Allow for skipping admin roles loading on context creation
authorSalvatore Orlando <salv.orlando@gmail.com>
Wed, 28 Aug 2013 07:32:31 +0000 (00:32 -0700)
committerEugene Nikanorov <enikanorov@mirantis.com>
Wed, 28 Aug 2013 10:06:43 +0000 (14:06 +0400)
Bug 1216866

There are cases in which an admin context is created only to grab a db
session and ensure no tenant filters are applied in _model_query. In
these cases evaluating the policy engine for grabbing admin roles is not
necessary, and can cause unexpected and serious issues if the context is
grabbed before all the extensions are loaded.

Change-Id: I0cbf4b51ca1286373c16eb907840a32f4b8190c6

neutron/context.py
neutron/tests/unit/test_neutron_context.py

index 9a7bf777ab2201694e178d559698346e4a7ef297..f55022079299c4a74962ceeca9119549a546fe96 100644 (file)
@@ -38,7 +38,7 @@ class ContextBase(common_context.RequestContext):
     """
 
     def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no",
-                 roles=None, timestamp=None, **kwargs):
+                 roles=None, timestamp=None, load_admin_roles=True, **kwargs):
         """Object initialization.
 
         :param read_deleted: 'no' indicates deleted records are hidden, 'yes'
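Review bot: The new `load_admin_roles` keyword is not described in the `__init__` docstring, which already documents `read_deleted` just below the signature. Add an entry such as `:param load_admin_roles: when False, an is_admin=True context is built without asking the policy engine for admin roles; self.roles keeps only the roles passed in.` The docstring continues past the end of this hunk, so the exact placement has to be checked against the full file.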
@@ -58,11 +58,8 @@ class ContextBase(common_context.RequestContext):
         self.roles = roles or []
         if self.is_admin is None:
             self.is_admin = policy.check_is_admin(self)
-        elif self.is_admin:
+        elif self.is_admin and load_admin_roles:
             # Ensure context is populated with admin roles
-            # TODO(salvatore-orlando): It should not be necessary
-            # to populate roles in artificially-generated contexts
-            # address in bp/make-authz-orthogonal
             admin_roles = policy.get_admin_roles()
             if admin_roles:
                 self.roles = list(set(self.roles) | set(admin_roles))
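Review bot: With `load_admin_roles=False`, the branch at `elif self.is_admin and load_admin_roles:` leaves a context with `is_admin=True` but none of the admin roles, and nothing on the object records that state. A later authorization decision that evaluates role-based policy rules against such a context can disagree with one based on `is_admin`. A comment above the branch would make the contract explicit, e.g. `# load_admin_roles=False: DB-only admin context; roles stay as passed and must not be relied on for policy checks`. The `is_admin is None` path still calls `policy.check_is_admin(self)` regardless of the flag, so only explicitly-admin contexts avoid the policy engine. `__init__` starts and ends outside this hunk.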
@@ -137,11 +134,12 @@ class Context(ContextBase):
         return self._session
 
 
-def get_admin_context(read_deleted="no"):
+def get_admin_context(read_deleted="no", load_admin_roles=True):
     return Context(user_id=None,
                    tenant_id=None,
                    is_admin=True,
-                   read_deleted=read_deleted)
+                   read_deleted=read_deleted,
+                   load_admin_roles=load_admin_roles)
 
 
 def get_admin_context_without_session(read_deleted="no"):
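Review bot: `get_admin_context` has no docstring, and the new `load_admin_roles=False` mode needs one because it returns a context whose `is_admin` is True while `roles` may be empty. Something like `"""Return an admin context; pass load_admin_roles=False when it is only used to obtain an unfiltered DB session."""` would state the intended use. `get_admin_context_without_session`, whose signature is visible at the end of the hunk, does not get the same parameter. Its body is outside the hunk, so it should be confirmed whether it still consults the policy engine for admin roles at creation time.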
index f68d4c97977af941295742dd54cc26cc19f3fbca..74c656f3fe75b27d523515ab46eef122820c8184 100644 (file)
@@ -30,6 +30,8 @@ class TestNeutronContext(base.BaseTestCase):
         self.db_api_session = self._db_api_session_patcher.start()
         self.addCleanup(self._db_api_session_patcher.stop)
 
+    # TODO(salv-orlando): Remove camelcase for test names in this module
+
     def testNeutronContextCreate(self):
         cxt = context.Context('user_id', 'tenant_id')
         self.assertEqual('user_id', cxt.user_id)
@@ -62,3 +64,11 @@ class TestNeutronContext(base.BaseTestCase):
         else:
             self.assertFalse(True, 'without_session admin context'
                                    'should has no session property!')
+
+    def test_neutron_context_with_load_roles_true(self):
+        ctx = context.get_admin_context()
+        self.assertIn('admin', ctx.roles)
+
+    def test_neutron_context_with_load_roles_false(self):
+        ctx = context.get_admin_context(load_admin_roles=False)
+        self.assertFalse(ctx.roles)
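Review bot: `test_neutron_context_with_load_roles_false` only checks that `ctx.roles` is empty, not that the context is still admin or that the policy engine was actually skipped, which is the behaviour the commit message relies on. Adding `self.assertTrue(ctx.is_admin)` pins the first; patching `policy.get_admin_roles` and asserting it was not called would pin the second. The `assertIn('admin', ctx.roles)` in the companion test presumably depends on the policy configuration loaded by the test base class defining an `admin` role, and a short comment saying so would help.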