Description of problem:
Currently, python-openstackclient will preemptively check the existence of users and groups in ``openstack role remove --user|--group`` commands. If the user doesn't exist, the client will fail before calling keystone (DELETE /v3/projects/$project/users/$user/roles/$role) to revoke the role assignment. Keystone defers existence checks to make it easier to clean up role assignments with non-existent users from LDAP.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a user in LDAP (ipa user-add jsmith --first=jon --last=smith)
2. Verify the user is listed by keystone ``openstack user list --domain REDHAT``
3. Grant the user role assignments on a project ``openstack role add --user $user-id --project admin reader``
4. Remove the user from LDAP (ipa user-del jsmith)
5. List role assignments ``openstack role assignment list``
6. Verify the user still has role assignments in keystone even though they've been removed from LDAP
7. Attempt to remove the user's role assignments ``openstack role remove --user $user-id --project admin admin``

Actual results:
HTTP 404 Not Found when python-openstackclient attempts to find the user in keystone.

Expected results:
HTTP 204 No Content because keystone allows roles to be revoked on non-existent users.

Additional info:
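Added example, not part of the original report or of python-openstackclient: a sketch of how an operator could audit for the stale assignments left behind in step 6 and build the revoke path from the description for each one. It goes beyond the reported case by also covering groups and domain scope; the IDs and the JSON bodies are constructed, shaped like the responses of GET /v3/role_assignments, GET /v3/users and GET /v3/groups, and the function names are hypothetical.

```python
"""Find role assignments whose user or group is no longer known to keystone."""

# Constructed sample data (not from the report). USERS and GROUPS are assumed
# to cover every domain the assignments reference; a partial listing would
# flag live accounts as orphans.
ASSIGNMENTS = {"role_assignments": [
    {"role": {"id": "r-reader"}, "user": {"id": "u-jsmith"},
     "scope": {"project": {"id": "p-admin"}}},
    {"role": {"id": "r-admin"}, "user": {"id": "u-alice"},
     "scope": {"project": {"id": "p-admin"}}},
    {"role": {"id": "r-member"}, "group": {"id": "g-old"},
     "scope": {"domain": {"id": "d-redhat"}}},
]}
USERS = {"users": [{"id": "u-alice", "name": "alice"}]}  # jsmith removed from LDAP
GROUPS = {"groups": []}


def orphaned_assignments(assignments, users, groups):
    """Return assignments whose actor ID is absent from the user/group lists."""
    known = {"user": {u["id"] for u in users["users"]},
             "group": {g["id"] for g in groups["groups"]}}
    orphans = []
    for a in assignments["role_assignments"]:
        kind = "user" if "user" in a else "group"
        if a[kind]["id"] not in known[kind]:
            orphans.append(a)
    return orphans


def revoke_path(assignment):
    """Build the DELETE path for one assignment, in the form
    /v3/projects/$project/users/$user/roles/$role quoted in the description."""
    kind = "user" if "user" in assignment else "group"
    scope = assignment["scope"]
    if "project" in scope:
        target = f"projects/{scope['project']['id']}"
    elif "domain" in scope:
        target = f"domains/{scope['domain']['id']}"
    else:
        # Other scopes (for example system) are left out of this sketch.
        raise ValueError(f"unsupported scope: {sorted(scope)}")
    return (f"/v3/{target}/{kind}s/{assignment[kind]['id']}"
            f"/roles/{assignment['role']['id']}")


if __name__ == "__main__":
    for a in orphaned_assignments(ASSIGNMENTS, USERS, GROUPS):
        print("DELETE", revoke_path(a))
```
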
This can be closed together with https://bugzilla.redhat.com/show_bug.cgi?id=1947195 as that's a tracker for 16.2 too. Seems like 1756502 and 1947195 are the same - one is a duplicate of the other.