author | Lance Bragstad <lbragstad@gmail.com> | 2021-01-13 17:34:00 +0000
---|---|---
committer | Lance Bragstad <lbragstad@gmail.com> | 2021-01-13 17:34:00 +0000
commit | 876ee4b01a712c407f2d78e0ced80d360ba95b22 |
tree | 367465f7de02debe05295e1482444ea8711bc79f |
parent | 1c3131c6dcd10a4e4e82f86a55f26d2498799b6d |
download | keystone-876ee4b01a712c407f2d78e0ced80d360ba95b22.tar.gz |
Add details to bootstrap docs for system role assignments
In Queens we added support for `keystone-manage bootstrap` to
populate a system admin role assignment:
I6b7196a28867d9a699716c8fef2609d608a5b2a2
The end-user/deployer facing documentation doesn't mention this though
and it should because it ensures deployers have a user for system-level
APIs.
Change-Id: I07616c1470cd89130250cc89635a508f48c2be06
-rw-r--r-- | doc/source/admin/bootstrap.rst | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/doc/source/admin/bootstrap.rst b/doc/source/admin/bootstrap.rst index 51142b370..888ab6112 100644 --- a/doc/source/admin/bootstrap.rst +++ b/doc/source/admin/bootstrap.rst @@ -73,10 +73,12 @@ Verbosely, keystone can be bootstrapped with: --bootstrap-internal-url http://localhost:5000 This will create an ``admin`` user with the ``admin`` role on the ``admin`` -project. The user will have the password specified in the command. Note that -both the user and the project will be created in the ``default`` domain. By not -creating an endpoint in the catalog users will need to provide endpoint -overrides to perform additional identity operations. +project and the system. This allows the user to generate project-scoped and +system-scoped tokens which ensures they have full RBAC authorization. The user +will have the password specified in the command. Note that both the user and +the project will be created in the ``default`` domain. By not creating an +endpoint in the catalog users will need to provide endpoint overrides to +perform additional identity operations. This command will also create ``member`` and ``reader`` roles. The ``admin`` role implies the ``member`` role and ``member`` role implies the ``reader`` |
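Review bot: the added sentence "This allows the user to generate project-scoped and system-scoped tokens which ensures they have full RBAC authorization" is imprecise and needs a comma before "which": the ``admin`` role on the ``admin`` project only authorizes project-level operations in that project, while the system assignment is what authorizes the system-level APIs the commit message is concerned with, so "full RBAC authorization" should be replaced by what each scope actually grants. Suggest rewording to something like "project and on the system. This lets the user request both project-scoped and system-scoped tokens, so the same bootstrap user can also be used for system-level APIs", and consider noting that the system role assignment has been created by ``keystone-manage bootstrap`` since Queens, so deployers comparing against older documentation understand why it was previously undocumented.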