authorZuul <zuul@review.opendev.org>2021-03-18 07:03:24 +0000
committerGerrit Code Review <review@openstack.org>2021-03-18 07:03:24 +0000
commit72d8d7ede1d57f66a2540ee076a41ff171769fc8 (patch)
tree994768cc13aeb8d8cca602c4b1ac00aa32184ce9
parentb49a465edc907d8b8f863904239b0d6c58293800 (diff)
parente8b477847cabe449be4d3b8a21d8236ddbd84064 (diff)
downloadkeystone-72d8d7ede1d57f66a2540ee076a41ff171769fc8.tar.gz
Merge "Delete system role assignments from system_assignment table" into stable/train
-rw-r--r--keystone/assignment/backends/sql.py5
-rw-r--r--keystone/tests/unit/assignment/test_backends.py19
-rw-r--r--releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml16
3 files changed, 40 insertions, 0 deletions
diff --git a/keystone/assignment/backends/sql.py b/keystone/assignment/backends/sql.py
index 6822811ca..5eda2b724 100644
--- a/keystone/assignment/backends/sql.py
+++ b/keystone/assignment/backends/sql.py
@@ -262,6 +262,11 @@ class Assignment(base.AssignmentDriverBase):
q = q.filter_by(role_id=role_id)
q.delete(False)
+ with sql.session_for_write() as session:
+ q = session.query(SystemRoleAssignment)
+ q = q.filter_by(role_id=role_id)
+ q.delete(False)
+
def delete_domain_assignments(self, domain_id):
with sql.session_for_write() as session:
q = session.query(RoleAssignment)
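Review bot: The added `SystemRoleAssignment` delete opens its own `sql.session_for_write()` block instead of joining the block that presumably wraps the preceding `RoleAssignment` delete (the start of that method is outside the hunk), so the two deletes may commit as separate transactions. If the second one fails, the role's project and domain grants are gone while its system-scope grants stay in `system_assignment`, which is the stale authorization state this fix is meant to remove. Consider issuing `session.query(SystemRoleAssignment).filter_by(role_id=role_id).delete(False)` inside the existing block so both tables are cleaned atomically. Spelling the argument as `synchronize_session=False` would also make the intent of the bare `False` readable.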
diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py
index 589256eff..181c42a54 100644
--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -4226,3 +4226,22 @@ class SystemAssignmentTests(AssignmentTestHelperMixin):
group_id,
role['id']
)
+
+ def test_delete_role_with_system_assignments(self):
+ role = unit.new_role_ref()
+ PROVIDERS.role_api.create_role(role['id'], role)
+ domain = unit.new_domain_ref()
+ PROVIDERS.resource_api.create_domain(domain['id'], domain)
+ user = unit.new_user_ref(domain_id=domain['id'])
+ user = PROVIDERS.identity_api.create_user(user)
+
+ # creating a system grant for user
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ user['id'], role['id']
+ )
+ # deleting the role user has on system
+ PROVIDERS.role_api.delete_role(role['id'])
+ system_roles = PROVIDERS.assignment_api.list_role_assignments(
+ role_id=role['id']
+ )
+ self.assertEqual(len(system_roles), 0)
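Review bot: `test_delete_role_with_system_assignments` never asserts that the system grant exists before `delete_role` is called, so the final `assertEqual(len(system_roles), 0)` would also pass if `list_role_assignments(role_id=...)` did not surface system assignments at all. Adding a precondition check after `create_system_grant_for_user`, for example `self.assertTrue(PROVIDERS.assignment_api.list_role_assignments(role_id=role['id']))`, would tie the test to the cleanup itself. The test covers only a user grant; a parallel case using `create_system_grant_for_group` would exercise group rows in the same table. The enclosing class starts outside the hunk.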
diff --git a/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml
new file mode 100644
index 000000000..21a53b482
--- /dev/null
+++ b/releasenotes/notes/bug-1878938-70ee2af6fdf66004.yaml
@@ -0,0 +1,16 @@
+---
+fixes:
+ - |
+ [`bug 1878938 <https://bugs.launchpad.net/keystone/+bug/1878938>`_]
+ Previously when a user used to have system role assignment and tries to delete
+ the same role, the system role assignments still existed in system_assignment
+ table. This causes keystone to return `HTTP 404 Not Found` errors when listing
+ role assignments with names (e.g., `--names` or `?include_names`).
+
+ If you are affected by this bug, you must remove stale role assignments
+ manually. The following is an example SQL statement you can use to fix the
+ issue, but you should verify it's applicability to your deployment's SQL
+ implementation and version.
+
+ SQL:
+ - delete from system_assignment where role_id not in (select id from role);