From 8f645a505fa1ae60863c5f8b99096e7ed7c5351b Mon Sep 17 00:00:00 2001 From: Salvatore Orlando Date: Wed, 28 Aug 2013 00:32:31 -0700 Subject: [PATCH] Allow for skipping admin roles loading on context creation Bug 1216866 There are cases in which an admin context is created only to grab a db session and ensure no tenant filters are applied in _model_query. In these cases evaluating the policy engine for grabbing admin roles is not necessary, and can cause unexpected and serious issues if the context is grabbed before all the extensions are loaded. Change-Id: I0cbf4b51ca1286373c16eb907840a32f4b8190c6 --- neutron/context.py | 12 +++++------- neutron/tests/unit/test_neutron_context.py | 10 ++++++++++ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/neutron/context.py b/neutron/context.py index 9a7bf777ab..f550220792 100644 --- a/neutron/context.py +++ b/neutron/context.py @@ -38,7 +38,7 @@ class ContextBase(common_context.RequestContext): """ def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no", - roles=None, timestamp=None, **kwargs): + roles=None, timestamp=None, load_admin_roles=True, **kwargs): """Object initialization. :param read_deleted: 'no' indicates deleted records are hidden, 'yes' @@ -58,11 +58,8 @@ class ContextBase(common_context.RequestContext): self.roles = roles or [] if self.is_admin is None: self.is_admin = policy.check_is_admin(self) - elif self.is_admin: + elif self.is_admin and load_admin_roles: # Ensure context is populated with admin roles - # TODO(salvatore-orlando): It should not be necessary - # to populate roles in artificially-generated contexts - # address in bp/make-authz-orthogonal admin_roles = policy.get_admin_roles() if admin_roles: self.roles = list(set(self.roles) | set(admin_roles)) @@ -137,11 +134,12 @@ class Context(ContextBase): return self._session -def get_admin_context(read_deleted="no"): +def get_admin_context(read_deleted="no", load_admin_roles=True): return Context(user_id=None, tenant_id=None, is_admin=True, - read_deleted=read_deleted) + read_deleted=read_deleted, + load_admin_roles=load_admin_roles) def get_admin_context_without_session(read_deleted="no"): diff --git a/neutron/tests/unit/test_neutron_context.py b/neutron/tests/unit/test_neutron_context.py index f68d4c9797..74c656f3fe 100644 --- a/neutron/tests/unit/test_neutron_context.py +++ b/neutron/tests/unit/test_neutron_context.py @@ -30,6 +30,8 @@ class TestNeutronContext(base.BaseTestCase): self.db_api_session = self._db_api_session_patcher.start() self.addCleanup(self._db_api_session_patcher.stop) + # TODO(salv-orlando): Remove camelcase for test names in this module + def testNeutronContextCreate(self): cxt = context.Context('user_id', 'tenant_id') self.assertEqual('user_id', cxt.user_id) @@ -62,3 +64,11 @@ class TestNeutronContext(base.BaseTestCase): else: self.assertFalse(True, 'without_session admin context' 'should has no session property!') + + def test_neutron_context_with_load_roles_true(self): + ctx = context.get_admin_context() + self.assertIn('admin', ctx.roles) + + def test_neutron_context_with_load_roles_false(self): + ctx = context.get_admin_context(load_admin_roles=False) + self.assertFalse(ctx.roles)