zaqar.conf¶

DEFAULT¶

admin_mode¶

Type:: boolean
Default:: False

Activate privileged endpoints.

pooling¶

Type:: boolean
Default:: False

Enable pooling across multiple storage backends. If pooling is enabled, the storage driver configuration is used to determine where the catalogue/control plane data is kept.

Deprecated Variations¶
Group	Name
DEFAULT	sharding

unreliable¶

Type:: boolean
Default:: False

Disable all reliability constraints.

enable_deprecated_api_versions¶

Type:: list
Default:: []

List of deprecated API versions to enable.

Warning

This option is deprecated for removal. Its value may be silently ignored in the future.

Reason:: Deprecated APIs no longer exist

enable_checksum¶

Type:: boolean
Default:: False

Enable a checksum for message body. The default value is False.

auth_strategy¶

Type:: string
Default:: ''

Backend to use for authentication. For no auth, keep it empty. Existing strategies: keystone. See also the keystone_authtoken section below

debug¶

Type:: boolean
Default:: False
Mutable:: This option can be changed without restarting.

If set to true, the logging level will be set to DEBUG instead of the default INFO level.

log_config_append¶

Type:: string
Default:: <None>
Mutable:: This option can be changed without restarting.

The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).

Deprecated Variations¶
Group	Name
DEFAULT	log-config
DEFAULT	log_config

log_date_format¶

Type:: string
Default:: %Y-%m-%d %H:%M:%S

Defines the format string for %(asctime)s in log records. Default: the value above . This option is ignored if log_config_append is set.

log_file¶

Type:: string
Default:: <None>

(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.

Deprecated Variations¶
Group	Name
DEFAULT	logfile

log_dir¶

Type:: string
Default:: <None>

(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.

Deprecated Variations¶
Group	Name
DEFAULT	logdir

use_syslog¶

Type:: boolean
Default:: False

Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.

use_journal¶

Type:: boolean
Default:: False

Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.

syslog_log_facility¶

Type:: string
Default:: LOG_USER

Syslog facility to receive log lines. This option is ignored if log_config_append is set.

use_json¶

Type:: boolean
Default:: False

Use JSON formatting for logging. This option is ignored if log_config_append is set.

use_stderr¶

Type:: boolean
Default:: False

Log output to standard error. This option is ignored if log_config_append is set.

log_color¶

Type:: boolean
Default:: False

(Optional) Set the ‘color’ key according to log levels. This option takes effect only when logging to stderr or stdout is used. This option is ignored if log_config_append is set.

log_rotate_interval¶

Type:: integer
Default:: 1

The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to “interval”.

log_rotate_interval_type¶

Type:: string
Default:: days
Valid Values:: Seconds, Minutes, Hours, Days, Weekday, Midnight

Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.

max_logfile_count¶

Type:: integer
Default:: 30

Maximum number of rotated log files.

max_logfile_size_mb¶

Type:: integer
Default:: 200

Log file maximum size in MB. This option is ignored if “log_rotation_type” is not set to “size”.

log_rotation_type¶

Type:: string
Default:: none
Valid Values:: interval, size, none

Log rotation type.

Possible values

interval: Rotate logs at predefined time intervals.
size: Rotate logs once they reach a predefined size.
none: Do not rotate log files.

logging_context_format_string¶

Type:: string
Default:: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(global_request_id)s %(request_id)s %(user_identity)s] %(instance)s%(message)s

Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter

logging_default_format_string¶

Type:: string
Default:: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter

logging_debug_format_suffix¶

Type:: string
Default:: %(funcName)s %(pathname)s:%(lineno)d

Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter

logging_exception_prefix¶

Type:: string
Default:: %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s

Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter

logging_user_identity_format¶

Type:: string
Default:: %(user)s %(project)s %(domain)s %(system_scope)s %(user_domain)s %(project_domain)s

Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter

default_log_levels¶

Type:: list
Default:: ['amqp=WARN', 'boto=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']

List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.

publish_errors¶

Type:: boolean
Default:: False

Enables or disables publication of error events.

instance_format¶

Type:: string
Default:: "[instance: %(uuid)s] "

The format for an instance that is passed with the log message.

instance_uuid_format¶

Type:: string
Default:: "[instance: %(uuid)s] "

The format for an instance UUID that is passed with the log message.

rate_limit_interval¶

Type:: integer
Default:: 0

Interval, number of seconds, of log rate limiting.

rate_limit_burst¶

Type:: integer
Default:: 0

Maximum number of logged messages per rate_limit_interval.

rate_limit_except_level¶

Type:: string
Default:: CRITICAL
Valid Values:: CRITICAL, ERROR, INFO, WARNING, DEBUG, ‘’

Log level name used by rate limiting. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.

fatal_deprecations¶

Type:: boolean
Default:: False

Enables or disables fatal status of deprecations.

cache¶

config_prefix¶

Type:: string
Default:: cache.oslo

Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.

expiration_time¶

Type:: integer
Default:: 600
Minimum Value:: 1

Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn’t have an explicit cache expiration time defined for it.

backend_expiration_time¶

Type:: integer
Default:: <None>
Minimum Value:: 1

Expiration time in cache backend to purge expired records automatically. This should be greater than expiration_time and all cache_time options

backend¶

Type:: string
Default:: dogpile.cache.null
Valid Values:: oslo_cache.memcache_pool, oslo_cache.dict, oslo_cache.etcd3gw, dogpile.cache.pymemcache, dogpile.cache.memcached, dogpile.cache.pylibmc, dogpile.cache.bmemcached, dogpile.cache.dbm, dogpile.cache.redis, dogpile.cache.redis_sentinel, dogpile.cache.memory, dogpile.cache.memory_pickle, dogpile.cache.null

Cache backend module. For eventlet-based or environments with hundreds of threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is recommended. For environments with less than 100 threaded servers, Memcached (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test environments with a single instance of the server can use the dogpile.cache.memory backend.

backend_argument¶

Type:: multi-valued
Default:: ''

Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: “<argname>:<value>”.

proxies¶

Type:: list
Default:: []

Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.

enabled¶

Type:: boolean
Default:: False

Global toggle for caching.

debug_cache_backend¶

Type:: boolean
Default:: False

Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.

memcache_servers¶

Type:: list
Default:: ['localhost:11211']

Memcache servers in the format of “host:port”. This is used by backends dependent on Memcached.If dogpile.cache.memcached or oslo_cache.memcache_pool is used and a given host refer to an IPv6 or a given domain refer to IPv6 then you should prefix the given address with the address family (inet6) (e.g inet6:[::1]:11211, inet6:[fd12:3456:789a:1::1]:11211, inet6:[controller-0.internalapi]:11211). If the address family is not given then these backends will use the default inet address family which corresponds to IPv4

memcache_dead_retry¶

Type:: integer
Default:: 300

Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).

memcache_pool_maxsize¶

Type:: integer
Default:: 10

Max total number of open connections to every memcached server. (oslo_cache.memcache_pool backend only).

memcache_pool_unused_timeout¶

Type:: integer
Default:: 60

Number of seconds a connection to memcached is held unused in the pool before it is closed. (oslo_cache.memcache_pool backend only).

memcache_pool_connection_get_timeout¶

Type:: integer
Default:: 10

Number of seconds that an operation will wait to get a memcache client connection.

memcache_pool_flush_on_reconnect¶

Type:: boolean
Default:: False

Global toggle if memcache will be flushed on reconnect. (oslo_cache.memcache_pool backend only).

memcache_sasl_enabled¶

Type:: boolean
Default:: False

Enable the SASL(Simple Authentication and SecurityLayer) if the SASL_enable is true, else disable.

redis_server¶

Type:: string
Default:: localhost:6379

Redis server in the format of “host:port”

redis_db¶

Type:: integer
Default:: 0
Minimum Value:: 0

Database id in Redis server

redis_sentinels¶

Type:: list
Default:: ['localhost:26379']

Redis sentinel servers in the format of “host:port”

redis_sentinel_service_name¶

Type:: string
Default:: mymaster

Service name of the redis sentinel cluster.

username¶

Type:: string
Default:: <None>

the user name for authentication to backend.

Deprecated Variations¶
Group	Name
cache	memcache_username
cache	redis_username

password¶

Type:: string
Default:: <None>

the password for authentication to backend.

Deprecated Variations¶
Group	Name
cache	memcache_password
cache	redis_password

tls_enabled¶

Type:: boolean
Default:: False

Global toggle for TLS usage when communicating with the caching servers. Currently supported by dogpile.cache.bmemcache, dogpile.cache.pymemcache, oslo_cache.memcache_pool, dogpile.cache.redis and dogpile.cache.redis_sentinel.

tls_cafile¶

Type:: string
Default:: <None>

Path to a file of concatenated CA certificates in PEM format necessary to establish the caching servers’ authenticity. If tls_enabled is False, this option is ignored.

tls_certfile¶

Type:: string
Default:: <None>

Path to a single file in PEM format containing the client’s certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. This file is only required when client side authentication is necessary. If tls_enabled is False, this option is ignored.

tls_keyfile¶

Type:: string
Default:: <None>

Path to a single file containing the client’s private key in. Otherwise the private key will be taken from the file specified in tls_certfile. If tls_enabled is False, this option is ignored.

tls_allowed_ciphers¶

Type:: string
Default:: <None>

Set the available ciphers for sockets created with the TLS context. It should be a string in the OpenSSL cipher list format. If not specified, all OpenSSL enabled ciphers will be available. Currently supported by dogpile.cache.bmemcache, dogpile.cache.pymemcache and oslo_cache.memcache_pool.

socket_timeout¶

Type:: floating point
Default:: 1.0

Timeout in seconds for every call to a server. Currently supported by dogpile.cache.memcache, oslo_cache.memcache_pool, dogpile.cache.redis and dogpile.cache.redis_sentinel.

Deprecated Variations¶
Group	Name
cache	memcache_socket_timeout
cache	redis_socket_timeout

enable_socket_keepalive¶

Type:: boolean
Default:: False

Global toggle for the socket keepalive of dogpile’s pymemcache backend

socket_keepalive_idle¶

Type:: integer
Default:: 1
Minimum Value:: 0

The time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes. Should be a positive integer most greater than zero.

socket_keepalive_interval¶

Type:: integer
Default:: 1
Minimum Value:: 0

The time (in seconds) between individual keepalive probes. Should be a positive integer greater than zero.

socket_keepalive_count¶

Type:: integer
Default:: 1
Minimum Value:: 0

The maximum number of keepalive probes TCP should send before dropping the connection. Should be a positive integer greater than zero.

enable_retry_client¶

Type:: boolean
Default:: False

Enable retry client mechanisms to handle failure. Those mechanisms can be used to wrap all kind of pymemcache clients. The wrapper allows you to define how many attempts to make and how long to wait between attempts.

retry_attempts¶

Type:: integer
Default:: 2
Minimum Value:: 1

Number of times to attempt an action before failing.

retry_delay¶

Type:: floating point
Default:: 0

Number of seconds to sleep between each attempt.

hashclient_retry_attempts¶

Type:: integer
Default:: 2
Minimum Value:: 1

Amount of times a client should be tried before it is marked dead and removed from the pool in the HashClient’s internal mechanisms.

hashclient_retry_timeout¶

Type:: floating point
Default:: 1

Time in seconds that should pass between retry attempts in the HashClient’s internal mechanisms.

Deprecated Variations¶
Group	Name
cache	hashclient_retry_delay

hashclient_dead_timeout¶

Type:: floating point
Default:: 60

Time in seconds before attempting to add a node back in the pool in the HashClient’s internal mechanisms.

Deprecated Variations¶
Group	Name
cache	dead_timeout

enforce_fips_mode¶

Type:: boolean
Default:: False

Global toggle for enforcing the OpenSSL FIPS mode. This feature requires Python support. This is available in Python 3.9 in all environments and may have been backported to older Python versions on select environments. If the Python executable used does not support OpenSSL FIPS mode, an exception will be raised. Currently supported by dogpile.cache.bmemcache, dogpile.cache.pymemcache and oslo_cache.memcache_pool.

Warning

This option is deprecated for removal. Its value may be silently ignored in the future.

Reason:: FIPS_mode_set API was removed in OpenSSL 3.0.0. This option has no effect now.

cors¶

allowed_origin¶

Type:: list
Default:: <None>

Indicate whether this resource may be shared with the domain received in the requests “origin” header. Format: “<protocol>://<host>[:<port>]”, no trailing slash. Example: https://horizon.example.com

allow_credentials¶

Type:: boolean
Default:: True

Indicate that the actual request can include user credentials

expose_headers¶

Type:: list
Default:: []

Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.

max_age¶

Type:: integer
Default:: 3600

Maximum cache age of CORS preflight requests.

allow_methods¶

Type:: list
Default:: ['OPTIONS', 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE', 'PATCH']

Indicate which methods can be used during the actual request.

allow_headers¶

Type:: list
Default:: []

Indicate which header field names may be used during the actual request.

drivers¶

transport¶

Type:: string
Default:: wsgi
Valid Values:: wsgi, websocket

Transport driver to use.

message_store¶

Type:: string
Default:: mongodb

Storage driver to use as the messaging store.

Deprecated Variations¶
Group	Name
drivers	storage

management_store¶

Type:: string
Default:: mongodb

Storage driver to use as the management store.

drivers:management_store:mongodb¶

ssl_keyfile¶

Type:: string
Default:: <None>

The private keyfile used to identify the local connection against mongod. If included with the certifle then only the ssl_certfile is needed.

ssl_certfile¶

Type:: string
Default:: <None>

The certificate file used to identify the local connection against mongod.

ssl_cert_reqs¶

Type:: string
Default:: CERT_REQUIRED
Valid Values:: CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED

Specifies whether a certificate is required from the other side of the connection, and whether it will be validated if provided. If the value of this parameter is not CERT_NONE, then the ssl_ca_cert parameter must point to a file of CA certificates.

Possible values

CERT_NONE: Certificates are ignored
CERT_OPTIONAL: Certificates are not required, but validated if provided
CERT_REQUIRED: Certificates are required and validated

ssl_ca_certs¶

Type:: string
Default:: <None>

The ca_certs file contains a set of concatenated “certification authority” certificates, which are used to validate certificates passed from the other end of the connection.

uri¶

Type:: string
Default:: <None>

Mongodb Connection URI. If ssl connection enabled, then ssl_keyfile, ssl_certfile, ssl_cert_reqs, ssl_ca_certs need to be set accordingly.

database¶

Type:: string
Default:: zaqar

Database name.

max_attempts¶

Type:: integer
Default:: 1000
Minimum Value:: 0

Maximum number of times to retry a failed operation. Currently only used for retrying a message post.

max_retry_sleep¶

Type:: floating point
Default:: 0.1

Maximum sleep interval between retries (actual sleep time increases linearly according to number of attempts performed).

max_retry_jitter¶

Type:: floating point
Default:: 0.005

Maximum jitter interval, to be added to the sleep interval, in order to decrease probability that parallel requests will retry at the same instant.

max_reconnect_attempts¶

Type:: integer
Default:: 10

Maximum number of times to retry an operation that failed due to a primary node failover.

reconnect_sleep¶

Type:: floating point
Default:: 0.02

Base sleep interval between attempts to reconnect after a primary node failover. The actual sleep time increases exponentially (power of 2) each time the operation is retried.

drivers:management_store:redis¶

uri¶

Type:: string
Default:: redis://127.0.0.1:6379

Redis connection URI, taking one of three forms. For a direct connection to a Redis server, use the form “redis://[:password]@host[:port][?options]”, where password is redis-server’s password, whenredis-server is set password, the password optionneeds to be set. port defaults to 6379 if notspecified. For an HA master-slave Redis cluster using Redis Sentinel, use the form “redis://[:password]@host1[:port1][,host2[:port2],…,hostN[:portN]][?options]”, where each host specified corresponds to an instance of redis-sentinel. In this form, the name of the Redis master used in the Sentinel configuration must be included in the query string as “master=<name>”. Finally, to connect to a local instance of Redis over a unix socket, you may use the form “redis://[:password]@/path/to/redis.sock[?options]”. In all forms, the “socket_timeout” option may bespecified in the query string. Its value is given in seconds. If not provided, “socket_timeout” defaults to 0.1 seconds.There are multiple database instances in redis database, for example in the /etc/redis/redis.conf, if the parameter is “database 16”, there are 16 database instances. By default, the data is stored in db = 0 database, if you want to use db = 1 database, you can use the following form: “redis://host[:port][?dbid=1]”.

max_reconnect_attempts¶

Type:: integer
Default:: 10

Maximum number of times to retry an operation that failed due to a redis node failover.

reconnect_sleep¶

Type:: floating point
Default:: 1.0

Base sleep interval between attempts to reconnect after a redis node failover.

drivers:management_store:sqlalchemy¶

uri¶

Type:: string
Default:: sqlite:///:memory:

An sqlalchemy URL

drivers:message_store:mongodb¶

ssl_keyfile¶

Type:: string
Default:: <None>

The private keyfile used to identify the local connection against mongod. If included with the certifle then only the ssl_certfile is needed.

ssl_certfile¶

Type:: string
Default:: <None>

The certificate file used to identify the local connection against mongod.

ssl_cert_reqs¶

Type:: string
Default:: CERT_REQUIRED
Valid Values:: CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED

Possible values

CERT_NONE: Certificates are ignored
CERT_OPTIONAL: Certificates are not required, but validated if provided
CERT_REQUIRED: Certificates are required and validated

ssl_ca_certs¶

Type:: string
Default:: <None>

The ca_certs file contains a set of concatenated “certification authority” certificates, which are used to validate certificates passed from the other end of the connection.

uri¶

Type:: string
Default:: <None>

Mongodb Connection URI. If ssl connection enabled, then ssl_keyfile, ssl_certfile, ssl_cert_reqs, ssl_ca_certs need to be set accordingly.

database¶

Type:: string
Default:: zaqar

Database name.

max_attempts¶

Type:: integer
Default:: 1000
Minimum Value:: 0

Maximum number of times to retry a failed operation. Currently only used for retrying a message post.

max_retry_sleep¶

Type:: floating point
Default:: 0.1

Maximum sleep interval between retries (actual sleep time increases linearly according to number of attempts performed).

max_retry_jitter¶

Type:: floating point
Default:: 0.005

Maximum jitter interval, to be added to the sleep interval, in order to decrease probability that parallel requests will retry at the same instant.

max_reconnect_attempts¶

Type:: integer
Default:: 10

Maximum number of times to retry an operation that failed due to a primary node failover.

reconnect_sleep¶

Type:: floating point
Default:: 0.02

Base sleep interval between attempts to reconnect after a primary node failover. The actual sleep time increases exponentially (power of 2) each time the operation is retried.

partitions¶

Type:: integer
Default:: 2

Number of databases across which to partition message data, in order to reduce writer lock %. DO NOT change this setting after initial deployment. It MUST remain static. Also, you should not need a large number of partitions to improve performance, esp. if deploying MongoDB on SSD storage.

drivers:message_store:redis¶

uri¶

Type:: string
Default:: redis://127.0.0.1:6379

max_reconnect_attempts¶

Type:: integer
Default:: 10

Maximum number of times to retry an operation that failed due to a redis node failover.

reconnect_sleep¶

Type:: floating point
Default:: 1.0

Base sleep interval between attempts to reconnect after a redis node failover.

drivers:message_store:swift¶

auth_url¶

Type:: string
Default:: http://127.0.0.1:5000/v3/

URI of Keystone endpoint to discover Swift

uri¶

Type:: string
Default:: swift://demo:nomoresecrete@/demo

Custom URI describing the swift connection.

insecure¶

Type:: boolean
Default:: False

Don’t check SSL certificate

project_domain_id¶

Type:: string
Default:: <None>

Domain ID containing project

project_domain_name¶

Type:: string
Default:: Default

Domain name containing project

user_domain_id¶

Type:: string
Default:: <None>

User’s domain id

user_domain_name¶

Type:: string
Default:: Default

User’s domain name

region_name¶

Type:: string
Default:: <None>

Region name

interface¶

Type:: string
Default:: publicURL

The default interface for endpoint URL discovery.

drivers:transport:websocket¶

bind¶

Type:: host address
Default:: 127.0.0.1

Address on which the self-hosting server will listen.

port¶

Type:: port number
Default:: 9000
Minimum Value:: 0
Maximum Value:: 65535

Port on which the self-hosting server will listen.

external_port¶

Type:: port number
Default:: <None>
Minimum Value:: 0
Maximum Value:: 65535

Port on which the service is provided to the user.

notification_bind¶

Type:: host address
Default:: <None>

Address on which the notification server will listen.

notification_port¶

Type:: port number
Default:: 0
Minimum Value:: 0
Maximum Value:: 65535

Port on which the notification server will listen.

drivers:transport:wsgi¶

bind¶

Type:: host address
Default:: 127.0.0.1

Address on which the self-hosting server will listen.

port¶

Type:: port number
Default:: 8888
Minimum Value:: 0
Maximum Value:: 65535

Port on which the self-hosting server will listen.

keystone_authtoken¶

www_authenticate_uri¶

Type:: string
Default:: <None>

Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

Deprecated Variations¶
Group	Name
keystone_authtoken	auth_uri

auth_uri¶

Type:: string
Default:: <None>

Warning

This option is deprecated for removal since Queens. Its value may be silently ignored in the future.

Reason:: The auth_uri option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

auth_version¶

Type:: string
Default:: <None>

API version of the Identity API endpoint.

interface¶

Type:: string
Default:: internal

Interface to use for the Identity API endpoint. Valid values are “public”, “internal” (default) or “admin”.

delay_auth_decision¶

Type:: boolean
Default:: False

Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.

http_connect_timeout¶

Type:: integer
Default:: <None>

Request timeout value for communicating with Identity API server.

http_request_max_retries¶

Type:: integer
Default:: 3

How many times are we trying to reconnect when communicating with Identity API Server.

cache¶

Type:: string
Default:: <None>

Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers option instead.

certfile¶

Type:: string
Default:: <None>

Required if identity server requires client certificate

keyfile¶

Type:: string
Default:: <None>

Required if identity server requires client certificate

cafile¶

Type:: string
Default:: <None>

A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.

insecure¶

Type:: boolean
Default:: False

Verify HTTPS connections.

region_name¶

Type:: string
Default:: <None>

The region in which the identity server can be found.

memcached_servers¶

Type:: list
Default:: <None>

Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Deprecated Variations¶
Group	Name
keystone_authtoken	memcache_servers

token_cache_time¶

Type:: integer
Default:: 300

In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.

memcache_security_strategy¶

Type:: string
Default:: None
Valid Values:: None, MAC, ENCRYPT

(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

memcache_secret_key¶

Type:: string
Default:: <None>

(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.

memcache_tls_enabled¶

Type:: boolean
Default:: False

(Optional) Global toggle for TLS usage when comunicating with the caching servers.

memcache_tls_cafile¶

Type:: string
Default:: <None>

(Optional) Path to a file of concatenated CA certificates in PEM format necessary to establish the caching server’s authenticity. If tls_enabled is False, this option is ignored.

memcache_tls_certfile¶

Type:: string
Default:: <None>

(Optional) Path to a single file in PEM format containing the client’s certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. This file is only required when client side authentication is necessary. If tls_enabled is False, this option is ignored.

memcache_tls_keyfile¶

Type:: string
Default:: <None>

(Optional) Path to a single file containing the client’s private key in. Otherwhise the private key will be taken from the file specified in tls_certfile. If tls_enabled is False, this option is ignored.

memcache_tls_allowed_ciphers¶

Type:: string
Default:: <None>

(Optional) Set the available ciphers for sockets created with the TLS context. It should be a string in the OpenSSL cipher list format. If not specified, all OpenSSL enabled ciphers will be available.

memcache_pool_dead_retry¶

Type:: integer
Default:: 300

(Optional) Number of seconds memcached server is considered dead before it is tried again.

memcache_pool_maxsize¶

Type:: integer
Default:: 10

(Optional) Maximum total number of open connections to every memcached server.

memcache_pool_socket_timeout¶

Type:: integer
Default:: 3

(Optional) Socket timeout in seconds for communicating with a memcached server.

memcache_pool_unused_timeout¶

Type:: integer
Default:: 60

(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.

memcache_pool_conn_get_timeout¶

Type:: integer
Default:: 10

(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.

memcache_use_advanced_pool¶

Type:: boolean
Default:: True

(Optional) Use the advanced (eventlet safe) memcached client pool.

include_service_catalog¶

Type:: boolean
Default:: True

(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

enforce_token_bind¶

Type:: string
Default:: permissive

Used to control the use and type of token binding. Can be set to: “disabled” to not check token binding. “permissive” (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. “strict” like “permissive” but if the bind type is unknown the token will be rejected. “required” any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

service_token_roles¶

Type:: list
Default:: ['service']

A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.

service_token_roles_required¶

Type:: boolean
Default:: False

For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.

service_type¶

Type:: string
Default:: <None>

The name or type of the service as it appears in the service catalog. This is used to validate tokens that have restricted access rules.

memcache_sasl_enabled¶

Type:: boolean
Default:: False

Enable the SASL(Simple Authentication and Security Layer) if the SASL_enable is true, else disable.

memcache_username¶

Type:: string
Default:: ''

the user name for the SASL

memcache_password¶

Type:: string
Default:: ''

the username password for SASL

auth_type¶

Type:: unknown type
Default:: <None>

Authentication type to load

Deprecated Variations¶
Group	Name
keystone_authtoken	auth_plugin

auth_section¶

Type:: unknown type
Default:: <None>

Config Section from which to load plugin specific options

notification¶

smtp_mode¶

Type:: string
Default:: third_part
Valid Values:: third_part, self_local

There are two values can be chosen: third_part or self_local. third_part means Zaqar will use the tools from config option smtp_commnd. self_local means the smtp python library will be used.

smtp_host¶

Type:: host address
Default:: <None>

The host IP for the email system. It should be set when smtp_mode is set to self_local.

smtp_port¶

Type:: port number
Default:: <None>
Minimum Value:: 0
Maximum Value:: 65535

The port for the email system. It should be set when smtp_mode is set to self_local.

smtp_user_name¶

Type:: string
Default:: <None>

The user name for the email system to login. It should be set when smtp_mode is set to self_local.

smtp_user_password¶

Type:: string
Default:: <None>

The user password for the email system to login. It should be set when smtp_mode is set to self_local.

smtp_command¶

Type:: string
Default:: /usr/sbin/sendmail -t -oi

The command of smtp to send email. The format is “command_name arg1 arg2”.

max_notifier_workers¶

Type:: integer
Default:: 10

The max amount of the notification workers.

require_confirmation¶

Type:: boolean
Default:: False

Whether the http/https/email subscription need to be confirmed before notification.

external_confirmation_url¶

Type:: string
Default:: <None>

The confirmation page url that will be used in email subscription confirmation before notification.

subscription_confirmation_email_template¶

Type:: dict
Default:: {'topic': 'Zaqar Notification - Subscription Confirmation', 'body': 'You have chosen to subscribe to the queue: {0}. This queue belongs to project: {1}. To confirm this subscription, click or visit this link below: {2}', 'sender': 'Zaqar Notifications <no-reply@openstack.org>'}

Defines the set of subscription confirmation email content, including topic, body and sender. There is a mapping is {0} -> queue name, {1} ->project id, {2}-> confirm url in body string. User can use any of the three values. But they can’t use more than three.

unsubscribe_confirmation_email_template¶

Type:: dict
Default:: {'topic': 'Zaqar Notification - Unsubscribe Confirmation', 'body': 'You have unsubscribed successfully to the queue: {0}. This queue belongs to project: {1}. To resubscribe this subscription, click or visit this link below: {2}', 'sender': 'Zaqar Notifications <no-reply@openstack.org>'}

Defines the set of unsubscribe confirmation email content, including topic, body and sender. There is a mapping is {0} -> queue name, {1} ->project id, {2}-> confirm url in body string. User can use any of the three values. But they can’t use more than three.

oslo_policy¶

enforce_scope¶

Type:: boolean
Default:: True

This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.

Warning

This option is deprecated for removal. Its value may be silently ignored in the future.

Reason:: This configuration was added temporarily to facilitate a smooth transition to the new RBAC. OpenStack will always enforce scope checks. This configuration option is deprecated and will be removed in the 2025.2 cycle.

enforce_new_defaults¶

Type:: boolean
Default:: True

This option controls whether or not to use old deprecated defaults when evaluating policies. If True, the old deprecated defaults are not going to be evaluated. This means if any existing token is allowed for old defaults but is disallowed for new defaults, it will be disallowed. It is encouraged to enable this flag along with the enforce_scope flag so that you can get the benefits of new defaults and scope_type together. If False, the deprecated policy check string is logically OR’d with the new policy check string, allowing for a graceful upgrade experience between releases with new policies, which is the default behavior.

policy_file¶

Type:: string
Default:: policy.yaml

The relative or absolute path of a file that maps roles to permissions for a given service. Relative paths must be specified in relation to the configuration file setting this option.

policy_default_rule¶

Type:: string
Default:: default

Default rule. Enforced when a requested rule is not found.

policy_dirs¶

Type:: multi-valued
Default:: policy.d

Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.

remote_content_type¶

Type:: string
Default:: application/x-www-form-urlencoded
Valid Values:: application/x-www-form-urlencoded, application/json

Content Type to send and receive data for REST based policy check

remote_ssl_verify_server_crt¶

Type:: boolean
Default:: False

server identity verification for REST based policy check

remote_ssl_ca_crt_file¶

Type:: string
Default:: <None>

Absolute path to ca cert file for REST based policy check

remote_ssl_client_crt_file¶

Type:: string
Default:: <None>

Absolute path to client cert for REST based policy check

remote_ssl_client_key_file¶

Type:: string
Default:: <None>

Absolute path client key file REST based policy check

remote_timeout¶

Type:: floating point
Default:: 60
Minimum Value:: 0

Timeout in seconds for REST based policy check

oslo_reports¶

log_dir¶

Type:: string
Default:: <None>

Path to a log directory where to create a file

file_event_handler¶

Type:: string
Default:: <None>

The path to a file to watch for changes to trigger the reports, instead of signals. Setting this option disables the signal trigger for the reports. If application is running as a WSGI application it is recommended to use this instead of signals.

file_event_handler_interval¶

Type:: integer
Default:: 1

How many seconds to wait between polls when file_event_handler is set

pooling:catalog¶

enable_virtual_pool¶

Type:: boolean
Default:: False

If enabled, the message_store will be used as the storage for the virtual pool.

profiler¶

trace_wsgi_transport¶

Type:: boolean
Default:: False

If False doesn’t trace any transport requests.Please note that it doesn’t work for websocket now.

trace_message_store¶

Type:: boolean
Default:: False

If False doesn’t trace any message store requests.

trace_management_store¶

Type:: boolean
Default:: False

If False doesn’t trace any management store requests.

enabled¶

Type:: boolean
Default:: False

Enable the profiling for all services on this node.

Default value is False (fully disable the profiling feature).

Possible values:

True: Enables the feature
False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.

Deprecated Variations¶
Group	Name
profiler	profiler_enabled

trace_sqlalchemy¶

Type:: boolean
Default:: False

Enable SQL requests profiling in services.

Default value is False (SQL requests won’t be traced).

Possible values:

True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that.
False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

trace_requests¶

Type:: boolean
Default:: False

Enable python requests package profiling.

Supported drivers: jaeger+otlp

Default value is False.

Possible values:

True: Enables requests profiling.
False: Disables requests profiling.

hmac_keys¶

Type:: string
Default:: SECRET_KEY

Secret key(s) to use for encrypting context data for performance profiling.

This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.

Both “enabled” flag and “hmac_keys” config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.

connection_string¶

Type:: string
Default:: messaging://

Connection string for a notifier backend.

Default value is messaging:// which sets the notifier to oslo_messaging.

Examples of possible values:

messaging:// - use oslo_messaging driver for sending spans.
redis://127.0.0.1:6379 - use redis driver for sending spans.
mongodb://127.0.0.1:27017 - use mongodb driver for sending spans.
elasticsearch://127.0.0.1:9200 - use elasticsearch driver for sending spans.
jaeger://127.0.0.1:6831 - use jaeger tracing as driver for sending spans.

es_doc_type¶

Type:: string
Default:: notification

Document type for notification indexing in elasticsearch.

es_scroll_time¶

Type:: string
Default:: 2m

This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.

es_scroll_size¶

Type:: integer
Default:: 10000

Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).

socket_timeout¶

Type:: floating point
Default:: 0.1

Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).

sentinel_service_name¶

Type:: string
Default:: mymaster

Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).

filter_error_trace¶

Type:: boolean
Default:: False

Enable filter traces that contain error/exception to a separated place.

Default value is set to False.

Possible values:

True: Enable filter traces that contain error/exception.
False: Disable the filter.

profiler_jaeger¶

service_name_prefix¶

Type:: string
Default:: <None>

Set service name prefix to Jaeger service name.

process_tags¶

Type:: dict
Default:: {}

Set process tracer tags.

profiler_otlp¶

service_name_prefix¶

Type:: string
Default:: <None>

Set service name prefix to OTLP exporters.

signed_url¶

secret_key¶

Type:: string
Default:: <None>

Secret key used to encrypt pre-signed URLs.

storage¶

queue_pipeline¶

Type:: list
Default:: []

Pipeline to use for processing queue operations. This pipeline will be consumed before calling the storage driver’s controller methods.

message_pipeline¶

Type:: list
Default:: []

Pipeline to use for processing message operations. This pipeline will be consumed before calling the storage driver’s controller methods.

claim_pipeline¶

Type:: list
Default:: []

Pipeline to use for processing claim operations. This pipeline will be consumed before calling the storage driver’s controller methods.

subscription_pipeline¶

Type:: list
Default:: []

Pipeline to use for processing subscription operations. This pipeline will be consumed before calling the storage driver’s controller methods.

topic_pipeline¶

Type:: list
Default:: []

Pipeline to use for processing topic operations. This pipeline will be consumed before calling the storage driver’s controller methods.

transport¶

default_message_ttl¶

Type:: integer
Default:: 3600

Defines how long a message will be accessible.

default_message_delay¶

Type:: integer
Default:: 0

Defines the defautl value for queue delay seconds.The 0 means the delayed queues feature is close.

default_claim_ttl¶

Type:: integer
Default:: 300

Defines how long a message will be in claimed state.

default_claim_grace¶

Type:: integer
Default:: 60

Defines the message grace period in seconds.

default_subscription_ttl¶

Type:: integer
Default:: 3600

Defines how long a subscription will be available.

max_queues_per_page¶

Type:: integer
Default:: 20

Defines the maximum number of queues per page.

max_messages_per_page¶

Type:: integer
Default:: 20

Defines the maximum number of messages per page.

max_subscriptions_per_page¶

Type:: integer
Default:: 20

Defines the maximum number of subscriptions per page.

max_messages_per_claim_or_pop¶

Type:: integer
Default:: 20

The maximum number of messages that can be claimed (OR) popped in a single request

max_queue_metadata¶

Type:: integer
Default:: 65536

Defines the maximum amount of metadata in a queue.

max_messages_post_size¶

Type:: integer
Default:: 262144

Defines the maximum size of message posts.

max_message_ttl¶

Type:: integer
Default:: 1209600

Maximum amount of time a message will be available.

max_message_delay¶

Type:: integer
Default:: 900

Maximum delay seconds for messages can be claimed.

max_claim_ttl¶

Type:: integer
Default:: 43200

Maximum length of a message in claimed state.

max_claim_grace¶

Type:: integer
Default:: 43200

Defines the maximum message grace period in seconds.

subscriber_types¶

Type:: list
Default:: ['http', 'https', 'mailto', 'trust+http', 'trust+https']

Defines supported subscriber types.

max_flavors_per_page¶

Type:: integer
Default:: 20

Defines the maximum number of flavors per page.

max_pools_per_page¶

Type:: integer
Default:: 20

Defines the maximum number of pools per page.

client_id_uuid_safe¶

Type:: string
Default:: strict
Valid Values:: strict, off

Defines the format of client id.

Possible values

strict: accept only valid uuid
off: accept any string

min_length_client_id¶

Type:: integer
Default:: 10

Defines the minimum length of client id This is used only when client_id_uuid_safe is off.

max_length_client_id¶

Type:: integer
Default:: 36

Defines the maximum length of client id. This is used only when client_id_uuid_safe is off.

message_delete_with_claim_id¶

Type:: boolean
Default:: False

Enable delete messages must be with claim IDS. This will improve the security of the message avoiding delete messages before they are claimed and handled.

message_encryption_algorithms¶

Type:: string
Default:: AES256
Valid Values:: AES256, RSA

Defines the encryption algorithms of messages, the value could be “AES256” for now.

message_encryption_key¶

Type:: string
Default:: AES256

Defines the encryption key of algorithms.

zaqar.conf

zaqar.conf¶

DEFAULT¶

cache¶

cors¶

drivers¶

drivers:management_store:mongodb¶

drivers:management_store:redis¶

drivers:management_store:sqlalchemy¶

drivers:message_store:mongodb¶

drivers:message_store:redis¶

drivers:message_store:swift¶

drivers:transport:websocket¶

drivers:transport:wsgi¶

keystone_authtoken¶

notification¶

oslo_policy¶

oslo_reports¶

pooling:catalog¶

profiler¶

profiler_jaeger¶

profiler_otlp¶

signed_url¶

storage¶

transport¶

zaqar 21.1.0.dev51

Page Contents