diff --git a/doc/source/configuring.rst b/doc/source/configuring.rst
index 47fc39b88c..a692027815 100644
--- a/doc/source/configuring.rst
+++ b/doc/source/configuring.rst
@@ -277,10 +277,21 @@ Optional. Default: ``600``.
 The period of time, in seconds, that the API server will wait for a registry
 request to complete. A value of '0' implies no timeout.
 
+.. note::
+   ``use_user_token``, ``admin_user``, ``admin_password``,
+   ``admin_tenant_name``, ``auth_url``, ``auth_strategy`` and ``auth_region``
+   options were considered harmful and have been deprecated in M release.
+   They will be removed in O release. For more information read
+   `OSSN-0060 <https://wiki.openstack.org/wiki/OSSN/OSSN-0060>`_.
+   Related functionality with uploading big images has been implemented with
+   Keystone trusts support.
+
 * ``use_user_token=True``
 
 Optional. Default: True
 
+DEPRECATED. This option will be removed in O release.
+
 Pass the user token through for API requests to the registry.
 
 If 'use_user_token' is not in effect then admin credentials can be
@@ -288,11 +299,10 @@ specified (see below). If admin credentials are specified then they are
 used to generate a token; this token rather than the original user's
 token is used for requests to the registry.
 
-To prevent failures with token expiration during big files upload,
-it is recommended to set this parameter to False.
-
 * ``admin_user=USER``
 
+DEPRECATED. This option will be removed in O release.
+
 If 'use_user_token' is not in effect then admin credentials can be
 specified. Use this parameter to specify the username.
 
@@ -300,6 +310,8 @@ Optional. Default: None
 
 * ``admin_password=PASSWORD``
 
+DEPRECATED. This option will be removed in O release.
+
 If 'use_user_token' is not in effect then admin credentials can be
 specified. Use this parameter to specify the password.
 
@@ -307,6 +319,8 @@ Optional. Default: None
 
 * ``admin_tenant_name=TENANTNAME``
 
+DEPRECATED. This option will be removed in O release.
+
 If 'use_user_token' is not in effect then admin credentials can be
 specified. Use this parameter to specify the tenant name.
 
@@ -314,6 +328,8 @@ Optional. Default: None
 
 * ``auth_url=URL``
 
+DEPRECATED. This option will be removed in O release.
+
 If 'use_user_token' is not in effect then admin credentials can be
 specified. Use this parameter to specify the Keystone endpoint.
 
@@ -321,13 +337,17 @@ Optional. Default: None
 
 * ``auth_strategy=STRATEGY``
 
+DEPRECATED. This option will be removed in O release.
+
 If 'use_user_token' is not in effect then admin credentials can be
 specified. Use this parameter to specify the auth strategy.
 
-Optional. Default: keystone
+Optional. Default: noauth
 
 * ``auth_region=REGION``
 
+DEPRECATED. This option will be removed in O release.
+
 If 'use_user_token' is not in effect then admin credentials can be
 specified. Use this parameter to specify the region.
 
diff --git a/etc/glance-api.conf b/etc/glance-api.conf
index dc773badaa..811feb566b 100644
--- a/etc/glance-api.conf
+++ b/etc/glance-api.conf
@@ -252,33 +252,75 @@
 # upload, it is recommended to set this parameter to False.If
 # "use_user_token" is not in effect, then admin credentials can be
 # specified. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #use_user_token = true
 
 # The administrators user name. If "use_user_token" is not in effect,
 # then admin credentials can be specified. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #admin_user = <None>
 
 # The administrators password. If "use_user_token" is not in effect,
 # then admin credentials can be specified. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #admin_password = <None>
 
 # The tenant name of the administrative user. If "use_user_token" is
 # not in effect, then admin tenant name can be specified. (string
 # value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #admin_tenant_name = <None>
 
 # The URL to the keystone service. If "use_user_token" is not in
 # effect and using keystone auth, then URL of keystone can be
 # specified. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #auth_url = <None>
 
 # The strategy to use for authentication. If "use_user_token" is not
 # in effect, then auth strategy can be specified. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #auth_strategy = noauth
 
 # The region for the authentication service. If "use_user_token" is
 # not in effect and using keystone auth, then region name can be
 # specified. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This option was considered harmful and has been deprecated
+# in M release. It will be removed in O release. For more information
+# read OSSN-0060. Related functionality with uploading big images has
+# been implemented with Keystone trusts support.
 #auth_region = <None>
 
 # The protocol to use for communication with the registry server.
diff --git a/glance/registry/client/__init__.py b/glance/registry/client/__init__.py
index 9e4b99a0c0..32dcf20a2d 100644
--- a/glance/registry/client/__init__.py
+++ b/glance/registry/client/__init__.py
@@ -51,8 +51,17 @@ registry_client_opts = [
                       'value of 0 implies no timeout.')),
 ]
 
+_DEPRECATE_USE_USER_TOKEN_MSG = ('This option was considered harmful and '
+                                 'has been deprecated in M release. It will '
+                                 'be removed in O release. For more '
+                                 'information read OSSN-0060. '
+                                 'Related functionality with uploading big '
+                                 'images has been implemented with Keystone '
+                                 'trusts support.')
+
 registry_client_ctx_opts = [
-    cfg.BoolOpt('use_user_token', default=True,
+    cfg.BoolOpt('use_user_token', default=True, deprecated_for_removal=True,
+                deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                 help=_('Whether to pass through the user token when '
                        'making requests to the registry. To prevent '
                        'failures with token expiration during big '
@@ -60,28 +69,34 @@ registry_client_ctx_opts = [
                        'parameter to False.'
                        'If "use_user_token" is not in effect, then '
                        'admin credentials can be specified.')),
-    cfg.StrOpt('admin_user', secret=True,
+    cfg.StrOpt('admin_user', secret=True, deprecated_for_removal=True,
+               deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                help=_('The administrators user name. '
                       'If "use_user_token" is not in effect, then '
                       'admin credentials can be specified.')),
-    cfg.StrOpt('admin_password', secret=True,
+    cfg.StrOpt('admin_password', secret=True, deprecated_for_removal=True,
+               deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                help=_('The administrators password. '
                       'If "use_user_token" is not in effect, then '
                       'admin credentials can be specified.')),
-    cfg.StrOpt('admin_tenant_name', secret=True,
+    cfg.StrOpt('admin_tenant_name', secret=True, deprecated_for_removal=True,
+               deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                help=_('The tenant name of the administrative user. '
                       'If "use_user_token" is not in effect, then '
                       'admin tenant name can be specified.')),
-    cfg.StrOpt('auth_url',
+    cfg.StrOpt('auth_url', deprecated_for_removal=True,
+               deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                help=_('The URL to the keystone service. '
                       'If "use_user_token" is not in effect and '
                       'using keystone auth, then URL of keystone '
                       'can be specified.')),
-    cfg.StrOpt('auth_strategy', default='noauth',
+    cfg.StrOpt('auth_strategy', default='noauth', deprecated_for_removal=True,
+               deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                help=_('The strategy to use for authentication. '
                       'If "use_user_token" is not in effect, then '
                       'auth strategy can be specified.')),
-    cfg.StrOpt('auth_region',
+    cfg.StrOpt('auth_region', deprecated_for_removal=True,
+               deprecated_reason=_DEPRECATE_USE_USER_TOKEN_MSG,
                help=_('The region for the authentication service. '
                       'If "use_user_token" is not in effect and '
                       'using keystone auth, then region name can '
diff --git a/glance/tests/functional/__init__.py b/glance/tests/functional/__init__.py
index f17d89f169..fd122d0e75 100644
--- a/glance/tests/functional/__init__.py
+++ b/glance/tests/functional/__init__.py
@@ -87,7 +87,7 @@ class Server(object):
         self.process_pid = None
         self.server_module = None
         self.stop_kill = False
-        self.use_user_token = False
+        self.use_user_token = True
         self.send_identity_credentials = False
 
     def write_conf(self, **kwargs):
diff --git a/releasenotes/notes/deprecate-glance-api-opts-23bdbd1ad7625999.yaml b/releasenotes/notes/deprecate-glance-api-opts-23bdbd1ad7625999.yaml
new file mode 100644
index 0000000000..b213b0e0ea
--- /dev/null
+++ b/releasenotes/notes/deprecate-glance-api-opts-23bdbd1ad7625999.yaml
@@ -0,0 +1,8 @@
+---
+deprecations:
+
+  - The use_user_token, admin_user, admin_password, admin_tenant_name,
+    auth_url, auth_strategy and auth_region options in the [DEFAULT]
+    configuration section in glance-api.conf are deprecated, and will
+    be removed in the O release.
+    See https://wiki.openstack.org/wiki/OSSN/OSSN-0060