In F-2, Quantum got a basic authz implementation that is equivalent to what nova has. this enforces that an entity is only updated by the tenant that created it, or by an admin tenant.
However, for quantum, we actually need something more: specifically, we need to make sure that a subnet or port can only be associated with a network that is owned by the same tenant (at least in the simple use case. there are advanced use cases where a provider will want to be able to allow tenants to create ports on a network owned by the provider).
Kevin Mitchell said that the likely best way to do this would be to extend the "brain" concept in the existing policy checking code. See comments within the review for the base authz code: https://review.openstack.org/8500
Note: this is required for a secure implementation of quantum API that is exposed to tenants. Hence, I am targeting F-2 so it stays high on the radar, though in practice F-2 won't be production complete, so this may not be done by then.