From 5fa536e6c51c22ab1cce958fb69a9eb7285ea607 Mon Sep 17 00:00:00 2001 From: Kristi Nikolla Date: Tue, 19 Sep 2017 15:53:09 -0400 Subject: [PATCH] Document endpoint interface and region behavior After some debugging following [0] to figure out why ksm was not connecting to the specified auth_url, found out that ksm connects to the identity server on the 'admin' interface [1] after authenticating with auth_url and fetching the catalog if keystoneauth is being used. Otherwise it connects on identity_uri and disregards the service catalog [2]. This behavior was not documented. [0]. http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-09-19.log.html#t2017-09-19T17:50:06 [1]. https://github.com/openstack/keystonemiddleware/blob/d1b7a1f0922419f956001f4bf14ad3e77449c860/keystonemiddleware/auth_token/__init__.py#L936-L938 [2]. https://github.com/openstack/keystonemiddleware/blob/d1b7a1f0922419f956001f4bf14ad3e77449c860/keystonemiddleware/auth_token/_auth.py#L121-L130 Change-Id: Ide40835de856012ac4dd71975beac9d32771f356 --- doc/source/middlewarearchitecture.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/source/middlewarearchitecture.rst b/doc/source/middlewarearchitecture.rst index e9ec7c8a..b6138055 100644 --- a/doc/source/middlewarearchitecture.rst +++ b/doc/source/middlewarearchitecture.rst @@ -177,6 +177,11 @@ when ``auth_plugin`` is set to ``password``. auth_url = http://127.0.0.1:35357 # Any of the options that could be set in api-paste.ini can be set here. +If using an ``auth_plugin``, connection to the Identity service will be +established on the ``admin`` interface as registered in the service catalog. +In the case where you are using an ``auth_plugin`` and have multiple regions, +also specify the ``region_name`` option to fetch the correct endpoint. + If the service doesn't use the global oslo.config object (CONF), then the oslo config project name can be set it in paste config and keystonemiddleware will load the project configuration itself.