Return properly elevated context by get_admin_context() helper

In neutron_lib.context module there are two simple helper functions: get_admin_context and get_admin_context_without_session. Both returned Context object with is_admin=True but without admin role set and due to that it wasn't proper admin context when new secure RBAC policies are used. With this patch both those helper functions returns properly elevated Context object with admin role set. Closes-Bug: #2015987 Change-Id: Ibde6acdb99555a6e43ca253523df7cbe4d150787
2023-04-12 12:02:49 +02:00 · 2023-04-12 12:02:49 +02:00 · 09af59caa9
parent c5413d56b6
commit 09af59caa9
2 changed files with 10 additions and 4 deletions
--- a/neutron_lib/context.py
+++ b/neutron_lib/context.py
@ -176,13 +176,17 @@ class Context(ContextBaseWithSession):


 def get_admin_context():
+    # NOTE(slaweq): elevated() method will set is_admin=True but setting it
+    # explicity here will avoid checking in policy rules if is_admin should be
+    # set to True or not
    return Context(user_id=None,
                   tenant_id=None,
                   is_admin=True,
-                   overwrite=False)
+                   overwrite=False).elevated()


 def get_admin_context_without_session():
-    return ContextBase(user_id=None,
-                       tenant_id=None,
-                       is_admin=True)
+    # NOTE(slaweq): elevated() method will set is_admin=True but setting it
+    # explicity here will avoid checking in policy rules if is_admin should be
+    # set to True or not
+    return ContextBase(user_id=None, tenant_id=None, is_admin=True).elevated()
--- a/neutron_lib/tests/unit/test_context.py
+++ b/neutron_lib/tests/unit/test_context.py
@ -143,6 +143,7 @@ class TestNeutronContext(_base.BaseTestCase):
        self.assertIsNone(ctx_dict['tenant_id'])
        self.assertIsNone(ctx_dict['auth_token'])
        self.assertTrue(ctx_dict['is_admin'])
+        self.assertIn('admin', ctx_dict['roles'])
        self.assertIsNotNone(ctx.session)
        self.assertNotIn('session', ctx_dict)

@ -152,6 +153,7 @@ class TestNeutronContext(_base.BaseTestCase):
        self.assertIsNone(ctx_dict['user_id'])
        self.assertIsNone(ctx_dict['tenant_id'])
        self.assertIsNone(ctx_dict['auth_token'])
+        self.assertIn('admin', ctx_dict['roles'])
        self.assertFalse(hasattr(ctx, 'session'))

    def test_neutron_context_elevated_retains_request_id(self):