author: Jenkins <jenkins@review.openstack.org> 2014-02-20 20:14:19 +0000
committer: Gerrit Code Review <review@openstack.org> 2014-02-20 20:14:19 +0000
commit: bbd30eee3fa1f84f02be6a3f115d8a31faba7f20 (patch)
tree: f579b973b586a73aa4bfdfb4a26cd99e8abfa68e /doc/source
parent: c0165b1a88317aced61e8c98d34f078c30bd15b4 (diff)
parent: 8e62554a625b1eae91c4831fc26e7523e81510ca (diff)
download: python-keystoneclient-bbd30eee3fa1f84f02be6a3f115d8a31faba7f20.tar.gz
Merge "Update middlewarearchitecture config options docs"
Diffstat (limited to 'doc/source')
-rw-r--r--  doc/source/middlewarearchitecture.rst  54
1 files changed, 45 insertions, 9 deletions
diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst
index 2f54e53..245c79c 100644
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
@@ -169,8 +169,26 @@ removed to use values in [keystone_authtoken] section.
Configuration Options
---------------------
+* ``auth_admin_prefix``: Prefix to prepend at the beginning of the path
* ``auth_host``: (required) the host providing the keystone service API endpoint
for validating and requesting tokens
+* ``auth_port``: (optional, default `35357`) the port used to validate tokens
+* ``auth_protocol``: (optional, default `https`)
+* ``auth_uri``: (optional, defaults to
+ `auth_protocol`://`auth_host`:`auth_port`)
+* ``auth_version``: API version of the admin Identity API endpoint
+* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware
+ will not reject invalid auth requests, but will delegate that decision to
+ downstream WSGI components.
+* ``http_connect_timeout``: (optional) Request timeout value for communicating
+ with Identity API server.
+* ``http_request_max_retries``: (default 3) How many times are we trying to
+ reconnect when communicating with Identity API Server.
+* ``http_handler``: (optional) Allows to pass in the name of a fake
+ http_handler callback function used instead of `httplib.HTTPConnection` or
+ `httplib.HTTPSConnection`. Useful for unit testing where network is not
+ available.
+
* ``admin_token``: either this or the following three options are required. If
set, this is a single shared secret with the keystone configuration used to
validate tokens.
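Review bot: the new ``auth_admin_prefix`` entry at the top of this hunk does not say which path the prefix is prepended to, and unlike the entries around it carries no (optional) marker or default; ``auth_version``, added a few lines below, has the same gap. A reader working through this list is trying to tell required options from optional ones, so suggest something like "``auth_admin_prefix``: (optional) prefix prepended to the path of requests sent to the admin Identity API endpoint" and stating the default for ``auth_version``. Two smaller wording points in the same hunk: "How many times are we trying to reconnect" reads better as "Number of times to retry the connection to the Identity API server", and "Allows to pass in the name of a fake http_handler callback function" as "Name of a fake http_handler callback to use instead of ...". The ``auth_uri`` default `auth_protocol`://`auth_host`:`auth_port` uses single backticks, which reStructuredText renders as interpreted text rather than literals; use the same double-backtick markup as the option names.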
@@ -179,15 +197,8 @@ Configuration Options
admin_tenant_name are defined as a service account which is expected to have
been previously configured in Keystone to validate user tokens.
-* ``delay_auth_decision``: (optional, default `0`) (off). If on, the middleware
- will not reject invalid auth requests, but will delegate that decision to
- downstream WSGI components.
-* ``http_connect_timeout``: (optional, default `python default` allow increase
- the timeout when validating token by http).
-* ``auth_port``: (optional, default `35357`) the port used to validate tokens
-* ``auth_protocol``: (optional, default `https`)
-* ``auth_uri``: (optional, defaults to
- `auth_protocol`://`auth_host`:`auth_port`)
+* ``cache``: (optional) Env key for the swift cache
+
* ``certfile``: (required, if Keystone server requires client cert)
* ``keyfile``: (required, if Keystone server requires client cert) This can be
the same as the certfile if the certfile includes the private key.
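Review bot: "``cache``: (optional) Env key for the swift cache" is too terse to act on: it does not say what kind of value is expected (the name of a WSGI environ key) nor what the middleware does with the object it finds there or how that interacts with ``memcached_servers``. Suggest at least one sentence along those lines, in the same style as the other entries. Also worth a re-read after the reorder: this hunk moves ``delay_auth_decision`` and the ``auth_*`` options above ``admin_token`` while leaving "either this or the following three options are required" in the ``admin_token`` entry; the phrase still holds only because the admin service-account options (``admin_tenant_name`` and its neighbours, per the context lines) remain directly below it.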
@@ -195,10 +206,35 @@ Configuration Options
encoded CA file/bundle that will be used to verify HTTPS connections.
* ``insecure``: (optional, default `False`) Don't verify HTTPS connections
(overrides `cafile`).
+
+* ``signing_dir``: (optional) Directory used to cache files related to PKI
+ tokens
+
+* ``memcached_servers``: (optional) If defined, the memcache server(s) to use
+ for caching
+* ``token_cache_time``: (default 300) In order to prevent excessive requests
+ and validations, the middleware uses an in-memory cache for the tokens the
+ Keystone API returns. This is only valid if memcache_servers s defined. Set
+ to -1 to disable caching completely.
+* ``memcache_security_strategy``: (optional) if defined, indicate whether token
+ data should be authenticated or authenticated and encrypted. Acceptable
+ values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC)
+ in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+ cache. If the value is not one of these options or empty, auth_token will
+ raise an exception on initialization.
+* ``memcache_secret_key``: (mandatory if memcache_security_strategy is defined)
+ this string is used for key derivation.
* ``include_service_catalog``: (optional, default `True`) Indicate whether to
set the X-Service-Catalog header. If False, middleware will not ask for
service catalog on token validation and will not set the X-Service-Catalog
header.
+* ``enforce_token_bind``: (default ``permissive``) Used to control the use and
+ type of token binding. Can be set to: "disabled" to not check token binding.
+ "permissive" (default) to validate binding information if the bind type is of
+ a form known to the server and ignore it if not. "strict" like "permissive"
+ but if the bind type is unknown the token will be rejected. "required" any
+ form of token binding is needed to be allowed. Finally the name of a binding
+ method that must be present in tokens.
Caching for improved response
-----------------------------
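Review bot: typo in the ``token_cache_time`` entry: "only valid if memcache_servers s defined" should read "is defined". More importantly, the ``memcache_security_strategy`` text explains MAC and ENCRYPT but never states the default: as written, when the option is unset the cached token data is stored in memcached neither authenticated nor encrypted, which an operator sharing a memcached instance between services needs to know before relying on the cache. Suggest adding "If not set, token data is cached without authentication or encryption." and, under ``memcache_secret_key``, noting that this value protects the integrity and confidentiality of everything in the token cache and must be kept as secret as ``admin_password``. Finally, ``enforce_token_bind`` describes five modes in one run-on paragraph; one nested bullet per value (disabled, permissive, strict, required, and a named bind method) would be easier to scan, and "'required' any form of token binding is needed to be allowed" reads better as "'required': the token must carry some form of binding, of any known type".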