diff --git a/cinder/api/contrib/qos_specs_manage.py b/cinder/api/contrib/qos_specs_manage.py
index 4f85bfaf208..8f97ed794c8 100644
--- a/cinder/api/contrib/qos_specs_manage.py
+++ b/cinder/api/contrib/qos_specs_manage.py
@@ -33,7 +33,16 @@ from cinder.volume import qos_specs
 
 LOG = logging.getLogger(__name__)
 
-authorize = extensions.extension_authorizer('volume', 'qos_specs_manage')
+authorize_create = extensions.extension_authorizer('volume',
+                                                   'qos_specs_manage:create')
+authorize_get = extensions.extension_authorizer('volume',
+                                                'qos_specs_manage:get')
+authorize_get_all = extensions.extension_authorizer('volume',
+                                                    'qos_specs_manage:get_all')
+authorize_update = extensions.extension_authorizer('volume',
+                                                   'qos_specs_manage:update')
+authorize_delete = extensions.extension_authorizer('volume',
+                                                   'qos_specs_manage:delete')
 
 
 def _check_specs(context, specs_id):
@@ -56,7 +65,7 @@ class QoSSpecsController(wsgi.Controller):
     def index(self, req):
         """Returns the list of qos_specs."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_get_all(context)
 
         params = req.params.copy()
 
@@ -75,7 +84,7 @@ class QoSSpecsController(wsgi.Controller):
 
     def create(self, req, body=None):
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_create(context)
 
         self.assert_valid_body(body, 'qos_specs')
 
@@ -122,7 +131,7 @@ class QoSSpecsController(wsgi.Controller):
 
     def update(self, req, id, body=None):
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_update(context)
 
         self.assert_valid_body(body, 'qos_specs')
         specs = body['qos_specs']
@@ -152,7 +161,7 @@ class QoSSpecsController(wsgi.Controller):
     def show(self, req, id):
         """Return a single qos spec item."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_get(context)
 
         # Not found exception will be handled at the wsgi level
         spec = qos_specs.get_qos_specs(context, id)
@@ -162,7 +171,7 @@ class QoSSpecsController(wsgi.Controller):
     def delete(self, req, id):
         """Deletes an existing qos specs."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_delete(context)
 
         # Convert string to bool type in strict manner
         force = utils.get_bool_param('force', req.params)
@@ -198,7 +207,7 @@ class QoSSpecsController(wsgi.Controller):
     def delete_keys(self, req, id, body):
         """Deletes specified keys in qos specs."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_delete(context)
 
         if not (body and 'keys' in body
                 and isinstance(body.get('keys'), list)):
@@ -226,7 +235,7 @@ class QoSSpecsController(wsgi.Controller):
     def associations(self, req, id):
         """List all associations of given qos specs."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_get_all(context)
 
         LOG.debug("Get associations for qos_spec id: %s", id)
 
@@ -256,7 +265,7 @@ class QoSSpecsController(wsgi.Controller):
     def associate(self, req, id):
         """Associate a qos specs with a volume type."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_update(context)
 
         type_id = req.params.get('vol_type_id', None)
 
@@ -305,7 +314,7 @@ class QoSSpecsController(wsgi.Controller):
     def disassociate(self, req, id):
         """Disassociate a qos specs from a volume type."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_update(context)
 
         type_id = req.params.get('vol_type_id', None)
 
@@ -345,7 +354,7 @@ class QoSSpecsController(wsgi.Controller):
     def disassociate_all(self, req, id):
         """Disassociate a qos specs from all volume types."""
         context = req.environ['cinder.context']
-        authorize(context)
+        authorize_update(context)
 
         LOG.debug("Disassociate qos_spec: %s from all.", id)
 
diff --git a/cinder/tests/unit/api/contrib/test_qos_specs_manage.py b/cinder/tests/unit/api/contrib/test_qos_specs_manage.py
index 0a51f1ff9a2..b4b63e35f14 100644
--- a/cinder/tests/unit/api/contrib/test_qos_specs_manage.py
+++ b/cinder/tests/unit/api/contrib/test_qos_specs_manage.py
@@ -173,7 +173,8 @@ class QoSSpecManageApiTest(test.TestCase):
     @mock.patch('cinder.volume.qos_specs.get_all_specs',
                 side_effect=return_qos_specs_get_all)
     def test_index(self, mock_get_all_specs):
-        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID)
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID,
+                                      use_admin_context=True)
         res = self.controller.index(req)
 
         self.assertEqual(3, len(res['qos_specs']))
@@ -272,7 +273,7 @@ class QoSSpecManageApiTest(test.TestCase):
                 side_effect=return_qos_specs_delete)
     def test_qos_specs_delete(self, mock_qos_delete, mock_qos_get_specs):
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' % (
-            fake.PROJECT_ID, fake.QOS_SPEC_ID))
+            fake.PROJECT_ID, fake.QOS_SPEC_ID), use_admin_context=True)
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
             self.controller.delete(req, fake.QOS_SPEC_ID)
@@ -288,7 +289,8 @@ class QoSSpecManageApiTest(test.TestCase):
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
             req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' %
                                           (fake.PROJECT_ID,
-                                           fake.WILL_NOT_BE_FOUND_ID))
+                                           fake.WILL_NOT_BE_FOUND_ID),
+                                          use_admin_context=True)
             self.assertRaises(exception.QoSSpecsNotFound,
                               self.controller.delete, req,
                               fake.WILL_NOT_BE_FOUND_ID)
@@ -301,7 +303,7 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_qos_specs_delete_inuse(self, mock_qos_delete,
                                     mock_qos_get_specs):
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' % (
-            fake.PROJECT_ID, fake.IN_USE_ID))
+            fake.PROJECT_ID, fake.IN_USE_ID), use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -316,7 +318,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_qos_specs_delete_inuse_force(self, mock_qos_delete,
                                           mock_qos_get_specs):
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s?force=True' %
-                                      (fake.PROJECT_ID, fake.IN_USE_ID))
+                                      (fake.PROJECT_ID, fake.IN_USE_ID),
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -329,7 +332,8 @@ class QoSSpecManageApiTest(test.TestCase):
         invalid_force = "invalid_bool"
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/delete_keys?force=%s' %
-            (fake.PROJECT_ID, fake.QOS_SPEC_ID, invalid_force))
+            (fake.PROJECT_ID, fake.QOS_SPEC_ID, invalid_force),
+            use_admin_context=True)
 
         self.assertRaises(exception.InvalidParameterValue,
                           self.controller.delete,
@@ -340,7 +344,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_qos_specs_delete_keys(self, mock_qos_delete_keys):
         body = {"keys": ['bar', 'zoo']}
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s/delete_keys' %
-                                      (fake.PROJECT_ID, fake.IN_USE_ID))
+                                      (fake.PROJECT_ID, fake.IN_USE_ID),
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -353,7 +358,8 @@ class QoSSpecManageApiTest(test.TestCase):
         body = {"keys": ['bar', 'zoo']}
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s/delete_keys' %
                                       (fake.PROJECT_ID,
-                                       fake.WILL_NOT_BE_FOUND_ID))
+                                       fake.WILL_NOT_BE_FOUND_ID),
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -366,7 +372,8 @@ class QoSSpecManageApiTest(test.TestCase):
                 side_effect=return_qos_specs_delete_keys)
     def test_qos_specs_delete_keys_badkey(self, mock_qos_specs_delete):
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s/delete_keys' %
-                                      (fake.PROJECT_ID, fake.IN_USE_ID))
+                                      (fake.PROJECT_ID, fake.IN_USE_ID),
+                                      use_admin_context=True)
         body = {"keys": ['foo', 'zoo']}
 
         notifier = fake_notifier.get_fake_notifier()
@@ -381,7 +388,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_qos_specs_delete_keys_get_notifier(self, mock_qos_delete_keys):
         body = {"keys": ['bar', 'zoo']}
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s/delete_keys' %
-                                      (fake.PROJECT_ID, fake.IN_USE_ID))
+                                      (fake.PROJECT_ID, fake.IN_USE_ID),
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier,
@@ -396,7 +404,9 @@ class QoSSpecManageApiTest(test.TestCase):
 
         body = {"qos_specs": {"name": "qos_specs_%s" % fake.QOS_SPEC_ID,
                               "key1": "value1"}}
-        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID)
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' %
+                                      fake.PROJECT_ID,
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -412,7 +422,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_create_invalid_input(self, mock_qos_get_specs):
         body = {"qos_specs": {"name": 'qos_spec_%s' % fake.INVALID_ID,
                               "consumer": "invalid_consumer"}}
-        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID)
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID,
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -425,7 +436,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_create_conflict(self, mock_qos_spec_create):
         body = {"qos_specs": {"name": 'qos_spec_%s' % fake.ALREADY_EXISTS_ID,
                               "key1": "value1"}}
-        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID)
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID,
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -438,7 +450,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_create_failed(self, mock_qos_spec_create):
         body = {"qos_specs": {"name": 'qos_spec_%s' % fake.ACTION_FAILED_ID,
                               "key1": "value1"}}
-        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID)
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' % fake.PROJECT_ID,
+                                      use_admin_context=True)
 
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
@@ -486,7 +499,8 @@ class QoSSpecManageApiTest(test.TestCase):
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
             req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' %
-                                          (fake.PROJECT_ID, fake.QOS_SPEC_ID))
+                                          (fake.PROJECT_ID, fake.QOS_SPEC_ID),
+                                          use_admin_context=True)
             body = {'qos_specs': {'key1': 'value1',
                                   'key2': 'value2'}}
             res = self.controller.update(req, fake.QOS_SPEC_ID, body)
@@ -500,7 +514,8 @@ class QoSSpecManageApiTest(test.TestCase):
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
             req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' %
                                           (fake.PROJECT_ID,
-                                           fake.WILL_NOT_BE_FOUND_ID))
+                                           fake.WILL_NOT_BE_FOUND_ID),
+                                          use_admin_context=True)
             body = {'qos_specs': {'key1': 'value1',
                                   'key2': 'value2'}}
             self.assertRaises(exception.QoSSpecsNotFound,
@@ -514,7 +529,8 @@ class QoSSpecManageApiTest(test.TestCase):
         notifier = fake_notifier.get_fake_notifier()
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
             req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' %
-                                          (fake.PROJECT_ID, fake.INVALID_ID))
+                                          (fake.PROJECT_ID, fake.INVALID_ID),
+                                          use_admin_context=True)
             body = {'qos_specs': {'key1': 'value1',
                                   'key2': 'value2'}}
             self.assertRaises(exception.InvalidQoSSpecs,
@@ -529,7 +545,8 @@ class QoSSpecManageApiTest(test.TestCase):
         with mock.patch('cinder.rpc.get_notifier', return_value=notifier):
             req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' %
                                           (fake.PROJECT_ID,
-                                           fake.UPDATE_FAILED_ID))
+                                           fake.UPDATE_FAILED_ID),
+                                          use_admin_context=True)
             body = {'qos_specs': {'key1': 'value1',
                                   'key2': 'value2'}}
             self.assertRaises(webob.exc.HTTPInternalServerError,
@@ -541,7 +558,7 @@ class QoSSpecManageApiTest(test.TestCase):
                 side_effect=return_qos_specs_get_qos_specs)
     def test_show(self, mock_get_qos_specs):
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' % (
-            fake.PROJECT_ID, fake.QOS_SPEC_ID))
+            fake.PROJECT_ID, fake.QOS_SPEC_ID), use_admin_context=True)
         res_dict = self.controller.show(req, fake.QOS_SPEC_ID)
 
         self.assertEqual(fake.QOS_SPEC_ID, res_dict['qos_specs']['id'])
@@ -553,7 +570,7 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_get_associations(self, mock_get_assciations):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associations' % (
-                fake.PROJECT_ID, fake.QOS_SPEC_ID))
+                fake.PROJECT_ID, fake.QOS_SPEC_ID), use_admin_context=True)
         res = self.controller.associations(req, fake.QOS_SPEC_ID)
 
         self.assertEqual('FakeVolTypeName',
@@ -566,7 +583,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_get_associations_not_found(self, mock_get_assciations):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associations' %
-            (fake.PROJECT_ID, fake.WILL_NOT_BE_FOUND_ID))
+            (fake.PROJECT_ID, fake.WILL_NOT_BE_FOUND_ID),
+            use_admin_context=True)
         self.assertRaises(exception.QoSSpecsNotFound,
                           self.controller.associations,
                           req, fake.WILL_NOT_BE_FOUND_ID)
@@ -576,7 +594,7 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_get_associations_failed(self, mock_get_associations):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associations' % (
-                fake.PROJECT_ID, fake.RAISE_ID))
+                fake.PROJECT_ID, fake.RAISE_ID), use_admin_context=True)
         self.assertRaises(webob.exc.HTTPInternalServerError,
                           self.controller.associations,
                           req, fake.RAISE_ID)
@@ -588,7 +606,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_associate(self, mock_associate, mock_get_qos):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associate?vol_type_id=%s' %
-            (fake.PROJECT_ID, fake.QOS_SPEC_ID, fake.VOLUME_TYPE_ID))
+            (fake.PROJECT_ID, fake.QOS_SPEC_ID, fake.VOLUME_TYPE_ID),
+            use_admin_context=True)
         res = self.controller.associate(req, fake.QOS_SPEC_ID)
 
         self.assertEqual(http_client.ACCEPTED, res.status_int)
@@ -599,7 +618,8 @@ class QoSSpecManageApiTest(test.TestCase):
                 side_effect=return_associate_qos_specs)
     def test_associate_no_type(self, mock_associate, mock_get_qos):
         req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s/associate' %
-                                      (fake.PROJECT_ID, fake.QOS_SPEC_ID))
+                                      (fake.PROJECT_ID, fake.QOS_SPEC_ID),
+                                      use_admin_context=True)
         self.assertRaises(webob.exc.HTTPBadRequest,
                           self.controller.associate, req, fake.QOS_SPEC_ID)
 
@@ -611,14 +631,15 @@ class QoSSpecManageApiTest(test.TestCase):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associate?vol_type_id=%s' % (
                 fake.PROJECT_ID, fake.WILL_NOT_BE_FOUND_ID,
-                fake.VOLUME_TYPE_ID))
+                fake.VOLUME_TYPE_ID), use_admin_context=True)
         self.assertRaises(exception.QoSSpecsNotFound,
                           self.controller.associate, req,
                           fake.WILL_NOT_BE_FOUND_ID)
 
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associate?vol_type_id=%s' %
-            (fake.PROJECT_ID, fake.QOS_SPEC_ID, fake.WILL_NOT_BE_FOUND_ID))
+            (fake.PROJECT_ID, fake.QOS_SPEC_ID, fake.WILL_NOT_BE_FOUND_ID),
+            use_admin_context=True)
 
         self.assertRaises(exception.VolumeTypeNotFound,
                           self.controller.associate, req, fake.QOS_SPEC_ID)
@@ -630,7 +651,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_associate_fail(self, mock_associate, mock_get_qos):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/associate?vol_type_id=%s' %
-            (fake.PROJECT_ID, fake.ACTION_FAILED_ID, fake.VOLUME_TYPE_ID))
+            (fake.PROJECT_ID, fake.ACTION_FAILED_ID, fake.VOLUME_TYPE_ID),
+            use_admin_context=True)
         self.assertRaises(webob.exc.HTTPInternalServerError,
                           self.controller.associate, req,
                           fake.ACTION_FAILED_ID)
@@ -642,7 +664,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_disassociate(self, mock_disassociate, mock_get_qos):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate?vol_type_id=%s' % (
-                fake.PROJECT_ID, fake.QOS_SPEC_ID, fake.VOLUME_TYPE_ID))
+                fake.PROJECT_ID, fake.QOS_SPEC_ID, fake.VOLUME_TYPE_ID),
+            use_admin_context=True)
         res = self.controller.disassociate(req, fake.QOS_SPEC_ID)
         self.assertEqual(http_client.ACCEPTED, res.status_int)
 
@@ -653,7 +676,7 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_disassociate_no_type(self, mock_disassociate, mock_get_qos):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate' % (
-                fake.PROJECT_ID, fake.QOS_SPEC_ID))
+                fake.PROJECT_ID, fake.QOS_SPEC_ID), use_admin_context=True)
 
         self.assertRaises(webob.exc.HTTPBadRequest,
                           self.controller.disassociate, req, fake.QOS_SPEC_ID)
@@ -666,14 +689,15 @@ class QoSSpecManageApiTest(test.TestCase):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate?vol_type_id=%s' % (
                 fake.PROJECT_ID, fake.WILL_NOT_BE_FOUND_ID,
-                fake.VOLUME_TYPE_ID))
+                fake.VOLUME_TYPE_ID), use_admin_context=True)
         self.assertRaises(exception.QoSSpecsNotFound,
                           self.controller.disassociate, req,
                           fake.WILL_NOT_BE_FOUND_ID)
 
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate?vol_type_id=%s' %
-            (fake.PROJECT_ID, fake.VOLUME_TYPE_ID, fake.WILL_NOT_BE_FOUND_ID))
+            (fake.PROJECT_ID, fake.VOLUME_TYPE_ID, fake.WILL_NOT_BE_FOUND_ID),
+            use_admin_context=True)
         self.assertRaises(exception.VolumeTypeNotFound,
                           self.controller.disassociate, req,
                           fake.VOLUME_TYPE_ID)
@@ -685,7 +709,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_disassociate_failed(self, mock_disassociate, mock_get_qos):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate?vol_type_id=%s' % (
-                fake.PROJECT_ID, fake.ACTION2_FAILED_ID, fake.VOLUME_TYPE_ID))
+                fake.PROJECT_ID, fake.ACTION2_FAILED_ID, fake.VOLUME_TYPE_ID),
+            use_admin_context=True)
         self.assertRaises(webob.exc.HTTPInternalServerError,
                           self.controller.disassociate, req,
                           fake.ACTION2_FAILED_ID)
@@ -697,7 +722,7 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_disassociate_all(self, mock_disassociate, mock_get_qos):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate_all' % (
-                fake.PROJECT_ID, fake.QOS_SPEC_ID))
+                fake.PROJECT_ID, fake.QOS_SPEC_ID), use_admin_context=True)
         res = self.controller.disassociate_all(req, fake.QOS_SPEC_ID)
         self.assertEqual(http_client.ACCEPTED, res.status_int)
 
@@ -708,7 +733,8 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_disassociate_all_not_found(self, mock_disassociate, mock_get):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate_all' % (
-                fake.PROJECT_ID, fake.WILL_NOT_BE_FOUND_ID))
+                fake.PROJECT_ID, fake.WILL_NOT_BE_FOUND_ID),
+            use_admin_context=True)
         self.assertRaises(exception.QoSSpecsNotFound,
                           self.controller.disassociate_all, req,
                           fake.WILL_NOT_BE_FOUND_ID)
@@ -720,7 +746,37 @@ class QoSSpecManageApiTest(test.TestCase):
     def test_disassociate_all_failed(self, mock_disassociate, mock_get):
         req = fakes.HTTPRequest.blank(
             '/v2/%s/qos-specs/%s/disassociate_all' % (
-                fake.PROJECT_ID, fake.ACTION2_FAILED_ID))
+                fake.PROJECT_ID, fake.ACTION2_FAILED_ID),
+            use_admin_context=True)
         self.assertRaises(webob.exc.HTTPInternalServerError,
                           self.controller.disassociate_all, req,
                           fake.ACTION2_FAILED_ID)
+
+    def test_index_no_admin_user(self):
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' %
+                                      fake.PROJECT_ID, use_admin_context=False)
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.controller.index, req)
+
+    def test_create_no_admin_user(self):
+        body = {"qos_specs": {"name": "qos_specs_%s" % fake.QOS_SPEC_ID,
+                              "key1": "value1"}}
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs' %
+                                      fake.PROJECT_ID, use_admin_context=False)
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.controller.create, req, body)
+
+    def test_update_no_admin_user(self):
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' %
+                                      (fake.PROJECT_ID, fake.QOS_SPEC_ID),
+                                      use_admin_context=False)
+        body = {'qos_specs': {'key1': 'value1',
+                              'key2': 'value2'}}
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.controller.update, req, fake.QOS_SPEC_ID, body)
+
+    def test_qos_specs_delete_no_admin_user(self):
+        req = fakes.HTTPRequest.blank('/v2/%s/qos-specs/%s' % (
+            fake.PROJECT_ID, fake.QOS_SPEC_ID), use_admin_context=False)
+        self.assertRaises(exception.PolicyNotAuthorized,
+                          self.controller.delete, req, fake.QOS_SPEC_ID)
diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json
index 3635f808421..a361778a943 100644
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
@@ -63,7 +63,11 @@
     "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
     "volume_extension:volume_type_encryption": "rule:admin_api",
     "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
-    "volume_extension:qos_specs_manage": "",
+    "volume_extension:qos_specs_manage:create": "rule:admin_api",
+    "volume_extension:qos_specs_manage:get": "rule:admin_api",
+    "volume_extension:qos_specs_manage:get_all": "rule:admin_api",
+    "volume_extension:qos_specs_manage:update": "rule:admin_api",
+    "volume_extension:qos_specs_manage:delete": "rule:admin_api",
     "volume_extension:extended_snapshot_attributes": "",
     "volume_extension:volume_image_metadata": "",
     "volume_extension:volume_host_attribute": "rule:admin_api",
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index 86590497bb9..5c3015915ec 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -42,6 +42,12 @@
     "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
     "volume_extension:volume_image_metadata": "rule:admin_or_owner",
 
+    "volume_extension:qos_specs_manage:create": "rule:admin_api",
+    "volume_extension:qos_specs_manage:get": "rule:admin_api",
+    "volume_extension:qos_specs_manage:get_all": "rule:admin_api",
+    "volume_extension:qos_specs_manage:update": "rule:admin_api",
+    "volume_extension:qos_specs_manage:delete": "rule:admin_api",
+
     "volume_extension:quotas:show": "",
     "volume_extension:quotas:update": "rule:admin_api",
     "volume_extension:quotas:delete": "rule:admin_api",