diff --git a/files/apts/keystone b/files/apts/keystone
index 6e6d3d53ab..94479c9251 100644
--- a/files/apts/keystone
+++ b/files/apts/keystone
@@ -12,4 +12,4 @@ python-greenlet
 python-routes
 libldap2-dev
 libsasl2-dev
-
+python-bcrypt
diff --git a/files/default_catalog.templates b/files/default_catalog.templates
new file mode 100644
index 0000000000..b527ae5034
--- /dev/null
+++ b/files/default_catalog.templates
@@ -0,0 +1,30 @@
+# config for TemplatedCatalog, using camelCase because I don't want to do
+# translations for legacy compat
+catalog.RegionOne.identity.publicURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
+catalog.RegionOne.identity.adminURL = http://%SERVICE_HOST%:$(admin_port)s/v2.0
+catalog.RegionOne.identity.internalURL = http://%SERVICE_HOST%:$(public_port)s/v2.0
+catalog.RegionOne.identity.name = 'Identity Service'
+
+
+catalog.RegionOne.compute.publicURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.adminURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.internalURL = http://%SERVICE_HOST%:8774/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.name = 'Compute Service'
+
+
+catalog.RegionOne.ec2.publicURL = http://%SERVICE_HOST%:8773/services/Cloud
+catalog.RegionOne.ec2.adminURL = http://%SERVICE_HOST%:8773/services/Admin
+catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud
+catalog.RegionOne.ec2.name = 'EC2 Service'
+
+
+catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1
+catalog.RegionOne.image.name = 'Image Service'
+
+
+catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
+catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/
+catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_$(tenant_id)s
+catalog.RegionOne.object_store.name = 'Swift Service'
diff --git a/files/keystone.conf b/files/keystone.conf
index 056f16b63f..45044f7631 100644
--- a/files/keystone.conf
+++ b/files/keystone.conf
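Review bot: In files/default_catalog.templates the Swift entries are keyed `catalog.RegionOne.object_store.*`, while files/keystone_data.sh in this same commit registers the service with `--type="object-store"`; if TemplatedCatalog uses that key segment as the service type, clients that look up `object-store` will not find the endpoint. The Swift block is also emitted unconditionally, whereas the matching service-create is guarded by `ENABLED_SERVICES =~ "swift"`, so the catalog advertises port 8080 on hosts that may not run it. Every URL is plain `http://`, so tokens sent to these endpoints travel unencrypted; a header comment such as `# development only: all endpoints are plain HTTP, do not reuse outside a test host` would make that explicit.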
@@ -1,112 +1,92 @@ [DEFAULT] -# Show more verbose log output (sets INFO log level output) -verbose = False - -# Show debugging output in logs (sets DEBUG log level output) -debug = False - -# Which backend store should Keystone use by default. -# Default: 'sqlite' -# Available choices are 'sqlite' [future will include LDAP, PAM, etc] -default_store = sqlite - -# Log to this file. Make sure you do not set the same log -# file for both the API and registry servers! -log_file = %DEST%/keystone/keystone.log - -# List of backends to be configured -backends = keystone.backends.sqlalchemy -#For LDAP support, add: ,keystone.backends.ldap - -# Dictionary Maps every service to a header.Missing services would get header -# X_(SERVICE_NAME) Key => Service Name, Value => Header Name -service_header_mappings = { - 'nova' : 'X-Server-Management-Url', - 'swift' : 'X-Storage-Url', - 'cdn' : 'X-CDN-Management-Url'} - -#List of extensions currently supported -extensions= osksadm,oskscatalog - -# Address to bind the API server -# TODO Properties defined within app not available via pipeline. -service_host = 0.0.0.0 - -# Port the bind the API server to -service_port = 5000 - -# SSL for API server -service_ssl = False - -# Address to bind the Admin API server -admin_host = 0.0.0.0 - -# Port the bind the Admin API server to +public_port = 5000 admin_port = 35357 +admin_token = %SERVICE_TOKEN% +compute_port = 3000 +verbose = True +debug = True +# commented out so devstack logs to stdout +# log_file = %DEST%/keystone/keystone.log -# SSL for API Admin server -admin_ssl = False +# ================= Syslog Options ============================ +# Send logs to syslog (/dev/log) instead of to file specified +# by `log-file` +use_syslog = False -# Keystone certificate file (modify as needed) -# Only required if *_ssl is set to True -certfile = /etc/keystone/ssl/certs/keystone.pem +# Facility to use. If unset defaults to LOG_USER. 
+# syslog_log_facility = LOG_LOCAL0 -# Keystone private key file (modify as needed) -# Only required if *_ssl is set to True -keyfile = /etc/keystone/ssl/private/keystonekey.pem +[sql] +connection = %SQL_CONN% +idle_timeout = 30 +min_pool_size = 5 +max_pool_size = 10 +pool_timeout = 200 -# Keystone trusted CA certificates (modify as needed) -# Only required if *_ssl is set to True -ca_certs = /etc/keystone/ssl/certs/ca.pem +[identity] +driver = keystone.identity.backends.sql.Identity -# Client certificate required -# Only relevant if *_ssl is set to True -cert_required = True +[catalog] +driver = keystone.catalog.backends.templated.TemplatedCatalog +template_file = %KEYSTONE_DIR%/etc/default_catalog.templates -#Role that allows to perform admin operations. -keystone_admin_role = admin +[token] +driver = keystone.token.backends.kvs.Token -#Role that allows to perform service admin operations. -keystone_service_admin_role = KeystoneServiceAdmin +[policy] +driver = keystone.policy.backends.simple.SimpleMatch -#Tells whether password user need to be hashed in the backend -hash_password = True - -[keystone.backends.sqlalchemy] -# SQLAlchemy connection string for the reference implementation registry -# server. Any valid SQLAlchemy connection string is fine. -# See: http://bit.ly/ideIpI -sql_connection = %SQL_CONN% -backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant', - 'User', 'Credentials', 'EndpointTemplates', 'Token', - 'Service'] - -# Period in seconds after which SQLAlchemy should reestablish its connection -# to the database. 
-sql_idle_timeout = 30 - -[pipeline:admin] -pipeline = - urlrewritefilter - admin_api - -[pipeline:keystone-legacy-auth] -pipeline = - urlrewritefilter - legacy_auth - service_api - -[app:service_api] -paste.app_factory = keystone.server:service_app_factory - -[app:admin_api] -paste.app_factory = keystone.server:admin_app_factory - -[filter:urlrewritefilter] -paste.filter_factory = keystone.middleware.url:filter_factory - -[filter:legacy_auth] -paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory +[ec2] +driver = keystone.contrib.ec2.backends.sql.Ec2 [filter:debug] -paste.filter_factory = keystone.common.wsgi:debug_filter_factory +paste.filter_factory = keystone.common.wsgi:Debug.factory + +[filter:token_auth] +paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory + +[filter:admin_token_auth] +paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory + +[filter:json_body] +paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory + +[filter:crud_extension] +paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory + +[filter:ec2_extension] +paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory + +[app:public_service] +paste.app_factory = keystone.service:public_app_factory + +[app:admin_service] +paste.app_factory = keystone.service:admin_app_factory + +[pipeline:public_api] +pipeline = token_auth admin_token_auth json_body debug ec2_extension public_service + +[pipeline:admin_api] +pipeline = token_auth admin_token_auth json_body debug ec2_extension crud_extension admin_service + +[app:public_version_service] +paste.app_factory = keystone.service:public_version_app_factory + +[app:admin_version_service] +paste.app_factory = keystone.service:admin_version_app_factory + +[pipeline:public_version_api] +pipeline = public_version_service + +[pipeline:admin_version_api] +pipeline = admin_version_service + +[composite:main] +use = egg:Paste#urlmap +/v2.0 = public_api +/ = 
public_version_api + +[composite:admin] +use = egg:Paste#urlmap +/v2.0 = admin_api +/ = admin_version_service diff --git a/files/keystone_data.sh b/files/keystone_data.sh index 77f6b93330..408e36d382 100755 --- a/files/keystone_data.sh +++ b/files/keystone_data.sh 
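Review bot: In files/keystone.conf, `admin_token_auth` is listed in `[pipeline:public_api]` as well as `[pipeline:admin_api]`, so the static `admin_token = %SERVICE_TOKEN%` bootstrap secret is presumably honoured on the public port 5000 and not only on 35357. If nothing needs to bootstrap through the public endpoint (the launcher hunk further down points keystone_data.sh at `$KEYSTONE_AUTH_PORT`), the public pipeline could be `pipeline = token_auth json_body debug ec2_extension public_service`. Both pipelines also keep the `debug` filter while `debug = True` and `verbose = True` are set, which looks likely to put request details, possibly including credentials and tokens, into the log; a comment marking these as development defaults would help. Separately, `[composite:admin]` maps `/` to the app `admin_version_service` while `[composite:main]` maps it to the pipeline `public_version_api`, which leaves `[pipeline:admin_version_api]` unused.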
@@ -1,54 +1,91 @@ #!/bin/bash -BIN_DIR=${BIN_DIR:-.} # Tenants -$BIN_DIR/keystone-manage tenant add admin -$BIN_DIR/keystone-manage tenant add demo -$BIN_DIR/keystone-manage tenant add invisible_to_admin +export SERVICE_TOKEN=$SERVICE_TOKEN +export SERVICE_ENDPOINT=$SERVICE_ENDPOINT + +function get_id () { + echo `$@ | grep id | awk '{print $4}'` +} + +ADMIN_TENANT=`get_id keystone tenant-create --name=admin` +DEMO_TENANT=`get_id keystone tenant-create --name=demo` +INVIS_TENANT=`get_id keystone tenant-create --name=invisible_to_admin` + # Users -$BIN_DIR/keystone-manage user add admin %ADMIN_PASSWORD% -$BIN_DIR/keystone-manage user add demo %ADMIN_PASSWORD% +ADMIN_USER=`get_id keystone user-create \ + --name=admin \ + --pass="$ADMIN_PASSWORD" \ + --email=admin@example.com` +DEMO_USER=`get_id keystone user-create \ + --name=demo \ + --pass="$ADMIN_PASSWORD" \ + --email=admin@example.com` # Roles -$BIN_DIR/keystone-manage role add admin -$BIN_DIR/keystone-manage role add Member -$BIN_DIR/keystone-manage role add KeystoneAdmin -$BIN_DIR/keystone-manage role add KeystoneServiceAdmin -$BIN_DIR/keystone-manage role add sysadmin -$BIN_DIR/keystone-manage role add netadmin -$BIN_DIR/keystone-manage role grant admin admin admin -$BIN_DIR/keystone-manage role grant Member demo demo -$BIN_DIR/keystone-manage role grant sysadmin demo demo -$BIN_DIR/keystone-manage role grant netadmin demo demo -$BIN_DIR/keystone-manage role grant Member demo invisible_to_admin -$BIN_DIR/keystone-manage role grant admin admin demo -$BIN_DIR/keystone-manage role grant admin admin -$BIN_DIR/keystone-manage role grant KeystoneAdmin admin -$BIN_DIR/keystone-manage role grant KeystoneServiceAdmin admin +ADMIN_ROLE=`get_id keystone role-create --name=admin` +MEMBER_ROLE=`get_id keystone role-create --name=Member` +KEYSTONEADMIN_ROLE=`get_id keystone role-create --name=KeystoneAdmin` +KEYSTONESERVICE_ROLE=`get_id keystone role-create --name=KeystoneServiceAdmin` +SYSADMIN_ROLE=`get_id keystone 
role-create --name=sysadmin` +NETADMIN_ROLE=`get_id keystone role-create --name=netadmin` + + +# Add Roles to Users in Tenants + +keystone add-user-role $ADMIN_USER $ADMIN_ROLE $ADMIN_TENANT +keystone add-user-role $DEMO_USER $MEMBER_ROLE $DEMO_TENANT +keystone add-user-role $DEMO_USER $SYSADMIN_ROLE $DEMO_TENANT +keystone add-user-role $DEMO_USER $NETADMIN_ROLE $DEMO_TENANT +keystone add-user-role $DEMO_USER $MEMBER_ROLE $INVIS_TENANT +keystone add-user-role $ADMIN_USER $ADMIN_ROLE $DEMO_TENANT + +# TODO(termie): these two might be dubious +keystone add-user-role $ADMIN_USER $KEYSTONEADMIN_ROLE $ADMIN_TENANT +keystone add-user-role $ADMIN_USER $KEYSTONESERVICE_ROLE $ADMIN_TENANT # Services -$BIN_DIR/keystone-manage service add nova compute "Nova Compute Service" -$BIN_DIR/keystone-manage service add ec2 ec2 "EC2 Compatability Layer" -$BIN_DIR/keystone-manage service add glance image "Glance Image Service" -$BIN_DIR/keystone-manage service add keystone identity "Keystone Identity Service" +keystone service-create \ + --name=nova \ + --type=compute \ + --description="Nova Compute Service" + +keystone service-create \ + --name=ec2 \ + --type=ec2 \ + --description="EC2 Compatibility Layer" + +keystone service-create \ + --name=glance \ + --type=image \ + --description="Glance Image Service" + +keystone service-create \ + --name=keystone \ + --type=identity \ + --description="Keystone Identity Service" if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then - $BIN_DIR/keystone-manage service add swift object-store "Swift Service" + keystone service-create \ + --name=swift \ + --type="object-store" \ + --description="Swift Service" fi -#endpointTemplates -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id% http://%SERVICE_HOST%:8774/v1.1/%tenant_id% 1 1 -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne ec2 http://%SERVICE_HOST%:8773/services/Cloud 
http://%SERVICE_HOST%:8773/services/Admin http://%SERVICE_HOST%:8773/services/Cloud 1 1 -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 http://%SERVICE_HOST%:9292/v1 1 1 -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 %KEYSTONE_AUTH_PROTOCOL%://%KEYSTONE_AUTH_HOST%:%KEYSTONE_AUTH_PORT%/v2.0 %KEYSTONE_SERVICE_PROTOCOL%://%KEYSTONE_SERVICE_HOST%:%KEYSTONE_SERVICE_PORT%/v2.0 1 1 -if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then - $BIN_DIR/keystone-manage $* endpointTemplates add RegionOne swift http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% http://%SERVICE_HOST%:8080/ http://%SERVICE_HOST%:8080/v1/AUTH_%tenant_id% 1 1 -fi +# create ec2 creds and parse the secret and access key returned +RESULT=`keystone ec2-create-credentials --tenant_id=$ADMIN_TENANT --user_id=$ADMIN_USER` + echo `$@ | grep id | awk '{print $4}'` +ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'` +ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'` -# Tokens -$BIN_DIR/keystone-manage token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00 -# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD -# but keystone doesn't parse them - it is just a blob from keystone's -# point of view -$BIN_DIR/keystone-manage credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials" -$BIN_DIR/keystone-manage credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials" +RESULT=`keystone ec2-create-credentials --tenant_id=$DEMO_TENANT --user_id=$DEMO_USER` +DEMO_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'` +DEMO_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'` + +# write the secret and access to ec2rc +cat > $DEVSTACK_DIR/ec2rc <> $NOVA_CONF/nova.conf + echo "$1" >> $NOVA_DIR/bin/nova.conf } # 
(re)create nova.conf -rm -f $NOVA_CONF/nova.conf +rm -f $NOVA_DIR/bin/nova.conf add_nova_flag "--verbose" add_nova_flag "--allow_admin_api" add_nova_flag "--scheduler_driver=$SCHEDULER" @@ -1165,7 +1157,7 @@ fi VNCSERVER_LISTEN=${VNCSERVER_LISTEN=127.0.0.1} add_nova_flag "--vncserver_listen=$VNCSERVER_LISTEN" add_nova_flag "--vncserver_proxyclient_address=$VNCSERVER_PROXYCLIENT_ADDRESS" -add_nova_flag "--api_paste_config=$NOVA_CONF/api-paste.ini" +add_nova_flag "--api_paste_config=$NOVA_DIR/bin/nova-api-paste.ini" add_nova_flag "--image_service=nova.image.glance.GlanceImageService" add_nova_flag "--ec2_dmz_host=$EC2_DMZ_HOST" add_nova_flag "--rabbit_host=$RABBIT_HOST" 
@@ -1231,51 +1223,6 @@ if [[ "$ENABLED_SERVICES" =~ "mysql" ]]; then fi -# Keystone -# -------- - -if [[ "$ENABLED_SERVICES" =~ "key" ]]; then - # (re)create keystone database - mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'DROP DATABASE IF EXISTS keystone;' - mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE keystone;' - - # Configure keystone.conf - KEYSTONE_CONF=$KEYSTONE_DIR/etc/keystone.conf - cp $FILES/keystone.conf $KEYSTONE_CONF - sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF - sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF - - # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``. - KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh - cp $FILES/keystone_data.sh $KEYSTONE_DATA - sudo sed -e " - s,%KEYSTONE_AUTH_HOST%,$KEYSTONE_AUTH_HOST,g; - s,%KEYSTONE_AUTH_PORT%,$KEYSTONE_AUTH_PORT,g; - s,%KEYSTONE_AUTH_PROTOCOL%,$KEYSTONE_AUTH_PROTOCOL,g; - s,%KEYSTONE_SERVICE_HOST%,$KEYSTONE_SERVICE_HOST,g; - s,%KEYSTONE_SERVICE_PORT%,$KEYSTONE_SERVICE_PORT,g; - s,%KEYSTONE_SERVICE_PROTOCOL%,$KEYSTONE_SERVICE_PROTOCOL,g; - s,%SERVICE_HOST%,$SERVICE_HOST,g; - s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; - s,%ADMIN_PASSWORD%,$ADMIN_PASSWORD,g; - " -i $KEYSTONE_DATA - - # Prepare up the database - $KEYSTONE_DIR/bin/keystone-manage sync_database - - # initialize keystone with default users/endpoints - ENABLED_SERVICES=$ENABLED_SERVICES BIN_DIR=$KEYSTONE_DIR/bin bash $KEYSTONE_DATA - - if [ "$SYSLOG" != "False" ]; then - sed -i -e '/^handlers=devel$/s/=devel/=production/' \ - $KEYSTONE_DIR/etc/logging.cnf - sed -i -e "/^log_file/s/log_file/\#log_file/" \ - $KEYSTONE_DIR/etc/keystone.conf - KEYSTONE_LOG_CONFIG="--log-config $KEYSTONE_DIR/etc/logging.cnf" - fi -fi - - # Launch Services # =============== 
@@ -1317,16 +1264,54 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then fi fi +if [[ "$ENABLED_SERVICES" =~ "key" ]]; then + # (re)create keystone database + mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'DROP DATABASE IF EXISTS keystone;' + mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE keystone;' + + # Configure keystone.conf + KEYSTONE_CONF=$KEYSTONE_DIR/etc/keystone.conf + cp $FILES/keystone.conf $KEYSTONE_CONF + sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF + sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF + sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF + sudo sed -e "s,%KEYSTONE_DIR%,$KEYSTONE_DIR,g" -i $KEYSTONE_CONF + + KEYSTONE_CATALOG=$KEYSTONE_DIR/etc/default_catalog.templates + cp $FILES/default_catalog.templates $KEYSTONE_CATALOG + sudo sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -i $KEYSTONE_CATALOG + + + if [ "$SYSLOG" != "False" ]; then + cp $KEYSTONE_DIR/etc/logging.conf.sample $KEYSTONE_DIR/etc/logging.conf + sed -i -e '/^handlers=devel$/s/=devel/=production/' \ + $KEYSTONE_DIR/etc/logging.conf + sed -i -e "/^log_file/s/log_file/\#log_file/" \ + $KEYSTONE_DIR/etc/keystone.conf + KEYSTONE_LOG_CONFIG="--log-config $KEYSTONE_DIR/etc/logging.conf" + fi +fi + # launch the keystone and wait for it to answer before continuing if [[ "$ENABLED_SERVICES" =~ "key" ]]; then - screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d" + screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug" echo "Waiting for keystone to start..." - if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT; do sleep 1; done"; then + if ! timeout $SERVICE_TIMEOUT sh -c "while ! 
http_proxy= wget -q -O- $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/; do sleep 1; done"; then echo "keystone did not start" exit 1 fi + + # initialize keystone with default users/endpoints + pushd $KEYSTONE_DIR + $KEYSTONE_DIR/bin/keystone-manage db_sync + popd + + # keystone_data.sh creates services, admin and demo users, and roles. + SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0 + ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=$TOP_DIR ENABLED_SERVICES=$ENABLED_SERVICES bash $FILES/keystone_data.sh fi + # launch the nova-api and wait for it to answer before continuing if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then screen_it n-api "cd $NOVA_DIR && $NOVA_DIR/bin/nova-api" @@ -1459,6 +1444,10 @@ if [[ "$ENABLED_SERVICES" =~ "g-reg" ]]; then # Create a directory for the downloaded image tarballs. mkdir -p $FILES/images + ADMIN_USER=admin + ADMIN_TENANT=admin + TOKEN=`curl -s -d "{\"auth\":{\"passwordCredentials\": {\"username\": \"$ADMIN_USER\", \"password\": \"$ADMIN_PASSWORD\"}, \"tenantName\": \"$ADMIN_TENANT\"}}" -H "Content-type: application/json" http://$HOST_IP:5000/v2.0/tokens | python -c "import sys; import json; tok = json.loads(sys.stdin.read()); print tok['access']['token']['id'];"` + # Option to upload legacy ami-tty, which works with xenserver if [ $UPLOAD_LEGACY_TTY ]; then if [ ! -f $FILES/tty.tgz ]; then 
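Review bot: The new `sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_CONF` line puts the admin token into keystone.conf, which was created by a plain `cp` and so keeps default permissions; adding `chmod 600 $KEYSTONE_CONF` after the substitutions would keep the token away from other local users. Because the token is spliced into the sed program, a value containing `,`, `&` or `\` is written incorrectly or makes sed fail. In the launch block, `keystone-manage db_sync` and `bash $FILES/keystone_data.sh` run without a status check, so a failed sync or bootstrap lets the script continue with an unpopulated identity service; appending `|| { echo "keystone bootstrap failed"; exit 1; }` to each would stop it. The hunk's trailing context is the start of the n-api block, which continues outside the hunk.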
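Review bot: `TOKEN` is used without checking that the request succeeded: if the curl call or the python one-liner fails, `TOKEN` is empty and the unquoted `glance add -A $TOKEN name=...` calls in the two following hunks of this file take the next word as the token. A guard such as `[ -n "$TOKEN" ] || { echo "could not get keystone token"; exit 1; }` right after the assignment, plus quoting `"$TOKEN"`, would fail early. `$ADMIN_PASSWORD` is interpolated into the JSON body unescaped, so a password containing `"` or `\` produces an invalid request, and it is passed via `-d` on curl's command line, where other local users can read it from the process list. The URL hard-codes `http://$HOST_IP:5000` although the keystone wait loop earlier in the file uses `$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT`.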
@@ -1466,11 +1455,11 @@ if [[ "$ENABLED_SERVICES" =~ "g-reg" ]]; then fi tar -zxf $FILES/tty.tgz -C $FILES/images - RVAL=`glance add -A $SERVICE_TOKEN name="tty-kernel" is_public=true container_format=aki disk_format=aki < $FILES/images/aki-tty/image` + RVAL=`glance add -A $TOKEN name="tty-kernel" is_public=true container_format=aki disk_format=aki < $FILES/images/aki-tty/image` KERNEL_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "` - RVAL=`glance add -A $SERVICE_TOKEN name="tty-ramdisk" is_public=true container_format=ari disk_format=ari < $FILES/images/ari-tty/image` + RVAL=`glance add -A $TOKEN name="tty-ramdisk" is_public=true container_format=ari disk_format=ari < $FILES/images/ari-tty/image` RAMDISK_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "` - glance add -A $SERVICE_TOKEN name="tty" is_public=true container_format=ami disk_format=ami kernel_id=$KERNEL_ID ramdisk_id=$RAMDISK_ID < $FILES/images/ami-tty/image + glance add -A $TOKEN name="tty" is_public=true container_format=ami disk_format=ami kernel_id=$KERNEL_ID ramdisk_id=$RAMDISK_ID < $FILES/images/ami-tty/image fi for image_url in ${IMAGE_URLS//,/ }; do 
@@ -1517,14 +1506,14 @@ if [[ "$ENABLED_SERVICES" =~ "g-reg" ]]; then # kernel for use when uploading the root filesystem. KERNEL_ID=""; RAMDISK_ID=""; if [ -n "$KERNEL" ]; then - RVAL=`glance add -A $SERVICE_TOKEN name="$IMAGE_NAME-kernel" is_public=true container_format=aki disk_format=aki < "$KERNEL"` + RVAL=`glance add -A $TOKEN name="$IMAGE_NAME-kernel" is_public=true container_format=aki disk_format=aki < "$KERNEL"` KERNEL_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "` fi if [ -n "$RAMDISK" ]; then - RVAL=`glance add -A $SERVICE_TOKEN name="$IMAGE_NAME-ramdisk" is_public=true container_format=ari disk_format=ari < "$RAMDISK"` + RVAL=`glance add -A $TOKEN name="$IMAGE_NAME-ramdisk" is_public=true container_format=ari disk_format=ari < "$RAMDISK"` RAMDISK_ID=`echo $RVAL | cut -d":" -f2 | tr -d " "` fi - glance add -A $SERVICE_TOKEN name="${IMAGE_NAME%.img}" is_public=true container_format=ami disk_format=ami ${KERNEL_ID:+kernel_id=$KERNEL_ID} ${RAMDISK_ID:+ramdisk_id=$RAMDISK_ID} < <(zcat --force "${IMAGE}") + glance add -A $TOKEN name="${IMAGE_NAME%.img}" is_public=true container_format=ami disk_format=ami ${KERNEL_ID:+kernel_id=$KERNEL_ID} ${RAMDISK_ID:+ramdisk_id=$RAMDISK_ID} < <(zcat --force "${IMAGE}") done fi diff --git a/stackrc b/stackrc index e87b3cde8f..2274e6241a 100644 --- a/stackrc +++ b/stackrc @@ -16,7 +16,7 @@ GLANCE_BRANCH=master # unified auth system (manages accounts/tokens) KEYSTONE_REPO=https://github.com/openstack/keystone.git -KEYSTONE_BRANCH=master +KEYSTONE_BRANCH=redux # a websockets/html5 or flash powered VNC console for vm instances NOVNC_REPO=https://github.com/cloudbuilders/noVNC.git @@ -76,6 +76,11 @@ case "$LIBVIRT_TYPE" in IMAGE_URLS="http://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-uec.tar.gz";; esac +# use stored ec2 env variables +if [ -f ./ec2rc ]; then + source ./ec2rc +fi + # allow local overrides of env variables if [ -f ./localrc ]; then source ./localrc
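Review bot: `source ./ec2rc` in stackrc executes whatever is in that file as shell, and the file carries the EC2 access and secret keys that files/keystone_data.sh writes to `$DEVSTACK_DIR/ec2rc`; the block has no comment saying who creates it or that it holds secrets. I would add `# ec2rc is generated by files/keystone_data.sh and holds EC2 credentials; keep it private (mode 0600)` above the test. The path is relative to the current directory rather than to the directory of stackrc, which matches the existing `./localrc` block but means a different working directory picks up a different file or none. Since the keystone database is dropped and recreated on each run, the values sourced here at the start of a run are presumably those of the previous deployment until the file is rewritten.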