Update designate for RBAC "direction change"

The RBAC goal has changed[1] and system scope is no longer going to be used. This patch updates Designate to align to this change in direction by removing the system scope from the policies. It also updates the functional tests to be ready for the switch to using the new keystone roles by default. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change Depends-On: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/879111 Change-Id: I1937e215dbd072b0a095df659c75f17a3f48c937
2023-03-28 00:16:32 +00:00 · 2023-03-28 00:16:32 +00:00 · c2e51939b4
commit c2e51939b4
parent b8ec3b450b
31 changed files with 551 additions and 359 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -62,7 +62,7 @@
      nslookup_target: 'opendev.org'
 - job:
-    name: designate-bind9-scoped-tokens
+    name: designate-bind9-keystone-default-roles
    post-run: playbooks/designate-bind9/post.yaml
    parent: designate-base
    vars:
@ -70,12 +70,9 @@
        post-config:
          $DESIGNATE_CONF:
            oslo_policy:
              enforce_scope: True
              enforce_new_defaults: True
        test-config:
          "$TEMPEST_CONFIG":
            enforce_scope:
              designate: True
            dns_feature_enabled:
              enforce_new_defaults: True
@ -189,7 +186,7 @@
            voting: false
        - designate-bind9-centos-9-stream:
            voting: false
-        - designate-bind9-scoped-tokens
+        - designate-bind9-keystone-default-roles
        - designate-pdns4
        - designate-grenade-bind9
        - designate-grenade-pdns4
@ -199,7 +196,7 @@
      fail-fast: true
      jobs:
        - designate-bind9
-        - designate-bind9-scoped-tokens
+        - designate-bind9-keystone-default-roles
        - designate-pdns4
        - designate-grenade-pdns4
        - designate-ipv6-only-pdns4
--- a/designate/api/middleware.py
+++ b/designate/api/middleware.py
@ -202,11 +202,22 @@ class TestContextMiddleware(ContextMiddleware):
        all_tenants = strutils.bool_from_string(
            headers.get('X-Test-All-Tenants', 'False'))
        role_header = headers.get('X-Test-Role', None)
        role_header = role_header.lower() if role_header else None
        if role_header == 'admin':
            roles = ['admin', 'member', 'reader']
        elif role_header == 'member':
            roles = ['member', 'reader']
        elif role_header == 'reader':
            roles = ['reader']
        else:
            roles = []
        self.make_context(
            request,
            user_id=headers.get('X-Test-User-ID', self.default_user_id),
            project_id=headers.get('X-Test-Tenant-ID', self.default_tenant_id),
-            all_tenants=all_tenants
+            all_tenants=all_tenants, roles=roles
        )
--- a/designate/common/constants.py
+++ b/designate/common/constants.py
@ -49,3 +49,6 @@ QUOTA_ZONE_RECORDSETS = 'zone_recordsets'
 QUOTA_ZONES = 'zones'
 VALID_QUOTAS = [QUOTA_API_EXPORT_SIZE, QUOTA_RECORDSET_RECORDS,
                QUOTA_ZONE_RECORDS, QUOTA_ZONE_RECORDSETS, QUOTA_ZONES]
 # RBAC scopes
 PROJECT = 'project'
--- a/designate/common/policies/base.py
+++ b/designate/common/policies/base.py
@ -27,13 +27,13 @@ RULE_ANY = "@"
 # They're allowed to create, read, update, or delete any system-specific
 # resource. They can also operate on project-specific resources where
 # applicable (e.g., cleaning up blacklists)
-SYSTEM_ADMIN = 'role:admin and system_scope:all'
+SYSTEM_ADMIN = 'role:admin'
 # Generic policy check string for read-only access to system-level resources.
 # This persona is useful for someone who needs access for auditing or even
 # support. These uses are also able to view project-specific resources where
 # applicable (e.g., listing all pools)
-SYSTEM_READER = 'role:reader and system_scope:all'
+SYSTEM_READER = 'role:admin'
 # This check string is reserved for actions that require the highest level of
 # authorization on a project or resources within the project
--- a/designate/common/policies/blacklist.py
+++ b/designate/common/policies/blacklist.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -64,7 +65,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_blacklist",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Create blacklist.',
        operations=[
            {
@ -77,7 +78,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_blacklists",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Find blacklists.',
        operations=[
            {
@ -90,7 +91,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_blacklist",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Get blacklist.',
        operations=[
            {
@ -103,7 +104,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_blacklist",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Update blacklist.',
        operations=[
            {
@ -116,7 +117,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_blacklist",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Delete blacklist.',
        operations=[
            {
@ -129,7 +130,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="use_blacklisted_zone",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Allowed bypass the blacklist.',
        operations=[
            {
--- a/designate/common/policies/context.py
+++ b/designate/common/policies/context.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
@ -54,31 +55,31 @@ rules = [
    policy.RuleDefault(
        name="all_tenants",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Action on all tenants.',
        deprecated_rule=deprecated_all_tenants),
    policy.RuleDefault(
        name="edit_managed_records",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Edit managed records.',
        deprecated_rule=deprecated_edit_managed_records),
    policy.RuleDefault(
        name="use_low_ttl",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Use low TTL.',
        deprecated_rule=deprecated_use_low_ttl),
    policy.RuleDefault(
        name="use_sudo",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Accept sudo from user to tenant.',
        deprecated_rule=deprecated_use_sudo),
    policy.RuleDefault(
        name="hard_delete",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Clean backend resources associated with zone",
        deprecated_rule=deprecated_hard_delete),
 ]
--- a/designate/common/policies/pool.py
+++ b/designate/common/policies/pool.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -70,14 +71,14 @@ rules = [
    policy.RuleDefault(
        name="create_pool",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Create pool.',
        deprecated_rule=deprecated_create_pool
    ),
    policy.DocumentedRuleDefault(
        name="find_pools",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Find pool.',
        operations=[
            {
@ -90,7 +91,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_pool",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Find pools.',
        operations=[
            {
@ -103,7 +104,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_pool",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Get pool.',
        operations=[
            {
@ -116,21 +117,21 @@ rules = [
    policy.RuleDefault(
        name="update_pool",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Update pool.',
        deprecated_rule=deprecated_update_pool
    ),
    policy.RuleDefault(
        name="delete_pool",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Delete pool.',
        deprecated_rule=deprecated_delete_pool
    ),
    policy.DocumentedRuleDefault(
        name="zone_create_forced_pool",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='load and set the pool to the one provided in the Zone attributes.',  # noqa
        operations=[
            {
--- a/designate/common/policies/quota.py
+++ b/designate/common/policies/quota.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -45,7 +46,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_quotas",
        check_str=base.SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="View Current Project's Quotas.",
        operations=[
            {
@ -58,7 +59,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="set_quota",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Set Quotas.',
        operations=[
            {
@ -71,7 +72,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="reset_quotas",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description='Reset Quotas.',
        operations=[
            {
--- a/designate/common/policies/record.py
+++ b/designate/common/policies/record.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -40,7 +41,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_records",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description='Find records.',
        operations=[
            {
@ -56,7 +57,7 @@ rules = [
    policy.RuleDefault(
        name="count_records",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_count_records
    )
 ]
--- a/designate/common/policies/recordset.py
+++ b/designate/common/policies/recordset.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -125,7 +126,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_recordset",
        check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Create Recordset",
        operations=[
            {
@ -138,13 +139,13 @@ rules = [
    policy.RuleDefault(
        name="get_recordsets",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_get_recordsets
    ),
    policy.DocumentedRuleDefault(
        name="get_recordset",
        check_str=base.SYSTEM_OR_PROJECT_READER_OR_SHARED,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get recordset",
        operations=[
            {
@ -157,14 +158,14 @@ rules = [
    policy.RuleDefault(
        name="find_recordset",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="List a Recordset in a Zone",
        deprecated_rule=deprecated_find_recordset
    ),
    policy.DocumentedRuleDefault(
        name="find_recordsets",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="List Recordsets in a Zone",
        operations=[
            {
@ -177,7 +178,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_recordset",
        check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Update recordset",
        operations=[
            {
@ -190,7 +191,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_recordset",
        check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_RECORD_OWNER_ZONE_TYPE,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Delete RecordSet",
        operations=[
            {
@ -203,7 +204,7 @@ rules = [
    policy.RuleDefault(
        name="count_recordset",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Count recordsets",
        deprecated_rule=deprecated_count_recordset,
    )
--- a/designate/common/policies/service_status.py
+++ b/designate/common/policies/service_status.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -46,7 +47,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_service_status",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Find a single Service Status",
        operations=[
            {
@ -59,7 +60,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_service_statuses",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="List service statuses.",
        operations=[
            {
@ -72,7 +73,7 @@ rules = [
    policy.RuleDefault(
        name="update_service_status",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_update_service_status
    )
 ]
--- a/designate/common/policies/shared_zones.py
+++ b/designate/common/policies/shared_zones.py
@ -14,6 +14,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
@ -53,7 +54,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_zone_share",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get a Zone Share",
        operations=[
            {
@ -66,7 +67,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="share_zone",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Share a Zone",
        operations=[
            {
@ -92,14 +93,14 @@ rules = [
    policy.RuleDefault(
        name="find_project_zone_share",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Check the can query for a specific projects shares.",
        deprecated_rule=deprecated_find_project_zone_share
    ),
    policy.DocumentedRuleDefault(
        name="unshare_zone",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Unshare Zone",
        operations=[
            {
--- a/designate/common/policies/tenant.py
+++ b/designate/common/policies/tenant.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -46,21 +47,21 @@ rules = [
    policy.RuleDefault(
        name="find_tenants",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Find all Tenants.",
        deprecated_rule=deprecated_find_tenants
    ),
    policy.RuleDefault(
        name="get_tenant",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Get all Tenants.",
        deprecated_rule=deprecated_get_tenant
    ),
    policy.RuleDefault(
        name="count_tenants",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Count tenants",
        deprecated_rule=deprecated_count_tenants
    )
--- a/designate/common/policies/tld.py
+++ b/designate/common/policies/tld.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -58,7 +59,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_tld",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Create Tld",
        operations=[
            {
@ -71,7 +72,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_tlds",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="List Tlds",
        operations=[
            {
@ -84,7 +85,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_tld",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Show Tld",
        operations=[
            {
@ -97,7 +98,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_tld",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Update Tld",
        operations=[
            {
@ -110,7 +111,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_tld",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Delete Tld",
        operations=[
            {
--- a/designate/common/policies/tsigkey.py
+++ b/designate/common/policies/tsigkey.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -58,7 +59,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_tsigkey",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Create Tsigkey",
        operations=[
            {
@ -71,7 +72,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_tsigkeys",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="List Tsigkeys",
        operations=[
            {
@ -84,7 +85,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_tsigkey",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Show a Tsigkey",
        operations=[
            {
@ -97,7 +98,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_tsigkey",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Update Tsigkey",
        operations=[
            {
@ -110,7 +111,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_tsigkey",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Delete a Tsigkey",
        operations=[
            {
--- a/designate/common/policies/zone.py
+++ b/designate/common/policies/zone.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -106,7 +107,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_zone",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Create Zone",
        operations=[
            {
@ -119,13 +120,13 @@ rules = [
    policy.RuleDefault(
        name="get_zones",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_get_zones
    ),
    policy.DocumentedRuleDefault(
        name="get_zone",
        check_str=base.SYSTEM_OR_PROJECT_READER_OR_SHARED,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get Zone",
        operations=[
            {
@ -138,13 +139,13 @@ rules = [
    policy.RuleDefault(
        name="get_zone_servers",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_get_zone_servers
    ),
    policy.DocumentedRuleDefault(
        name="get_zone_ns_records",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get the Name Servers for a Zone",
        operations=[
            {
@ -157,7 +158,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_zones",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="List existing zones",
        operations=[
            {
@ -170,7 +171,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_zone",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Update Zone",
        operations=[
            {
@ -183,7 +184,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_zone",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Delete Zone",
        operations=[
            {
@ -196,7 +197,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="xfr_zone",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Manually Trigger an Update of a Secondary Zone",
        operations=[
            {
@ -209,7 +210,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="abandon_zone",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="Abandon Zone",
        operations=[
            {
@ -222,19 +223,19 @@ rules = [
    policy.RuleDefault(
        name="count_zones",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_count_zones
    ),
    policy.RuleDefault(
        name="count_zones_pending_notify",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_count_zones_pending_notify
    ),
    policy.RuleDefault(
        name="purge_zones",
        check_str=base.SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_purge_zones
    ),
 ]
--- a/designate/common/policies/zone_export.py
+++ b/designate/common/policies/zone_export.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -64,7 +65,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="zone_export",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Retrive a Zone Export from the Designate Datastore",
        operations=[
            {
@ -77,7 +78,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_zone_export",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Create Zone Export",
        operations=[
            {
@ -90,7 +91,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_zone_exports",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="List Zone Exports",
        operations=[
            {
@ -103,7 +104,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_zone_export",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get Zone Exports",
        operations=[
            {
@ -116,7 +117,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_zone_export",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Update Zone Exports",
        operations=[
            {
@ -129,7 +130,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_zone_export",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Delete a zone export",
        operations=[
            {
--- a/designate/common/policies/zone_import.py
+++ b/designate/common/policies/zone_import.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -58,7 +59,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_zone_import",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Create Zone Import",
        operations=[
            {
@ -71,7 +72,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_zone_imports",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="List all Zone Imports",
        operations=[
            {
@ -84,7 +85,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_zone_import",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get Zone Imports",
        operations=[
            {
@ -97,7 +98,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_zone_import",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Update Zone Imports",
        operations=[
            {
@ -110,7 +111,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_zone_import",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Delete a Zone Import",
        operations=[
            {
--- a/designate/common/policies/zone_transfer_accept.py
+++ b/designate/common/policies/zone_transfer_accept.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -46,7 +47,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_zone_transfer_accept",
        check_str=base.RULE_ZONE_TRANSFER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Create Zone Transfer Accept",
        operations=[
            {
@ -59,7 +60,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_zone_transfer_accept",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Get Zone Transfer Accept",
        operations=[
            {
@ -72,7 +73,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="find_zone_transfer_accepts",
        check_str=base.SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=[constants.PROJECT],
        description="List Zone Transfer Accepts",
        operations=[
            {
--- a/designate/common/policies/zone_transfer_request.py
+++ b/designate/common/policies/zone_transfer_request.py
@ -16,6 +16,7 @@
 from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common import constants
 from designate.common.policies import base
 DEPRECATED_REASON = """
@ -58,7 +59,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="create_zone_transfer_request",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Create Zone Transfer Accept",
        operations=[
            {
@ -71,7 +72,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="get_zone_transfer_request",
        check_str=base.RULE_ZONE_TRANSFER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Show a Zone Transfer Request",
        operations=[
            {
@ -84,7 +85,7 @@ rules = [
    policy.RuleDefault(
        name="get_zone_transfer_request_detailed",
        check_str=base.SYSTEM_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        deprecated_rule=deprecated_create_zone_transfer_request
    ),
    policy.DocumentedRuleDefault(
@ -101,7 +102,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="update_zone_transfer_request",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Update a Zone Transfer Request",
        operations=[
            {
@ -114,7 +115,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name="delete_zone_transfer_request",
        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=[constants.PROJECT],
        description="Delete a Zone Transfer Request",
        operations=[
            {
--- a/designate/context.py
+++ b/designate/context.py
@ -151,7 +151,6 @@ class DesignateContext(context.RequestContext):
        # TODO(kiall): Remove Me
        kwargs['is_admin'] = True
        kwargs['roles'] = ['admin', 'reader']
        kwargs['system_scope'] = 'all'
        return cls(None, **kwargs)
--- a/designate/tests/test_api/test_v2/init.py
+++ b/designate/tests/test_api/test_v2/init.py
@ -120,7 +120,8 @@ class ApiV2TestCase(ApiTestCase):
            if marker is not None:
                params['marker'] = marker
-            r = self.client.get(url, params, status=expected_status)
+            r = self.client.get(url, params, status=expected_status,
                                headers={'X-Test-Role': 'member'})
            if expected_status != 200:
                if expected_type:
                    self._assert_exception(expected_type, expected_status, r)
--- a/designate/tests/test_api/test_v2/test_floatingips.py
+++ b/designate/tests/test_api/test_v2/test_floatingips.py
@ -202,7 +202,8 @@ class ApiV2ReverseFloatingIPTest(ApiV2TestCase):
        response = self.client.patch_json(
            '/reverse/floatingips/%s' % ":".join([fip['region'], fip['id']]),
            fixture.to_dict(),
-            headers={'X-Test-Tenant-Id': 'tenant'})
+            headers={'X-Test-Tenant-Id': 'tenant',
                     'X-Test-Role': 'member'})
        self.assertEqual(202, response.status_int)
        self.assertEqual('application/json', response.content_type)
--- a/designate/tests/test_api/test_v2/test_hostheaders.py
+++ b/designate/tests/test_api/test_v2/test_hostheaders.py
@ -30,7 +30,8 @@ class ApiV2HostHeadersTest(ApiV2TestCase):
        fixture = self.get_zone_fixture(fixture=0)
        response = self.client.post_json('/zones/',
                                         fixture,
-                                         headers={'Host': 'testhost.com'})
+                                         headers={'Host': 'testhost.com',
                                                  'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -41,7 +42,8 @@ class ApiV2HostHeadersTest(ApiV2TestCase):
        # Get zone with host header
        response = self.client.get('/zones/',
-                                   headers={'Host': 'testhost.com'})
+                                   headers={'Host': 'testhost.com',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
--- a/designate/tests/test_api/test_v2/test_import_export.py
+++ b/designate/tests/test_api/test_v2/test_import_export.py
@ -50,14 +50,15 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
        fixture = self.get_zonefile_fixture(variant='noorigin')
        response = self.client.post_json('/zones/tasks/imports', fixture,
-                        headers={'Content-type': 'text/dns'})
+                        headers={'Content-type': 'text/dns',
                                 'X-Test-Role': 'member'})
        import_id = response.json_body['id']
        self.wait_for_import(import_id, error_is_ok=True)
        url = '/zones/tasks/imports/%s' % import_id
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.assertEqual('ERROR', response.json['status'])
        origin_msg = ("The $ORIGIN statement is required and must be the"
                     " first statement in the zonefile.")
@ -67,14 +68,15 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
        fixture = self.get_zonefile_fixture(variant='nosoa')
        response = self.client.post_json('/zones/tasks/imports', fixture,
-                        headers={'Content-type': 'text/dns'})
+                        headers={'Content-type': 'text/dns',
                                 'X-Test-Role': 'member'})
        import_id = response.json_body['id']
        self.wait_for_import(import_id, error_is_ok=True)
        url = '/zones/tasks/imports/%s' % import_id
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.assertEqual('ERROR', response.json['status'])
        origin_msg = ("Malformed zonefile.")
        self.assertEqual(origin_msg, response.json['message'])
@ -83,14 +85,15 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
        fixture = self.get_zonefile_fixture(variant='malformed')
        response = self.client.post_json('/zones/tasks/imports', fixture,
-                        headers={'Content-type': 'text/dns'})
+                        headers={'Content-type': 'text/dns',
                                 'X-Test-Role': 'member'})
        import_id = response.json_body['id']
        self.wait_for_import(import_id, error_is_ok=True)
        url = '/zones/tasks/imports/%s' % import_id
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.assertEqual('ERROR', response.json['status'])
        origin_msg = ("Malformed zonefile.")
        self.assertEqual(origin_msg, response.json['message'])
@ -100,13 +103,14 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
        # fixture, making sure they're the same according to dnspython
        post_response = self.client.post('/zones/tasks/imports',
                                         self.get_zonefile_fixture(),
-                                         headers={'Content-type': 'text/dns'})
+                                         headers={'Content-type': 'text/dns',
                                                  'X-Test-Role': 'member'})
        import_id = post_response.json_body['id']
        self.wait_for_import(import_id)
        url = '/zones/tasks/imports/%s' % import_id
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.policy({'zone_export': '@'})
        get_response = self.adminclient.get('/zones/export/%s' %
@ -134,7 +138,8 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
    def test_delete_import(self):
        post_response = self.client.post('/zones/tasks/imports',
                                         self.get_zonefile_fixture(),
-                                         headers={'Content-type': 'text/dns'})
+                                         headers={'Content-type': 'text/dns',
                                                  'X-Test-Role': 'member'})
        import_id = post_response.json_body['id']
@ -142,6 +147,7 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
        delete_response = self.client.delete(
            '/zones/tasks/imports/%s' % import_id,
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('', delete_response.text)
@ -151,14 +157,16 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
    # Metadata tests
    def test_metadata_exists_imports(self):
-        response = self.client.get('/zones/tasks/imports')
+        response = self.client.get('/zones/tasks/imports',
                                   headers={'X-Test-Role': 'member'})
        # Make sure the fields exist
        self.assertIn('metadata', response.json)
        self.assertIn('total_count', response.json['metadata'])
    def test_metadata_exists_exports(self):
-        response = self.client.get('/zones/tasks/imports')
+        response = self.client.get('/zones/tasks/imports',
                                   headers={'X-Test-Role': 'member'})
        # Make sure the fields exist
        self.assertIn('metadata', response.json)
@ -166,7 +174,8 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
    @unittest.skip("See bug 1582241 and 1570859")
    def test_total_count_imports(self):
-        response = self.client.get('/zones/tasks/imports')
+        response = self.client.get('/zones/tasks/imports',
                                   headers={'X-Test-Role': 'member'})
        # There are no imported zones by default
        self.assertEqual(0, response.json['metadata']['total_count'])
@ -174,15 +183,18 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
        # Create a zone import
        self.client.post('/zones/tasks/imports',
                         self.get_zonefile_fixture(),
-                         headers={'Content-type': 'text/dns'})
+                         headers={'Content-type': 'text/dns',
                                  'X-Test-Role': 'member'})
-        response = self.client.get('/zones/tasks/imports')
+        response = self.client.get('/zones/tasks/imports',
                                   headers={'X-Test-Role': 'member'})
        # Make sure total_count picked it up
        self.assertEqual(1, response.json['metadata']['total_count'])
    def test_total_count_exports(self):
-        response = self.client.get('/zones/tasks/exports')
+        response = self.client.get('/zones/tasks/exports',
                                   headers={'X-Test-Role': 'member'})
        # There are no exported zones by default
        self.assertEqual(0, response.json['metadata']['total_count'])
@ -190,14 +202,16 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
    def test_create_export(self):
        zone = self.create_zone()
        create_response = self.client.post(
-            '/zones/%s/tasks/export' % zone['id']
+            '/zones/%s/tasks/export' % zone['id'],
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('PENDING', create_response.json_body['status'])
        self.assertEqual(zone['id'], create_response.json_body['zone_id'])
        get_response = self.client.get(
-            '/zones/tasks/exports/%s' % create_response.json_body['id']
+            '/zones/tasks/exports/%s' % create_response.json_body['id'],
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('PENDING', get_response.json_body['status'])
@ -206,39 +220,45 @@ class APIV2ZoneImportExportTest(ApiV2TestCase):
    def test_update_export(self):
        zone = self.create_zone()
        create_response = self.client.post(
-            '/zones/%s/tasks/export' % zone['id']
+            '/zones/%s/tasks/export' % zone['id'],
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('PENDING', create_response.json_body['status'])
        self.assertEqual(zone['id'], create_response.json_body['zone_id'])
        delete_response = self.client.delete(
-            '/zones/tasks/exports/%s' % create_response.json_body['id']
+            '/zones/tasks/exports/%s' % create_response.json_body['id'],
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('', delete_response.text)
        self._assert_exception(
            'zone_export_not_found', 404, self.client.get,
-            '/zones/tasks/exports/%s' % create_response.json_body['id']
+            '/zones/tasks/exports/%s' % create_response.json_body['id'],
            headers={'X-Test-Role': 'member'}
        )
    def test_delete_export(self):
        zone = self.create_zone()
        create_response = self.client.post(
-            '/zones/%s/tasks/export' % zone['id']
+            '/zones/%s/tasks/export' % zone['id'],
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('PENDING', create_response.json_body['status'])
        self.assertEqual(zone['id'], create_response.json_body['zone_id'])
        delete_response = self.client.delete(
-            '/zones/tasks/exports/%s' % create_response.json_body['id']
+            '/zones/tasks/exports/%s' % create_response.json_body['id'],
            headers={'X-Test-Role': 'member'}
        )
        self.assertEqual('', delete_response.text)
        self._assert_exception(
            'zone_export_not_found', 404, self.client.get,
-            '/zones/tasks/exports/%s' % create_response.json_body['id']
+            '/zones/tasks/exports/%s' % create_response.json_body['id'],
            headers={'X-Test-Role': 'member'}
        )
--- a/designate/tests/test_api/test_v2/test_quotas.py
+++ b/designate/tests/test_api/test_v2/test_quotas.py
@ -24,12 +24,10 @@ class ApiV2QuotasTest(ApiV2TestCase):
    def test_get_quotas(self):
        self.config(quota_api_export_size=1)
-        context = self.get_context(project_id='a')
+        result = self.client.get('/quotas/a', status=200,
                                 headers={'X-Test-Tenant-Id': 'a',
                                          'X-Test-Role': 'member'})
        result = self.client.get(
            '/quotas/%s' % context.project_id, status=200,
            headers={'X-Test-Tenant-Id': context.project_id}
        )
        self.assertEqual(
            {
                'zones': 10,
@ -44,9 +42,8 @@ class ApiV2QuotasTest(ApiV2TestCase):
    def test_get_all_quotas(self):
        self.config(quota_zone_recordsets=1)
-        result = self.client.get(
+        result = self.client.get('/quotas', status=200,
-            '/quotas', status=200,
+                                 headers={'X-Test-Role': 'member'})
        )
        self.assertEqual(
            {
@ -62,16 +59,14 @@ class ApiV2QuotasTest(ApiV2TestCase):
    def test_set_quotas(self):
        self.policy({'set_quota': '@'})
-        context = self.get_context(project_id='a')
+        self.client.patch_json('/quotas/a', {'zones': 123}, status=200,
-        self.client.patch_json(
+                               headers={'X-Test-Tenant-Id': 'a',
-            '/quotas/%s' % context.project_id, {'zones': 123}, status=200,
+                                        'X-Test-Role': 'member'})
-            headers={'X-Test-Tenant-Id': context.project_id}
+
-        )
+        result = self.client.get('/quotas/a', status=200,
                                 headers={'X-Test-Tenant-Id': 'a',
                                          'X-Test-Role': 'member'})
        result = self.client.get(
            '/quotas/%s' % context.project_id, status=200,
            headers={'X-Test-Tenant-Id': context.project_id}
        )
        self.assertEqual(
            {
                'zones': 123,
@ -91,16 +86,14 @@ class ApiV2QuotasTest(ApiV2TestCase):
        self.policy({'set_quota': '@'})
-        context = self.get_context(project_id='a')
+        self.client.patch_json('/quotas/a', {'zones': 123}, status=200,
-        self.client.patch_json(
+                               headers={'X-Test-Tenant-Id': 'a',
-            '/quotas/%s' % context.project_id, {'zones': 123}, status=200,
+                                        'X-Test-Role': 'member'})
-            headers={'X-Test-Tenant-Id': context.project_id}
+
-        )
+        result = self.client.get('/quotas/a', status=200,
                                 headers={'X-Test-Tenant-Id': 'a',
                                          'X-Test-Role': 'member'})
        result = self.client.get(
            '/quotas/%s' % context.project_id, status=200,
            headers={'X-Test-Tenant-Id': context.project_id}
        )
        self.assertEqual(
            {
                'zones': 123,
@ -117,13 +110,11 @@ class ApiV2QuotasTest(ApiV2TestCase):
        self.policy({'set_quota': '@'})
        context = self.get_context(project_id='a')
        # Update recordset_records quota.
        result = self.client.patch_json(
-            '/quotas/%s' % context.project_id, {'recordset_records': 123},
+            '/quotas/a', {'recordset_records': 123},
-            status=200,
+            status=200, headers={'X-Test-Tenant-Id': 'a',
-            headers={'X-Test-Tenant-Id': context.project_id}
+                                 'X-Test-Role': 'member'}
        )
        self.assertEqual(
            {
@ -137,16 +128,15 @@ class ApiV2QuotasTest(ApiV2TestCase):
        )
        # Delete quota.
-        self.client.delete(
+        self.client.delete('/quotas/a', status=204,
-            '/quotas/%s' % context.project_id, status=204,
+                           headers={'X-Test-Tenant-Id': 'a',
-            headers={'X-Test-Tenant-Id': context.project_id}
+                                    'X-Test-Role': 'member'})
        )
        # Make sure we are back to the default quotas.
-        result = self.client.get(
+        result = self.client.get('/quotas/a', status=200,
-            '/quotas/%s' % context.project_id, status=200,
+                                 headers={'X-Test-Tenant-Id': 'a',
-            headers={'X-Test-Tenant-Id': context.project_id}
+                                          'X-Test-Role': 'member'})
-        )
+
        self.assertEqual(
            {
                'zones': 10,
--- a/designate/tests/test_api/test_v2/test_recordsets.py
+++ b/designate/tests/test_api/test_v2/test_recordsets.py
@ -37,7 +37,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Prepare a RecordSet fixture
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(201, response.status_int)
@ -60,7 +61,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
        fixture['ttl'] = 0
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(201, response.status_int)
@ -75,7 +77,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.put_json(url, body, status=200)
+        response = self.client.put_json(url, body, status=200,
                                        headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -89,7 +92,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s/recordsets/%s' %
                                   (recordset['zone_id'], recordset['id']),
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -106,7 +110,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        )
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -120,7 +125,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % self.zone['id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -147,7 +153,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_with_name_too_long(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -155,7 +162,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_with_name_missing(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -163,7 +171,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_type_is_missing(self):
        # Prepare a RecordSet fixture
@ -186,7 +195,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_with_invalid_type(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -194,7 +204,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_description_too_long(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -202,7 +213,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_with_negative_ttl(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -210,7 +222,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_with_ttl_greater_than_max(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -218,7 +231,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_with_invalid_ttl(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -226,10 +240,12 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = fixture
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    def test_create_recordset_invalid_id(self):
-        self._assert_invalid_uuid(self.client.post, '/zones/%s/recordsets')
+        self._assert_invalid_uuid(self.client.post, '/zones/%s/recordsets',
                                  headers={'X-Test-Role': 'member'})
    def test_create_recordset_validation(self):
        # NOTE: The schemas should be tested separatly to the API. So we
@ -245,7 +261,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception(
-            'invalid_object', 400, self.client.post_json, url, body)
+            'invalid_object', 400, self.client.post_json, url, body,
            headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'create_recordset',
                  side_effect=messaging.MessagingTimeout())
@ -257,7 +274,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception('timeout', 504, self.client.post_json, url,
-                               body)
+                               body, headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'create_recordset',
                  side_effect=exceptions.DuplicateRecordSet())
@ -269,7 +286,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets' % self.zone['id']
        self._assert_exception('duplicate_recordset', 409,
-                               self.client.post_json, url, body)
+                               self.client.post_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_create_recordset_invalid_zone(self):
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
@ -279,24 +297,28 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/ba751950-6193-11e3-949a-0800200c9a66/recordsets'
        self._assert_exception('zone_not_found', 404, self.client.post_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
    def test_recordsets_invalid_url(self):
        url = '/zones/recordsets'
-        self._assert_exception('not_found', 404, self.client.get, url)
+        self._assert_exception('not_found', 404, self.client.get, url,
-        self._assert_exception('not_found', 404, self.client.post_json, url)
+                               headers={'X-Test-Role': 'member'})
        self._assert_exception('not_found', 404, self.client.post_json, url,
                               headers={'X-Test-Role': 'member'})
        # Pecan returns a 405 for Patch and delete operations
-        response = self.client.patch_json(url, status=405)
+        response = self.client.patch_json(url, status=405,
                                          headers={'X-Test-Role': 'member'})
        self.assertEqual(405, response.status_int)
-        response = self.client.delete(url, status=405)
+        response = self.client.delete(url, status=405,
                                      headers={'X-Test-Role': 'member'})
        self.assertEqual(405, response.status_int)
    def test_get_recordsets(self):
        url = '/zones/%s/recordsets' % self.zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -352,7 +374,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        for fixture in fixtures:
            response = self.client.post_json(
                '/zones/%s/recordsets' % self.zone['id'],
-                fixture)
+                fixture, headers={'X-Test-Role': 'member'})
        get_urls = [
            # Filter by Name
@ -380,7 +402,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        correct_results = [1, 1, 2, 1, 1, 2, 1, 1]
        for get_url, correct_result in zip(get_urls, correct_results):
-            response = self.client.get(get_url)
+            response = self.client.get(get_url,
                                       headers={'X-Test-Role': 'member'})
            # Check the headers are what we expect
            self.assertEqual(200, response.status_int)
@ -397,21 +420,22 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
    def test_get_recordsets_timeout(self, _):
        url = '/zones/ba751950-6193-11e3-949a-0800200c9a66/recordsets'
-        self._assert_exception('timeout', 504, self.client.get, url)
+        self._assert_exception('timeout', 504, self.client.get, url,
                               headers={'X-Test-Role': 'member'})
    def test_get_deleted_recordsets(self):
        zone = self.create_zone(fixture=1)
        recordset = self.create_recordset(zone, records=[])
        url = '/zones/%s/recordsets' % zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        # Now delete the recordset
        url = '/zones/%s/recordsets/%s' % (zone['id'], recordset.id)
-        self.client.delete(url, status=202)
+        self.client.delete(url, status=202, headers={'X-Test-Role': 'member'})
        # Simulate the zone having been deleted on the backend
        zone_serial = self.central_service.get_zone(
@ -423,20 +447,21 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Try to get the record and ensure that we get a
        # recordset_not_found error
        self._assert_exception('recordset_not_found', 404, self.client.get,
-                               url)
+                               url, headers={'X-Test-Role': 'member'})
    def test_get_deleted_recordset_after_deleting_zone(self):
        zone = self.create_zone(fixture=1)
        self.create_recordset(zone)
        url = '/zones/%s/recordsets' % zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        # Now delete the zone
-        self.client.delete('/zones/%s' % zone['id'], status=202)
+        self.client.delete('/zones/%s' % zone['id'], status=202,
                           headers={'X-Test-Role': 'member'})
        # Simulate the zone having been deleted on the backend
        zone_serial = self.central_service.get_zone(
@ -447,14 +472,15 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Try to get the record and ensure that we get a
        # zone_not_found error
-        self._assert_exception('zone_not_found', 404, self.client.get, url)
+        self._assert_exception('zone_not_found', 404, self.client.get, url,
                               headers={'X-Test-Role': 'member'})
    def test_get_recordset(self):
        # Create a recordset
        recordset = self.create_recordset(self.zone, records=[])
        url = '/zones/%s/recordsets/%s' % (self.zone['id'], recordset['id'])
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -474,7 +500,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        self.assertEqual('ACTIVE', response.json['status'])
    def test_get_recordset_invalid_id(self):
-        self._assert_invalid_uuid(self.client.get, '/zones/%s/recordsets/%s')
+        self._assert_invalid_uuid(self.client.get, '/zones/%s/recordsets/%s',
                                  headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_recordset',
                  side_effect=messaging.MessagingTimeout())
@ -483,7 +510,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
            self.zone['id'])
        self._assert_exception('timeout', 504, self.client.get, url,
-                               headers={'Accept': 'application/json'})
+                               headers={'Accept': 'application/json',
                                        'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_recordset',
                  side_effect=exceptions.RecordSetNotFound())
@ -493,7 +521,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        self._assert_exception('recordset_not_found', 404,
                               self.client.get, url,
-                               headers={'Accept': 'application/json'})
+                               headers={'Accept': 'application/json',
                                        'X-Test-Role': 'member'})
    def test_update_recordset(self):
        # Create a recordset
@ -504,7 +533,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.put_json(url, body, status=200)
+        response = self.client.put_json(url, body, status=200,
                                        headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -524,7 +554,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % recordset['zone_id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -547,7 +578,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.put_json(url, body, status=202)
+        response = self.client.put_json(url, body, status=202,
                                        headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -563,7 +595,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % recordset['zone_id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -581,7 +614,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.put_json(url, body, status=202)
+        response = self.client.put_json(url, body, status=202,
                                        headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -595,7 +629,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % recordset['zone_id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -611,7 +646,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        self.client.put_json(url, body, status=202)
+        self.client.put_json(url, body, status=202,
                             headers={'X-Test-Role': 'member'})
    def test_create_txt_record_too_long(self):
        # See bug #1474012
@ -621,7 +657,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
        self._assert_exception('invalid_object', 400,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_create_txt_record_multiple_strings(self):
        # create TXT record with string split in 2
@ -631,7 +668,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = {'description': 'Tester', 'records': [record]}
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        self.client.put_json(url, body, status=202)
+        self.client.put_json(url, body, status=202,
                             headers={'X-Test-Role': 'member'})
    def test_update_recordset_with_record_clear(self):
        # Create a recordset with one record
@ -642,7 +680,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.put_json(url, body, status=200)
+        response = self.client.put_json(url, body, status=200,
                                        headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -654,7 +693,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % recordset['zone_id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -664,7 +704,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
    def test_update_recordset_invalid_id(self):
        self._assert_invalid_uuid(
-            self.client.put_json, '/zones/%s/recordsets/%s')
+            self.client.put_json, '/zones/%s/recordsets/%s',
            headers={'X-Test-Role': 'member'})
    def test_update_recordset_validation(self):
        # NOTE: The schemas should be tested separatly to the API. So we
@ -682,14 +723,14 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
                                           recordset['id'])
        self._assert_exception('invalid_object', 400, self.client.put_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
        # Prepare an update body with junk in the body
        body = {'description': 'Tester', 'junk': 'Junk Field'}
        # Ensure it fails with a 400
        self._assert_exception('invalid_object', 400, self.client.put_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_recordset',
                  side_effect=exceptions.DuplicateRecordSet())
@ -702,7 +743,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
               % (self.zone['id']))
        self._assert_exception('duplicate_recordset', 409,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_recordset',
                  side_effect=messaging.MessagingTimeout())
@ -715,7 +757,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
               % (self.zone['id']))
        self._assert_exception('timeout', 504, self.client.put_json, url,
-                               body)
+                               body, headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_recordset',
                  side_effect=exceptions.RecordSetNotFound())
@ -728,7 +770,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
               % (self.zone['id']))
        self._assert_exception('recordset_not_found', 404,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_update_recordset_invalid_ttl(self):
        recordset = self.create_recordset(self.zone)
@ -736,7 +779,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
        self._assert_exception('invalid_object', 400,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_update_recordset_negative_ttl(self):
        recordset = self.create_recordset(self.zone)
@ -744,7 +788,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
        self._assert_exception('invalid_object', 400,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_update_recordset_ttl_greater_than_max(self):
        recordset = self.create_recordset(self.zone)
@ -752,7 +797,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
        self._assert_exception('invalid_object', 400,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_update_recordset_description_too_long(self):
        recordset = self.create_recordset(self.zone)
@ -760,14 +806,16 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
        self._assert_exception('invalid_object', 400,
-                               self.client.put_json, url, body)
+                               self.client.put_json, url, body,
                               headers={'X-Test-Role': 'member'})
    def test_delete_recordset(self):
        recordset = self.create_recordset(self.zone, records=[])
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.delete(url, status=202)
+        response = self.client.delete(url, status=202,
                                      headers={'X-Test-Role': 'member'})
        self.assertEqual('application/json', response.content_type)
        # Currently recordset does not have a status field. As there are no
@ -777,7 +825,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % recordset['zone_id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -791,7 +840,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        response = self.client.delete(url, status=202)
+        response = self.client.delete(url, status=202,
                                      headers={'X-Test-Role': 'member'})
        self.assertEqual('application/json', response.content_type)
        self.assertEqual('DELETE', response.json['action'])
@ -799,7 +849,8 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Check the zone's status is as expected
        response = self.client.get('/zones/%s' % recordset['zone_id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -814,16 +865,18 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
               % (self.zone['id']))
        self._assert_exception('recordset_not_found', 404,
-                               self.client.delete, url)
+                               self.client.delete, url,
                               headers={'X-Test-Role': 'member'})
    def test_delete_recordset_invalid_id(self):
        self._assert_invalid_uuid(
-            self.client.delete, '/zones/%s/recordsets/%s')
+            self.client.delete, '/zones/%s/recordsets/%s',
            headers={'X-Test-Role': 'member'})
    def test_metadata_exists(self):
        url = '/zones/%s/recordsets' % self.zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Make sure the fields exist
        self.assertIn('metadata', response.json)
@ -832,7 +885,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
    def test_total_count(self):
        url = '/zones/%s/recordsets' % self.zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # The NS and SOA records are there by default
        self.assertEqual(2, response.json['metadata']['total_count'])
@ -840,9 +893,10 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Create a recordset
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Make sure total_count picked up the change
        self.assertEqual(3, response.json['metadata']['total_count'])
@ -854,19 +908,20 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Create a recordset
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Make sure total_count picked up the change
        self.assertEqual(3, response.json['metadata']['total_count'])
        url = '/zones/%s/recordsets?data=nyan' % self.zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.assertEqual(0, response.json['metadata']['total_count'])
        url = '/zones/%s/recordsets?data=ns1.example.org.' % self.zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.assertEqual(1, response.json['metadata']['total_count'])
        # Test paging
@ -885,23 +940,25 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        # Even with paging enabled, total_count is still the total number of
        # recordsets matching the "data" filter
        url = '/zones/%s/recordsets?limit=1&data=nyan' % new_zone.id
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        self.assertEqual(2, response.json['metadata']['total_count'])
    def test_total_count_pagination(self):
        # Create two recordsets
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=1)
        response = self.client.post_json(
-            '/zones/%s/recordsets' % self.zone['id'], fixture)
+            '/zones/%s/recordsets' % self.zone['id'], fixture,
            headers={'X-Test-Role': 'member'})
        # Paginate the recordsets to two, there should be four now
        url = '/zones/%s/recordsets?limit=2' % self.zone['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # There are two recordsets returned
        self.assertEqual(2, len(response.json['recordsets']))
@ -919,7 +976,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        recordset = self.create_recordset(secondary)
        url = '/zones/%s/recordsets/%s' % (secondary['id'], recordset['id'])
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -942,7 +999,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets' % secondary['id']
-        response = self.client.get(url)
+        response = self.client.get(url, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -977,7 +1034,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets' % secondary['id']
        self._assert_exception('forbidden', 403, self.client.post_json, url,
-                               fixture)
+                               fixture, headers={'X-Test-Role': 'member'})
    def test_update_secondary_zone_recordset(self):
        fixture = self.get_zone_fixture('SECONDARY', 1)
@ -991,7 +1048,7 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
                                           recordset['id'])
        self._assert_exception('forbidden', 403, self.client.put_json, url,
-                               {'ttl': 100})
+                               {'ttl': 100}, headers={'X-Test-Role': 'member'})
    def test_delete_secondary_zone_recordset(self):
        fixture = self.get_zone_fixture('SECONDARY', 1)
@ -1004,17 +1061,19 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        self._assert_exception('forbidden', 403, self.client.delete, url)
+        self._assert_exception('forbidden', 403, self.client.delete, url,
                               headers={'X-Test-Role': 'member'})
    def test_no_create_rs_deleting_zone(self):
        # Prepare a create
        fixture = self.get_recordset_fixture(self.zone['name'], fixture=0)
        body = fixture
-        self.client.delete('/zones/%s' % self.zone['id'], status=202)
+        self.client.delete('/zones/%s' % self.zone['id'], status=202,
                           headers={'X-Test-Role': 'member'})
        self._assert_exception('bad_request', 400, self.client.post_json,
                               '/zones/%s/recordsets' % self.zone['id'],
-                               body)
+                               body, headers={'X-Test-Role': 'member'})
    def test_no_update_rs_deleting_zone(self):
        # Create a recordset
@ -1024,9 +1083,10 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        body = {'description': 'Tester'}
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        self.client.delete('/zones/%s' % self.zone['id'], status=202)
+        self.client.delete('/zones/%s' % self.zone['id'], status=202,
                           headers={'X-Test-Role': 'member'})
        self._assert_exception('bad_request', 400, self.client.put_json, url,
-                               body)
+                               body, headers={'X-Test-Role': 'member'})
    def test_no_delete_rs_deleting_zone(self):
        # Create a recordset
@ -1035,10 +1095,13 @@ class ApiV2RecordSetsTest(ApiV2TestCase):
        url = '/zones/%s/recordsets/%s' % (recordset['zone_id'],
                                           recordset['id'])
-        self.client.delete('/zones/%s' % self.zone['id'], status=202)
+        self.client.delete('/zones/%s' % self.zone['id'], status=202,
-        self._assert_exception('bad_request', 400, self.client.delete, url)
+                           headers={'X-Test-Role': 'member'})
        self._assert_exception('bad_request', 400, self.client.delete, url,
                               headers={'X-Test-Role': 'member'})
    def test_invalid_recordset_filter(self):
        invalid_url = '/zones/%s/recordsets?action=NONE' % self.zone['id']
        self._assert_exception(
-            'bad_request', 400, self.client.get, invalid_url)
+            'bad_request', 400, self.client.get, invalid_url,
            headers={'X-Test-Role': 'member'})
--- a/designate/tests/test_api/test_v2/test_shared_zones.py
+++ b/designate/tests/test_api/test_v2/test_shared_zones.py
@ -27,7 +27,7 @@ class ApiV2SharedZonesTest(ApiV2TestCase):
            self.endpoint_url.format(self.zone.id),
            {
                'target_project_id': self.target_project_id,
-            }
+            }, headers={'X-Test-Role': 'member'}
        )
    def test_share_zone(self):
@ -55,19 +55,22 @@ class ApiV2SharedZonesTest(ApiV2TestCase):
    def test_share_zone_with_no_target_id_no_zone_id(self):
        self._assert_exception(
            'invalid_uuid', 400, self.client.post_json,
-            self.endpoint_url.format(""), {"target_project_id": ""}
+            self.endpoint_url.format(""), {"target_project_id": ""},
            headers={'X-Test-Role': 'member'}
        )
    def test_share_zone_with_target_id_no_zone_id(self):
        self._assert_exception(
            'invalid_uuid', 400, self.client.post_json,
-            self.endpoint_url.format(""), {"target_project_id": "2"}
+            self.endpoint_url.format(""), {"target_project_id": "2"},
            headers={'X-Test-Role': 'member'}
        )
    def test_share_zone_with_invalid_zone_id(self):
        self._assert_exception(
            'invalid_uuid', 400, self.client.post_json,
-            self.endpoint_url.format("invalid"), {"target_project_id": "2"}
+            self.endpoint_url.format("invalid"), {"target_project_id": "2"},
            headers={'X-Test-Role': 'member'}
        )
    def test_get_zone_share(self):
@ -75,7 +78,8 @@ class ApiV2SharedZonesTest(ApiV2TestCase):
        response = self.client.get(
            '{}/{}'.format(self.endpoint_url.format(self.zone.id),
-                           shared_zone.json['id'])
+                           shared_zone.json['id']),
            headers={'X-Test-Role': 'member'}
        )
        # Check the headers are what we expect
@ -98,7 +102,8 @@ class ApiV2SharedZonesTest(ApiV2TestCase):
        self.assertIn('updated_at', response.json)
    def test_list_zone_shares(self):
-        response = self.client.get(self.endpoint_url.format(self.zone.id))
+        response = self.client.get(self.endpoint_url.format(self.zone.id),
                                   headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -114,7 +119,8 @@ class ApiV2SharedZonesTest(ApiV2TestCase):
        self._create_valid_shared_zone()
-        data = self.client.get(self.endpoint_url.format(self.zone.id))
+        data = self.client.get(self.endpoint_url.format(self.zone.id),
                               headers={'X-Test-Role': 'member'})
        self.assertEqual(1, len(data.json['shared_zones']))
@ -123,7 +129,8 @@ class ApiV2SharedZonesTest(ApiV2TestCase):
        response = self.client.delete(
            '{}/{}'.format(self.endpoint_url.format(self.zone.id),
-                           shared_zone.json['id'])
+                           shared_zone.json['id']),
            headers={'X-Test-Role': 'member'}
        )
        # Check the headers are what we expect
--- a/designate/tests/test_api/test_v2/test_zones.py
+++ b/designate/tests/test_api/test_v2/test_zones.py
@ -36,7 +36,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
    def test_create_zone(self):
        # Create a zone
        fixture = self.get_zone_fixture(fixture=0)
-        response = self.client.post_json('/zones/', fixture)
+        response = self.client.post_json('/zones/', fixture,
                                         headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -61,7 +62,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        fixture = self.get_zone_fixture(fixture=0)
        del fixture['type']
-        response = self.client.post_json('/zones/', fixture)
+        response = self.client.post_json('/zones/', fixture,
                                         headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -95,14 +97,16 @@ class ApiV2ZonesTest(ApiV2TestCase):
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_email_too_long(self):
        fixture = self.get_zone_fixture(fixture=0)
        fixture.update({'email': 'a' * 255 + '@abc.com'})
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_invalid_email(self):
        invalid_emails = [
@ -117,29 +121,32 @@ class ApiV2ZonesTest(ApiV2TestCase):
        for email in invalid_emails:
            fixture.update({'email': email})
            body = fixture
-            self._assert_exception('invalid_object', 400,
+            self._assert_exception(
-                                   self.client.post_json,
+                'invalid_object', 400, self.client.post_json,
-                                   '/zones', body)
+                '/zones', body, headers={'X-Test-Role': 'member'})
    def test_create_zone_email_missing(self):
        fixture = self.get_zone_fixture(fixture=0)
        del fixture['email']
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_ttl_less_than_zero(self):
        fixture = self.get_zone_fixture(fixture=0)
        fixture['ttl'] = -1
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_ttl_is_zero(self):
        fixture = self.get_zone_fixture(fixture=0)
        fixture['ttl'] = 0
        body = fixture
-        response = self.client.post_json('/zones', body)
+        response = self.client.post_json('/zones', body,
                                         headers={'X-Test-Role': 'member'})
        self.assertEqual(202, response.status_int)
    def test_create_zone_ttl_is_greater_than_max(self):
@ -147,19 +154,22 @@ class ApiV2ZonesTest(ApiV2TestCase):
        fixture['ttl'] = 2174483648
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_ttl_is_invalid(self):
        fixture = self.get_zone_fixture(fixture=0)
        fixture['ttl'] = "!@?>"
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_ttl_is_not_required_field(self):
        fixture = self.get_zone_fixture(fixture=0)
        body = fixture
-        response = self.client.post_json('/zones', body)
+        response = self.client.post_json('/zones', body,
                                         headers={'X-Test-Role': 'member'})
        self.assertEqual(202, response.status_int)
        self.assertEqual('application/json', response.content_type)
@ -168,21 +178,24 @@ class ApiV2ZonesTest(ApiV2TestCase):
        fixture['description'] = "a" * 161
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_name_is_missing(self):
        fixture = self.get_zone_fixture(fixture=0)
        del fixture['name']
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_name_too_long(self):
        fixture = self.get_zone_fixture(fixture=0)
        fixture['name'] = 'x' * 255 + ".com"
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_body_validation(self):
        fixture = self.get_zone_fixture(fixture=0)
@ -191,7 +204,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 400
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
        fixture = self.get_zone_fixture(fixture=0)
        # Add created_at to the body
@ -199,7 +213,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 400
        body = fixture
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', body)
+                               '/zones', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_invalid_name(self):
        # Try to create a zone with an invalid name
@ -207,7 +222,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones', fixture)
+                               '/zones', fixture,
                               headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'create_zone',
                  side_effect=messaging.MessagingTimeout())
@ -217,7 +233,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        body = fixture
        self._assert_exception('timeout', 504, self.client.post_json,
-                               '/zones/', body)
+                               '/zones/', body,
                               headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'create_zone',
                  side_effect=exceptions.DuplicateZone())
@ -227,30 +244,38 @@ class ApiV2ZonesTest(ApiV2TestCase):
        body = fixture
        self._assert_exception('duplicate_zone', 409, self.client.post_json,
-                               '/zones/', body)
+                               '/zones/', body,
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_missing_content_type(self):
        self._assert_exception('unsupported_content_type', 415,
-                               self.client.post, '/zones')
+                               self.client.post, '/zones',
                               headers={'X-Test-Role': 'member'})
    def test_create_zone_bad_content_type(self):
        self._assert_exception(
            'unsupported_content_type', 415, self.client.post, '/zones',
-            headers={'Content-type': 'test/goat'})
+            headers={'Content-type': 'test/goat',
                     'X-Test-Role': 'member'})
    def test_zone_invalid_url(self):
        url = '/zones/2fdadfb1-cf96-4259-ac6b-bb7b6d2ff980/invalid'
        self._assert_exception('not_found', 404, self.client.get, url,
-                               headers={'Accept': 'application/json'})
+                               headers={'Accept': 'application/json',
-        self._assert_exception('not_found', 404, self.client.patch_json, url)
+                                        'X-Test-Role': 'member'})
-        self._assert_exception('not_found', 404, self.client.delete, url)
+        self._assert_exception('not_found', 404, self.client.patch_json, url,
                               headers={'X-Test-Role': 'member'})
        self._assert_exception('not_found', 404, self.client.delete, url,
                               headers={'X-Test-Role': 'member'})
        # Pecan returns a 405 for post
-        response = self.client.post(url, status=405)
+        response = self.client.post(url, status=405,
                                    headers={'X-Test-Role': 'member'})
        self.assertEqual(405, response.status_int)
    def test_get_zones(self):
-        response = self.client.get('/zones/')
+        response = self.client.get('/zones/',
                                   headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -276,14 +301,16 @@ class ApiV2ZonesTest(ApiV2TestCase):
    @patch.object(central_service.Service, 'find_zones',
                  side_effect=messaging.MessagingTimeout())
    def test_get_zones_timeout(self, _):
-        self._assert_exception('timeout', 504, self.client.get, '/zones/')
+        self._assert_exception('timeout', 504, self.client.get, '/zones/',
                               headers={'X-Test-Role': 'member'})
    def test_get_zone(self):
        # Create a zone
        zone = self.create_zone()
        response = self.client.get('/zones/%s' % zone['id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(200, response.status_int)
@ -302,26 +329,30 @@ class ApiV2ZonesTest(ApiV2TestCase):
        self.assertEqual(zone['email'], response.json['email'])
    def test_get_zone_invalid_id(self):
-        self._assert_invalid_uuid(self.client.get, '/zones/%s')
+        self._assert_invalid_uuid(self.client.get, '/zones/%s',
                                  headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_zone',
                  side_effect=messaging.MessagingTimeout())
    def test_get_zone_timeout(self, _):
        url = '/zones/2fdadfb1-cf96-4259-ac6b-bb7b6d2ff980'
        self._assert_exception('timeout', 504, self.client.get, url,
-                               headers={'Accept': 'application/json'})
+                               headers={'Accept': 'application/json',
                                        'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_zone',
                  side_effect=exceptions.ZoneNotFound())
    def test_get_zone_missing(self, _):
        url = '/zones/2fdadfb1-cf96-4259-ac6b-bb7b6d2ff980'
        self._assert_exception('zone_not_found', 404, self.client.get, url,
-                               headers={'Accept': 'application/json'})
+                               headers={'Accept': 'application/json',
                                        'X-Test-Role': 'member'})
    def test_get_zone_bad_accept(self):
        url = '/zones/6e2146f3-87bc-4f47-adc5-4df0a5c78218'
-        self.client.get(url, headers={'Accept': 'test/goat'}, status=406)
+        self.client.get(url, status=406, headers={'Accept': 'test/goat',
                                                  'X-Test-Role': 'member'})
    def test_update_zone(self):
        # Create a zone
@ -331,7 +362,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        body = {'email': 'prefix-%s' % zone['email']}
        response = self.client.patch_json('/zones/%s' % zone['id'], body,
-                                          status=202)
+                                          status=202,
                                          headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -349,7 +381,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
                         response.json['email'])
    def test_update_zone_invalid_id(self):
-        self._assert_invalid_uuid(self.client.patch_json, '/zones/%s')
+        self._assert_invalid_uuid(self.client.patch_json, '/zones/%s',
                                  headers={'X-Test-Role': 'member'})
    def test_update_zone_validation(self):
        # NOTE: The schemas should be tested separatly to the API. So we
@ -365,7 +398,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception('invalid_object', 400, self.client.patch_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
        # Prepare an update body with negative ttl in the body
        body = {'email': 'prefix-%s' % zone['email'],
@ -373,7 +406,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception('invalid_object', 400, self.client.patch_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
        # Prepare an update body with ttl > maximum (2147483647) in the body
        body = {'email': 'prefix-%s' % zone['email'],
@ -381,7 +414,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 400
        self._assert_exception('invalid_object', 400, self.client.patch_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_zone',
                  side_effect=exceptions.DuplicateZone())
@ -393,7 +426,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 409
        self._assert_exception('duplicate_zone', 409, self.client.patch_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_zone',
                  side_effect=messaging.MessagingTimeout())
@ -405,7 +438,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 504
        self._assert_exception('timeout', 504, self.client.patch_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'get_zone',
                  side_effect=exceptions.ZoneNotFound())
@ -417,12 +450,13 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Ensure it fails with a 404
        self._assert_exception('zone_not_found', 404, self.client.patch_json,
-                               url, body)
+                               url, body, headers={'X-Test-Role': 'member'})
    def test_delete_zone(self):
        zone = self.create_zone()
-        response = self.client.delete('/zones/%s' % zone['id'], status=202)
+        response = self.client.delete('/zones/%s' % zone['id'], status=202,
                                      headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -431,18 +465,20 @@ class ApiV2ZonesTest(ApiV2TestCase):
        self.assertEqual('PENDING', response.json['status'])
        # The deleted zone should still be listed
-        zones = self.client.get('/zones/')
+        zones = self.client.get('/zones/', headers={'X-Test-Role': 'member'})
        self.assertEqual(1, len(zones.json['zones']))
    def test_delete_zone_invalid_id(self):
-        self._assert_invalid_uuid(self.client.delete, '/zones/%s')
+        self._assert_invalid_uuid(self.client.delete, '/zones/%s',
                                  headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'delete_zone',
                  side_effect=messaging.MessagingTimeout())
    def test_delete_zone_timeout(self, _):
        url = '/zones/2fdadfb1-cf96-4259-ac6b-bb7b6d2ff980'
-        self._assert_exception('timeout', 504, self.client.delete, url)
+        self._assert_exception('timeout', 504, self.client.delete, url,
                               headers={'X-Test-Role': 'member'})
    @patch.object(central_service.Service, 'delete_zone',
                  side_effect=exceptions.ZoneNotFound())
@ -450,42 +486,48 @@ class ApiV2ZonesTest(ApiV2TestCase):
        url = '/zones/2fdadfb1-cf96-4259-ac6b-bb7b6d2ff980'
        self._assert_exception('zone_not_found', 404, self.client.delete,
-                               url)
+                               url, headers={'X-Test-Role': 'member'})
    def test_post_abandon_zone(self):
        zone = self.create_zone()
        url = '/zones/%s/tasks/abandon' % zone.id
        # Ensure that we get permission denied
-        self._assert_exception('forbidden', 403, self.client.post_json, url)
+        self._assert_exception('forbidden', 403, self.client.post_json, url,
                               headers={'X-Test-Role': 'member'})
        # Ensure that abandon zone succeeds with the right policy
        self.policy({'abandon_zone': '@'})
-        response = self.client.post_json(url)
+        response = self.client.post_json(url,
                                         headers={'X-Test-Role': 'member'})
        self.assertEqual(204, response.status_int)
    def test_get_abandon_zone(self):
        zone = self.create_zone()
        url = '/zones/%s/tasks/abandon' % zone.id
-        self._assert_exception('method_not_allowed', 405, self.client.get, url)
+        self._assert_exception('method_not_allowed', 405, self.client.get, url,
                               headers={'X-Test-Role': 'member'})
    def test_get_invalid_abandon(self):
        # This is an invalid endpoint - should return 404
        url = '/zones/tasks/abandon'
-        self._assert_exception('not_found', 404, self.client.get, url)
+        self._assert_exception('not_found', 404, self.client.get, url,
                               headers={'X-Test-Role': 'member'})
    def test_get_zone_tasks(self):
        # This is an invalid endpoint - should return 404
        zone = self.create_zone()
        url = '/zones/%s/tasks' % zone.id
-        self._assert_exception('not_found', 404, self.client.get, url)
+        self._assert_exception('not_found', 404, self.client.get, url,
                               headers={'X-Test-Role': 'member'})
    def test_create_secondary(self):
        # Create a zone
        fixture = self.get_zone_fixture('SECONDARY', 0)
        fixture['masters'] = ["10.0.0.1"]
-        response = self.client.post_json('/zones/', fixture)
+        response = self.client.post_json('/zones/', fixture,
                                         headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -516,7 +558,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        fixture = self.get_zone_fixture('SECONDARY', 0)
        self._assert_exception('invalid_object', 400, self.client.post_json,
-                               '/zones/', fixture)
+                               '/zones/', fixture,
                               headers={'X-Test-Role': 'member'})
    def test_update_secondary(self):
        # Create a zone
@ -538,8 +581,9 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Prepare an update body
        body = {'masters': masters}
-        response = self.client.patch_json('/zones/%s' % zone['id'], body,
+        response = self.client.patch_json(
-                                          status=202)
+            '/zones/%s' % zone['id'], body, status=202,
            headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(202, response.status_int)
@ -573,7 +617,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
            response = self.client.post_json(
                '/zones/%s/tasks/xfr' % zone['id'],
-                None, status=202)
+                None, status=202, headers={'X-Test-Role': 'member'})
        self.assertTrue(worker.perform_zone_xfr.called)
@ -588,7 +632,7 @@ class ApiV2ZonesTest(ApiV2TestCase):
        response = self.client.post_json(
            '/zones/%s/tasks/xfr' % zone['id'],
-            None, status=400)
+            None, status=400, headers={'X-Test-Role': 'member'})
        # Check the headers are what we expect
        self.assertEqual(400, response.status_int)
@ -605,27 +649,32 @@ class ApiV2ZonesTest(ApiV2TestCase):
        body = {'email': 'foo@bar.io'}
        self._assert_exception('invalid_object', 400, self.client.patch_json,
-                               '/zones/%s' % zone['id'], body)
+                               '/zones/%s' % zone['id'], body,
                               headers={'X-Test-Role': 'member'})
    # Metadata tests
    def test_metadata_exists(self):
-        response = self.client.get('/zones/')
+        response = self.client.get('/zones/',
                                   headers={'X-Test-Role': 'member'})
        # Make sure the fields exist
        self.assertIn('metadata', response.json)
        self.assertIn('total_count', response.json['metadata'])
    def test_total_count(self):
-        response = self.client.get('/zones/')
+        response = self.client.get('/zones/',
                                   headers={'X-Test-Role': 'member'})
        # There are no zones by default
        self.assertEqual(0, response.json['metadata']['total_count'])
        # Create a zone
        fixture = self.get_zone_fixture(fixture=0)
-        response = self.client.post_json('/zones/', fixture)
+        response = self.client.post_json('/zones/', fixture,
                                         headers={'X-Test-Role': 'member'})
-        response = self.client.get('/zones/')
+        response = self.client.get('/zones/',
                                   headers={'X-Test-Role': 'member'})
        # Make sure total_count picked it up
        self.assertEqual(1, response.json['metadata']['total_count'])
@ -633,13 +682,16 @@ class ApiV2ZonesTest(ApiV2TestCase):
    def test_total_count_pagination(self):
        # Create two zones
        fixture = self.get_zone_fixture(fixture=0)
-        response = self.client.post_json('/zones/', fixture)
+        response = self.client.post_json('/zones/', fixture,
                                         headers={'X-Test-Role': 'member'})
        fixture = self.get_zone_fixture(fixture=1)
-        response = self.client.post_json('/zones/', fixture)
+        response = self.client.post_json('/zones/', fixture,
                                         headers={'X-Test-Role': 'member'})
        # Paginate so that there is only one zone returned
-        response = self.client.get('/zones?limit=1')
+        response = self.client.get('/zones?limit=1',
                                   headers={'X-Test-Role': 'member'})
        self.assertEqual(1, len(response.json['zones']))
@ -653,9 +705,11 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Prepare an update body
        body = {'zone': {'email': 'prefix-%s' % zone['email']}}
-        self.client.delete('/zones/%s' % zone['id'], status=202)
+        self.client.delete('/zones/%s' % zone['id'], status=202,
                           headers={'X-Test-Role': 'member'})
        self._assert_exception('bad_request', 400, self.client.patch_json,
-                               '/zones/%s' % zone['id'], body)
+                               '/zones/%s' % zone['id'], body,
                               headers={'X-Test-Role': 'member'})
    def test_get_nameservers(self):
        # Create a zone
@ -664,7 +718,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        # Prepare an update body
        response = self.client.get('/zones/%s/nameservers' % zone['id'],
-                                   headers=[('Accept', 'application/json')])
+                                   headers={'Accept': 'application/json',
                                            'X-Test-Role': 'member'})
        self.assertIn('nameservers', response.json)
        self.assertEqual(1, len(response.json['nameservers']))
@ -689,7 +744,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        ]
        for fixture in fixtures:
-            response = self.client.post_json('/zones/', fixture)
+            response = self.client.post_json('/zones/', fixture,
                                             headers={'X-Test-Role': 'member'})
        get_urls = [
            # Filter by Type
@ -714,7 +770,8 @@ class ApiV2ZonesTest(ApiV2TestCase):
        for get_url, correct_result in zip(get_urls, correct_results):
-            response = self.client.get(get_url)
+            response = self.client.get(get_url,
                                       headers={'X-Test-Role': 'member'})
            # Check the headers are what we expect
            self.assertEqual(200, response.status_int)
@ -726,4 +783,5 @@ class ApiV2ZonesTest(ApiV2TestCase):
    def test_invalid_zones_filter(self):
        invalid_url = '/zones?id=155477ef-e6c5-4b94-984d-8fc68c0c1a14'
        self._assert_exception(
-            'bad_request', 400, self.client.get, invalid_url)
+            'bad_request', 400, self.client.get, invalid_url,
            headers={'X-Test-Role': 'member'})
--- a/designate/tests/test_central/test_service.py
+++ b/designate/tests/test_central/test_service.py
@ -424,8 +424,10 @@ class CentralServiceTest(CentralTestCase):
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True
-        tenant_one_context = self.get_context(project_id='1')
+        tenant_one_context = self.get_context(project_id='1',
-        tenant_two_context = self.get_context(project_id='2')
+                                              roles=['member', 'reader'])
        tenant_two_context = self.get_context(project_id='2',
                                              roles=['member', 'reader'])
        # in the beginning, there should be nothing
        tenants = self.central_service.count_tenants(admin_context)
@ -799,8 +801,10 @@ class CentralServiceTest(CentralTestCase):
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True
-        tenant_one_context = self.get_context(project_id='1')
+        tenant_one_context = self.get_context(project_id='1',
-        tenant_two_context = self.get_context(project_id='2')
+                                              roles=['member', 'reader'])
        tenant_two_context = self.get_context(project_id='2',
                                              roles=['member', 'reader'])
        # Ensure we have no zones to start with.
        zones = self.central_service.find_zones(admin_context)
@ -1776,7 +1780,7 @@ class CentralServiceTest(CentralTestCase):
    def test_find_recordsets_shared_zone(self):
        zone = self.create_zone()
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        self.share_zone(context=self.admin_context, zone_id=zone.id,
                        target_project_id='1')
@ -2064,7 +2068,7 @@ class CentralServiceTest(CentralTestCase):
        zone = self.create_zone()
        original_serial = zone.serial
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        self.share_zone(context=self.admin_context, zone_id=zone.id,
                        target_project_id='1')
@ -3312,9 +3316,12 @@ class CentralServiceTest(CentralTestCase):
        self.assertEqual(zt_request.key, retrived_zt.key)
    def test_get_zone_transfer_request_scoped(self):
-        tenant_1_context = self.get_context(project_id='1')
+        tenant_1_context = self.get_context(project_id='1',
-        tenant_2_context = self.get_context(project_id='2')
+                                            roles=['member', 'reader'])
-        tenant_3_context = self.get_context(project_id='3')
+        tenant_2_context = self.get_context(project_id='2',
                                            roles=['member', 'reader'])
        tenant_3_context = self.get_context(project_id='3',
                                            roles=['member', 'reader'])
        zone = self.create_zone(context=tenant_1_context)
        zt_request = self.create_zone_transfer_request(
            zone,
@ -3363,8 +3370,10 @@ class CentralServiceTest(CentralTestCase):
                         exc.exc_info[0])
    def test_create_zone_transfer_accept(self):
-        tenant_1_context = self.get_context(project_id='1')
+        tenant_1_context = self.get_context(project_id='1',
-        tenant_2_context = self.get_context(project_id="2")
+                                            roles=['member', 'reader'])
        tenant_2_context = self.get_context(project_id="2",
                                            roles=['member', 'reader'])
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True
@ -3413,8 +3422,10 @@ class CentralServiceTest(CentralTestCase):
            'COMPLETE', result['zt_request'].status)
    def test_create_zone_transfer_accept_scoped(self):
-        tenant_1_context = self.get_context(project_id='1')
+        tenant_1_context = self.get_context(project_id='1',
-        tenant_2_context = self.get_context(project_id="2")
+                                            roles=['member', 'reader'])
        tenant_2_context = self.get_context(project_id="2",
                                            roles=['member', 'reader'])
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True
@ -3465,7 +3476,8 @@ class CentralServiceTest(CentralTestCase):
            'COMPLETE', result['zt_request'].status)
    def test_create_zone_transfer_accept_failed_key(self):
-        tenant_1_context = self.get_context(project_id='1')
+        tenant_1_context = self.get_context(project_id='1',
                                            roles=['member', 'reader'])
        tenant_2_context = self.get_context(project_id="2")
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True
@ -3492,8 +3504,10 @@ class CentralServiceTest(CentralTestCase):
        self.assertEqual(exceptions.IncorrectZoneTransferKey, exc.exc_info[0])
    def test_create_zone_tarnsfer_accept_out_of_tenant_scope(self):
-        tenant_1_context = self.get_context(project_id='1')
+        tenant_1_context = self.get_context(project_id='1',
-        tenant_3_context = self.get_context(project_id="3")
+                                            roles=['member', 'reader'])
        tenant_3_context = self.get_context(project_id="3",
                                            roles=['member', 'reader'])
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True
@ -3522,7 +3536,8 @@ class CentralServiceTest(CentralTestCase):
    # Zone Import Tests
    def test_create_zone_import(self):
        # Create a Zone Import
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        request_body = self.get_zonefile_fixture()
        zone_import = self.central_service.create_zone_import(context,
                                                              request_body)
@ -3536,14 +3551,16 @@ class CentralServiceTest(CentralTestCase):
        self.wait_for_import(zone_import.id)
    def test_create_zone_import_duplicate_threading(self):
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        request_body = self.get_zonefile_fixture()
        zone_import = self.central_service.create_zone_import(context,
                                                              request_body)
        self.wait_for_import(zone_import.id)
        def create_zone_import():
-            context = self.get_context(project_id=utils.generate_uuid())
+            context = self.get_context(project_id=utils.generate_uuid(),
                                       roles=['member', 'reader'])
            request_body = self.get_zonefile_fixture()
            zone_import = self.central_service.create_zone_import(context,
                                                            request_body)
@ -3653,7 +3670,8 @@ class CentralServiceTest(CentralTestCase):
        )
        # Create a Zone Import
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        request_body = self.get_zonefile_fixture()
        zone_import = self.central_service.create_zone_import(context,
                                                              request_body)
@ -3671,7 +3689,8 @@ class CentralServiceTest(CentralTestCase):
        self.assertEqual('ERROR', zone_import.status)
    def test_find_zone_imports(self):
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        # Ensure we have no zone_imports to start with.
        zone_imports = self.central_service.find_zone_imports(
@ -3708,7 +3727,8 @@ class CentralServiceTest(CentralTestCase):
    def test_get_zone_import(self):
        # Create a Zone Import
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        request_body = self.get_zonefile_fixture()
        zone_import = self.central_service.create_zone_import(
                    context, request_body)
@ -3726,7 +3746,8 @@ class CentralServiceTest(CentralTestCase):
    def test_update_zone_import(self):
        # Create a Zone Import
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        request_body = self.get_zonefile_fixture()
        zone_import = self.central_service.create_zone_import(
                    context, request_body)
@ -3749,7 +3770,8 @@ class CentralServiceTest(CentralTestCase):
    def test_delete_zone_import(self):
        # Create a Zone Import
-        context = self.get_context(project_id=utils.generate_uuid())
+        context = self.get_context(project_id=utils.generate_uuid(),
                                   roles=['member', 'reader'])
        request_body = self.get_zonefile_fixture()
        zone_import = self.central_service.create_zone_import(
                    context, request_body)
@ -3769,7 +3791,7 @@ class CentralServiceTest(CentralTestCase):
    def test_share_zone(self):
        # Create a Shared Zone
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        zone = self.create_zone(context=context)
        shared_zone = self.share_zone(context=context, zone_id=zone.id)
@ -3796,7 +3818,7 @@ class CentralServiceTest(CentralTestCase):
        self.assertEqual(zone.id, shared_zone.zone_id)
    def test_unshare_zone(self):
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        zone = self.create_zone(context=context)
        shared_zone = self.share_zone(context=context, zone_id=zone.id)
@ -3831,7 +3853,7 @@ class CentralServiceTest(CentralTestCase):
                         new_shared_zone_obj.project_id)
    def test_unshare_zone_with_child_objects(self):
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        zone = self.create_zone(context=context)
        shared_zone = self.share_zone(context=context, zone_id=zone.id)
@ -3855,7 +3877,7 @@ class CentralServiceTest(CentralTestCase):
            )
    def test_find_shared_zones(self):
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        zone = self.create_zone(context=context)
        # Ensure we have no shared zones to start with.
@ -3923,7 +3945,7 @@ class CentralServiceTest(CentralTestCase):
        self.assertEqual(second_shared_zone.id, shared_zones[1].id)
    def test_get_shared_zone(self):
-        context = self.get_context(project_id='1')
+        context = self.get_context(project_id='1', roles=['member', 'reader'])
        zone = self.create_zone(context=context)
        shared_zone = self.share_zone(context=context, zone_id=zone.id)
--- a/designate/tests/test_storage/init.py
+++ b/designate/tests/test_storage/init.py
@ -2982,8 +2982,10 @@ class StorageTestCase(object):
        self.assertEqual(result.id, accept.id)
    def test_transfer_zone_ownership(self):
-        tenant_1_context = self.get_context(project_id='1')
+        tenant_1_context = self.get_context(project_id='1',
-        tenant_2_context = self.get_context(project_id='2')
+                                            roles=['member', 'reader'])
        tenant_2_context = self.get_context(project_id='2',
                                            roles=['member', 'reader'])
        admin_context = self.get_admin_context()
        admin_context.all_tenants = True