Comment 21 for bug 1300246

It's somewhat hard to know the best approach in terms of sample config generation - from the heat perspective all we define is a "trustee" config group, and the required contents of that are entirely dependent on keystoneclient, and which auth_plugin is selected.

So, arguably we should only be documenting the "auth_plugin" and "auth_section" options which are common to all plugins, only that makes the sample config less self documenting than what I've proposed in https://review.openstack.org/#/c/254145/, e.g there we accept that the only known plugin that works in this case is a password plugin that supports trusts, but in theory other plugins could work provided trust scoping is possible (we pass trust_id internally)