Add default user role for Keystone & Horizon and tasks to create it

In Keystone v3, the _member_ role is not implicitly created on first
use like it is in v2.

This patch adds variables to define the default role name for users:
 - keystone_default_role_name:
   this is the default role name from Keystone's point of view
 - horizon_default_role_name:
   this is the default user role from Horizon's point of view

Both Keystone and Horizon's tasks ensure that the role they're using
are registered in the Keystone database.

To maintain backwards compatibility the default value for both
variables is '_member_'.

DocImpact
Closes-bug: 1474916
Change-Id: Ie01e1771c0b435815dfe55fc0ba9a6d803ebe958

defaults/main.yml

@@ -80,6 +80,7 @@ keystone_database_pool_timeout: 30
 
 ## Role info
 keystone_role_name: admin
+keystone_default_role_name: _member_
 
 ## Admin info
 keystone_admin_port: 35357

tasks/keystone_service_setup.yml

@@ -128,6 +128,22 @@
     - keystone-api-setup
     - keystone-setup
 
+# Add the default user role
+- name: Ensure default keystone user role
+  keystone:
+    command: "ensure_role"
+    token: "{{ keystone_auth_admin_token }}"
+    endpoint: "{{ keystone_service_adminurl }}"
+    role_name: "{{ keystone_default_role_name }}"
+    insecure: "{{ keystone_service_adminuri_insecure }}"
+  register: add_member_role
+  until: add_member_role|success
+  retries: 5
+  delay: 10
+  tags:
+    - keystone-api-setup
+    - keystone-setup
+
 # Create a service
 - name: Ensure Keystone Service
   keystone:

templates/keystone.conf.j2

@@ -9,6 +9,7 @@ public_endpoint = {{ keystone_public_endpoint }}
 {% endif %}
 admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
+member_role_name = {{ keystone_default_role_name }}
 
 {% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
 secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}