
Chapter 12. Identity (keystone) Parameters


You can modify the keystone service with identity parameters.

Parameter / Description

AdminToken

The OpenStack Identity (keystone) secret and database password.

ApacheCertificateKeySize

Override the private key size used when creating the certificate for this service.

ApacheTimeout

The timeout in seconds for Apache, which defines how long Apache waits for I/O operations. The default value is 90.

CertificateKeySize

Specifies the private key size used when creating the certificate. The default value is 2048.

EnableCache

Enable caching with memcached. The default value is true.

EnablePublicTLS

Whether to enable TLS on the public interface or not. The default value is true.

EnableSQLAlchemyCollectd

Set to true to enable the SQLAlchemy-collectd server plugin. The default value is false.

EnforceSecureRbac

Setting this option to True will configure each OpenStack service to enforce Secure RBAC by setting [oslo_policy] enforce_new_defaults and [oslo_policy] enforce_scope to True. This introduces a consistent set of RBAC personas across OpenStack services that include support for system and project scope, as well as keystone’s default roles, admin, member, and reader. Do not enable this functionality until all services in your deployment actually support secure RBAC. The default value is false.

KeystoneAuthMethods

A list of methods used for authentication.

KeystoneChangePasswordUponFirstUse

Enabling this option requires users to change their password when the user is created, or upon administrative reset.

KeystoneCorsAllowedOrigin

Indicate whether this resource may be shared with the domain received in the request "origin" header.

KeystoneCredential0

The first OpenStack Identity (keystone) credential key. Must be a valid key.

KeystoneCredential1

The second OpenStack Identity (keystone) credential key. Must be a valid key.

KeystoneCronTrustFlushDestination

Log destination for the cron job that purges expired or soft-deleted trusts. The default value is /var/log/keystone/keystone-trustflush.log.

KeystoneCronTrustFlushEnsure

Ensure state of the cron job that purges expired or soft-deleted trusts. The default value is present.

KeystoneCronTrustFlushHour

Hour field of the cron schedule for purging expired or soft-deleted trusts. The default value is *.

KeystoneCronTrustFlushMaxDelay

Maximum delay for the cron job that purges expired or soft-deleted trusts. The default value is 0.

KeystoneCronTrustFlushMinute

Minute field of the cron schedule for purging expired or soft-deleted trusts. The default value is 1.

KeystoneCronTrustFlushMonth

Month field of the cron schedule for purging expired or soft-deleted trusts. The default value is *.

KeystoneCronTrustFlushMonthday

Day-of-month field of the cron schedule for purging expired or soft-deleted trusts. The default value is *.

KeystoneCronTrustFlushUser

User that runs the cron job that purges expired or soft-deleted trusts. The default value is keystone.

KeystoneCronTrustFlushWeekday

Day-of-week field of the cron schedule for purging expired or soft-deleted trusts. The default value is *.

KeystoneDisableUserAccountDaysInactive

The maximum number of days a user can go without authenticating before being considered "inactive" and automatically disabled (locked).

KeystoneEnableDBPurge

Whether to create a cron job for purging soft-deleted rows in the OpenStack Identity (keystone) database. The default value is true.

KeystoneEnableMember

Create the member role, useful for undercloud deployment. The default value is False.

KeystoneFederationEnable

Enable support for federated authentication. The default value is false.

KeystoneFernetKeys

Mapping containing OpenStack Identity (keystone) fernet keys and their paths.

KeystoneFernetMaxActiveKeys

The maximum active keys in the OpenStack Identity (keystone) fernet key repository. The default value is 5.

KeystoneLDAPBackendConfigs

Hash containing the configurations for the LDAP backends configured in keystone.

KeystoneLDAPDomainEnable

Trigger to call the ldap_backend Puppet define for keystone. The default value is False.

KeystoneLockoutDuration

The number of seconds a user account will be locked when the maximum number of failed authentication attempts (as specified by KeystoneLockoutFailureAttempts) is exceeded.

KeystoneLockoutFailureAttempts

The maximum number of times that a user can fail to authenticate before the user account is locked for the number of seconds specified by KeystoneLockoutDuration.

KeystoneMinimumPasswordAge

The number of days that a password must be used before the user can change it. This prevents users from changing their passwords immediately in order to wipe out their password history and reuse an old password.

KeystoneNotificationDriver

Comma-separated list of Oslo notification drivers used by OpenStack Identity (keystone).

KeystoneNotificationFormat

The OpenStack Identity (keystone) notification format. The default value is basic.

KeystoneNotificationTopics

OpenStack Identity (keystone) notification topics to enable.

KeystoneOpenIdcClientId

The client ID to use when handshaking with your OpenID Connect provider.

KeystoneOpenIdcClientSecret

The client secret to use when handshaking with your OpenID Connect provider.

KeystoneOpenIdcCryptoPassphrase

Passphrase to use when encrypting data for OpenID Connect handshake. The default value is openstack.

KeystoneOpenIdcEnable

Enable support for OpenIDC federation. The default value is false.

KeystoneOpenIdcEnableOAuth

Enable OAuth 2.0 integration. The default value is false.

KeystoneOpenIdcIdpName

The name associated with the IdP in OpenStack Identity (keystone).

KeystoneOpenIdcIntrospectionEndpoint

OAuth 2.0 introspection endpoint for mod_auth_openidc.

KeystoneOpenIdcProviderMetadataUrl

The URL that points to your OpenID Connect provider metadata.

KeystoneOpenIdcRemoteIdAttribute

Attribute to be used to obtain the entity ID of the Identity Provider from the environment. The default value is HTTP_OIDC_ISS.

KeystoneOpenIdcResponseType

Response type to be expected from the OpenID Connect provider. The default value is id_token.

KeystonePasswordExpiresDays

The number of days for which a password will be considered valid before requiring it to be changed.

KeystonePasswordRegex

The regular expression used to validate password strength requirements.

KeystonePasswordRegexDescription

A human-readable description of the password regular expression, shown to users when a password fails validation.

KeystoneSSLCertificate

OpenStack Identity (keystone) certificate for verifying token validity.

KeystoneSSLCertificateKey

OpenStack Identity (keystone) key for signing tokens.

KeystoneTokenProvider

The OpenStack Identity (keystone) token format. The default value is fernet.

KeystoneTrustedDashboards

A list of dashboard URLs trusted for single sign-on.

KeystoneUniqueLastPasswordCount

This controls the number of previous user password iterations to keep in history, in order to enforce that newly created passwords are unique.

KeystoneWorkers

Set the number of workers for the OpenStack Identity (keystone) service. Note that more workers create a larger number of processes on the system, which results in excess memory consumption. It is recommended to choose a suitable non-default value on systems with high CPU core counts. 0 sets the OpenStack internal default, which is equal to the number of CPU cores on the node. The default value is equal to the number of vCPU cores on the physical node.

ManageKeystoneFernetKeys

Whether director should manage the OpenStack Identity (keystone) fernet keys or not. If set to True, the fernet keys will get the values from the saved keys repository in OpenStack Workflow (mistral) from the KeystoneFernetKeys variable. If set to false, only the stack creation initializes the keys, but subsequent updates will not touch them. The default value is true.

MemcachedTLS

Set to True to enable TLS on the Memcached service. Because not all services support Memcached TLS, during the migration period Memcached will listen on two ports: the port set with the MemcachedPort parameter (with TLS) and port 11211 (without TLS). The default value is false.

NotificationDriver

Driver or drivers to handle sending notifications. The default value is noop.

PublicSSLCertificateAutogenerated

Whether the public SSL certificate was autogenerated or not. The default value is false.

PublicTLSCAFile

Specifies the default CA cert to use if TLS is used for services in the public network.

SSLCertificate

The content of the SSL certificate (without Key) in PEM format.

TokenExpiration

Set a token expiration time in seconds. The default value is 3600.
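The lockout, password-lifecycle and token parameters above are normally set together in a Heat environment file passed to the overcloud deployment. The following is an added example, not from this Red Hat page or from the director templates themselves: a constructed parameter_defaults file that applies an account-lockout and password policy using only parameters listed in this chapter. Every value in it is illustrative; choose values that match your own policy.

```yaml
# Constructed example environment file (not part of the original page).
# Only parameters documented in this chapter are used; values are illustrative.
parameter_defaults:
  # Account lockout: after 5 consecutive failed authentications the account
  # is locked for KeystoneLockoutDuration seconds (30 minutes here).
  KeystoneLockoutFailureAttempts: 5
  KeystoneLockoutDuration: 1800

  # Password lifecycle: rotate every 90 days, allow at most one change per
  # day so history cannot be flushed, remember the last 5 passwords,
  # and force a change on first use or after an administrative reset.
  KeystonePasswordExpiresDays: 90
  KeystoneMinimumPasswordAge: 1
  KeystoneUniqueLastPasswordCount: 5
  KeystoneChangePasswordUponFirstUse: true

  # Disable accounts that have not authenticated for 180 days.
  KeystoneDisableUserAccountDaysInactive: 180

  # Password strength: at least 12 characters with an uppercase letter,
  # a lowercase letter and a digit. Single quotes keep the backslash literal.
  KeystonePasswordRegex: '^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{12,}$'
  KeystonePasswordRegexDescription: 'At least 12 characters, including an uppercase letter, a lowercase letter and a digit'

  # Token lifetime: fernet tokens valid for one hour.
  KeystoneTokenProvider: fernet
  TokenExpiration: 3600
```

Assuming the file is saved as keystone-policy.yaml, it is included like any other environment file with `openstack overcloud deploy --templates -e keystone-policy.yaml` (plus your existing environment files). Note that KeystoneMinimumPasswordAge is deliberately non-zero so that KeystoneUniqueLastPasswordCount actually enforces history, and that KeystoneLockoutDuration only has an effect when KeystoneLockoutFailureAttempts is also set.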


© 2024 Red Hat, Inc.