From 30a683f20a9881f8f4a43c19681b6c6d399e3e08 Mon Sep 17 00:00:00 2001
From: Frode Nordahl <frode.nordahl@canonical.com>
Date: Mon, 28 Jan 2019 17:02:19 +0100
Subject: [PATCH] Add paragraph about Octavia Policies and end user API access

Change-Id: I214c22ceda5fdc16ac8e8d1bb71c4709faff41f0
Closes-Bug: #1813602
---
 deploy-guide/source/app-octavia.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/deploy-guide/source/app-octavia.rst b/deploy-guide/source/app-octavia.rst
index dc72a99..f24c0d0 100644
--- a/deploy-guide/source/app-octavia.rst
+++ b/deploy-guide/source/app-octavia.rst
@@ -143,6 +143,12 @@ on the lead octavia unit:
 
 This action must be run before Octavia is fully operational.
 
+Access to the Octavia load-balancer API is guarded by policies and end users
+must have specific roles to gain access to the service.  The charm will request
+Keystone to pre-create these roles for you on deployment but you must assign the
+roles to your end users as you see fit.  Take a look at
+`Octavia Policies <https://docs.openstack.org/octavia/latest/configuration/policy.html>`_.
+
 The charm also allows the operator to pre-configure these resources to support
 full custom configuration of the management network for Octavia. If you want
 to manage these resources yourself you must set the `create-mgmt-network`