[cern] Allow OS magnum admin to get cluster certificate

Closes: https://gitlab.cern.ch/kubernetes/project/-/issues/153 Change-Id: Ibc02c96e94be33e4329fc71a382d3bb1e953f96b

magnum/api/controllers/v1/certificate.py

@@ -142,6 +142,10 @@ class CertificateController(base.Controller):
         logical name of the cluster.
         """
         context = pecan.request.context
+        if context.is_admin:
+            policy.enforce(context, "certificate:get_one_all_projects",
+                           action="certificate:get_one_all_projects")
+            context.all_tenants = True
         cluster = api_utils.get_resource('Cluster', cluster_ident)
         policy.enforce(context, 'certificate:get', cluster.as_dict(),
                        action='certificate:get')
@@ -170,6 +174,10 @@ class CertificateController(base.Controller):
     @expose.expose(None, types.uuid_or_name, status_code=202)
     def patch(self, cluster_ident):
         context = pecan.request.context
+        if context.is_admin:
+            policy.enforce(context, "certificate:rotate_one_ca_all_projects",
+                           action="certificate:rotate_one_ca_all_projects")
+            context.all_tenants = True
         cluster = api_utils.get_resource('Cluster', cluster_ident)
         policy.enforce(context, 'certificate:rotate_ca', cluster.as_dict(),
                        action='certificate:rotate_ca')