Allow for skipping admin roles loading on context creation

Bug 1216866

There are cases in which an admin context is created only to grab a db
session and ensure no tenant filters are applied in _model_query. In
these cases evaluating the policy engine for grabbing admin roles is not
necessary, and can cause unexpected and serious issues if the context is
grabbed before all the extensions are loaded.

Change-Id: I0cbf4b51ca1286373c16eb907840a32f4b8190c6

neutron/context.py

@@ -38,7 +38,7 @@ class ContextBase(common_context.RequestContext):
     """
 
     def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no",
-                 roles=None, timestamp=None, **kwargs):
+                 roles=None, timestamp=None, load_admin_roles=True, **kwargs):
         """Object initialization.
 
         :param read_deleted: 'no' indicates deleted records are hidden, 'yes'
@@ -58,11 +58,8 @@ class ContextBase(common_context.RequestContext):
         self.roles = roles or []
         if self.is_admin is None:
             self.is_admin = policy.check_is_admin(self)
-        elif self.is_admin:
+        elif self.is_admin and load_admin_roles:
             # Ensure context is populated with admin roles
-            # TODO(salvatore-orlando): It should not be necessary
-            # to populate roles in artificially-generated contexts
-            # address in bp/make-authz-orthogonal
             admin_roles = policy.get_admin_roles()
             if admin_roles:
                 self.roles = list(set(self.roles) | set(admin_roles))
@@ -137,11 +134,12 @@ class Context(ContextBase):
         return self._session
 
 
-def get_admin_context(read_deleted="no"):
+def get_admin_context(read_deleted="no", load_admin_roles=True):
     return Context(user_id=None,
                    tenant_id=None,
                    is_admin=True,
-                   read_deleted=read_deleted)
+                   read_deleted=read_deleted,
+                   load_admin_roles=load_admin_roles)
 
 
 def get_admin_context_without_session(read_deleted="no"):

neutron/tests/unit/test_neutron_context.py

@@ -30,6 +30,8 @@ class TestNeutronContext(base.BaseTestCase):
         self.db_api_session = self._db_api_session_patcher.start()
         self.addCleanup(self._db_api_session_patcher.stop)
 
+    # TODO(salv-orlando): Remove camelcase for test names in this module
+
     def testNeutronContextCreate(self):
         cxt = context.Context('user_id', 'tenant_id')
         self.assertEqual('user_id', cxt.user_id)
@@ -62,3 +64,11 @@ class TestNeutronContext(base.BaseTestCase):
         else:
             self.assertFalse(True, 'without_session admin context'
                                    'should has no session property!')
+
+    def test_neutron_context_with_load_roles_true(self):
+        ctx = context.get_admin_context()
+        self.assertIn('admin', ctx.roles)
+
+    def test_neutron_context_with_load_roles_false(self):
+        ctx = context.get_admin_context(load_admin_roles=False)
+        self.assertFalse(ctx.roles)