from http://etherpad.openstack.org/keystone-admin-config
auth_token should NOT be configured with the service token, it should use the tenant/user
(heckj) ^^ the idea being set up "users" for each of the services to query agnostic of the individual user actions?
(jesse) at least we should document that you can - we can create "nova" and "other" in devstack as the example...
(dean) what roles would be required for these?
(jesse) currently ADMIN, but it would be nice if it was "admin:service" OR something like that (termie?)
(termie) recap: we set up users in a service tenant for each service, provide them with a username and password, the works, and we tell the service to use that username and password for all of its adminservice calls. Today the role is 'admin' which lets that service do literally anything in the system, in the future we might do something like 'service' instead which would limit the scope of the token. Keystone_data.sh can do all of this today.
(heckj) What additional needs to happen with auth_token middleware to take advantage of this as opposed to using (the) service token?
(heckj) Have it always take a username, password and pass that in from the service and relevant configs that are defined earlier by devstack in "keystone_data.sh".
(termie) what that person said, he answered his own question.
Don't forget tools/sample_data.sh in Keystone (devstack should eventually use that)