Add docs about bootstrapping immutable roles

Add a note to the ``keystone-manage bootstrap`` documentation about the behavior of immutable roles. Change-Id: I1cdbdc8668ed4312660ec269c40e1259517b327c Depends-on: https://review.opendev.org/705859
2020-02-11 10:59:01 -08:00 · 2020-02-11 10:59:01 -08:00 · 2e97ec5770
parent 37aee24a01
commit 2e97ec5770
1 changed files with 4 additions and 1 deletions
--- a/doc/source/admin/bootstrap.rst
+++ b/doc/source/admin/bootstrap.rst
@ -80,7 +80,10 @@ overrides to perform additional identity operations.

 This command will also create ``member`` and ``reader`` roles. The ``admin``
 role implies the ``member`` role and ``member`` role implies the ``reader``
-role.
+role. By default, these three roles are immutable, meaning they are created with
+the ``immutable`` resource option and cannot be modified or deleted unless the
+option is removed. To disable this behavior, add the ``--no-immutable-roles``
+flag.

 By creating an ``admin`` user and an identity endpoint you may
 authenticate to keystone and perform identity operations like creating