From 876ee4b01a712c407f2d78e0ced80d360ba95b22 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 13 Jan 2021 17:34:00 +0000 Subject: [PATCH] Add details to bootstrap docs for system role assignments In queens we added support for `keystone-manage bootstrap` to populate a system admin role assignment: I6b7196a28867d9a699716c8fef2609d608a5b2a2 The end-user/deployer facing documentation doesn't mention this though and it should because it ensures deployers have a user for system-level APIs. Change-Id: I07616c1470cd89130250cc89635a508f48c2be06 --- doc/source/admin/bootstrap.rst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/source/admin/bootstrap.rst b/doc/source/admin/bootstrap.rst index 51142b3700..888ab6112e 100644 --- a/doc/source/admin/bootstrap.rst +++ b/doc/source/admin/bootstrap.rst @@ -73,10 +73,12 @@ Verbosely, keystone can be bootstrapped with: --bootstrap-internal-url http://localhost:5000 This will create an ``admin`` user with the ``admin`` role on the ``admin`` -project. The user will have the password specified in the command. Note that -both the user and the project will be created in the ``default`` domain. By not -creating an endpoint in the catalog users will need to provide endpoint -overrides to perform additional identity operations. +project and the system. This allows the user to generate project-scoped and +system-scoped tokens which ensures they have full RBAC authorization. The user +will have the password specified in the command. Note that both the user and +the project will be created in the ``default`` domain. By not creating an +endpoint in the catalog users will need to provide endpoint overrides to +perform additional identity operations. This command will also create ``member`` and ``reader`` roles. The ``admin`` role implies the ``member`` role and ``member`` role implies the ``reader``
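Review bot: the new sentence in the hunk, "This allows the user to generate project-scoped and system-scoped tokens which ensures they have full RBAC authorization", is ambiguous and overstated: "which" reads as modifying the tokens rather than the role assignment, and "full RBAC authorization" promises more than a role assignment gives, since what a scoped token is allowed to do still depends on the policy in effect. Suggest splitting it and scoping the claim, for example: "The user can therefore obtain both project-scoped and system-scoped tokens, so under the default policies they can reach both project-level and system-level APIs." It would also help to say plainly that the system role assignment is what deployers use for system-scoped operations; the commit message gives that as the motivation, but the hunk's text never states it, and "on the ``admin`` project and the system" on its own does not tell a reader that these are two distinct scopes.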