Roles lost in Folsom to Grizzly upgrade

In a Folsom -> Grizzly upgrade I noticed my admin user wasn't authorised to admininster keystone any more. I had to hack my policy.json so I could interrogate keystone to find out why.

keystone user-role-list has one entry. Giving my admin user the '_member_' role:

| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 139113774ba44497a7fe9bbe268dfdac | 8b79e14d24e645a39be0f6bf1f68208b |

So the "Admin" role was missing. Different roles are missing from other users too.

Original Folsom tables:

mysql> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| ec2_credential |
| endpoint |
| metadata |
| migrate_version |
| role |
| service |
| tenant |
| token |
| user |
| user_tenant_membership |
+------------------------+
10 rows in set (0.00 sec)

From what I can tell, roles used to be stored in the 'metadata' table in Folsom.

mysql> describe metadata;
+-----------+-------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| user_id | varchar(64) | NO | PRI | NULL | |
| tenant_id | varchar(64) | NO | PRI | NULL | |
| data | text | YES | | NULL | |
+-----------+-------------+------+-----+---------+-------+
3 rows in set (0.01 sec)

Sample row:
  user_id: 671dcaba8087487c8a28afe42b6672fa
tenant_id: e4eee8dbc16a49dcbc76edac96674e96
     data: {"roles": ["ce685d2405f14ef09568da65b102b1e9", "75fc2fd3a6004c37bbd6c518c25cdaaa"]}

At version 7 keystone adds a new 'user_domain_metadata' table which seems awfully similar to the metadata table. The metadata table is never touched ever again after this.

    user_domain_metadata_table = sql.Table(
        'user_domain_metadata',
        meta,
        sql.Column(
            'user_id',
            sql.String(64),
            sql.ForeignKey('user.id'),
            primary_key=True),
        sql.Column(
            'domain_id',
            sql.String(64),
            sql.ForeignKey('domain.id'),
            primary_key=True),
        sql.Column('data', sql.Text()))
    user_domain_metadata_table.create(migrate_engine, checkfirst=True)

At version 17 there's another similar-looking 'user_project_metadata' table created.

If I drop the user_project_metadata table and put my metadata table in its place (with column tenant_id renamed to project_id) everything seems to just work.