Remove tenant membership during user deletion

Remove users' tenant membership on user deletion.  Resolves a FK constraint
issue that previously went unnoticed due to testing against database
configurations that do not support FK constraints (MyISAM).

Fixes LP bug 959294.

Update: * Move tenant membership cleanup to the sql identity backend
        * Add a test case to test_backend_sql

Change-Id: Ib4f5da03033f7886b36d1ab3b8b4ac37f08b2e0e

keystone/identity/backends/sql.py

@@ -327,7 +327,15 @@ def update_user(self, user_id, user):
     def delete_user(self, user_id):
         session = self.get_session()
         user_ref = session.query(User).filter_by(id=user_id).first()
+        membership_refs = session.query(UserTenantMembership)\
+                          .filter_by(user_id=user_id)\
+                          .all()
+
         with session.begin():
+            if membership_refs:
+                for membership_ref in membership_refs:
+                    session.delete(membership_ref)
+
             session.delete(user_ref)
             session.flush()
 

tests/test_backend_sql.py

@@ -37,6 +37,17 @@ def setUp(self):
         self.identity_api = identity_sql.Identity()
         self.load_fixtures(default_fixtures)
 
+    def test_delete_user_with_tenant_association(self):
+        user = {'id': 'fake',
+                'name': 'fakeuser',
+                'password': 'passwd'}
+        self.identity_api.create_user('fake', user)
+        self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
+                                             user['id'])
+        self.identity_api.delete_user(user['id'])
+        tenants = self.identity_api.get_tenants_for_user(user['id'])
+        self.assertEquals(tenants, [])
+
 
 class SqlToken(test.TestCase, test_backend.TokenTests):
     def setUp(self):