Handling auth expiry for long-running deployments (keystone trusts)

After talking to Steve Hardy, heat supports trust delegation (and it will be the default at some point), so in theory (TM) once the initial stack-create succeeds, Heat should be able to continue functioning.

It should be possible for Murano to do the same; use the initial token to generate a trust that will be valid for e.g. checking heat stack status forever. Since trust chaining is NOT yet implemented, the initial operations still have to be done with a scoped, non-trusted-generated token (e.g. from horizon or from keystone).

[Stan Lagun]
After some research and attempts to implement trusts I discovered that Icehouse Heat has a but that prevents it from doing anything with a token obtained from trust. Because of this bug we cannot issue new token and access stack using it. This bug was recently fixed so I'm trying to set up myself Juno Heat and test on it. Also I need to make config setting to not to use trusts (and make it default) so that Murano could still be used with Icehouse.

Also in order to use trusts with Heat the later needs to be specially configured (trusts are disabled by default) and user need to have special role (that you cannot create/add in Horizon). Thus we also need to update devstack scripts for new configuration because otherwise nothing will work with trusts enabled even on Juno

Gerrit topic: https://review.openstack.org/#q,topic:bp/auth-for-long-running-requests,n,z

Addressed by: https://review.openstack.org/119042
    Use Keystone trusts to get fresh token

[asalkeld] let me know if you need help, i got solum working in this situation:
https://github.com/stackforge/solum/blob/master/solum/api/handlers/pipeline_handler.py#L47-L63
https://github.com/stackforge/solum/blob/master/solum/common/solum_keystoneclient.py