diff --git a/README.md b/README.md
index 28d64e1..f158827 100644
--- a/README.md
+++ b/README.md
@@ -247,6 +247,7 @@ Please refer to the Common cookbook for more attributes.
 * `openstack['identity']['admin_token']` - Admin token for bootstraping keystone server
 * `openstack['identity']['roles']` - Array of roles to create in the keystone server
 * `openstack['identity']['users']` - Array of users to create in the keystone server
+* `openstack['identity']['pastefile_url']` - Specify the URL for a keystone-paste.ini file that will override the default packaged file
 TODO: Add DB2 support on other platforms
 * `openstack['identity']['platform']['db2_python_packages']` - Array of DB2 python packages, only available on redhat platform
 * `openstack['identity']['token']['expiration']` - Token validity time in seconds
diff --git a/attributes/default.rb b/attributes/default.rb
index c5f72bd..750a6ef 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -35,6 +35,9 @@ default['credentials']['EC2']['admin']['secret'] = ''
 default['openstack']['identity']['verbose'] = 'False'
 default['openstack']['identity']['debug'] = 'False'
+# Specify a location to retrieve keystone-paste.ini from
+default['openstack']['identity']['pastefile_url'] = nil
+
 default['openstack']['identity']['region'] = node['openstack']['region']
 default['openstack']['identity']['token']['expiration'] = '86400'
diff --git a/recipes/server.rb b/recipes/server.rb
index 0aabcce..61374b7 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -194,13 +194,16 @@ template '/etc/keystone/keystone.conf' do
 notifies :restart, 'service[keystone]', :delayed
 end
-template '/etc/keystone/keystone-paste.ini' do
- source 'keystone-paste.ini.erb'
- owner node['openstack']['identity']['user']
- group node['openstack']['identity']['group']
- mode 00644
+# If a keystone-paste.ini is specified use it
+if node['openstack']['identity']['pastefile_url']
+ remote_file '/etc/keystone/keystone-paste.ini' do
+ source node['openstack']['identity']['pastefile_url']
+ owner node['openstack']['identity']['user']
+ group node['openstack']['identity']['group']
+ mode 00644
- notifies :restart, 'service[keystone]', :immediately
+ notifies :restart, 'service[keystone]', :immediately
+ end
 end
 # populate the templated catlog, if you're using the templated catalog backend
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
index 18b8a15..b2b8029 100644
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
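Review bot: The new `remote_file '/etc/keystone/keystone-paste.ini'` resource downloads from whatever `pastefile_url` holds with no integrity check, and the spec in this commit exercises it with a plain `http://` URL. This file defines keystone's WSGI pipeline, including the `token_auth` / `admin_token_auth` filters and the Python factories that get loaded, so a tampered or spoofed download changes how authentication is enforced at the `:immediately` restart. Pin the content with `checksum node['openstack']['identity']['pastefile_checksum']` (a new attribute defaulting to nil in attributes/default.rb; the name is only a suggestion), confirm that the Chef version in use rejects a mismatching download rather than only skipping re-downloads, and state in the README entry that the URL should be HTTPS on a trusted host. When the attribute is nil the cookbook no longer manages the file at all, so a comment such as `# keystone-paste.ini is left as packaged unless pastefile_url is set` above the `if` would make that explicit.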
@@ -651,94 +651,26 @@ describe 'openstack-identity::server' do end describe 'keystone-paste.ini' do - let(:paste_file_path) { '/etc/keystone/keystone-paste.ini' } - let(:paste_file_template) { chef_run.template paste_file_path } - it 'has proper owner' do - expect(paste_file_template.owner).to eq('keystone') - expect(paste_file_template.group).to eq('keystone') + it 'does not manage keystone-paste unless specified' do + expect(chef_run).not_to create_remote_file('/etc/keystone/keystone-paste.ini') end - it 'has proper modes' do - expect(sprintf('%o', paste_file_template.mode)).to eq '644' - end + describe 'keystone-paste remote specified' do - it 'contains sections' do - required_sections = %w{filter:debug filter:token_auth - filter:admin_token_auth filter:xml_body - filter:json_body filter:user_crud_extension - filter:crud_extension filter:ec2_extension - filter:oauth_extension filter:s3_extension - filter:endpoint_filter_extension filter:url_normalize - filter:sizelimit filter:stats_monitoring - filter:stats_reporting filter:access_log - app:public_service app:service_v3 - app:admin_service pipeline:public_api - pipeline:admin_api pipeline:api_v3 - app:public_version_service app:admin_version_service - pipeline:public_version_api pipeline:admin_version_api - composite:main composite:admin} - required_sections.each do |section| - expect(chef_run).to render_file(paste_file_path).with_content( - /#{Regexp.quote(section)}/) + before { node.set['openstack']['identity']['pastefile_url'] = 'http://server/mykeystone-paste.ini' } + let(:remote_paste) { chef_run.remote_file('/etc/keystone/keystone-paste.ini') } + + it 'does manage keystone-paste from remote file if specified' do + expect(chef_run).to create_remote_file('/etc/keystone/keystone-paste.ini').with( + user: 'keystone', + group: 'keystone', + mode: 00644) + expect(remote_paste).to notify('service[keystone]').to(:restart) end end - it 'has the correct filter configuration' do - filter_factory_key = 
'paste.filter_factory' - required_filter_factories = %w{keystone.common.wsgi:Debug.factory - keystone.middleware:TokenAuthMiddleware.factory - keystone.middleware:AdminTokenAuthMiddleware.factory - keystone.middleware:XmlBodyMiddleware.factory - keystone.middleware:JsonBodyMiddleware.factory - keystone.contrib.user_crud:CrudExtension.factory - keystone.contrib.admin_crud:CrudExtension.factory - keystone.contrib.ec2:Ec2Extension.factory - keystone.contrib.oauth1.routers:OAuth1Extension.factory - keystone.contrib.s3:S3Extension.factory - keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory - keystone.middleware:NormalizingFilter.factory - keystone.middleware:RequestBodySizeLimiter.factory - keystone.contrib.stats:StatsMiddleware.factory - keystone.contrib.stats:StatsExtension.factory - keystone.contrib.access:AccessLogMiddleware.factory} - required_filter_factories.each do |filter_factory| - r = line_regexp("#{filter_factory_key} = #{filter_factory}") - expect(chef_run).to render_file(paste_file_path).with_content(r) - end - end - - it 'has the correct app configuration' do - app_factory_key = 'paste.app_factory' - required_app_factories = %w{keystone.service:public_app_factory - keystone.service:v3_app_factory - keystone.service:admin_app_factory - keystone.service:public_version_app_factory - keystone.service:admin_version_app_factory} - required_app_factories.each do |app_factory| - r = line_regexp("#{app_factory_key} = #{app_factory}") - expect(chef_run).to render_file(paste_file_path).with_content(r) - end - end - - it 'has the correct pipeline configuration for public_api' do - r = line_regexp('pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service') - expect(chef_run).to render_file(paste_file_path).with_content(r) - end - - it 'has the correct pipeline configuration for admin_api' do - r = line_regexp('pipeline = access_log sizelimit url_normalize 
token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service') - expect(chef_run).to render_file(paste_file_path).with_content(r) - end - - it 'has the correct pipeline configuration for admin_api' do - r = line_regexp('pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service') - expect(chef_run).to render_file(paste_file_path).with_content(r) - end - - it 'notifies keystone restart' do - expect(paste_file_template).to notify('service[keystone]').to(:restart) - end end + end end diff --git a/templates/default/keystone-paste.ini.erb b/templates/default/keystone-paste.ini.erb deleted file mode 100644 index 1df0fb9..0000000 --- a/templates/default/keystone-paste.ini.erb +++ /dev/null 
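Review bot: The new example 'does manage keystone-paste from remote file if specified' never asserts `source`, so the one property that decides where the pipeline file comes from is untested; add `source: 'http://server/mykeystone-paste.ini'` to the `.with(...)` hash. The hash also uses `user:` where the recipe sets `owner`, and `owner: 'keystone'` would read consistently with the resource as written. With the template removed, none of the deleted content checks (required filters, `token_auth` placement in the pipelines) has a replacement, so a short comment in the example group stating that pipeline correctness is now the responsibility of whoever hosts the file would help the next maintainer.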
@@ -1,93 +0,0 @@
-<%= node["openstack"]["identity"]["custom_template_banner"] %>
-
-# keystone PasteDeploy configuration file.
-
-[filter:debug]
-paste.filter_factory = keystone.common.wsgi:Debug.factory
-
-[filter:token_auth]
-paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
-
-[filter:admin_token_auth]
-paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
-
-[filter:xml_body]
-paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
-
-[filter:json_body]
-paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
-
-[filter:user_crud_extension]
-paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
-
-[filter:crud_extension]
-paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
-
-[filter:ec2_extension]
-paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
-
-[filter:oauth_extension]
-paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
-
-[filter:s3_extension]
-paste.filter_factory = keystone.contrib.s3:S3Extension.factory
-
-[filter:endpoint_filter_extension]
-paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
-
-[filter:url_normalize]
-paste.filter_factory = keystone.middleware:NormalizingFilter.factory
-
-[filter:sizelimit]
-paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
-
-[filter:stats_monitoring]
-paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
-
-[filter:stats_reporting]
-paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
-
-[filter:access_log]
-paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
-
-[app:public_service]
-paste.app_factory = keystone.service:public_app_factory
-
-[app:service_v3]
-paste.app_factory = keystone.service:v3_app_factory
-
-[app:admin_service]
-paste.app_factory = keystone.service:admin_app_factory
-
-[pipeline:public_api]
-pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service
-
-[pipeline:admin_api]
-pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
-
-[pipeline:api_v3]
-pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3
-
-[app:public_version_service]
-paste.app_factory = keystone.service:public_version_app_factory
-
-[app:admin_version_service]
-paste.app_factory = keystone.service:admin_version_app_factory
-
-[pipeline:public_version_api]
-pipeline = access_log sizelimit url_normalize xml_body public_version_service
-
-[pipeline:admin_version_api]
-pipeline = access_log sizelimit url_normalize xml_body admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api