Comment 2 for bug 1131087

Kieran Spear (kspear) wrote :

It's not. Basically the problem is here:

https://github.com/openstack/keystone/commit/b20302aa3e08421295140576d0aeea2fa9e34188#L6L117

and here:

https://github.com/openstack/keystone/commit/b20302aa3e08421295140576d0aeea2fa9e34188#L2R22

The metadata table was recreated as user_project_metadata, and only implicit roles due to project membership were migrated, not explicit roles from the metadata table itself.

There's also the additional problem that existing deployments will generally already have a "Member" role, so once the above migration is done properly you will have a mess of _member_ and Member roles. Ideally I'd be able to set member_role_name and member_role_id in the conf to point to the existing member role and the migration would (1) add that role only if it didn't exist already and (2) add any missing Member role grants iff they don't already exist. Having "_member_" show up in the cli/dashboard is also really ugly...
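As an added illustration that is not part of the comment above and is not Keystone's migration code: a sketch of a migration that carries over both implicit membership and explicit metadata roles, and reuses an existing member role instead of creating a second one. The table layout, the `membership` table name, and the functions `migrate`, `grants_of` and `build_demo_db` are simplified assumptions, and the sample rows are constructed.

```python
import json
import sqlite3

# Constructed, simplified schema: names are assumptions, not Keystone's own.
SCHEMA = """
CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE membership (user_id TEXT, project_id TEXT);
CREATE TABLE metadata (user_id TEXT, project_id TEXT, data TEXT);
CREATE TABLE user_project_metadata (user_id TEXT, project_id TEXT, data TEXT,
    PRIMARY KEY (user_id, project_id));
"""

def migrate(db, member_role_id, member_role_name):
    """Idempotently merge explicit and implicit grants into the new table."""
    # (1) Add the member role only if no role with that name exists already.
    row = db.execute("SELECT id FROM role WHERE name = ?",
                     (member_role_name,)).fetchone()
    if row:
        member_role_id = row[0]
    else:
        db.execute("INSERT INTO role VALUES (?, ?)",
                   (member_role_id, member_role_name))
    grants = {}  # (user_id, project_id) -> list of role ids
    # Read the target first so a re-run is a no-op, then the old explicit roles.
    for table in ("user_project_metadata", "metadata"):
        query = f"SELECT user_id, project_id, data FROM {table}"
        for u, p, data in db.execute(query).fetchall():
            roles = grants.setdefault((u, p), [])
            roles += [r for r in json.loads(data).get("roles", []) if r not in roles]
    # (2) Implicit membership becomes a member-role grant only if it is missing.
    for u, p in db.execute("SELECT user_id, project_id FROM membership").fetchall():
        roles = grants.setdefault((u, p), [])
        if member_role_id not in roles:
            roles.append(member_role_id)
    for (u, p), roles in grants.items():
        db.execute("INSERT OR REPLACE INTO user_project_metadata VALUES (?, ?, ?)",
                   (u, p, json.dumps({"roles": roles})))
    db.commit()
    return member_role_id

def grants_of(db):
    rows = db.execute("SELECT user_id, project_id, data FROM user_project_metadata")
    return {(u, p): json.loads(d)["roles"] for u, p, d in rows}

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO role VALUES (?, ?)",
                   [("r-member", "Member"), ("r-admin", "admin")])
    db.executemany("INSERT INTO membership VALUES (?, ?)",
                   [("alice", "p1"), ("bob", "p1")])
    db.execute("INSERT INTO metadata VALUES ('alice', 'p1', ?)",
               (json.dumps({"roles": ["r-admin"]}),))
    return db
```

Running `migrate` twice on the demo database leaves the same grants in place, which is the property an upgrade on an existing deployment needs to avoid silently dropping or duplicating role assignments.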