Implements: blueprint api-v3-support
This patch implements these parts of the blueprint:
1) Implements the domain aware keystone_user_role resource.
With Keystone v3, you can assign a role to a user on a domain
or a project/tenant. e.g.
assign role 'admin' to user 'admin' for domain 'services'
assign role 'admin' to user 'admin' for project 'services'
That is, domain and project are mutually exclusive - you cannot
assign a role for both a domain and a project at the same time.
Accepts a 'username@thing' name/title in the following formats::
username@project
username::userdomain@::domain
username::userdomain@project::projectdomain
username::userdomain@project
et. al. other combinations. Use the @::domain to assign a role
for a domain. Use the short names wherever possible, when you are
absolutely sure that there is only 1 user or project with the given
name. For example, if you are absolutely sure that there is only 1
user named 'glance' in all domains, and only 1 project named 'services'
in all domains, you can use 'glance@services' as the user role name.
Otherwise, you will have to use the domain qualifier ::domain to
distinguish 'glance::domain1' from 'glance::domain2'.
Note that the user id and project id must be used when assigning
a role for a user for a project for the role add and role delete
commands, which is why #create, #destroy, and #roles= have to look
up the user and project ids (via the convenience #properties method).
Change-Id: I70fad491096d4ad876634aac173cd4e321274d65
f66a3b8f2e