state_path
¶Type: | string |
---|---|
Default: | /var/lib/karbor |
Top-level directory for maintaining karbor’s state
Group | Name |
---|---|
DEFAULT | pybasedir |
service_down_time
¶Type: | integer |
---|---|
Default: | 60 |
Maximum time since last check-in for a service to be considered up
operationengine_topic
¶Type: | string |
---|---|
Default: | karbor-operationengine |
The topic that OperationEngine nodes listen on
operationengine_manager
¶Type: | string |
---|---|
Default: | karbor.services.operationengine.manager.OperationEngineManager |
Full class name for the Manager for OperationEngine
protection_topic
¶Type: | string |
---|---|
Default: | karbor-protection |
The topic that protection nodes listen on
protection_manager
¶Type: | string |
---|---|
Default: | karbor.services.protection.manager.ProtectionManager |
Full class name for the Manager for Protection
host
¶Type: | host address |
---|---|
Default: | ubuntu-xenial-rax-iad-0004962281 |
Name of this node. This can be an opaque identifier. It is not necessarily a host name, FQDN, or IP address.
auth_strategy
¶Type: | string |
---|---|
Default: | keystone |
Valid Values: | noauth, keystone |
The strategy to use for auth. Supports noauth or keystone.
osapi_max_limit
¶Type: | integer |
---|---|
Default: | 1000 |
The maximum number of items that a collection resource returns in a single response
osapi_karbor_base_URL
¶Type: | string |
---|---|
Default: | <None> |
Base URL that will be presented to users in links to the OpenStack Karbor API
query_instance_filters
¶Type: | list |
---|---|
Default: | status |
Instance filter options which non-admin user could use to query instances. Default values are: [‘status’]
query_provider_filters
¶Type: | list |
---|---|
Default: | name,description |
Provider filter options which non-admin user could use to query providers. Default values are: [‘name’, ‘description’]
query_checkpoint_filters
¶Type: | list |
---|---|
Default: | project_id,plan_id,start_date,end_date |
Checkpoint filter options which non-admin user could use to query checkpoints. Default values are: [‘project_id’, ‘plan_id’, ‘start_date’, ‘end_date’]
enable_new_services
¶Type: | boolean |
---|---|
Default: | true |
Services to be added to the available pool on create
thread_count
¶Type: | integer |
---|---|
Default: | 10 |
The count of thread which executor will start
min_interval
¶Type: | integer |
---|---|
Default: | 3600 |
The minimum interval of two adjacent time points. min_interval >= (max_window_time * 2)
min_window_time
¶Type: | integer |
---|---|
Default: | 900 |
The minimum window time
max_window_time
¶Type: | integer |
---|---|
Default: | 1800 |
The maximum window time
time_format
¶Type: | string |
---|---|
Default: | calendar |
Valid Values: | crontab, calendar |
The type of time format which is used to compute time
trigger_poll_interval
¶Type: | integer |
---|---|
Default: | 15 |
Interval, in seconds, in which Karbor will poll for trigger events
scheduling_strategy
¶Type: | string |
---|---|
Default: | multi_node |
Time trigger scheduling strategy
retained_operation_log_number
¶Type: | integer |
---|---|
Default: | 5 |
The number of retained operation log
sync_status_interval
¶Type: | integer |
---|---|
Default: | 20 |
update protection status interval
workflow_engine
¶Type: | string |
---|---|
Default: | karbor.services.protection.flows.workflow.TaskFlowEngine |
The workflow engine provides flow and task interface
provider_registry
¶Type: | string |
---|---|
Default: | provider-registry |
the provider registry
max_concurrent_operations
¶Type: | integer |
---|---|
Default: | 0 |
number of maximum concurrent operation (protect, restore, delete) flows. 0 means no hard limit
tcp_keepalive
¶Type: | boolean |
---|---|
Default: | true |
Sets the value of TCP_KEEPALIVE (True/False) for each server socket.
tcp_keepalive_interval
¶Type: | integer |
---|---|
Default: | <None> |
Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.
tcp_keepalive_count
¶Type: | integer |
---|---|
Default: | <None> |
Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.
fatal_exception_format_errors
¶Type: | boolean |
---|---|
Default: | false |
Make exception message format errors fatal.
report_interval
¶Type: | integer |
---|---|
Default: | 10 |
Interval, in seconds, between nodes reporting state to datastore
periodic_interval
¶Type: | integer |
---|---|
Default: | 60 |
Interval, in seconds, between running periodic tasks
periodic_fuzzy_delay
¶Type: | integer |
---|---|
Default: | 60 |
Range, in seconds, to randomly delay when starting the periodic task OperationEngine to reduce stampeding. (Disable by setting to 0)
osapi_karbor_listen
¶Type: | host address |
---|---|
Default: | 0.0.0.0 |
IP address on which OpenStack Karbor API listens
osapi_karbor_listen_port
¶Type: | port number |
---|---|
Default: | 8799 |
Minimum Value: | 0 |
Maximum Value: | 65535 |
Port on which OpenStack Karbor API listens
osapi_karbor_workers
¶Type: | integer |
---|---|
Default: | <None> |
Number of workers for OpenStack Karbor API service. The default is equal to the number of CPUs available.
service_name
¶Type: | string |
---|---|
Default: | <None> |
The name of service registered in Keystone
service_type
¶Type: | string |
---|---|
Default: | <None> |
The type of service registered in Keystone
version
¶Type: | string |
---|---|
Default: | <None> |
The version of service client
region_id
¶Type: | string |
---|---|
Default: | RegionOne |
The region id which the service belongs to.
interface
¶Type: | string |
---|---|
Default: | internal |
The network interface of the endpoint. Valid values are: public, admin, internal.
ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to service.
cinder_endpoint
¶Type: | string |
---|---|
Default: | <None> |
URL of the cinder endpoint.
cinder_catalog_info
¶Type: | string |
---|---|
Default: | volumev3:cinderv3:publicURL |
Info to match when looking for cinder in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if cinder_endpoint is unset
cinder_ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
cinder_auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to Cinder.
auth_uri
¶Type: | string |
---|---|
Default: | u'' |
Unversioned keystone url in format like http://0.0.0.0:5000.
sqlite_synchronous
¶Type: | boolean |
---|---|
Default: | true |
If True, SQLite uses synchronous mode.
Group | Name |
---|---|
DEFAULT | sqlite_synchronous |
backend
¶Type: | string |
---|---|
Default: | sqlalchemy |
The back end to use for the database.
Group | Name |
---|---|
DEFAULT | db_backend |
connection
¶Type: | string |
---|---|
Default: | <None> |
The SQLAlchemy connection string to use to connect to the database.
Group | Name |
---|---|
DEFAULT | sql_connection |
DATABASE | sql_connection |
sql | connection |
slave_connection
¶Type: | string |
---|---|
Default: | <None> |
The SQLAlchemy connection string to use to connect to the slave database.
mysql_sql_mode
¶Type: | string |
---|---|
Default: | TRADITIONAL |
The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
mysql_enable_ndb
¶Type: | boolean |
---|---|
Default: | false |
If True, transparently enables support for handling MySQL Cluster (NDB).
connection_recycle_time
¶Type: | integer |
---|---|
Default: | 3600 |
Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
Group | Name |
---|---|
DATABASE | idle_timeout |
database | idle_timeout |
DEFAULT | sql_idle_timeout |
DATABASE | sql_idle_timeout |
sql | idle_timeout |
min_pool_size
¶Type: | integer |
---|---|
Default: | 1 |
Minimum number of SQL connections to keep open in a pool.
Group | Name |
---|---|
DEFAULT | sql_min_pool_size |
DATABASE | sql_min_pool_size |
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
Reason: | The option to set the minimum pool size is not supported by sqlalchemy. |
---|
max_pool_size
¶Type: | integer |
---|---|
Default: | 5 |
Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
Group | Name |
---|---|
DEFAULT | sql_max_pool_size |
DATABASE | sql_max_pool_size |
max_retries
¶Type: | integer |
---|---|
Default: | 10 |
Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
Group | Name |
---|---|
DEFAULT | sql_max_retries |
DATABASE | sql_max_retries |
retry_interval
¶Type: | integer |
---|---|
Default: | 10 |
Interval between retries of opening a SQL connection.
Group | Name |
---|---|
DEFAULT | sql_retry_interval |
DATABASE | reconnect_interval |
max_overflow
¶Type: | integer |
---|---|
Default: | 50 |
If set, use this value for max_overflow with SQLAlchemy.
Group | Name |
---|---|
DEFAULT | sql_max_overflow |
DATABASE | sqlalchemy_max_overflow |
connection_debug
¶Type: | integer |
---|---|
Default: | 0 |
Minimum Value: | 0 |
Maximum Value: | 100 |
Verbosity of SQL debugging information: 0=None, 100=Everything.
Group | Name |
---|---|
DEFAULT | sql_connection_debug |
connection_trace
¶Type: | boolean |
---|---|
Default: | false |
Add Python stack traces to SQL as comment strings.
Group | Name |
---|---|
DEFAULT | sql_connection_trace |
pool_timeout
¶Type: | integer |
---|---|
Default: | <None> |
If set, use this value for pool_timeout with SQLAlchemy.
Group | Name |
---|---|
DATABASE | sqlalchemy_pool_timeout |
use_db_reconnect
¶Type: | boolean |
---|---|
Default: | false |
Enable the experimental use of database reconnect on connection lost.
db_retry_interval
¶Type: | integer |
---|---|
Default: | 1 |
Seconds between retries of a database transaction.
db_inc_retry_interval
¶Type: | boolean |
---|---|
Default: | true |
If True, increases the interval between retries of a database operation up to db_max_retry_interval.
db_max_retry_interval
¶Type: | integer |
---|---|
Default: | 10 |
If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
db_max_retries
¶Type: | integer |
---|---|
Default: | 20 |
Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
connection_parameters
¶Type: | string |
---|---|
Default: | u'' |
Optional URL parameters to append onto the connection URL at connect time; specify as param1=value1¶m2=value2&…
service_name
¶Type: | string |
---|---|
Default: | <None> |
The name of service registered in Keystone
service_type
¶Type: | string |
---|---|
Default: | <None> |
The type of service registered in Keystone
version
¶Type: | string |
---|---|
Default: | <None> |
The version of service client
region_id
¶Type: | string |
---|---|
Default: | RegionOne |
The region id which the service belongs to.
interface
¶Type: | string |
---|---|
Default: | internal |
The network interface of the endpoint. Valid values are: public, admin, internal.
ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to service.
glance_endpoint
¶Type: | string |
---|---|
Default: | <None> |
URL of the glance endpoint.
glance_catalog_info
¶Type: | string |
---|---|
Default: | image:glance:publicURL |
Info to match when looking for glance in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if glance_endpoint is unset
glance_ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
glance_auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to Glance.
service_name
¶Type: | string |
---|---|
Default: | <None> |
The name of service registered in Keystone
service_type
¶Type: | string |
---|---|
Default: | <None> |
The type of service registered in Keystone
version
¶Type: | string |
---|---|
Default: | <None> |
The version of service client
region_id
¶Type: | string |
---|---|
Default: | RegionOne |
The region id which the service belongs to.
interface
¶Type: | string |
---|---|
Default: | internal |
The network interface of the endpoint. Valid values are: public, admin, internal.
ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to service.
www_authenticate_uri
¶Type: | string |
---|---|
Default: | <None> |
Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.
Group | Name |
---|---|
keystone_authtoken | auth_uri |
auth_uri
¶Type: | string |
---|---|
Default: | <None> |
Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
Warning
This option is deprecated for removal since Queens. Its value may be silently ignored in the future.
Reason: | The auth_uri option is deprecated in favor of www_authenticate_uri and will be removed in the S release. |
---|
auth_version
¶Type: | string |
---|---|
Default: | <None> |
API version of the admin Identity API endpoint.
delay_auth_decision
¶Type: | boolean |
---|---|
Default: | false |
Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
http_connect_timeout
¶Type: | integer |
---|---|
Default: | <None> |
Request timeout value for communicating with Identity API server.
http_request_max_retries
¶Type: | integer |
---|---|
Default: | 3 |
How many times are we trying to reconnect when communicating with Identity API Server.
cache
¶Type: | string |
---|---|
Default: | <None> |
Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers
option instead.
certfile
¶Type: | string |
---|---|
Default: | <None> |
Required if identity server requires client certificate
keyfile
¶Type: | string |
---|---|
Default: | <None> |
Required if identity server requires client certificate
cafile
¶Type: | string |
---|---|
Default: | <None> |
A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
insecure
¶Type: | boolean |
---|---|
Default: | false |
Verify HTTPS connections.
region_name
¶Type: | string |
---|---|
Default: | <None> |
The region in which the identity server can be found.
signing_dir
¶Type: | string |
---|---|
Default: | <None> |
Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
Warning
This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.
Reason: | PKI token format is no longer supported. |
---|
memcached_servers
¶Type: | list |
---|---|
Default: | <None> |
Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
Group | Name |
---|---|
keystone_authtoken | memcache_servers |
token_cache_time
¶Type: | integer |
---|---|
Default: | 300 |
In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
revocation_cache_time
¶Type: | integer |
---|---|
Default: | 10 |
Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
Warning
This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.
Reason: | PKI token format is no longer supported. |
---|
memcache_security_strategy
¶Type: | string |
---|---|
Default: | None |
Valid Values: | None, MAC, ENCRYPT |
(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcache_secret_key
¶Type: | string |
---|---|
Default: | <None> |
(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
memcache_pool_dead_retry
¶Type: | integer |
---|---|
Default: | 300 |
(Optional) Number of seconds memcached server is considered dead before it is tried again.
memcache_pool_maxsize
¶Type: | integer |
---|---|
Default: | 10 |
(Optional) Maximum total number of open connections to every memcached server.
memcache_pool_socket_timeout
¶Type: | integer |
---|---|
Default: | 3 |
(Optional) Socket timeout in seconds for communicating with a memcached server.
memcache_pool_unused_timeout
¶Type: | integer |
---|---|
Default: | 60 |
(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
memcache_pool_conn_get_timeout
¶Type: | integer |
---|---|
Default: | 10 |
(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
memcache_use_advanced_pool
¶Type: | boolean |
---|---|
Default: | false |
(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
include_service_catalog
¶Type: | boolean |
---|---|
Default: | true |
(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
enforce_token_bind
¶Type: | string |
---|---|
Default: | permissive |
Used to control the use and type of token binding. Can be set to: “disabled” to not check token binding. “permissive” (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. “strict” like “permissive” but if the bind type is unknown the token will be rejected. “required” any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
check_revocations_for_cached
¶Type: | boolean |
---|---|
Default: | false |
If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
Warning
This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.
Reason: | PKI token format is no longer supported. |
---|
hash_algorithms
¶Type: | list |
---|---|
Default: | md5 |
Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
Warning
This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.
Reason: | PKI token format is no longer supported. |
---|
service_token_roles
¶Type: | list |
---|---|
Default: | service |
A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
service_token_roles_required
¶Type: | boolean |
---|---|
Default: | false |
For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
auth_type
¶Type: | unknown type |
---|---|
Default: | <None> |
Authentication type to load
Group | Name |
---|---|
keystone_authtoken | auth_plugin |
auth_section
¶Type: | unknown type |
---|---|
Default: | <None> |
Config Section from which to load plugin specific options
service_name
¶Type: | string |
---|---|
Default: | <None> |
The name of service registered in Keystone
service_type
¶Type: | string |
---|---|
Default: | <None> |
The type of service registered in Keystone
version
¶Type: | string |
---|---|
Default: | <None> |
The version of service client
region_id
¶Type: | string |
---|---|
Default: | RegionOne |
The region id which the service belongs to.
interface
¶Type: | string |
---|---|
Default: | internal |
The network interface of the endpoint. Valid values are: public, admin, internal.
ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to service.
manila_endpoint
¶Type: | string |
---|---|
Default: | <None> |
URL of the manila endpoint.
manila_catalog_info
¶Type: | string |
---|---|
Default: | sharev2:manilav2:publicURL |
Info to match when looking for manila in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if manila_endpoint is unset
manila_ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
manila_auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to manila.
service_name
¶Type: | string |
---|---|
Default: | <None> |
The name of service registered in Keystone
service_type
¶Type: | string |
---|---|
Default: | <None> |
The type of service registered in Keystone
version
¶Type: | string |
---|---|
Default: | <None> |
The version of service client
region_id
¶Type: | string |
---|---|
Default: | RegionOne |
The region id which the service belongs to.
interface
¶Type: | string |
---|---|
Default: | internal |
The network interface of the endpoint. Valid values are: public, admin, internal.
ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to service.
neutron_endpoint
¶Type: | string |
---|---|
Default: | <None> |
URL of the neutron endpoint.
neutron_catalog_info
¶Type: | string |
---|---|
Default: | network:neutron:publicURL |
Info to match when looking for neutron in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if neutron_endpoint is unset
neutron_ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
neutron_auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to Neutron.
service_name
¶Type: | string |
---|---|
Default: | <None> |
The name of service registered in Keystone
service_type
¶Type: | string |
---|---|
Default: | <None> |
The type of service registered in Keystone
version
¶Type: | string |
---|---|
Default: | <None> |
The version of service client
region_id
¶Type: | string |
---|---|
Default: | RegionOne |
The region id which the service belongs to.
interface
¶Type: | string |
---|---|
Default: | internal |
The network interface of the endpoint. Valid values are: public, admin, internal.
ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to service.
nova_endpoint
¶Type: | string |
---|---|
Default: | <None> |
URL of the nova endpoint. <endpoint_url>
nova_catalog_info
¶Type: | string |
---|---|
Default: | compute:nova:publicURL |
Info to match when looking for nova in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if nova_endpoint is unset
nova_ca_cert_file
¶Type: | string |
---|---|
Default: | <None> |
Location of the CA certificate file to use for client requests in SSL connections.
nova_auth_insecure
¶Type: | boolean |
---|---|
Default: | false |
Bypass verification of server certificate when making SSL connection to Nova.
max_concurrent_operations
¶Type: | integer |
---|---|
Default: | 0 |
number of maximum concurrent running operations,0 means no hard limit
executor
¶Type: | string |
---|---|
Default: | green_thread |
Valid Values: | thread_pool, green_thread |
The name of executor which is used to run operations
disable_process_locking
¶Type: | boolean |
---|---|
Default: | false |
Enables or disables inter-process locks.
Group | Name |
---|---|
DEFAULT | disable_process_locking |
lock_path
¶Type: | string |
---|---|
Default: | <None> |
Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.
Group | Name |
---|---|
DEFAULT | lock_path |
enforce_scope
¶Type: | boolean |
---|---|
Default: | false |
This option controls whether or not to enforce scope when evaluating policies. If True
, the scope of the token used in the request is compared to the scope_types
of the policy being enforced. If the scopes do not match, an InvalidScope
exception will be raised. If False
, a message will be logged informing operators that policies are being invoked with mismatching scope.
policy_file
¶Type: | string |
---|---|
Default: | policy.json |
The file that defines policies.
Group | Name |
---|---|
DEFAULT | policy_file |
policy_default_rule
¶Type: | string |
---|---|
Default: | default |
Default rule. Enforced when a requested rule is not found.
Group | Name |
---|---|
DEFAULT | policy_default_rule |
policy_dirs
¶Type: | multi-valued |
---|---|
Default: | policy.d |
Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
Group | Name |
---|---|
DEFAULT | policy_dirs |
remote_content_type
¶Type: | string |
---|---|
Default: | application/x-www-form-urlencoded |
Valid Values: | application/x-www-form-urlencoded, application/json |
Content Type to send and receive data for REST based policy check
remote_ssl_verify_server_crt
¶Type: | boolean |
---|---|
Default: | false |
server identity verification for REST based policy check
remote_ssl_ca_crt_file
¶Type: | string |
---|---|
Default: | <None> |
Absolute path to ca cert file for REST based policy check
remote_ssl_client_crt_file
¶Type: | string |
---|---|
Default: | <None> |
Absolute path to client cert for REST based policy check
remote_ssl_client_key_file
¶Type: | string |
---|---|
Default: | <None> |
Absolute path client key file REST based policy check
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.