Add details to bootstrap docs for system role assignments

In queens we added support for `keystone-manage bootstrap` to populate a system admin role assignment: I6b7196a28867d9a699716c8fef2609d608a5b2a2 The end-user/deployer facing documentation doesn't mention this though and it should because it ensures deployers have a user for system-level APIs. Change-Id: I07616c1470cd89130250cc89635a508f48c2be06
2021-01-13 17:34:00 +00:00
parent 1c3131c6dc
commit 876ee4b01a
1 changed files with 6 additions and 4 deletions
--- a/doc/source/admin/bootstrap.rst
+++ b/doc/source/admin/bootstrap.rst
@@ -73,10 +73,12 @@ Verbosely, keystone can be bootstrapped with:
        --bootstrap-internal-url http://localhost:5000

 This will create an ``admin`` user with the ``admin`` role on the ``admin``
-project. The user will have the password specified in the command. Note that
-both the user and the project will be created in the ``default`` domain. By not
-creating an endpoint in the catalog users will need to provide endpoint
-overrides to perform additional identity operations.
+project and the system. This allows the user to generate project-scoped and
+system-scoped tokens which ensures they have full RBAC authorization. The user
+will have the password specified in the command.  Note that both the user and
+the project will be created in the ``default`` domain. By not creating an
+endpoint in the catalog users will need to provide endpoint overrides to
+perform additional identity operations.

 This command will also create ``member`` and ``reader`` roles. The ``admin``
 role implies the ``member`` role and ``member`` role implies the ``reader``