Allow for skipping admin roles loading on context creation
Bug 1216866 There are cases in which an admin context is created only to grab a db session and ensure no tenant filters are applied in _model_query. In these cases evaluating the policy engine for grabbing admin roles is not necessary, and can cause unexpected and serious issues if the context is grabbed before all the extensions are loaded. Change-Id: I0cbf4b51ca1286373c16eb907840a32f4b8190c6
parent
69753b9d1d
commit
8f645a505f
@ -38,7 +38,7 @@ class ContextBase(common_context.RequestContext):
|
||||
"""
|
||||
|
||||
def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no",
|
||||
roles=None, timestamp=None, **kwargs):
|
||||
roles=None, timestamp=None, load_admin_roles=True, **kwargs):
|
||||
"""Object initialization.
|
||||
|
||||
:param read_deleted: 'no' indicates deleted records are hidden, 'yes'
|
||||
@ -58,11 +58,8 @@ class ContextBase(common_context.RequestContext):
|
||||
self.roles = roles or []
|
||||
if self.is_admin is None:
|
||||
self.is_admin = policy.check_is_admin(self)
|
||||
elif self.is_admin:
|
||||
elif self.is_admin and load_admin_roles:
|
||||
# Ensure context is populated with admin roles
|
||||
# TODO(salvatore-orlando): It should not be necessary
|
||||
# to populate roles in artificially-generated contexts
|
||||
# address in bp/make-authz-orthogonal
|
||||
admin_roles = policy.get_admin_roles()
|
||||
if admin_roles:
|
||||
self.roles = list(set(self.roles) | set(admin_roles))
|
||||
@ -137,11 +134,12 @@ class Context(ContextBase):
|
||||
return self._session
|
||||
|
||||
|
||||
def get_admin_context(read_deleted="no"):
|
||||
def get_admin_context(read_deleted="no", load_admin_roles=True):
|
||||
return Context(user_id=None,
|
||||
tenant_id=None,
|
||||
is_admin=True,
|
||||
read_deleted=read_deleted)
|
||||
read_deleted=read_deleted,
|
||||
load_admin_roles=load_admin_roles)
|
||||
|
||||
|
||||
def get_admin_context_without_session(read_deleted="no"):
|
||||
|
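Review bot: With `load_admin_roles=False`, the `elif self.is_admin and load_admin_roles:` branch leaves a context that has `is_admin=True` but an empty `roles` list, and nothing visible in the hunk documents that this combination is meant only for obtaining a DB session. Such a context still skips tenant filtering, while a policy rule that matches on roles rather than on `is_admin` would evaluate it differently, so it should not be passed to policy enforcement or serialized to another service. I would add to the `__init__` docstring `:param load_admin_roles: if False, skip the policy-engine lookup of admin roles; the context keeps is_admin=True with no roles and must only be used for DB access` (the docstring continues outside the hunk, so this may already be covered there). `get_admin_context_without_session` keeps its old signature and its body is outside the hunk; if it also builds an `is_admin=True` context, it presumably still reaches `policy.get_admin_roles()` during early loading.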
@ -30,6 +30,8 @@ class TestNeutronContext(base.BaseTestCase):
|
||||
self.db_api_session = self._db_api_session_patcher.start()
|
||||
self.addCleanup(self._db_api_session_patcher.stop)
|
||||
|
||||
# TODO(salv-orlando): Remove camelcase for test names in this module
|
||||
|
||||
def testNeutronContextCreate(self):
|
||||
cxt = context.Context('user_id', 'tenant_id')
|
||||
self.assertEqual('user_id', cxt.user_id)
|
||||
@ -62,3 +64,11 @@ class TestNeutronContext(base.BaseTestCase):
|
||||
else:
|
||||
self.assertFalse(True, 'without_session admin context'
|
||||
'should has no session property!')
|
||||
|
||||
def test_neutron_context_with_load_roles_true(self):
|
||||
ctx = context.get_admin_context()
|
||||
self.assertIn('admin', ctx.roles)
|
||||
|
||||
def test_neutron_context_with_load_roles_false(self):
|
||||
ctx = context.get_admin_context(load_admin_roles=False)
|
||||
self.assertFalse(ctx.roles)
|
||||
|
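Review bot: `test_neutron_context_with_load_roles_false` only checks that `ctx.roles` is empty, which shows neither that the policy engine was left untouched nor that the context is still an admin one. Since the stated purpose is to avoid evaluating policy during context creation, the test would be stronger if it patched `policy.get_admin_roles`, asserted it was not called, and added `self.assertTrue(ctx.is_admin)`. `test_neutron_context_with_load_roles_true` asserts `'admin'` in `ctx.roles`, which appears to depend on the policy rules loaded in the test environment; a short comment naming that dependency would help.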