Add undocumented options to keystoneauth sample config

Adds is_admin and allow_overrides to the keystoneauth section
of proxy-server.conf.sample and also adds related comments to
the keystoneauth docstring.

DocImpact

Change-Id: I7c751880cb6742db7347f31c4d32b523e33da75b
This commit is contained in:
Alistair Coles 2015-01-06 16:57:17 +00:00
parent 1f1cdceabe
commit fd8eb6b280
2 changed files with 31 additions and 3 deletions

View File

@ -283,8 +283,22 @@ user_test_tester3 = testing3
# Operator roles is the role which user would be allowed to manage a
# tenant and be able to create container or give ACL to others.
# operator_roles = admin, swiftoperator
#
# The reseller admin role has the ability to create and delete accounts
# reseller_admin_role = ResellerAdmin
#
# This allows middleware higher in the WSGI pipeline to override auth
# processing, useful for middleware such as tempurl and formpost. If you know
# you're not going to use such middleware and you want a bit of extra security,
# you can set this to false.
# allow_overrides = true
#
# If is_admin is true, a user whose username is the same as the project name
# and who has any role on the project will have access rights elevated to be
# the same as if the user had an operator role. Note that the condition
# compares names rather than UUIDs. This option is deprecated.
# is_admin = false
#
# For backwards compatibility, keystoneauth will match names in cross-tenant
# access control lists (ACLs) when both the requesting user and the tenant
# are in the default domain i.e the domain to which existing tenants are

View File

@ -42,10 +42,10 @@ class KeystoneAuth(object):
The authtoken middleware will take care of validating the user and
keystoneauth will authorize access.
The authtoken middleware is shipped directly with keystone it
does not have any other dependences than itself so you can either
The authtoken middleware is shipped with keystonemiddleware - it
does not have any other dependencies than itself so you can either
install it by copying the file directly in your python path or by
installing keystone.
installing keystonemiddleware.
If support is required for unvalidated users (as with anonymous
access) or for formpost/staticweb/tempurl middleware, authtoken will
@ -72,6 +72,12 @@ class KeystoneAuth(object):
setting which by default includes the admin and the swiftoperator
roles.
If the ``is_admin`` option is ``true``, a user whose username is the same
as the project name and who has any role on the project will have access
rights elevated to be the same as if the user had one of the
``operator_roles``. Note that the condition compares names rather than
UUIDs. This option is deprecated. It is ``false`` by default.
If you need to have a different reseller_prefix to be able to
mix different auth servers you can configure the option
``reseller_prefix`` in your keystoneauth entry like this::
@ -114,6 +120,14 @@ class KeystoneAuth(object):
keystoneauth will assume that the tenant may not be in the default domain
and therefore not match names in ACLs for that account.
By default, middleware higher in the WSGI pipeline may override auth
processing, useful for middleware such as tempurl and formpost. If you know
you're not going to use such middleware and you want a bit of extra
security you can disable this behaviour by setting the ``allow_overrides``
option to ``false``::
allow_overrides = false
:param app: The next WSGI app in the pipeline
:param conf: The dict of configuration values
"""