authorVishakha Agarwal <agarwalvishakha18@gmail.com>2020-05-27 12:08:41 +0530
committerVishakha Agarwal <agarwalvishakha18@gmail.com>2020-07-29 09:10:01 +0000
commitc1dcbb05b4488f1fa3e7af4d9171d11702d94119 (patch)
tree1442d57a83aa37643364e4486e6d22ea1a102842
parent18f96a8a3eadb5502bc7b6f7fe722333351ce456 (diff)
downloadkeystone-c1dcbb05b4488f1fa3e7af4d9171d11702d94119.tar.gz
Delete system role assignments from system_assignment table
This patch ensures that system role assignments are deleted from all of the assignment tables in keystone when a role that a user holds on the system is deleted. It also makes sure that stale role assignments are removed before a role is deleted, for deployments that are already in this state. Closes-Bug: #1878938 Change-Id: I4df19c45c870ff3fb78578ca1fb7dd0d35da3c82
-rw-r--r--keystone/assignment/backends/sql.py5
-rw-r--r--keystone/tests/unit/assignment/test_backends.py19
-rw-r--r--releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml16
3 files changed, 40 insertions, 0 deletions
diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py
index 6822811ca..5eda2b724 100644
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
q = q.filter_by(role_id=role_id)
q.delete(False)
+ with sql.session_for_write() as session:
+ q = session.query(SystemRoleAssignment)
+ q = q.filter_by(role_id=role_id)
+ q.delete(False)
+
def delete_domain_assignments(self, domain_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
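Review bot: The added lines open a second `sql.session_for_write()` context instead of reusing the session that the two context lines at the top of the hunk appear to belong to (that enclosing `with` and the method signature are outside the hunk), so the `RoleAssignment` delete and the `SystemRoleAssignment` delete run as separate transactions. If the second delete fails after the first has committed, the role's project/domain assignments are gone but its `system_assignment` rows remain, which is the stale state this change is meant to eliminate. Moving `q = session.query(SystemRoleAssignment)` / `q = q.filter_by(role_id=role_id)` / `q.delete(False)` into the existing session block makes the cleanup atomic, and `delete(False)` stays appropriate there since `q` is not reused after the delete. A short comment such as `# system grants live in a separate table and must be purged together with the role` would record why a second query is needed.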
diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py
index dd327c879..cdf89664a 100644
--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -4225,3 +4225,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
group_id,
role['id']
)
+
+ def test_delete_role_with_system_assignments(self):
+ role = unit.new_role_ref()
+ PROVIDERS.role_api.create_role(role['id'], role)
+ domain = unit.new_domain_ref()
+ PROVIDERS.resource_api.create_domain(domain['id'], domain)
+ user = unit.new_user_ref(domain_id=domain['id'])
+ user = PROVIDERS.identity_api.create_user(user)
+
+ # creating a system grant for user
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ user['id'], role['id']
+ )
+ # deleting the role user has on system
+ PROVIDERS.role_api.delete_role(role['id'])
+ system_roles = PROVIDERS.assignment_api.list_role_assignments(
+ role_id=role['id']
+ )
+ self.assertEqual(len(system_roles), 0)
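Review bot: `test_delete_role_with_system_assignments` asserts only the post-condition, so it passes vacuously if `list_role_assignments(role_id=...)` never reports system grants in the first place; I cannot tell from the hunk whether that call includes `system_assignment` rows when no `system` filter is given. Adding a precondition before `delete_role`, e.g. `self.assertEqual(1, len(PROVIDERS.assignment_api.list_role_assignments(role_id=role['id'])))`, proves the grant was visible through this API and was actually removed by the fix. The final check would read better as `self.assertEqual([], system_roles)`, which prints the leftover assignments on failure instead of a bare count. The `group_id` context lines from the preceding test suggest a group system-grant path exists; it is not exercised here, and the same deletion covers both actor types, so a sibling test using the group counterpart of `create_system_grant_for_user` would close that gap.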
diff --git a/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml
new file mode 100644
index 000000000..37eddac1f
--- /dev/null
+++ b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml
@@ -0,0 +1,16 @@
+---
+fixes:
+ - |
+ [`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
+ Previously when a user used to have system role assignment and tries to delete
+ the same role, the system role assignments still existed in system_assignment
+ table. This fix ensures that deleting a role should delete all the its assignments
+ from every assignment table.
+
+ If you are affected by this bug, a fix in the keystone database will be
+ needed so we recommend to remove the stale role assignmensts before doing this
+ process.
+
+ SQL:
+ - delete from assignment where role_id not in (select id from role);
+ - delete from system_assignment where role_id not in (select id from role);