From: Casey Bodley Date: Sun, 27 Apr 2025 16:44:40 +0000 (-0400) Subject: test/rgw/multisite: test error handling of forwarded iam:DeleteRole X-Git-Tag: testing/wip-khiremat-testing-20250607.065055-tentacle-debug~46^2~1 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=5fcf10087b1ea9216c50956c3cfbfe91388795a5;p=ceph-ci.git test/rgw/multisite: test error handling of forwarded iam:DeleteRole DeleteRole's conflict handling happens after forwarding, so use test_role_delete_sync() to test that forwarded 409 Conflict errors preserve the DeleteConflict code and error message without the fix to forward_iam_request_to_master(), DeleteRole instead fails with: > botocore.exceptions.ClientError: An error occurred (BucketNotEmpty) when calling the DeleteRole operation: None Signed-off-by: Casey Bodley (cherry picked from commit 3e9faa4de0d210623f7482aa243384ed1eaf1350) --- diff --git a/src/test/rgw/rgw_multi/tests.py b/src/test/rgw/rgw_multi/tests.py index 616a41f2992..150864c61c3 100644 --- a/src/test/rgw/rgw_multi/tests.py +++ b/src/test/rgw/rgw_multi/tests.py @@ -2188,6 +2188,18 @@ def test_role_delete_sync(): zone.iam_conn.get_role(RoleName=role_name) log.info(f'success, zone: {zone.name} has role: {role_name}') + # attach a role policy that prevents role deletion + policy_arn = 'arn:aws:iam::aws:policy/AmazonS3FullAccess' + zonegroup_conns.master_zone.iam_conn.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn) + + for zone in zonegroup_conns.zones: + e = assert_raises(zone.iam_conn.exceptions.DeleteConflictException, + zone.iam_conn.delete_role, RoleName=role_name) + assert e.response['Error']['Code'] == 'DeleteConflict' + assert e.response['Error']['Message'] + + zonegroup_conns.master_zone.iam_conn.detach_role_policy(RoleName=role_name, PolicyArn=policy_arn) + log.info(f"deleting role: {role_name}") zonegroup_conns.master_zone.iam_conn.delete_role(RoleName=role_name) zonegroup_meta_checkpoint(zonegroup)