3998N/A# Enables exposing configuration settings via HTTP GET /info. 3998N/A# Key to use for admin calls that are HMAC signed. Default is empty, 3998N/A# which will disable admin calls to /info. 3998N/A# admin_key = secret_admin_key 3998N/A# Allows the ability to withhold sections from showing up in the public calls 3998N/A# to /info. You can withhold subsections by separating the dict level with a 3998N/A# ".". The following would cause the sections 'container_quotas' and 'tempurl' 3998N/A# to not be listed, and the key max_failed_deletes would be removed from 3998N/A# bulk_delete. Default is empty, allowing all registered fetures to be listed 2892N/A# Use an integer to override the number of pre-forked processes that will 2892N/A# accept connections. Should default to the number of effective cpu 2892N/A# cores in the system. It's worth noting that individual workers will 2892N/A# use many eventlet co-routines to service multiple concurrent requests. 2892N/A# Maximum concurrent requests per worker 2801N/A# Set the following two lines to enable SSL. This is for testing only. 2801N/A# expiring_objects_container_divisor = 86400 3998N/A# expiring_objects_account_name = expiring_objects 2801N/A# You can specify default log routing here if you want: 3998N/A# The following caps the length of log lines to the value given; no limit if 2892N/A# This optional suffix (default is empty) that would be appended to the swift transaction 2892N/A# id allows one to easily figure out from which cluster that X-Trans-Id belongs to. 2892N/A# This is very useful when one is managing more than one swift cluster. 2801N/A# comma separated list of functions to call to setup custom log handlers. 2801N/A# functions get passed: conf, name, log_to_console, log_route, fmt, logger, 2801N/A# If set, log_udp_host will override log_address 2801N/A# You can enable StatsD logging here: 2801N/A# log_statsd_host = localhost 2801N/A# log_statsd_default_sample_rate = 1.0 2801N/A# log_statsd_sample_rate_factor = 1.0 2801N/A# log_statsd_metric_prefix = 2801N/A# You can override the default log routing for this app here: 2801N/A# set log_name = proxy-server 2801N/A# set log_facility = LOG_LOCAL0 2801N/A# recheck_account_existence = 60 2801N/A# recheck_container_existence = 60 3998N/A# How long the proxy server will wait on responses from the a/c/o servers. 3998N/A# How long the proxy server will wait for an initial response and to read a 3998N/A# chunk of data from the object servers while serving GET / HEAD requests. 3998N/A# Timeouts from these requests can be recovered from so setting this to 3998N/A# something lower than node_timeout would provide quicker error recovery 3998N/A# while allowing for a longer timeout for non-recoverable requests (PUTs). 3998N/A# Defaults to node_timeout, should be overriden if node_timeout is set to a 3998N/A# high number to prevent client timeouts from firing before the proxy server 3998N/A# recoverable_node_timeout = node_timeout 3998N/A# How long to wait for requests to finish after a quorum has been established. 2801N/A# How long without an error before a node's error count is reset. This will 2801N/A# also be how long before a node is reenabled after suppression is triggered. 2801N/A# error_suppression_interval = 60 2801N/A# How many errors can accumulate before a node is temporarily ignored. 2801N/A# error_suppression_limit = 10 2801N/A# If set to 'true' any authorized user may create and delete accounts; if 2801N/A# 'false' no one, even authorized, can. 2801N/A# allow_account_management = false 2801N/A# Set object_post_as_copy = false to turn on fast posts where only the metadata 2801N/A# changes are stored anew and the original data file is kept in place. This 2801N/A# makes for quicker posts; but since the container metadata isn't updated in 2801N/A# this mode, features like container sync won't be able to sync posts. 2801N/A# object_post_as_copy = true 2801N/A# If set to 'true' authorized accounts that do not yet exist within the Swift 2801N/A# cluster will be automatically created. 2801N/A# If set to a positive value, trying to create a container when the account 2801N/A# already has at least this maximum containers will result in a 403 Forbidden. 2801N/A# Note: This is a soft limit, meaning a user might exceed the cap for 2801N/A# recheck_account_existence before the 403s kick in. 2801N/A# max_containers_per_account = 0 2801N/A# This is a comma separated list of account hashes that ignore the 2801N/A# max_containers_per_account cap. 2801N/A# max_containers_whitelist = 2801N/A# Comma separated list of Host headers to which the proxy will deny requests. 2801N/A# Prefix used when automatically creating accounts. 2801N/A# auto_create_account_prefix = . 2801N/A# Depth of the proxy put queue. 2892N/A# Storage nodes can be chosen at random (shuffle), by using timing 2892N/A# measurements (timing), or by using an explicit match (affinity). 2892N/A# Using timing measurements may allow for lower overall latency, while 2892N/A# using affinity allows for finer control. In both the timing and 2892N/A# affinity cases, equally-sorting nodes are still randomly chosen to 2892N/A# The valid values for sorting_method are "affinity", "shuffle", and "timing". 2892N/A# If the "timing" sorting_method is used, the timings will only be valid for 2801N/A# the number of seconds configured by timing_expiry. 2892N/A# The maximum time (seconds) that a large object connection is allowed to last. 2892N/A# max_large_object_get_time = 86400 2892N/A# Set to the number of nodes to contact for a normal request. You can use 2892N/A# '* replicas' at the end to have it use the number given times the number of 2892N/A# replicas for the ring being used for the request. 2892N/A# request_node_count = 2 * replicas 2892N/A# Which backend servers to prefer on reads. Format is r<N> for region 2892N/A# N or r<N>z<M> for region N, zone M. The value after the equals is 2892N/A# the priority; lower numbers are higher priority. 2892N/A# Example: first read from region 1 zone 1, then region 1 zone 2, then 2892N/A# anything in region 2, then everything else: 2892N/A# read_affinity = r1z1=100, r1z2=200, r2=300 2892N/A# Default is empty, meaning no preference. 2892N/A# Which backend servers to prefer on writes. Format is r<N> for region 2892N/A# N or r<N>z<M> for region N, zone M. If this is set, then when 2892N/A# handling an object PUT request, some number (see setting 2892N/A# write_affinity_node_count) of local backend servers will be tried 2892N/A# Example: try to write to regions 1 and 2 before writing to any other 2892N/A# Default is empty, meaning no preference. 2892N/A# The number of local (as governed by the write_affinity setting) 2892N/A# nodes to attempt to contact first, before any non-local ones. You 2892N/A# can use '* replicas' at the end to have it use the number given 2892N/A# times the number of replicas for the ring being used for the 2892N/A# write_affinity_node_count = 2 * replicas 2892N/A# These are the headers whose values will only be shown to swift_owners. The 2892N/A# exact definition of a swift_owner is up to the auth system in use, but 2892N/A# usually indicates administrative responsibilities. 3998N/A# swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-account-access-control 2801N/A# You can override the default log routing for this filter here: 2801N/A# set log_facility = LOG_LOCAL0 2801N/A# The reseller prefix will verify a token begins with this prefix before even 2801N/A# attempting to validate it. Also, with authorization, only Swift storage 2801N/A# accounts with this prefix will be authorized by this middleware. Useful if 2801N/A# multiple auth systems are in use for one Swift cluster. 2801N/A# The auth prefix will cause requests beginning with this prefix to be routed 2801N/A# to the auth subsystem, for granting tokens, etc. 2801N/A# This allows middleware higher in the WSGI pipeline to override auth 2801N/A# processing, useful for middleware such as tempurl and formpost. If you know 2801N/A# you're not going to use such middleware and you want a bit of extra security, 2801N/A# you can set this to false. 2801N/A# This specifies what scheme to return with storage urls: 2801N/A# http, https, or default (chooses based on what the server is running as) 2801N/A# This can be useful with an SSL load balancer in front of a non-SSL server. 2801N/A# storage_url_scheme = default 2801N/A# user_<account>_<user> = <key> [group] [group] [...] [storage_url] 2801N/A# or if you want underscores in <account> or <user>, you can base64 encode them 2801N/A# (with no equal signs) and use this format: 2801N/A# user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url] 2801N/A# There are special groups of: 2801N/A# .reseller_admin = can do anything to any account for this auth 2801N/A# .admin = can do anything within the account 2801N/A# If neither of these groups are specified, the user can only access containers 2801N/A# that have been explicitly allowed for them by a .admin or .reseller_admin. 2801N/A# The trailing optional storage_url allows you to specify an alternate url to 2801N/A# hand back to the user upon authentication. If not specified, this defaults to 2801N/A# $HOST/v1/<reseller_prefix>_<account> where $HOST will do its best to resolve 2801N/A# to what the requester would need to use to reach this host. 2801N/A# Here are example entries, required for running the tests: 2801N/A# To enable Keystone authentication you need to have the auth token 2801N/A# middleware first to be configured. Here is an example below, please 2801N/A# refer to the keystone's documentation for details about the 2801N/A# You'll need to have as well the keystoneauth middleware enabled 2801N/A# and have it in your main pipeline so instead of having tempauth in 2892N/A# there you can change it to: authtoken keystoneauth 2801N/A# Operator roles is the role which user would be allowed to manage a 2801N/A# tenant and be able to create container or give ACL to others. 2801N/A# operator_roles = admin, swiftoperator 2892N/A# The reseller admin role has the ability to create and delete accounts 2892N/A# reseller_admin_role = ResellerAdmin 3998N/A# For backwards compatibility, keystoneauth will match names in cross-tenant 3998N/A# access control lists (ACLs) when both the requesting user and the tenant 3998N/A# are in the default domain i.e the domain to which existing tenants are 3998N/A# migrated. The default_domain_id value configured here should be the same as 3998N/A# the value used during migration of tenants to keystone domains. 3998N/A# default_domain_id = default 3998N/A# For a new installation, or an installation in which keystone projects may 3998N/A# move between domains, you should disable backwards compatible name matching 3998N/A# in ACLs by setting allow_names_in_acls to false: 3998N/A# allow_names_in_acls = true 2801N/A# An optional filesystem path, which if present, will cause the healthcheck 2801N/A# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE". 2801N/A# This facility may be used to temporarily remove a Swift node from a load 2801N/A# balancer pool during maintenance or upgrade (remove the file to allow the 2801N/A# node back into the load balancer pool). 2801N/A# You can override the default log routing for this filter here: 2801N/A# set log_facility = LOG_LOCAL0 2801N/A# If not set here, the value for memcache_servers will be read from 2801N/A# default to the value below. You can specify multiple servers separated with 2801N/A# commas, as in: 10.1.2.3:11211,10.1.2.4:11211 2801N/A# memcache_servers = 127.0.0.1:11211 2801N/A# Sets how memcache values are serialized and deserialized: 2801N/A# 0 = older, insecure pickle serialization 2801N/A# 1 = json serialization but pickles can still be read (still insecure) 2801N/A# 2 = json serialization only (secure and the default) 2801N/A# If not set here, the value for memcache_serialization_support will be read 2801N/A# To avoid an instant full cache flush, existing installations should 2801N/A# upgrade with 0, then set to 1 and reload, then after some time (24 hours) 2801N/A# In the future, the ability to use pickle serialization will be removed. 2801N/A# memcache_serialization_support = 2 3998N/A# Sets the maximum number of connections to each memcached server per worker 3998N/A# memcache_max_connections = 2 2801N/A# You can override the default log routing for this filter here: 2801N/A# set log_facility = LOG_LOCAL0 2801N/A# clock_accuracy should represent how accurate the proxy servers' system clocks 2801N/A# are with each other. 1000 means that all the proxies' clock are accurate to 2801N/A# each other within 1 millisecond. No ratelimit should be higher than the 2801N/A# max_sleep_time_seconds = 60 2801N/A# log_sleep_time_seconds of 0 means disabled 2801N/A# log_sleep_time_seconds = 0 2801N/A# allows for slow rates (e.g. running up to 5 sec's behind) to catch up. 2801N/A# account_ratelimit of 0 means disabled 2801N/A# these are comma separated lists of account names 2801N/A# with container_limit_x = r 2892N/A# for containers of size x limit write requests per second to r. The container 2801N/A# rate will be linearly interpolated from the values given. With the values 2801N/A# below, a container of size 5 will get a rate of 75. 2801N/A# container_ratelimit_0 = 100 2801N/A# container_ratelimit_10 = 50 2801N/A# container_ratelimit_50 = 20 2892N/A# Similarly to the above container-level write limits, the following will limit 2892N/A# container GET (listing) requests. 2892N/A# container_listing_ratelimit_0 = 100 2892N/A# container_listing_ratelimit_10 = 50 2892N/A# container_listing_ratelimit_50 = 20 2801N/A# You can override the default log routing for this filter here: 2801N/A# set log_name = domain_remap 2801N/A# set log_facility = LOG_LOCAL0 2801N/A# You can override the default log routing for this filter here: 2801N/A# set log_name = catch_errors 2801N/A# set log_facility = LOG_LOCAL0 2801N/A# Note: this middleware requires python-dnspython 2801N/A# You can override the default log routing for this filter here: 2801N/A# set log_name = cname_lookup 2801N/A# set log_facility = LOG_LOCAL0 3998N/A# Specify the storage_domain that match your cloud, multiple domains 3998N/A# can be specified separated by a comma 2801N/A# Note: Put staticweb just after your auth filter(s) in the pipeline 3998N/A# Note: Put tempurl before dlo, slo and your auth filter(s) in the pipeline 2892N/A# The methods allowed with Temp URLs. 3998N/A# methods = GET HEAD PUT POST DELETE 2801N/A# The headers to remove from incoming requests. Simply a whitespace delimited 2801N/A# list of header names and names can optionally end with '*' to indicate a 2801N/A# prefix match. incoming_allow_headers is a list of exceptions to these 2801N/A# incoming_remove_headers = x-timestamp 2801N/A# The headers allowed as exceptions to incoming_remove_headers. Simply a 2801N/A# whitespace delimited list of header names and names can optionally end with 2801N/A# '*' to indicate a prefix match. 2801N/A# The headers to remove from outgoing responses. Simply a whitespace delimited 2801N/A# list of header names and names can optionally end with '*' to indicate a 2801N/A# prefix match. outgoing_allow_headers is a list of exceptions to these 2801N/A# outgoing_remove_headers = x-object-meta-* 2801N/A# The headers allowed as exceptions to outgoing_remove_headers. Simply a 2801N/A# whitespace delimited list of header names and names can optionally end with 2801N/A# '*' to indicate a prefix match. 2801N/A# outgoing_allow_headers = x-object-meta-public-* 2801N/A# Note: Put formpost just before your auth filter(s) in the pipeline 2801N/A# Note: Just needs to be placed before the proxy-server in the pipeline. 2801N/A# forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$ 2801N/A# list_endpoints_path = /endpoints/ 2801N/A# If not set, logging directives from [DEFAULT] without "access_" will be used 2801N/A# access_log_facility = LOG_LOCAL0 2801N/A# If set, access_log_udp_host will override access_log_address 2801N/A# You can use log_statsd_* from [DEFAULT] or override them here: 2801N/A# access_log_statsd_host = localhost 2801N/A# access_log_statsd_port = 8125 2801N/A# access_log_statsd_default_sample_rate = 1.0 2801N/A# access_log_statsd_sample_rate_factor = 1.0 2801N/A# access_log_statsd_metric_prefix = 2892N/A# access_log_headers = false 3998N/A# If access_log_headers is True and access_log_headers_only is set only 3998N/A# these headers are logged. Multiple headers can be defined as comma separated 3998N/A# list like this: access_log_headers_only = Host, X-Object-Meta-Mtime 2892N/A# By default, the X-Auth-Token is logged. To obscure the value, 2892N/A# set reveal_sensitive_prefix to the number of characters to log. 2892N/A# For example, if set to 12, only the first 12 characters of the 2892N/A# token appear in the log. An unauthorized access of the log file 2892N/A# won't allow unauthorized usage of the token. However, the first 2892N/A# token usage. Set to 0 to suppress the token completely (replaced 2892N/A# Note: reveal_sensitive_prefix will not affect the value 2892N/A# logged with access_log_headers=True. 3998N/A# reveal_sensitive_prefix = 16 2801N/A# What HTTP methods are allowed for StatsD logging (comma-sep); request methods 2801N/A# not in this list will have "BAD_METHOD" for the <verb> portion of the metric. 2801N/A# log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS 2801N/A# Note: The double proxy-logging in the pipeline is not a mistake. The 2801N/A# left-most proxy-logging is there to log requests that were handled in 2801N/A# middleware and never made it through to the right-most middleware (and 2801N/A# proxy server). Double logging is prevented for normal requests. See 2801N/A# Note: Put before both ratelimit and auth in the pipeline. 2801N/A# max_containers_per_extraction = 10000 2892N/A# max_failed_extractions = 1000 2892N/A# max_deletes_per_request = 10000 3998N/A# In order to keep a connection active during a potentially long bulk request, 3998N/A# Swift may return whitespace prepended to the actual response body. This 3998N/A# whitespace will be yielded no more than every yield_frequency seconds. 3998N/A# Note: The following parameter is used during a bulk delete of objects and 3998N/A# their container. This would frequently fail because it is very likely 3998N/A# that all replicated objects have not been deleted by the time the middleware got a 3998N/A# successful response. It can be configured the number of retries. And the 3998N/A# number of seconds to wait between each retry will be 1.5**retry 3998N/A# delete_container_retry_count = 0 2801N/A# Note: Put after auth in the pipeline. 3998N/A# Note: Put after auth and staticweb in the pipeline. 2801N/A# max_manifest_segments = 1000 2801N/A# max_manifest_size = 2097152 2801N/A# min_segment_size = 1048576 3998N/A# Start rate-limiting SLO segment serving after the Nth segment of a 3998N/A# rate_limit_after_segment = 10 3998N/A# Once segment rate-limiting kicks in for an object, limit segments served 3998N/A# to N per second. 0 means no rate-limiting. 3998N/A# rate_limit_segments_per_sec = 0 3998N/A# Time limit on GET requests (seconds) 3998N/A# Note: Put after auth and staticweb in the pipeline. 3998N/A# If you don't put it in the pipeline, it will be inserted for you. 3998N/A# Start rate-limiting DLO segment serving after the Nth segment of a 3998N/A# rate_limit_after_segment = 10 3998N/A# Once segment rate-limiting kicks in for an object, limit segments served 3998N/A# to N per second. 0 means no rate-limiting. 3998N/A# rate_limit_segments_per_sec = 1 3998N/A# Time limit on GET requests (seconds) 3998N/A# You can override the default log routing for this filter here: 3998N/A# set log_facility = LOG_LOCAL0 3998N/A# Set this to false if you want to disallow any full url values to be set for 3998N/A# any new X-Container-Sync-To headers. This will keep any new full urls from 3998N/A# coming in, but won't change any existing values already in the cluster. 3998N/A# Updating those will have to be done manually, as knowing what the true realm 3998N/A# endpoint should be cannot always be guessed. 3998N/A# Note: Put it at the beginning of the pipleline to profile all middleware. But 3998N/A# it is safer to put this after catch_errors, gatekeeper and healthcheck. 3998N/A# This option enable you to switch profilers which should inherit from python 3998N/A# standard profiler. Currently the supported value can be 'cProfile', 3998N/A# This prefix will be used to combine process ID and timestamp to name the 3998N/A# profile data file. Make sure the executing user has permission to write 3998N/A# into this path (missing path segments will be created, if necessary). 3998N/A# If you enable profiling in more than one type of daemon, you must override 3998N/A# the profile data will be dumped to local disk based on above naming rule 3998N/A# Be careful, this option will enable profiler to dump data into the file with 3998N/A# time stamp which means there will be lots of files piled up in the directory. 3998N/A# This is the path of the URL to access the mini web UI. 3998N/A# Clear the data when the wsgi server shutdown. 3998N/A# unwind the iterator of applications