-rw-r--r--keystone/identity/backends/kvs.py11
-rw-r--r--keystone/identity/backends/ldap/core.py13
-rw-r--r--keystone/identity/backends/sql.py11
-rw-r--r--tests/test_backend.py10
4 files changed, 45 insertions, 0 deletions
diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 81909ba5..ad6ca0f1 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -356,6 +356,17 @@ class Identity(kvs.Base, identity.Driver):
def delete_role(self, role_id):
try:
self.db.delete('role-%s' % role_id)
+ metadata_keys = filter(lambda x: x.startswith("metadata-"),
+ self.db.keys())
+ for key in metadata_keys:
+ tenant_id = key.split('-')[1]
+ user_id = key.split('-')[2]
+ try:
+ self.remove_role_from_user_and_tenant(user_id,
+ tenant_id,
+ role_id)
+ except exception.RoleNotFound:
+ pass
except exception.NotFound:
raise exception.RoleNotFound(role_id=role_id)
role_list = set(self.db.get('role_list', []))
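Review bot: The new loop sits inside the `try` whose `except exception.NotFound` becomes `RoleNotFound`, and it runs after `self.db.delete('role-%s' % role_id)` has already removed the role. If `remove_role_from_user_and_tenant` raises any NotFound other than `RoleNotFound` (for example on a metadata key whose user or tenant no longer exists; the helper is not shown), the caller is told the role was not found although it was deleted, the remaining grants stay in place, and the `role_list` update after the handler is skipped. Moving the loop out of the `try`, or widening the inner handler to `except exception.NotFound:`, would avoid leaving grants behind. Separately, `key.split('-')[1]` and `[2]` only recover the right ids when neither id contains a hyphen, so `key.split('-', 2)` plus a comment stating the assumed key layout would help. The body of delete_role continues past the end of the hunk.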
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 352abd7d..540679c0 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -969,3 +969,16 @@ class RoleApi(common_ldap.BaseLdap, ApiShimMixin):
super(RoleApi, self).update(role_id, role)
except exception.NotFound:
raise exception.RoleNotFound(role_id=role_id)
+
+ def delete(self, id):
+ conn = self.get_connection()
+ query = '(objectClass=%s)' % self.object_class
+ tenant_dn = self.tenant_api.tree_dn
+ try:
+ for role_dn, _ in conn.search_s(tenant_dn,
+ ldap.SCOPE_SUBTREE,
+ query):
+ conn.delete_s(role_dn)
+ except ldap.NO_SUCH_OBJECT:
+ pass
+ super(RoleApi, self).delete(id)
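Review bot: The search filter `'(objectClass=%s)' % self.object_class` never mentions `id`, so the loop calls `conn.delete_s` on every entry of that object class under `tenant_dn`, not only the entries for the role being deleted. If those entries are the per-tenant role grants (their layout is not visible here), deleting one role would revoke the grants of every other role as well. The filter should also match the role being removed, with the value passed through `ldap.filter.escape_filter_chars` because `id` ends up in a filter string. A comment above the loop such as `# remove this role's grant entries under every tenant before deleting the role itself` would record the intent.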
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index ebacf973..f8d836ac 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -487,6 +487,17 @@ class Identity(sql.Base, identity.Driver):
def delete_role(self, role_id):
session = self.get_session()
with session.begin():
+ metadata_refs = session.query(Metadata)
+ for metadata_ref in metadata_refs:
+ metadata = metadata_ref.to_dict()
+ user_id = metadata['user_id']
+ tenant_id = metadata['tenant_id']
+ try:
+ self.remove_role_from_user_and_tenant(user_id,
+ tenant_id,
+ role_id)
+ except exception.RoleNotFound:
+ pass
if not session.query(Role).filter_by(id=role_id).delete():
raise exception.RoleNotFound(role_id=role_id)
session.flush()
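Review bot: The cleanup loop runs before the existence check on the `filter_by(id=role_id).delete()` line, so a call with an unknown `role_id` reads every `Metadata` row and invokes the helper once per row before `RoleNotFound` is raised. Checking first, e.g. `if session.query(Role).filter_by(id=role_id).first() is None: raise exception.RoleNotFound(role_id=role_id)`, keeps that path cheap. It is also not visible here whether `remove_role_from_user_and_tenant` joins the transaction opened by `session.begin()`. If it uses its own session, the grant removals commit separately from the role delete, which deserves a comment. The body of delete_role continues past the end of the hunk.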
diff --git a/tests/test_backend.py b/tests/test_backend.py
index eb6fa671..696e125d 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -636,6 +636,16 @@ class IdentityTests(object):
self.identity_api.get_tenant,
tenant['id'])
+ def test_delete_role_check_role_grant(self):
+ role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.identity_api.create_role(role['id'], role)
+ self.identity_api.add_role_to_user_and_tenant(
+ self.user_foo['id'], self.tenant_bar['id'], role['id'])
+ self.identity_api.delete_role(role['id'])
+ roles_ref = self.identity_api.get_roles_for_user_and_tenant(
+ self.user_foo['id'], self.tenant_bar['id'])
+ self.assertNotIn(role['id'], roles_ref)
+
class TokenTests(object):
def test_token_crud(self):
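Review bot: The test grants and checks a single role, so it passes just as well against a backend that drops every grant when `delete_role` is called. Granting a second role to the same user and tenant and asserting `self.assertIn(other_role['id'], roles_ref)` after the delete would pin that only the deleted role's grant disappears. A one-line docstring such as `"""Deleting a role removes its grants and leaves other roles' grants intact."""` would state what the test guards.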