Policy definition (policy.json) is not honored for admin tenant

For example, in the following code from designate/central/service.py.

Line number 2 (get_domain) will return no domain for 'admin' tenant, as the current
tenant_id in the 'context' is admin tenant id, but the domain might be owned by some other
tenant who might not be an admin.

================================================================================
1.def create_recordset(self, context, domain_id, values):

2. domain = self.storage_api.get_domain(context, domain_id)

 3. target = {
            'domain_id': domain_id,
            'domain_name': domain['name'],
            'recordset_name': values['name'],
            'tenant_id': domain['tenant_id'],
           }

4. policy.check('create_recordset', context, target)

......
=================================================================

The 'X-Auth-All-Projects' flag needs to be passed to the API to be able to do this.
https://github.com/openstack/designate/blob/master/designate/api/middleware.py#L74

This should be documented, we will make that happen.

Ok. May be I was unclear with my description.
'admin' tenant is not able list the domains crreated by other tenants though the policy is defined properly. I am using python-designateclient.

I do not understand why the user has to pass another header 'X-Auth-All-Projects'. Designate must be able to identify the calling user as admin (if he is an admin) and act accordingly, without any headers.

This is an issue in the client instead of designate itself.

Designate will always restrict the viewing of domains to the current tenant (or the tenant specified in the X-Auth-Sudo-Tenant-ID header).

We should provide a way to pass the ''"X-Auth-All-Tenants" header to designate from the client.

Fix proposed to branch: master
Review: https://review.openstack.org/160397

Reviewed: https://review.openstack.org/160397
Committed: https://git.openstack.org/cgit/openstack/python-designateclient/commit/?id=debf39a62981b3a5ad6eaf745c73f90af4971a67
Submitter: Jenkins
Branch: master

commit debf39a62981b3a5ad6eaf745c73f90af4971a67
Author: Satyanarayana Patibandla <email address hidden>
Date: Mon Feb 23 20:41:22 2015 +0530

    Added extra previllege to list all domains from all tenants

    The user has to use the command "designate --all-tenants domain-list" to list all domains from all tenants.
    When the above command is used "X-Auth-All-Projects" value is set to true and it is passed as a header to
    designate.This will allow us to list all domains from all tenants.

    Change-Id: I4cd4dd5427f5f35cdec95dbdf36c7386b60a2949
    Fixes: bug #1418156

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/190112

Reviewed: https://review.openstack.org/190112
Committed: https://git.openstack.org/cgit/openstack/python-designateclient/commit/?id=eba7c2e58472638c5675f4b7dac95415daf23ec8
Submitter: Jenkins
Branch: stable/kilo

commit eba7c2e58472638c5675f4b7dac95415daf23ec8
Author: Satyanarayana Patibandla <email address hidden>
Date: Mon Feb 23 20:41:22 2015 +0530

    Added extra previllege to list all domains from all tenants

    The user has to use the command "designate --all-tenants domain-list" to list all domains from all tenants.
    When the above command is used "X-Auth-All-Projects" value is set to true and it is passed as a header to
    designate.This will allow us to list all domains from all tenants.

    Change-Id: I4cd4dd5427f5f35cdec95dbdf36c7386b60a2949
    Fixes: bug #1418156