From 3a3b3c5b5a35c93b9f3df79887805956208eaf5f Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 12 Feb 2018 21:23:45 +0000
Subject: [PATCH] Delete system role assignments when deleting users

Keystone removes role assignments that users have on projects and domains when deleting users. This should also apply to system role assignments, too.

Change-Id: Ied51b9c3b58714b2d5dbcb933eca1839d1351fc7
Closes-Bug: 1749264
---
 keystone/assignment/core.py | 11 +++++++++++
 keystone/tests/unit/test_v3_assignment.py | 2 --
 releasenotes/notes/bug-1749264-676ca02902bcd169.yaml | 6 ++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/bug-1749264-676ca02902bcd169.yaml

diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index d0bdd914f1..9d9885a0ba 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -1107,6 +1107,17 @@ class Manager(manager.Manager):
 payload
 )
+ def delete_user_assignments(self, user_id):
+ # FIXME(lbragstad): This should be refactored in the Rocky release so
+ # that we can pass the user_id to the system assignment backend like we
+ # do with the project and domain assignment backend. Holding off on
+ # this because it will require an interface change to the backend,
+ # making it harder to backport for Queens RC.
+ self.driver.delete_user_assignments(user_id)
+ system_assignments = self.list_system_grants_for_user(user_id)
+ for assignment in system_assignments:
+ self.delete_system_grant_for_user(user_id, assignment['id'])
+
 def check_system_grant_for_user(self, user_id, role_id):
 """Check if a user has a specific role on the system.
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 676ba4b0dd..2b4c22404e 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
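Review bot: The cleanup in the new `delete_user_assignments` is not atomic: the driver call removes the project and domain assignments first and the system grants are then deleted one at a time in the `for` loop, so an exception from any `delete_system_grant_for_user` call leaves the remaining system role assignments in place for a user that is being deleted. Stale system-scope grants are exactly what this fix is meant to prevent, so it is worth deciding whether the loop should continue past a failed delete and re-raise at the end, or at least log the role IDs that were not removed. The method also has no docstring, unlike `check_system_grant_for_user` right below it; something like `"""Delete all project, domain and system role assignments for a user."""` would state the contract. The loop variable would read more accurately as `role` if `list_system_grants_for_user` returns roles, which is not visible in this hunk but is suggested by its `['id']` being passed where the sibling method takes a `role_id`.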
@@ -24,7 +24,6 @@ import keystone.conf
 from keystone import exception
 from keystone.tests import unit
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 CONF = keystone.conf.CONF
@@ -366,7 +365,6 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
 # Make sure the role is gone
 self.head(member_url, expected_status=http_client.NOT_FOUND)
- @test_utils.wip("Waiting for a fix to bug #1749264")
 def test_delete_user_before_removing_system_assignments_succeeds(self):
 system_role = self._create_new_role()
 user = self._create_user()
diff --git a/releasenotes/notes/bug-1749264-676ca02902bcd169.yaml b/releasenotes/notes/bug-1749264-676ca02902bcd169.yaml
new file mode 100644
index 0000000000..6cdbd207d1
--- /dev/null
+++ b/releasenotes/notes/bug-1749264-676ca02902bcd169.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1749264 `_]
+ A user's system role assignment will be removed when the user is deleted.
+