From 30f5df1b8c4f80ef5685882674aa3faf424f22e3 Mon Sep 17 00:00:00 2001 From: Ben Nemec Date: Wed, 15 Jan 2020 18:02:35 +0000 Subject: [PATCH] Link to the Keystone role documentation The oslo.policy docs on writing custom policy checks use things like the admin role without explaining where it comes from. This change adds a link to the Keystone docs that explain which roles are created by default and what they provide access to. Change-Id: I70c01ad88344edd2db384da8b24ba0238764a8ec --- doc/source/admin/policy-json-file.rst | 4 ++++ doc/source/admin/policy-yaml-file.rst | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/doc/source/admin/policy-json-file.rst b/doc/source/admin/policy-json-file.rst index 8d918d8a..b0c3b96f 100644 --- a/doc/source/admin/policy-json-file.rst +++ b/doc/source/admin/policy-json-file.rst @@ -76,6 +76,10 @@ administrators can create new users in the Identity database: "identity:create_user" : "role:admin" +.. note:: ``admin`` is a built-in default role in Keystone. For more + details and other roles that may be available, see the + `Keystone documentation on default roles. `_ + You can limit APIs to any role. For example, the Orchestration service defines a role named ``heat_stack_user``. Whoever has this role is not allowed to create stacks: diff --git a/doc/source/admin/policy-yaml-file.rst b/doc/source/admin/policy-yaml-file.rst index 0018f8ad..1cef8fed 100644 --- a/doc/source/admin/policy-yaml-file.rst +++ b/doc/source/admin/policy-yaml-file.rst @@ -71,6 +71,10 @@ administrators can create new users in the Identity database: "identity:create_user" : "role:admin" +.. note:: ``admin`` is a built-in default role in Keystone. For more + details and other roles that may be available, see the + `Keystone documentation on default roles. `_ + You can limit APIs to any role. For example, the Orchestration service defines a role named ``heat_stack_user``. Whoever has this role is not allowed to create stacks:
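Review bot: In the doc/source/admin/policy-json-file.rst hunk, the added hyperlink reads `Keystone documentation on default roles. `_ with no <URL> target before the closing backtick, so as shown here it would render as an unresolved reference, not as the link the commit message describes. Please confirm the Keystone URL is present inside angle brackets in the actual file. The trailing period also sits inside the link text; moving it after the `_ keeps the punctuation out of the anchor.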
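Review bot: In the doc/source/admin/policy-yaml-file.rst hunk, the four added lines are a verbatim copy of the note added to policy-json-file.rst, which gives two places to update if the Keystone default roles page moves or the wording changes. Consider keeping the note in one shared snippet that both pages pull in with an include directive, or at least defining the link target once and referencing it by name from both files.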