Document endpoint interface and region behavior

After some debugging following [0] to figure out why ksm was
not connecting to the specified auth_url, found out that
ksm connects to the identity server on the 'admin' interface
[1] after authenticating with auth_url and fetching the catalog if
keystoneauth is being used. Otherwise it connects on identity_uri
and disregards the service catalog [2].  This behavior was not
documented.

[0]. http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-09-19.log.html#t2017-09-19T17:50:06
[1]. https://github.com/openstack/keystonemiddleware/blob/d1b7a1f0922419f956001f4bf14ad3e77449c860/keystonemiddleware/auth_token/__init__.py#L936-L938
[2]. https://github.com/openstack/keystonemiddleware/blob/d1b7a1f0922419f956001f4bf14ad3e77449c860/keystonemiddleware/auth_token/_auth.py#L121-L130

Change-Id: Ide40835de856012ac4dd71975beac9d32771f356

1 files changed, 5 insertions, 0 deletions

diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst
index e9ec7c8..b613805 100644
--- a/doc/source/middlewarearchitecture.rst
+++ b/doc/source/middlewarearchitecture.rst
@@ -177,6 +177,11 @@ when ``auth_plugin`` is set to ``password``.
     auth_url = http://127.0.0.1:35357
     # Any of the options that could be set in api-paste.ini can be set here.
 
+If using an ``auth_plugin``, connection to the Identity service will be
+established on the ``admin`` interface as registered in the service catalog.
+In the case where you are using an ``auth_plugin`` and have multiple regions,
+also specify the ``region_name`` option to fetch the correct endpoint.
+
 If the service doesn't use the global oslo.config object (CONF), then the
 oslo config project name can be set it in paste config and
 keystonemiddleware will load the project configuration itself.