Comment 5 for bug 1118066

Joe Gordon (jogo) wrote : Re: Possible to get and update quotas for nonexistent tenant

So this is a known issue: nova doesn't do any tenant validation for quotas. Right now the assumption is that only global admins (think cloud operator) should have access to the last three methods in:

http://docs.openstack.org/api/openstack-compute/2/content/os-quota-sets.html

GET v2{/tenant_id}/os-quota-sets{/tenant_id}{/user_id}
Enables an admin user to show quotas for a specified tenant and user.

POST v2{/tenant_id}/os-quota-sets{/tenant_id}{/user_id}
Updates quotas for a specified tenant/project and user.

GET v2{/tenant_id}/os-quota-sets{/tenant_id}/detail{/user_id}
Shows details for quotas for a specified tenant and user.

And as an admin (trusted user), we expect them to not break things.

This is part of a bigger issue, which is that nova doesn't have great RBAC support. Say you want to create a tenant admin who can set quotas per user.
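
Added example, not part of the original comment and not nova's code: a minimal model of a quota update that accepts any tenant ID, next to one that checks the caller's scope and the target tenant's existence before writing. The role names (admin, tenant_admin), the caller dictionary, the tenant_exists lookup and the sample tenants are assumptions made for illustration.

```python
DEFAULT_QUOTAS = {"instances": 10, "cores": 20}
KNOWN_TENANTS = {"demo", "ops"}  # constructed sample data, stands in for the identity service


class QuotaDenied(Exception):
    """Raised when a quota update is rejected."""


def show_quota(store, tenant_id):
    # Defaults overlaid with any per-tenant overrides.
    return {**DEFAULT_QUOTAS, **store.get(tenant_id, {})}


def update_quota_unchecked(store, tenant_id, limits):
    # Behaviour described in the comment: no tenant validation, so any
    # string in the URL becomes a quota row.
    store.setdefault(tenant_id, {}).update(limits)
    return show_quota(store, tenant_id)


def update_quota_checked(store, caller, tenant_id, limits, tenant_exists):
    roles = caller["roles"]
    # Hypothetical tenant-scoped role: may manage quotas only in its own tenant.
    scoped = "tenant_admin" in roles and caller["tenant_id"] == tenant_id
    # Authorize first, so a caller without rights cannot use the error
    # message to probe which tenant IDs exist.
    if "admin" not in roles and not scoped:
        raise QuotaDenied("caller may not manage quotas for this tenant")
    if not tenant_exists(tenant_id):
        raise QuotaDenied("unknown tenant: %r" % tenant_id)
    unknown = set(limits) - set(DEFAULT_QUOTAS)
    if unknown:
        raise QuotaDenied("unknown quota resources: %s" % sorted(unknown))
    return update_quota_unchecked(store, tenant_id, limits)


if __name__ == "__main__":
    store = {}
    print(update_quota_unchecked(store, "no-such-tenant", {"instances": 99}))
    operator = {"roles": ["admin"], "tenant_id": "ops"}
    try:
        update_quota_checked(store, operator, "typo-tenant", {"instances": 99},
                             KNOWN_TENANTS.__contains__)
    except QuotaDenied as exc:
        print("rejected:", exc)
```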