Link to the Keystone role documentation

The oslo.policy docs on writing custom policy checks use things like
the admin role without explaining where it comes from. This change
adds a link to the Keystone docs that explain which roles are created
by default and what they provide access to.

Change-Id: I70c01ad88344edd2db384da8b24ba0238764a8ec

doc/source/admin/policy-json-file.rst

@@ -76,6 +76,10 @@ administrators can create new users in the Identity database:
 
     "identity:create_user" : "role:admin"
 
+.. note:: ``admin`` is a built-in default role in Keystone. For more
+          details and other roles that may be available, see the
+          `Keystone documentation on default roles. <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
+
 You can limit APIs to any role. For example, the Orchestration service
 defines a role named ``heat_stack_user``. Whoever has this role is not
 allowed to create stacks:

doc/source/admin/policy-yaml-file.rst

@@ -71,6 +71,10 @@ administrators can create new users in the Identity database:
 
     "identity:create_user" : "role:admin"
 
+.. note:: ``admin`` is a built-in default role in Keystone. For more
+          details and other roles that may be available, see the
+          `Keystone documentation on default roles. <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
+
 You can limit APIs to any role. For example, the Orchestration service
 defines a role named ``heat_stack_user``. Whoever has this role is not
 allowed to create stacks: