3 files changed, 13 insertions, 6 deletions

diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 7efc7ab5..95286a9f 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -97,8 +97,7 @@ class Identity(kvs.Base, identity.Driver):
         return self.db.get('metadata-%s-%s' % (tenant_id, user_id)) or {}
 
     def get_role(self, role_id):
-        role_ref = self.db.get('role-%s' % role_id)
-        return role_ref
+        return self.db.get('role-%s' % role_id)
 
     def list_users(self):
         user_ids = self.db.get('user_list', [])
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index 16cfb5fd..00dedcba 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
@@ -210,8 +210,7 @@ class Identity(sql.Base, identity.Driver):
 
     def get_role(self, role_id):
         session = self.get_session()
-        role_ref = session.query(Role).filter_by(id=role_id).first()
-        return role_ref
+        return session.query(Role).filter_by(id=role_id).first()
 
     def list_users(self):
         session = self.get_session()
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index a99671d6..f8af897f 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -425,7 +425,15 @@ class RoleController(wsgi.Application):
         """
         if tenant_id is None:
             raise exception.NotImplemented(message='User roles not supported: '
-                                                   'tenant_id required')
+                                                   'tenant ID required')
+
+        user = self.identity_api.get_user(context, user_id)
+        if user is None:
+            raise exception.UserNotFound(user_id=user_id)
+        tenant = self.identity_api.get_tenant(context, tenant_id)
+        if tenant is None:
+            raise exception.TenantNotFound(tenant_id=tenant_id)
+
         roles = self.identity_api.get_roles_for_user_and_tenant(
                 context, user_id, tenant_id)
         return {'roles': [self.identity_api.get_role(context, x)
@@ -449,7 +457,8 @@ class RoleController(wsgi.Application):
 
     def delete_role(self, context, role_id):
         self.assert_admin(context)
-        role_ref = self.identity_api.delete_role(context, role_id)
+        self.get_role(context, role_id)
+        self.identity_api.delete_role(context, role_id)
 
     def get_roles(self, context):
         self.assert_admin(context)