rgw/iam: fix role deletion replication

Signed-off-by: Alex Wojno <awojno@bloomberg.net>

4 files changed, 49 insertions, 0 deletions

diff --git a/src/test/rgw/rgw_multi/tests.py b/src/test/rgw/rgw_multi/tests.py
index 156fac12e7f..c720423e923 100644
--- a/src/test/rgw/rgw_multi/tests.py
+++ b/src/test/rgw/rgw_multi/tests.py
@@ -1705,6 +1705,30 @@ def test_role_sync():
 
             check_role_eq(source_conn, target_conn, role)
 
+def test_role_delete_sync():
+    zonegroup = realm.master_zonegroup()
+    zonegroup_conns = ZonegroupConns(zonegroup)
+    role_name = gen_role_name()
+    log.info('create role zone=%s name=%s', zonegroup_conns.master_zone.name, role_name)
+    zonegroup_conns.master_zone.create_role("", role_name, None, "")
+
+    zonegroup_meta_checkpoint(zonegroup)
+
+    for zone in zonegroup_conns.zones:
+        log.info(f'checking if zone: {zone.name} has role: {role_name}')
+        assert(zone.has_role(role_name))
+        log.info(f'success, zone: {zone.name} has role: {role_name}')
+
+    log.info(f"deleting role: {role_name}")
+    zonegroup_conns.master_zone.delete_role(role_name)
+    zonegroup_meta_checkpoint(zonegroup)
+
+    for zone in zonegroup_conns.zones:
+        log.info(f'checking if zone: {zone.name} does not have role: {role_name}')
+        assert(not zone.has_role(role_name))
+        log.info(f'success, zone: {zone.name} does not have role: {role_name}')
+
+
 @attr('data_sync_init')
 def test_bucket_full_sync_after_data_sync_init():
     zonegroup = realm.master_zonegroup()
diff --git a/src/test/rgw/rgw_multi/zone_cloud.py b/src/test/rgw/rgw_multi/zone_cloud.py
index dd5640cf271..7c94aaa8a60 100644
--- a/src/test/rgw/rgw_multi/zone_cloud.py
+++ b/src/test/rgw/rgw_multi/zone_cloud.py
@@ -304,6 +304,12 @@ class CloudZone(Zone):
         def create_role(self, path, rolename, policy_document, tag_list):
             assert False
 
+        def delete_role(self, role_name):
+            assert False
+
+        def has_role(self, role_name):
+            assert False
+
     def get_conn(self, credentials):
         return self.Conn(self, credentials)
 
diff --git a/src/test/rgw/rgw_multi/zone_es.py b/src/test/rgw/rgw_multi/zone_es.py
index e98b3fdd8fa..84628b775d1 100644
--- a/src/test/rgw/rgw_multi/zone_es.py
+++ b/src/test/rgw/rgw_multi/zone_es.py
@@ -246,6 +246,12 @@ class ESZone(Zone):
         def create_role(self, path, rolename, policy_document, tag_list):
             assert False
 
+        def delete_role(self, role_name):
+            assert False
+
+        def has_role(self, role_name):
+            assert False
+
     def get_conn(self, credentials):
         return self.Conn(self, credentials)
 
diff --git a/src/test/rgw/rgw_multi/zone_rados.py b/src/test/rgw/rgw_multi/zone_rados.py
index ac4edd004d6..7b7fe5228cb 100644
--- a/src/test/rgw/rgw_multi/zone_rados.py
+++ b/src/test/rgw/rgw_multi/zone_rados.py
@@ -1,5 +1,6 @@
 import logging
 from boto.s3.deletemarker import DeleteMarker
+from boto.exception import BotoServerError
 
 from itertools import zip_longest  # type: ignore
 
@@ -127,8 +128,20 @@ class RadosZone(Zone):
             return True
 
         def create_role(self, path, rolename, policy_document, tag_list):
+            if policy_document is None:
+                policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/testuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
             return self.iam_conn.create_role(rolename, policy_document, path)
 
+        def delete_role(self, role_name):
+            return self.iam_conn.delete_role(role_name)
+
+        def has_role(self, role_name):
+            try:
+                self.get_role(role_name)
+            except BotoServerError:
+                return False
+            return True
+
     def get_conn(self, credentials):
         return self.Conn(self, credentials)