diff --git a/files/api-paste.ini b/files/api-paste.ini index 31a49e9..a0b48fe 100644 --- a/files/api-paste.ini +++ b/files/api-paste.ini @@ -1,6 +1,7 @@ + # heat-api pipeline [pipeline:heat-api] -pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app +pipeline = request_id faultwrap ssl versionnegotiation osprofiler authurl authtoken context apiv1app # heat-api pipeline for standalone heat # ie. uses alternative auth backend that authenticates users against keystone @@ -11,7 +12,7 @@ pipeline = faultwrap ssl versionnegotiation authurl authtoken context apiv1app # flavor = standalone # [pipeline:heat-api-standalone] -pipeline = faultwrap ssl versionnegotiation authurl authpassword context apiv1app +pipeline = request_id faultwrap ssl versionnegotiation authurl authpassword context apiv1app # heat-api pipeline for custom cloud backends # i.e. in heat.conf: @@ -19,11 +20,11 @@ pipeline = faultwrap ssl versionnegotiation authurl authpassword context apiv1ap # flavor = custombackend # [pipeline:heat-api-custombackend] -pipeline = faultwrap versionnegotiation context custombackendauth apiv1app +pipeline = request_id faultwrap versionnegotiation context custombackendauth apiv1app # heat-api-cfn pipeline [pipeline:heat-api-cfn] -pipeline = cfnversionnegotiation ec2authtoken authtoken context apicfnv1app +pipeline = cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app # heat-api-cfn pipeline for standalone heat # relies exclusively on authenticating with ec2 signed requests @@ -32,7 +33,7 @@ pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app # heat-api-cloudwatch pipeline [pipeline:heat-api-cloudwatch] -pipeline = versionnegotiation ec2authtoken authtoken context apicwapp +pipeline = versionnegotiation osprofiler ec2authtoken authtoken context apicwapp # heat-api-cloudwatch pipeline for standalone heat # relies exclusively on authenticating with ec2 signed requests 
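Review bot: The heat-api-cfn and heat-api-cloudwatch pipelines (third and fourth hunks of this file) gain osprofiler but not request_id, while the three heat-api pipelines in the first three hunks all get request_id at the head, so responses from the CFN and CloudWatch endpoints will not carry the x-openstack-request-id header the new filter exists to set. If the asymmetry is deliberate because this file tracks upstream heat's api-paste.ini, a comment line above `[pipeline:heat-api-cfn]` saying so would stop the next editor from "fixing" it; otherwise prepend the filter, e.g. `pipeline = request_id cfnversionnegotiation osprofiler ec2authtoken authtoken context apicfnv1app`, and likewise for the cloudwatch pipeline. The [filter:request_id] and [filter:osprofiler] sections these pipelines reference are defined in the last hunk of the same file.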
@@ -92,3 +93,12 @@ paste.filter_factory = heat.common.auth_password:filter_factory # Auth middleware that validates against custom backend [filter:custombackendauth] paste.filter_factory = heat.common.custom_backend_auth:filter_factory + +# Middleware to set x-openstack-request-id in http response header +[filter:request_id] +paste.filter_factory = oslo.middleware.request_id:RequestId.factory + +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = SECRET_KEY +enabled = yes diff --git a/files/policy.json b/files/policy.json index e3e8822..54c845b 100644 --- a/files/policy.json +++ b/files/policy.json @@ -8,6 +8,7 @@ "cloudformation:DescribeStacks": "rule:deny_stack_user", "cloudformation:DeleteStack": "rule:deny_stack_user", "cloudformation:UpdateStack": "rule:deny_stack_user", + "cloudformation:CancelUpdateStack": "rule:deny_stack_user", "cloudformation:DescribeStackEvents": "rule:deny_stack_user", "cloudformation:ValidateTemplate": "rule:deny_stack_user", "cloudformation:GetTemplate": "rule:deny_stack_user", @@ -50,7 +51,13 @@ "stacks:show": "rule:deny_stack_user", "stacks:template": "rule:deny_stack_user", "stacks:update": "rule:deny_stack_user", + "stacks:update_patch": "rule:deny_stack_user", "stacks:validate_template": "rule:deny_stack_user", + "stacks:snapshot": "rule:deny_stack_user", + "stacks:show_snapshot": "rule:deny_stack_user", + "stacks:delete_snapshot": "rule:deny_stack_user", + "stacks:list_snapshots": "rule:deny_stack_user", + "stacks:restore_snapshot": "rule:deny_stack_user", "software_configs:create": "rule:deny_stack_user", "software_configs:show": "rule:deny_stack_user", @@ -60,5 +67,7 @@ "software_deployments:show": "rule:deny_stack_user", "software_deployments:update": "rule:deny_stack_user", "software_deployments:delete": "rule:deny_stack_user", - "software_deployments:metadata": "" + "software_deployments:metadata": "", + + "service:index": "rule:context_is_admin" } 
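Review bot: `hmac_keys = SECRET_KEY` in the new [filter:osprofiler] section is a literal placeholder, and because files/api-paste.ini is shipped as a static file rather than a template it will be deployed verbatim on every host together with `enabled = yes`. The HMAC key is what the profiler middleware uses to decide whether to honour a trace request, so a shared, well-known value provides no protection; render it from a role variable the way templates/heat.conf.j2 renders rabbitmq_password, or ship the filter with `enabled = false` until a per-deployment key is supplied. Depending on the osprofiler release, the `enabled` value may be handed to the middleware as a raw string, in which case any non-empty value (including "no") is truthy — worth confirming against the version being installed. A one-line comment above the section stating that the key must be overridden before the profiler is switched on would also help whoever copies this file.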
diff --git a/tasks/heat_pre_install.yml b/tasks/heat_pre_install.yml index bc0835c..3e8bc7e 100644 --- a/tasks/heat_pre_install.yml +++ b/tasks/heat_pre_install.yml @@ -39,12 +39,13 @@ state: directory owner: "{{ item.owner|default(heat_system_user_name) }}" group: "{{ item.group|default(heat_system_group_name) }}" + mode: "{{ item.mode|default('0755') }}" with_items: - { path: "/etc/heat" } - { path: "/etc/heat/environment.d" } - { path: "/etc/heat/templates" } - - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - - { path: "/var/cache/heat" } + - { path: "/etc/sudoers.d", owner: "root", group: "root" } + - { path: "/var/cache/heat", mode: "0700" } - { path: "{{ heat_system_home_folder }}" } tags: - heat-dirs diff --git a/templates/heat.conf.j2 b/templates/heat.conf.j2 index 49808cb..d667d72 100644 --- a/templates/heat.conf.j2 +++ b/templates/heat.conf.j2 @@ -19,18 +19,9 @@ heat_watch_server_url = {{ heat_watch_server_url }} heat_waitcondition_server_url = {{ heat_waitcondition_server_url }} heat_metadata_server_url = {{ heat_metadata_server_url }} - ## RPC Backend rpc_backend = {{ heat_rpc_backend }} - -## RabbitMQ -rabbit_port = {{ rabbitmq_port }} -rabbit_userid = {{ rabbitmq_userid }} -rabbit_password = {{ rabbitmq_password }} -rabbit_hosts = {{ rabbitmq_servers }} - - ## Plugin dirs plugin_dirs = {{ heat_plugin_dirs | join(',') }} @@ -80,6 +71,14 @@ bind_port = {{ heat_cfn_service_port }} [heat_api_cloudwatch] bind_port = {{ heat_watch_port }} + +[oslo_messaging_rabbit] +rabbit_port = {{ rabbitmq_port }} +rabbit_userid = {{ rabbitmq_userid }} +rabbit_password = {{ rabbitmq_password }} +rabbit_hosts = {{ rabbitmq_servers }} + + [keystone_authtoken] signing_dir = /var/cache/heat identity_uri = {{ keystone_service_adminuri }}
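Review bot: The explicit `mode: "0750"` is removed from the /etc/sudoers.d item, so that directory now falls through to the new `default('0755')` and is widened from group-only to world-readable; nothing in the hunk says this loosening is intended. If the old permission was the goal, keep it on the item: `- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }`. Note also that the task now stamps a mode onto every listed directory on each run, including distro-owned ones such as /etc/sudoers.d, so any permissions the package sets will be overridden — if that is undesirable, omit `mode` for that item instead of defaulting it. The enclosing task begins above the hunk (presumably the `file` module, given `state: directory`), so its name and any conditionals are not visible here.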
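Review bot: The new [oslo_messaging_rabbit] section in the second heat.conf.j2 hunk still renders rabbit_password in clear text, so the task that writes heat.conf must keep the file readable only by the heat service user; that task is not part of this diff and is worth checking alongside this change. Moving the rabbit_* keys out of [DEFAULT] is only correct if the oslo.messaging release being deployed reads [oslo_messaging_rabbit] — if I recall correctly, older releases honour only the [DEFAULT] keys removed in the first hunk, which would leave heat unable to reach RabbitMQ. As a point of style, the block ends with two `+` blank lines, giving the rendered file a double blank line before [keystone_authtoken] where the rest of the template uses one; drop one of them.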