test/rgw/multisite: test error handling of forwarded iam:DeleteRole
authorCasey Bodley <cbodley@redhat.com>
Sun, 27 Apr 2025 16:44:40 +0000 (12:44 -0400)
committerCasey Bodley <cbodley@redhat.com>
Fri, 2 May 2025 13:33:42 +0000 (09:33 -0400)
DeleteRole's conflict handling happens after forwarding, so use
test_role_delete_sync() to test that forwarded 409 Conflict errors
preserve the DeleteConflict code and error message

without the fix to forward_iam_request_to_master(), DeleteRole instead
fails with:

> botocore.exceptions.ClientError: An error occurred (BucketNotEmpty) when calling the DeleteRole operation: None

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3e9faa4de0d210623f7482aa243384ed1eaf1350)

src/test/rgw/rgw_multi/tests.py

index 616a41f2992baec3e39f51fe3a79e5302f873799..150864c61c3b909d9aa8e76076078b3b8ef4c7ae 100644 (file)
@@ -2188,6 +2188,18 @@ def test_role_delete_sync():
         zone.iam_conn.get_role(RoleName=role_name)
         log.info(f'success, zone: {zone.name} has role: {role_name}')
 
+    # attach a role policy that prevents role deletion
+    policy_arn = 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
+    zonegroup_conns.master_zone.iam_conn.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
+
+    for zone in zonegroup_conns.zones:
+        e = assert_raises(zone.iam_conn.exceptions.DeleteConflictException,
+                          zone.iam_conn.delete_role, RoleName=role_name)
+        assert e.response['Error']['Code'] == 'DeleteConflict'
+        assert e.response['Error']['Message']
+
+    zonegroup_conns.master_zone.iam_conn.detach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
+
     log.info(f"deleting role: {role_name}")
     zonegroup_conns.master_zone.iam_conn.delete_role(RoleName=role_name)
     zonegroup_meta_checkpoint(zonegroup)
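Review bot: If either assertion inside the new `for zone in zonegroup_conns.zones:` loop fails, `detach_role_policy` never runs, so the role is left behind with the policy still attached and the `delete_role` on the master is skipped as well. Putting the loop under `try:` and moving `zonegroup_conns.master_zone.iam_conn.detach_role_policy(RoleName=role_name, PolicyArn=policy_arn)` into a `finally:` would stop a failed run from leaking IAM state into later tests, which presumably share the same cluster. The check `assert e.response['Error']['Message']` only proves the message is non-empty; since the commit is about preserving the forwarded 409, it is worth pinning the status too with `assert e.response['ResponseMetadata']['HTTPStatusCode'] == 409`. A short comment above the loop, such as `# secondary zones forward DeleteRole to the master, so no meta checkpoint is needed after the attach`, would record why the loop can run immediately; that reasoning is inferred from the commit message. test_role_delete_sync starts and ends outside this hunk.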