keystone: support _member_ role management

Allow to let puppet-keystone managing _member_ role which is required
by Horizon. Can be enabled with keystone_enable_member parameter (disabled
by default.)

A patch in tripleo-heat-templates will activate this boolean to true so
Horizon deployments will trigger the role creation.

Change-Id: I5272f1fc199772043db48d29b0ea99a8bfff4ed5
Related-Bug: #1741066

manifests/profile/base/keystone.pp

@@ -138,6 +138,10 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*keystone_enable_member*]
+#   (Optional) Whether _member_ role is managed or not (required for Horizon).
+#   Defaults to hiera('keystone_enable_member', false)
+#
 class tripleo::profile::base::keystone (
   $admin_endpoint_network         = hiera('keystone_admin_api_network', undef),
   $bootstrap_node                 = hiera('bootstrap_nodeid', undef),
@@ -166,6 +170,7 @@ class tripleo::profile::base::keystone (
   $barbican_notification_topics   = [],
   $extra_notification_topics      = [],
   $step                           = Integer(hiera('step')),
+  $keystone_enable_member         = hiera('keystone_enable_member', false),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -280,6 +285,11 @@ class tripleo::profile::base::keystone (
 
   if $step == 3 and $manage_roles {
     include ::keystone::roles::admin
+    if $keystone_enable_member {
+      keystone_role { '_member_':
+        ensure => present,
+      }
+    }
   }
 
   if $step == 3 and $manage_endpoint {

releasenotes/notes/keystone_member-70065ba9269c4bfd.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Allow to let puppet-keystone managing _member_ role which is required
+    by Horizon. Can be enabled with keystone_enable_member parameter (disabled
+    by default.)