f1c3437320
Expose 'ssl_keyfile','ssl_certfile','ssl_cert_reqs' and 'ssl_ca_certs' options for maximum security. By default, ssl is not enabled except that ssl parameter was included in the mongodb uri directly, and ssl_cert_reqs = CERT_REQUIRED which means user must provide the 'ssl_ca_certs' if ssl is enabled by adding the ssl parameter in the mongodb uri. Change-Id: I67cb5a9b2d76625de2932c854d0a696e9118ca6b Closes-Bug: #1328720
364 lines
11 KiB
Plaintext
364 lines
11 KiB
Plaintext
[DEFAULT]
|
|
|
|
#
|
|
# Options defined in marconi.transport.base
|
|
#
|
|
|
|
# Backend to use for authentication. For no auth, keep it
|
|
# empty. Existing strategies: keystone. See also the
|
|
# keystone_authtoken section below (string value)
|
|
#auth_strategy=
|
|
|
|
|
|
#
|
|
# Options defined in marconi.bootstrap
|
|
#
|
|
|
|
# ('Enable sharding across multiple storage backends. ', 'If
|
|
# sharding is enabled, the storage driver ', 'configuration is
|
|
# used to determine where the ', 'catalogue/control plane data
|
|
# is kept.') (boolean value)
|
|
#sharding=false
|
|
|
|
# Activate endpoints to manage shard registry. (boolean value)
|
|
#admin_mode=false
|
|
|
|
|
|
#
|
|
# Options defined in marconi.openstack.common.lockutils
|
|
#
|
|
|
|
# Whether to disable inter-process locks (boolean value)
|
|
#disable_process_locking=false
|
|
|
|
# Directory to use for lock files. (string value)
|
|
#lock_path=<None>
|
|
|
|
|
|
#
|
|
# Options defined in marconi.openstack.common.log
|
|
#
|
|
|
|
# Print debugging output (set logging level to DEBUG instead
|
|
# of default WARNING level). (boolean value)
|
|
#debug=false
|
|
|
|
# Print more verbose output (set logging level to INFO instead
|
|
# of default WARNING level). (boolean value)
|
|
#verbose=false
|
|
|
|
# Log output to standard error (boolean value)
|
|
#use_stderr=true
|
|
|
|
# Format string to use for log messages with context (string
|
|
# value)
|
|
#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
|
|
|
|
# Format string to use for log messages without context
|
|
# (string value)
|
|
#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
|
|
|
|
# Data to append to log format when level is DEBUG (string
|
|
# value)
|
|
#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
|
|
|
|
# Prefix each line of exception output with this format
|
|
# (string value)
|
|
#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
|
|
|
|
# List of logger=LEVEL pairs (list value)
|
|
#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN
|
|
|
|
# Publish error events (boolean value)
|
|
#publish_errors=false
|
|
|
|
# Make deprecations fatal (boolean value)
|
|
#fatal_deprecations=false
|
|
|
|
# If an instance is passed with the log message, format it
|
|
# like this (string value)
|
|
#instance_format="[instance: %(uuid)s] "
|
|
|
|
# If an instance UUID is passed with the log message, format
|
|
# it like this (string value)
|
|
#instance_uuid_format="[instance: %(uuid)s] "
|
|
|
|
# The name of logging configuration file. It does not disable
|
|
# existing loggers, but just appends specified logging
|
|
# configuration to any other existing logging options. Please
|
|
# see the Python logging module documentation for details on
|
|
# logging configuration files. (string value)
|
|
# Deprecated group/name - [DEFAULT]/log_config
|
|
#log_config_append=<None>
|
|
|
|
# DEPRECATED. A logging.Formatter log message format string
|
|
# which may use any of the available logging.LogRecord
|
|
# attributes. This option is deprecated. Please use
|
|
# logging_context_format_string and
|
|
# logging_default_format_string instead. (string value)
|
|
#log_format=<None>
|
|
|
|
# Format string for %%(asctime)s in log records. Default:
|
|
# %(default)s (string value)
|
|
#log_date_format=%Y-%m-%d %H:%M:%S
|
|
|
|
# (Optional) Name of log file to output to. If no default is
|
|
# set, logging will go to stdout. (string value)
|
|
# Deprecated group/name - [DEFAULT]/logfile
|
|
#log_file=<None>
|
|
|
|
# (Optional) The base directory used for relative --log-file
|
|
# paths (string value)
|
|
# Deprecated group/name - [DEFAULT]/logdir
|
|
#log_dir=<None>
|
|
|
|
# Use syslog for logging. Existing syslog format is DEPRECATED
|
|
# during I, and then will be changed in J to honor RFC5424
|
|
# (boolean value)
|
|
#use_syslog=false
|
|
|
|
# (Optional) Use syslog rfc5424 format for logging. If
|
|
# enabled, will add APP-NAME (RFC5424) before the MSG part of
|
|
# the syslog message. The old format without APP-NAME is
|
|
# deprecated in I, and will be removed in J. (boolean value)
|
|
#use_syslog_rfc_format=false
|
|
|
|
# Syslog facility to receive log lines (string value)
|
|
#syslog_log_facility=LOG_USER
|
|
|
|
|
|
[drivers]
|
|
|
|
#
|
|
# Options defined in marconi.bootstrap
|
|
#
|
|
|
|
# Transport driver to use. (string value)
|
|
#transport=wsgi
|
|
|
|
# Storage driver to use. (string value)
|
|
#storage=sqlite
|
|
|
|
|
|
[drivers:storage:mongodb]
|
|
|
|
#
|
|
# Options defined in marconi.storage.mongodb
|
|
#
|
|
|
|
# Mongodb Connection URI. If ssl connection enabled,
|
|
# then the following 'ssl_keyfile', 'ssl_certfile',
|
|
# 'ssl_cert_reqs', 'ssl_ca_certs' need to be set accordingly.
|
|
# (string value)
|
|
#uri=<None>
|
|
|
|
# The private keyfile used to identify the local connection
|
|
# against mongod. If included with the 'certifle' then only
|
|
# the ssl_certfile is needed. (string value)
|
|
#ssl_keyfile=<None>
|
|
|
|
# The certificate file used to identify the local connection
|
|
# against mongod. (string value)
|
|
#ssl_certfile=<None>
|
|
|
|
# Specifies whether a certificate is required from the other
|
|
# side of the connection, and whether it will be validated
|
|
# if provided. It must be one of the three values 'CERT_NONE'
|
|
# (certificates ignored), 'CERT_OPTIONAL'(not required, but
|
|
# validated if provided), or 'CERT_REQUIRED'(required and validated).
|
|
# If the value of this parameter is not 'CERT_NONE', then the
|
|
# 'ssl_ca_certs' parameter must point to a file of CA certificates.
|
|
# (string value)
|
|
#ssl_cert_reqs=CERT_REQUIRED
|
|
|
|
# The ca_certs file contains a set of concatenated certification
|
|
# authority certificates, which are used to validate certificates
|
|
# passed from the other end of the connection. (string value)
|
|
#ssl_ca_certs=<None>
|
|
|
|
# Database name. (string value)
|
|
#database=marconi
|
|
|
|
# Number of databases across which to partition message data,
|
|
# in order to reduce writer lock %. DO NOT change this setting
|
|
# after initial deployment. It MUST remain static. Also, you
|
|
# should not need a large number of partitions to improve
|
|
# performance, esp. if deploying MongoDB on SSD storage.
|
|
# (integer value)
|
|
#partitions=2
|
|
|
|
# Maximum number of times to retry a failed operation.
|
|
# Currently only used for retrying a message post. (integer
|
|
# value)
|
|
#max_attempts=1000
|
|
|
|
# Maximum sleep interval between retries (actual sleep time
|
|
# increases linearly according to number of attempts
|
|
# performed). (floating point value)
|
|
#max_retry_sleep=0.1
|
|
|
|
# Maximum jitter interval, to be added to the sleep interval,
|
|
# in order to decrease probability that parallel requests will
|
|
# retry at the same instant. (floating point value)
|
|
#max_retry_jitter=0.005
|
|
|
|
# Maximum number of times to retry an operation that failed
|
|
# due to a primary node failover. (integer value)
|
|
#max_reconnect_attempts=10
|
|
|
|
# Base sleep interval between attempts to reconnect after a
|
|
# primary node failover. The actual sleep time increases
|
|
# exponentially (power of 2) each time the operation is
|
|
# retried. (floating point value)
|
|
#reconnect_sleep=0.02
|
|
|
|
|
|
[drivers:storage:sqlalchemy]
|
|
|
|
#
|
|
# Options defined in marconi.storage.sqlalchemy
|
|
#
|
|
|
|
# An sqlalchemy URL (string value)
|
|
#uri=sqlite:///:memory:
|
|
|
|
|
|
[keystone_authtoken]
|
|
|
|
#
|
|
# Options defined in keystoneclient.middleware.auth_token
|
|
#
|
|
|
|
# Prefix to prepend at the beginning of the path (string
|
|
# value)
|
|
#auth_admin_prefix=
|
|
|
|
# Host providing the admin Identity API endpoint (string
|
|
# value)
|
|
#auth_host=127.0.0.1
|
|
|
|
# Port of the admin Identity API endpoint (integer value)
|
|
#auth_port=35357
|
|
|
|
# Protocol of the admin Identity API endpoint(http or https)
|
|
# (string value)
|
|
#auth_protocol=https
|
|
|
|
# Complete public Identity API endpoint (string value)
|
|
#auth_uri=<None>
|
|
|
|
# API version of the admin Identity API endpoint (string
|
|
# value)
|
|
#auth_version=<None>
|
|
|
|
# Do not handle authorization requests within the middleware,
|
|
# but delegate the authorization decision to downstream WSGI
|
|
# components (boolean value)
|
|
#delay_auth_decision=false
|
|
|
|
# Request timeout value for communicating with Identity API
|
|
# server. (boolean value)
|
|
#http_connect_timeout=<None>
|
|
|
|
# How many times are we trying to reconnect when communicating
|
|
# with Identity API Server. (integer value)
|
|
#http_request_max_retries=3
|
|
|
|
# Allows to pass in the name of a fake http_handler callback
|
|
# function used instead of httplib.HTTPConnection or
|
|
# httplib.HTTPSConnection. Useful for unit testing where
|
|
# network is not available. (string value)
|
|
#http_handler=<None>
|
|
|
|
# Single shared secret with the Keystone configuration used
|
|
# for bootstrapping a Keystone installation, or otherwise
|
|
# bypassing the normal authentication process. (string value)
|
|
#admin_token=<None>
|
|
|
|
# Keystone account username (string value)
|
|
#admin_user=<None>
|
|
|
|
# Keystone account password (string value)
|
|
#admin_password=<None>
|
|
|
|
# Keystone service account tenant name to validate user tokens
|
|
# (string value)
|
|
#admin_tenant_name=admin
|
|
|
|
# Env key for the swift cache (string value)
|
|
#cache=<None>
|
|
|
|
# Required if Keystone server requires client certificate
|
|
# (string value)
|
|
#certfile=<None>
|
|
|
|
# Required if Keystone server requires client certificate
|
|
# (string value)
|
|
#keyfile=<None>
|
|
|
|
# A PEM encoded Certificate Authority to use when verifying
|
|
# HTTPs connections. Defaults to system CAs. (string value)
|
|
#cafile=<None>
|
|
|
|
# Verify HTTPS connections. (boolean value)
|
|
#insecure=false
|
|
|
|
# Directory used to cache files related to PKI tokens (string
|
|
# value)
|
|
#signing_dir=<None>
|
|
|
|
# If defined, the memcache server(s) to use for caching (list
|
|
# value)
|
|
# Deprecated group/name - [DEFAULT]/memcache_servers
|
|
#memcached_servers=<None>
|
|
|
|
# In order to prevent excessive requests and validations, the
|
|
# middleware uses an in-memory cache for the tokens the
|
|
# Keystone API returns. This is only valid if memcache_servers
|
|
# is defined. Set to -1 to disable caching completely.
|
|
# (integer value)
|
|
#token_cache_time=300
|
|
|
|
# Value only used for unit testing (integer value)
|
|
#revocation_cache_time=1
|
|
|
|
# (optional) if defined, indicate whether token data should be
|
|
# authenticated or authenticated and encrypted. Acceptable
|
|
# values are MAC or ENCRYPT. If MAC, token data is
|
|
# authenticated (with HMAC) in the cache. If ENCRYPT, token
|
|
# data is encrypted and authenticated in the cache. If the
|
|
# value is not one of these options or empty, auth_token will
|
|
# raise an exception on initialization. (string value)
|
|
#memcache_security_strategy=<None>
|
|
|
|
# (optional, mandatory if memcache_security_strategy is
|
|
# defined) this string is used for key derivation. (string
|
|
# value)
|
|
#memcache_secret_key=<None>
|
|
|
|
# (optional) indicate whether to set the X-Service-Catalog
|
|
# header. If False, middleware will not ask for service
|
|
# catalog on token validation and will not set the X-Service-
|
|
# Catalog header. (boolean value)
|
|
#include_service_catalog=true
|
|
|
|
# Used to control the use and type of token binding. Can be
|
|
# set to: "disabled" to not check token binding. "permissive"
|
|
# (default) to validate binding information if the bind type
|
|
# is of a form known to the server and ignore it if not.
|
|
# "strict" like "permissive" but if the bind type is unknown
|
|
# the token will be rejected. "required" any form of token
|
|
# binding is needed to be allowed. Finally the name of a
|
|
# binding method that must be present in tokens. (string
|
|
# value)
|
|
#enforce_token_bind=permissive
|
|
|
|
|
|
[sharding:catalog]
|
|
|
|
#
|
|
# Options defined in marconi.storage.sharding
|
|
#
|
|
|
|
# Catalog storage driver. (integer value)
|