabled = true
{% endif %}


[revoke]
driver = {{ keystone_revocation_driver }}
expiration_buffer = {{ keystone_revocation_expiration_buffer }}
cache_time = {{ keystone_revocation_cache_time }}


[auth]
methods = {{ keystone_auth_methods }}{% if keystone_sp_apache_mod_shib %},saml2{% endif %}{% if keystone_sp_apache_mod_auth_openidc %},openid{% endif %}


{% if keystone_database_enabled | bool %}
[database]
connection = {{ keystone_database_connection_string }}
connection_recycle_time = {{ keystone_database_idle_timeout }}
min_pool_size = {{ keystone_database_min_pool_size }}
max_pool_size = {{ keystone_database_max_pool_size }}
pool_timeout = {{ keystone_database_pool_timeout }}
{% endif %}

{% if 'fernet' in keystone_token_provider %}
[fernet_tokens]
key_repository = {{ keystone_fernet_tokens_key_repository }}
max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
{% endif %}


[identity]
{% if keystone_ldap.Default is not defined %}
driver = sql
{% endif %}
{% if keystone_ldap | length > 0 %}
domain_config_dir = {{ keystone_ldap_domain_config_dir }}
domain_specific_drivers_enabled = True
{% endif %}


[assignment]
driver = {{ keystone_assignment_driver }}


[resource]
cache_time = {{ keystone_resource_cache_time }}
driver = {{ keystone_resource_driver }}


[token]
enforce_token_bind = permissive
expiration = {{ keystone_token_expiration }}
cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }}

{% if keystone_idp != {} %}
[saml]
certfile = "{{ keystone_idp.certfile }}"
keyfile = "{{ keystone_idp.keyfile }}"
idp_entity_id = "{{ keystone_idp.idp_entity_id }}"
idp_sso_endpoint = "{{ keystone_idp.idp_sso_endpoint }}"
idp_metadata_path = "{{ keystone_idp.idp_metadata_path }}"
{% if keystone_idp.organization_name is defined %}
idp_organization_name = {{ keystone_idp.organization_name }}
{% endif %}
{% if keystone_idp.organization_display_name is defined %}
idp_organization_display_name = {{ keystone_idp.organization_display_name }}
{% endif %}
{% if keystone_idp.organization_url is defined %}
idp_organization_url = {{ keystone_idp.organization_url }}
{% endif %}
{% if keystone_idp.contact_company is defined %}
idp_contact_company = {{ keystone_idp.contact_company }}
{% endif %}
{% if keystone_idp.contact_name is defined %}
idp_contact_name = {{ keystone_idp.contact_name }}
{% endif %}
{% if keystone_idp.contact_surname is defined %}
idp_contact_surname = {{ keystone_idp.contact_surname }}
{% endif %}
{% if keystone_idp.contact_email is defined %}
idp_contact_email = {{ keystone_idp.contact_email }}
{% endif %}
{% if keystone_idp.contact_telephone is defined %}
idp_contact_telephone = {{ keystone_idp.contact_telephone }}
{% endif %}
{% if keystone_idp.contact_type is defined %}
idp_contact_type = {{ keystone_idp.contact_type }}
{% endif %}
{% endif %}

[credential]
key_repository = {{ keystone_credential_key_repository }}

{% if keystone_sp != {} %}
[federation]
{% if keystone_sp_apache_mod_auth_openidc %}
remote_id_attribute = HTTP_OIDC_ISS
{% elif keystone_sp_apache_mod_shib %}
remote_id_attribute = Shib-Identity-Provider
{% endif %}
{% if keystone_sp.trusted_dashboard_list is defined %}
{% for item in keystone_sp.trusted_dashboard_list %}
trusted_dashboard = {{ item }}
{% endfor %}
{% endif %}
{% endif %}