author | Ben Nemec <bnemec@redhat.com> | 2020-01-15 18:02:35 +0000 |
---|---|---|
committer | Ben Nemec <bnemec@redhat.com> | 2020-01-15 18:02:35 +0000 |
commit | 30f5df1b8c4f80ef5685882674aa3faf424f22e3 (patch) | |
tree | 5b314adcafd1206f000a033e4875f4368abe5245 /doc | |
parent | e49b2ae61275eac8219f1a096be0ae9b5aa79f5d (diff) | |
download | oslo-policy-30f5df1b8c4f80ef5685882674aa3faf424f22e3.tar.gz |
Link to the Keystone role documentation
The oslo.policy docs on writing custom policy checks use things like
the admin role without explaining where it comes from. This change
adds a link to the Keystone docs that explain which roles are created
by default and what they provide access to.
Change-Id: I70c01ad88344edd2db384da8b24ba0238764a8ec
Diffstat (limited to 'doc')
-rw-r--r-- | doc/source/admin/policy-json-file.rst | 4 | ||||
-rw-r--r-- | doc/source/admin/policy-yaml-file.rst | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/doc/source/admin/policy-json-file.rst b/doc/source/admin/policy-json-file.rst index 8d918d8..b0c3b96 100644 --- a/doc/source/admin/policy-json-file.rst +++ b/doc/source/admin/policy-json-file.rst @@ -76,6 +76,10 @@ administrators can create new users in the Identity database: "identity:create_user" : "role:admin" +.. note:: ``admin`` is a built-in default role in Keystone. For more + details and other roles that may be available, see the + `Keystone documentation on default roles. <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_ + You can limit APIs to any role. For example, the Orchestration service defines a role named ``heat_stack_user``. Whoever has this role is not allowed to create stacks: diff --git a/doc/source/admin/policy-yaml-file.rst b/doc/source/admin/policy-yaml-file.rst index 0018f8a..1cef8fe 100644 --- a/doc/source/admin/policy-yaml-file.rst +++ b/doc/source/admin/policy-yaml-file.rst @@ -71,6 +71,10 @@ administrators can create new users in the Identity database: "identity:create_user" : "role:admin" +.. note:: ``admin`` is a built-in default role in Keystone. For more + details and other roles that may be available, see the + `Keystone documentation on default roles. <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_ + You can limit APIs to any role. For example, the Orchestration service defines a role named ``heat_stack_user``. Whoever has this role is not allowed to create stacks: |
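Review bot: In the policy-json-file.rst hunk, the link text ends with a period inside the backquotes ("`Keystone documentation on default roles. <https://...>`_"), so the full stop is rendered as part of the hyperlink; move it after the closing "`_". The target also pins /keystone/latest/, so someone reading a stable-branch build of these docs is sent to the current Keystone page rather than the one matching their release. Please confirm that is intended or say so in the note.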
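Review bot: In the policy-yaml-file.rst hunk, the added note is a verbatim copy of the one in policy-json-file.rst, URL included, so any later correction to the wording or the link has to be made in two places. Consider keeping the note in one shared file pulled in with an include directive, or at least defining the link target once. Since the rule above it grants "identity:create_user" to "role:admin", the note could also state in a few words what the admin role gives access to instead of leaving that entirely to the linked page.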