Comment 8 for bug 1635306

Keystone will automatically create the _member_ role (or whatever role name/id is configured in keystone.conf) when a user is added to a project if the role doesn't exist already:

  https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L166-L173

The method that this code is a part of is only used by the v2 User class in identity/controller.py:

  https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L33

I suspect that we are only using the v3 API during deployment now, which means that the _member_ role will not be automatically created by Keystone. We should have puppet create the _member_ role.