From 2e97ec5770e0f042c9710f9535ff228740e7ed70 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Tue, 11 Feb 2020 10:59:01 -0800 Subject: [PATCH] Add docs about bootstrapping immutable roles Add a note to the ``keystone-manage bootstrap`` documentation about the behavior of immutable roles. Change-Id: I1cdbdc8668ed4312660ec269c40e1259517b327c Depends-on: https://review.opendev.org/705859 --- doc/source/admin/bootstrap.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/source/admin/bootstrap.rst b/doc/source/admin/bootstrap.rst index 8b9fc92afc..51142b3700 100644 --- a/doc/source/admin/bootstrap.rst +++ b/doc/source/admin/bootstrap.rst @@ -80,7 +80,10 @@ overrides to perform additional identity operations. This command will also create ``member`` and ``reader`` roles. The ``admin`` role implies the ``member`` role and ``member`` role implies the ``reader`` -role. +role. By default, these three roles are immutable, meaning they are created with +the ``immutable`` resource option and cannot be modified or deleted unless the +option is removed. To disable this behavior, add the ``--no-immutable-roles`` +flag. By creating an ``admin`` user and an identity endpoint you may authenticate to keystone and perform identity operations like creating
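Review bot: the added sentences in the `@@ -80,7 +80,10 @@` hunk leave two things unstated for an operator. "cannot be modified or deleted unless the option is removed" does not say how the ``immutable`` resource option is removed, and "add the ``--no-immutable-roles`` flag" does not name the command that takes it. Suggest rewording the last sentence to "To disable this behavior, pass ``--no-immutable-roles`` to ``keystone-manage bootstrap``" and adding a cross-reference to the resource options documentation for removing the option later. Because the text says the roles "are created with" the option, it would also help to state what happens when bootstrap is re-run against a deployment where ``admin``, ``member`` and ``reader`` already exist, so operators know whether existing roles are affected.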