Handle Forbidden exception when creating role

Until now the code has been counting on the fact that demo user
can't list roles. This has changed and the code has started
faling on creating a new role because demo user doesn't have
proper permissions. The patch wraps the whole logic around listing
and creating roles to try except block.
The patch also sets refstack-client-devstack-tempestconf as non
voting, because in order to fix it this review needs to be
merged first.

Change-Id: Ief0916e4ec51a23c72ffd1cde529ecb33f949dec

.zuul.yaml

@@ -13,7 +13,8 @@
         - python-tempestconf-tempest-packstack-admin
         - python-tempestconf-tempest-packstack-demo
         - tripleo-ci-centos-7-scenario002-multinode-oooq-container
-        - refstack-client-devstack-tempestconf
+        - refstack-client-devstack-tempestconf:
+            voting: false
     gate:
       jobs:
         - python-tempestconf-tempest-devstack-admin
@@ -21,7 +22,8 @@
         - python-tempestconf-tempest-packstack-admin
         - python-tempestconf-tempest-packstack-demo
         - tripleo-ci-centos-7-scenario002-multinode-oooq-container
-        - refstack-client-devstack-tempestconf
+        - refstack-client-devstack-tempestconf:
+            voting: false
 
 - job:
     name: python-tempestconf-devstack-base

config_tempest/services/object_storage.py

@@ -40,22 +40,21 @@ class ObjectStorageService(Service):
     def list_create_roles(self, conf, client):
         try:
             roles = client.list_roles()['roles']
+            for section_key in ["operator_role", "reseller_admin_role"]:
+                key_value = conf.get_defaulted("object-storage", section_key)
+                if key_value not in [r['name'] for r in roles]:
+                    LOG.info("Creating %s role", key_value)
+                    try:
+                        client.create_role(name=key_value)
+                    except exceptions.Conflict:
+                        LOG.info("Role %s already exists", key_value)
+            conf.set('object-storage', 'operator_role', 'admin')
         except exceptions.Forbidden:
-            LOG.info("Roles can't be listed - the user needs permissions.")
+            LOG.info("Roles can't be listed or created. The user doesn't have "
+                     "permissions.")
             # If is not admin, we set the operator_role to Member
             # otherwise we set to admin
             conf.set('object-storage', 'operator_role', 'Member')
-            return
-
-        for section_key in ["operator_role", "reseller_admin_role"]:
-            key_value = conf.get_defaulted("object-storage", section_key)
-            if key_value not in [r['name'] for r in roles]:
-                LOG.info("Creating %s role", key_value)
-                try:
-                    client.create_role(name=key_value)
-                except exceptions.Conflict:
-                    LOG.info("Role %s already exists", key_value)
-        conf.set('object-storage', 'operator_role', 'admin')
 
     def get_feature_name(self):
         return 'object-storage'