diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 83b1798e26..a0704f1216 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -457,6 +457,7 @@ def get_user_roles(self, context, user_id, tenant_id=None):
         not implementing them in hopes that the idea will die off.
 
         """
+        self.assert_admin(context)
         if tenant_id is None:
             raise exception.NotImplemented(message='User roles not supported: '
                                                    'tenant ID required')
diff --git a/tests/test_content_types.py b/tests/test_content_types.py
index df73dff6f3..49550848cf 100644
--- a/tests/test_content_types.py
+++ b/tests/test_content_types.py
@@ -587,6 +587,17 @@ def test_service_crud_requires_auth(self):
                                expected_status=401)
         self.assertValidErrorResponse(r)
 
+    def test_user_role_list_requires_auth(self):
+        """User role list should 401 without an X-Auth-Token (bug 1006815)."""
+        # values here don't matter because we should 401 before they're checked
+        path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % {
+                'tenant_id': uuid.uuid4().hex,
+                'user_id': uuid.uuid4().hex,
+        }
+
+        r = self.admin_request(path=path, expected_status=401)
+        self.assertValidErrorResponse(r)
+
 
 class XmlTestCase(RestfulTestCase, CoreApiTests):
     xmlns = 'http://docs.openstack.org/identity/api/v2.0'