Cinder: add creator role when barbican is enabled

When barbican is enabled, add the "creator" role to cinder's service
user so that cinder can create secrets. Cinder needs to create
barbican secrets when migrating encryption keys from the legacy
ConfKeyManager to barbican. Cinder also needs to create barbican
secrets in order to support transferring encrypted volumes.

Implements: bp/transfer-encrypted-volume
Depends-On: I216f78e8a300ab3f79bbcbb38110adf2bbec2196
Change-Id: Ia3f414c4b9b0829f60841a6dd63c97a893fdde4d
diff --git a/lib/cinder b/lib/cinder
index ca2c084..7dd7539 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -388,16 +388,24 @@
 
 # create_cinder_accounts() - Set up common required cinder accounts
 
-# Tenant               User       Roles
+# Project              User       Roles
 # ------------------------------------------------------------------
-# service              cinder     admin        # if enabled
+# SERVICE_PROJECT_NAME cinder     service
+# SERVICE_PROJECT_NAME cinder     creator (if Barbican is enabled)
 
 # Migrated from keystone_data.sh
 function create_cinder_accounts {
     # Cinder
     if [[ "$ENABLED_SERVICES" =~ "c-api" ]]; then
 
-        create_service_user "cinder"
+        local extra_role=""
+
+        # cinder needs the "creator" role in order to interact with barbican
+        if is_service_enabled barbican; then
+            extra_role=$(get_or_create_role "creator")
+        fi
+
+        create_service_user "cinder" $extra_role
 
         # block-storage is the official service type
         get_or_create_service "cinder" "block-storage" "Cinder Volume Service"