From: Salvatore Orlando <salv.orlando@gmail.com>
Date: Wed, 28 Aug 2013 07:32:31 +0000 (-0700)
Subject: Allow for skipping admin roles loading on context creation
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=a8b619dd611fb68167332fa7373bbd3fe578ecde;p=openstack-build%2Fneutron-build.git

Allow for skipping admin roles loading on context creation

Bug 1216866

There are cases in which an admin context is created only to grab a db
session and ensure no tenant filters are applied in _model_query. In
these cases evaluating the policy engine for grabbing admin roles is not
necessary, and can cause unexpected and serious issues if the context is
grabbed before all the extensions are loaded.

Change-Id: I0cbf4b51ca1286373c16eb907840a32f4b8190c6
---

diff --git a/neutron/context.py b/neutron/context.py
index 9a7bf777a..f55022079 100644
--- a/neutron/context.py
+++ b/neutron/context.py
@@ -38,7 +38,7 @@ class ContextBase(common_context.RequestContext):
     """
 
     def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no",
-                 roles=None, timestamp=None, **kwargs):
+                 roles=None, timestamp=None, load_admin_roles=True, **kwargs):
         """Object initialization.
 
         :param read_deleted: 'no' indicates deleted records are hidden, 'yes'
@@ -58,11 +58,8 @@ class ContextBase(common_context.RequestContext):
         self.roles = roles or []
         if self.is_admin is None:
             self.is_admin = policy.check_is_admin(self)
-        elif self.is_admin:
+        elif self.is_admin and load_admin_roles:
             # Ensure context is populated with admin roles
-            # TODO(salvatore-orlando): It should not be necessary
-            # to populate roles in artificially-generated contexts
-            # address in bp/make-authz-orthogonal
             admin_roles = policy.get_admin_roles()
             if admin_roles:
                 self.roles = list(set(self.roles) | set(admin_roles))
@@ -137,11 +134,12 @@ class Context(ContextBase):
         return self._session
 
 
-def get_admin_context(read_deleted="no"):
+def get_admin_context(read_deleted="no", load_admin_roles=True):
     return Context(user_id=None,
                    tenant_id=None,
                    is_admin=True,
-                   read_deleted=read_deleted)
+                   read_deleted=read_deleted,
+                   load_admin_roles=load_admin_roles)
 
 
 def get_admin_context_without_session(read_deleted="no"):
diff --git a/neutron/tests/unit/test_neutron_context.py b/neutron/tests/unit/test_neutron_context.py
index f68d4c979..74c656f3f 100644
--- a/neutron/tests/unit/test_neutron_context.py
+++ b/neutron/tests/unit/test_neutron_context.py
@@ -30,6 +30,8 @@ class TestNeutronContext(base.BaseTestCase):
         self.db_api_session = self._db_api_session_patcher.start()
         self.addCleanup(self._db_api_session_patcher.stop)
 
+    # TODO(salv-orlando): Remove camelcase for test names in this module
+
     def testNeutronContextCreate(self):
         cxt = context.Context('user_id', 'tenant_id')
         self.assertEqual('user_id', cxt.user_id)
@@ -62,3 +64,11 @@ class TestNeutronContext(base.BaseTestCase):
         else:
             self.assertFalse(True, 'without_session admin context'
                                    'should has no session property!')
+
+    def test_neutron_context_with_load_roles_true(self):
+        ctx = context.get_admin_context()
+        self.assertIn('admin', ctx.roles)
+
+    def test_neutron_context_with_load_roles_false(self):
+        ctx = context.get_admin_context(load_admin_roles=False)
+        self.assertFalse(ctx.roles)