1 files changed, 12 insertions, 9 deletions

diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py
index ac141a2c24..ae8c471f56 100644
--- a/nova/policies/quota_sets.py
+++ b/nova/policies/quota_sets.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
 quota_sets_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Update the quotas",
         operations=[
             {
@@ -32,7 +32,7 @@ quota_sets_policies = [
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'defaults',
         check_str=base.RULE_ANY,
@@ -43,10 +43,10 @@ quota_sets_policies = [
                 'path': '/os-quota-sets/{tenant_id}/defaults'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description="Show a quota",
         operations=[
             {
@@ -54,10 +54,10 @@ quota_sets_policies = [
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.ADMIN,
         description="Revert quotas to defaults",
         operations=[
             {
@@ -65,10 +65,13 @@ quota_sets_policies = [
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'detail',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        # TODO(gmann): Until we have domain admin or so to get other project's
+        # data, allow admin role(with scope check it will be project admin) to
+        # get other project quota.
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description="Show the detail of quota",
         operations=[
             {
@@ -76,7 +79,7 @@ quota_sets_policies = [
                 'path': '/os-quota-sets/{tenant_id}/detail'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]