Add undocumented options to keystoneauth sample config
Adds is_admin and allow_overrides to the keystoneauth section of proxy-server.conf.sample and also adds related comments to the keystoneauth docstring.

DocImpact
Change-Id: I7c751880cb6742db7347f31c4d32b523e33da75b
Parent: 1f1cdceabe
Commit: fd8eb6b280
@ -283,8 +283,22 @@ user_test_tester3 = testing3
|
||||
# Operator roles is the role which user would be allowed to manage a
|
||||
# tenant and be able to create container or give ACL to others.
|
||||
# operator_roles = admin, swiftoperator
|
||||
#
|
||||
# The reseller admin role has the ability to create and delete accounts
|
||||
# reseller_admin_role = ResellerAdmin
|
||||
#
|
||||
# This allows middleware higher in the WSGI pipeline to override auth
|
||||
# processing, useful for middleware such as tempurl and formpost. If you know
|
||||
# you're not going to use such middleware and you want a bit of extra security,
|
||||
# you can set this to false.
|
||||
# allow_overrides = true
|
||||
#
|
||||
# If is_admin is true, a user whose username is the same as the project name
|
||||
# and who has any role on the project will have access rights elevated to be
|
||||
# the same as if the user had an operator role. Note that the condition
|
||||
# compares names rather than UUIDs. This option is deprecated.
|
||||
# is_admin = false
|
||||
#
|
||||
# For backwards compatibility, keystoneauth will match names in cross-tenant
|
||||
# access control lists (ACLs) when both the requesting user and the tenant
|
||||
# are in the default domain i.e the domain to which existing tenants are
|
||||
|
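Review bot: The is_admin comment says "This option is deprecated" but gives an operator no guidance on what to do instead, and it refers to "an operator role" rather than naming the operator_roles setting shown at the top of this hunk. Suggest wording it as "the same as if the user had one of the operator_roles" so the sample matches the option name, and adding a short clause telling operators to leave is_admin at false and grant an operator role explicitly.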
@ -42,10 +42,10 @@ class KeystoneAuth(object):
|
||||
The authtoken middleware will take care of validating the user and
|
||||
keystoneauth will authorize access.
|
||||
|
||||
The authtoken middleware is shipped directly with keystone it
|
||||
does not have any other dependences than itself so you can either
|
||||
The authtoken middleware is shipped with keystonemiddleware - it
|
||||
does not have any other dependencies than itself so you can either
|
||||
install it by copying the file directly in your python path or by
|
||||
installing keystone.
|
||||
installing keystonemiddleware.
|
||||
|
||||
If support is required for unvalidated users (as with anonymous
|
||||
access) or for formpost/staticweb/tempurl middleware, authtoken will
|
||||
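Review bot: In the rewritten authtoken paragraph, the claim that it "does not have any other dependencies than itself" and the advice to install it "by copying the file directly in your python path" are carried over unchanged from the keystone-era wording. Please confirm both still hold for keystonemiddleware; if they do not, reduce the sentence to the single instruction to install keystonemiddleware. The " - it" join would also read better as two sentences.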
@ -72,6 +72,12 @@ class KeystoneAuth(object):
|
||||
setting which by default includes the admin and the swiftoperator
|
||||
roles.
|
||||
|
||||
If the ``is_admin`` option is ``true``, a user whose username is the same
|
||||
as the project name and who has any role on the project will have access
|
||||
rights elevated to be the same as if the user had one of the
|
||||
``operator_roles``. Note that the condition compares names rather than
|
||||
UUIDs. This option is deprecated. It is ``false`` by default.
|
||||
|
||||
If you need to have a different reseller_prefix to be able to
|
||||
mix different auth servers you can configure the option
|
||||
``reseller_prefix`` in your keystoneauth entry like this::
|
||||
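Review bot: The is_admin paragraph notes that "the condition compares names rather than UUIDs" but leaves the consequence to the reader. Since the effect is that a username equal to the project name, plus any role at all on the project, is enough for operator-level access, say that directly and state why name matching is weaker than a UUID match, so an operator reading only this paragraph understands why the option is deprecated and off by default.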
@ -114,6 +120,14 @@ class KeystoneAuth(object):
|
||||
keystoneauth will assume that the tenant may not be in the default domain
|
||||
and therefore not match names in ACLs for that account.
|
||||
|
||||
By default, middleware higher in the WSGI pipeline may override auth
|
||||
processing, useful for middleware such as tempurl and formpost. If you know
|
||||
you're not going to use such middleware and you want a bit of extra
|
||||
security you can disable this behaviour by setting the ``allow_overrides``
|
||||
option to ``false``::
|
||||
|
||||
allow_overrides = false
|
||||
|
||||
:param app: The next WSGI app in the pipeline
|
||||
:param conf: The dict of configuration values
|
||||
"""
|
||||
|
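Review bot: In the allow_overrides paragraph, "a bit of extra security" does not tell the operator what actually changes. Suggest stating the default explicitly (the sample config shows allow_overrides = true) and spelling out the trade-off visible in this text: with false, middleware higher in the pipeline such as tempurl and formpost can no longer override keystoneauth's auth processing, so those features stop working behind keystoneauth.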