Comment 2 for bug 1714858

TommyLike (hu-husheng) wrote : Re: Some APIs doesn't check the owner policy

@Eric Harney, @Jeremy Stanley, I think this bug does not belong to a Public Security or even Security/Critical bug, as a non-administrator still cannot query a resource which isn't in his tenant.

This bug is more about whether we should make our policy enforcement system work exactly as what is defined. For instance:
we have our policy rule: admin_or_owner:
```
policy.RuleDefault('admin_or_owner',
                   'is_admin:True or (role:admin and '
                   'is_admin_project:True) or project_id:%(project_id)s',
                   description="Default rule for most non-Admin APIs."),
```
and enforce policy in code:
```
    def get_snapshot(self, context, snapshot_id):
        context.authorize(snapshot_policy.GET_POLICY)
        snapshot = objects.Snapshot.get_by_id(context, snapshot_id)
```
The problem is, when a non-administrator wants to query a resource which doesn't belong to his tenant, the authorize will always succeed and he will get a 404 rather than a 403.
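To make the behaviour described in the comment above concrete, here is an added example written for this page; it is not Cinder's or oslo.policy's code. It contains a small evaluator that mimics oslo.policy's rule grammar (simplified: string comparison instead of literal evaluation) and a stand-in Context whose authorize() defaults the target to the caller's own project_id, as Cinder's does. The snapshot data, the Context class, the http_status helper and the get_snapshot_with_target variant are constructed for illustration and are not Cinder APIs.

```python
"""Added example (not Cinder's or oslo.policy's code): a minimal rule
evaluator showing why authorize() with no target cannot reject a non-admin
under admin_or_owner, so a cross-tenant lookup ends in 404 rather than 403."""
import re

ADMIN_OR_OWNER = ('is_admin:True or (role:admin and is_admin_project:True) '
                  'or project_id:%(project_id)s')

# Tokens are parentheses or check terms; '%(key)s' placeholders stay whole.
_TOKEN_RE = re.compile(r'\(|\)|(?:%\([^)]*\)|[^\s()])+')

class PolicyNotAuthorized(Exception): """Surfaces as HTTP 403."""
class NotFound(Exception): """Surfaces as HTTP 404."""

def parse_rule(rule):
    """Parse an oslo.policy-style rule string; 'and' binds tighter than 'or'."""
    tokens = _TOKEN_RE.findall(rule)

    def parse(level=0):             # level 0: 'or', 1: 'and', 2: atom
        if level == 2:
            tok = tokens.pop(0)
            if tok == '(':
                node = parse(0)
                if tokens.pop(0) != ')':
                    raise ValueError('unbalanced parentheses in rule')
                return node
            key, sep, value = tok.partition(':')
            if not sep:
                raise ValueError('bad check term: %r' % tok)
            return ('check', key, value)
        op = ('or', 'and')[level]
        items = [parse(level + 1)]
        while tokens and tokens[0] == op:
            tokens.pop(0)
            items.append(parse(level + 1))
        return (op, items) if len(items) > 1 else items[0]

    tree = parse()
    if tokens:
        raise ValueError('trailing tokens in rule')
    return tree

def evaluate(node, creds, target):
    """Evaluate a parsed rule against the caller's creds and a target dict."""
    if node[0] in ('or', 'and'):
        combine = any if node[0] == 'or' else all
        return combine(evaluate(n, creds, target) for n in node[1])
    _, key, value = node
    if '%(' in value:
        try:
            value = value % target          # placeholders come from the target
        except KeyError:
            return False                    # a missing target key never matches
    if key == 'role':
        return value.lower() in [r.lower() for r in creds.get('roles', [])]
    return str(creds.get(key)) == value     # simplified GenericCheck comparison

class Context:
    """Simplified stand-in for cinder.context.RequestContext (hypothetical)."""
    def __init__(self, project_id, roles=(), is_admin=False, is_admin_project=False):
        self.project_id, self.roles = project_id, list(roles)
        self.is_admin, self.is_admin_project = is_admin, is_admin_project

    def authorize(self, rule, target=None):
        # As in cinder, a missing target defaults to the caller's own project_id,
        # so 'project_id:%(project_id)s' compares the caller's project with itself.
        if target is None:
            target = {'project_id': self.project_id}
        creds = {'project_id': self.project_id, 'roles': self.roles,
                 'is_admin': self.is_admin, 'is_admin_project': self.is_admin_project}
        if not evaluate(parse_rule(rule), creds, target):
            raise PolicyNotAuthorized(rule)

# Constructed sample data: one snapshot per tenant.
SNAPSHOTS = {'snap-a': {'project_id': 'proj-A'}, 'snap-b': {'project_id': 'proj-B'}}

def get_snapshot_as_in_bug(ctx, snapshot_id):
    """The pattern quoted above: authorize (always passes), then fetch."""
    ctx.authorize(ADMIN_OR_OWNER)
    snap = SNAPSHOTS.get(snapshot_id)
    # Snapshot.get_by_id scopes the lookup to the caller's tenant for non-admins.
    if snap is None or (not ctx.is_admin and snap['project_id'] != ctx.project_id):
        raise NotFound(snapshot_id)
    return snap

def get_snapshot_with_target(ctx, snapshot_id):
    """Hypothetical variant: enforce the rule against the resource's owner."""
    snap = SNAPSHOTS.get(snapshot_id)
    if snap is None:
        raise NotFound(snapshot_id)
    ctx.authorize(ADMIN_OR_OWNER, target={'project_id': snap['project_id']})
    return snap

def http_status(func, ctx, snapshot_id):
    try:
        func(ctx, snapshot_id)
        return 200
    except PolicyNotAuthorized:
        return 403
    except NotFound:
        return 404
```

Running `http_status(get_snapshot_as_in_bug, Context('proj-A', roles=['member']), 'snap-b')` gives 404 and `http_status(get_snapshot_with_target, ...)` on the same call gives 403. The second variant enforces the rule as it is written, but a 403 also confirms to the other tenant that the snapshot ID exists, which the 404 does not; that is the trade-off the two variants make visible.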