Add roles for CI users

Without this patch, puppet does not idempotently create the openstackci
and openstackjenkins users. Puppet will create the openstackci and
openstackjenkins users, but won't assign them any kind of membership in
the openstackci and openstackjenkins projects. Then on the second
puppet run, puppet tries to check the users' passwords by issuing an
'openstack token issue' command. Without a role, the users can't
authenticate and receive a 401. Puppet then reports that it 'changed
password' because the password check failed.

The name of the role, 'user', is not significant.

The strange syntax of the keystone_user_role resource is explained in
the keystone module[1].

[1] http://git.openstack.org/cgit/openstack/puppet-keystone/tree/examples/user_project_user_role_composite_namevar.pp

Change-Id: I4fb94722ccafb80cdbefa9500b2124a82ddd57cf
Colleen Murphy 2016-03-03 14:10:31 -08:00
parent b79426f968
commit d61b4adadf

@ -85,6 +85,17 @@ class openstack_project::infracloud::controller (
password => $openstackjenkins_password,
require => Keystone_tenant['openstackjenkins'],
}
keystone_role { 'user': ensure => present }
keystone_user_role { 'openstackci::infra@openstackci::infra':
roles => 'user',
}
keystone_user_role { 'openstackjenkins::infra@openstackjenkins::infra':
roles => 'user',
}
realize (
User::Virtual::Localuser['colleen'],
User::Virtual::Localuser['rcarrillocruz'],
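
Review bot: the new keystone_role { 'user': } and the two keystone_user_role resources have no comment saying why they exist. The reason is only in the commit message: without a role assignment the users get a 401 on 'openstack token issue', and puppet reports a password change on every run. A short comment above keystone_role would stop a later cleanup from removing the role as unused, and it could also record that the role is meant to stay an unprivileged one. Two smaller points on the same lines: the keystone_user_role resources leave ensure implicit while keystone_role spells out ensure => present, so stating it on all three would be consistent, and roles => ['user'] as an array makes it easier to add a second role later. The user resource just above declares require => Keystone_tenant[...] explicitly; if the ordering of the role assignment after Keystone_role['user'] and the users is not already guaranteed by the keystone_user_role type, add the matching require here as well.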