diff --git a/playbooks/roles/os_nova/defaults/main.yml b/playbooks/roles/os_nova/defaults/main.yml
index 3e6a39e94d..5a8ab74927 100644
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@@ -65,59 +65,7 @@ nova_keystone_auth_plugin: password ## Nova enabled apis nova_enabled_apis: "osapi_compute,metadata" -## Nova s3 -nova_s3_service_name: s3 -nova_s3_service_type: s3 -nova_s3_service_proto: http -nova_s3_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_s3_service_proto) }}" -nova_s3_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_s3_service_proto) }}" -nova_s3_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_s3_service_proto) }}" -nova_s3_service_port: 3333 -nova_s3_service_description: "S3 Compatibility Layer" -nova_s3_service_publicuri: "{{ nova_s3_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_s3_service_port }}" -nova_s3_service_publicurl: "{{ nova_s3_service_publicuri }}" -nova_s3_service_adminuri: "{{ nova_s3_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_s3_service_port }}" -nova_s3_service_adminurl: "{{ nova_s3_service_adminuri }}" -nova_s3_service_internaluri: "{{ nova_s3_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_s3_service_port }}" -nova_s3_service_internalurl: "{{ nova_s3_service_internaluri }}" -nova_s3_program_name: nova-api-ec2 -nova_s3_deprecated_but_enabled: false - -## Nova v3 -nova_v3_service_name: novav3 -nova_v3_service_type: computev3 -nova_v3_service_proto: http -nova_v3_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_v3_service_proto) }}" -nova_v3_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_v3_service_proto) }}" -nova_v3_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_v3_service_proto) }}" -nova_v3_service_port: 8774 -nova_v3_service_description: "Nova Compute Service V3" -nova_v3_service_publicuri: "{{ nova_v3_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_v3_service_port }}" -nova_v3_service_publicurl: "{{ nova_v3_service_publicuri }}/v3" 
-nova_v3_service_adminuri: "{{ nova_v3_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v3_service_port }}" -nova_v3_service_adminurl: "{{ nova_v3_service_adminuri }}/v3" -nova_v3_service_internaluri: "{{ nova_v3_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v3_service_port }}" -nova_v3_service_internalurl: "{{ nova_v3_service_internaluri }}/v3" -nova_v3_deprecated_but_enabled: false - ## Nova v2.1 -nova_v21_service_name: novav21 -nova_v21_service_type: computev21 -nova_v21_service_proto: http -nova_v21_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_v21_service_proto) }}" -nova_v21_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_v21_service_proto) }}" -nova_v21_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_v21_service_proto) }}" -nova_v21_service_port: 8774 -nova_v21_service_description: "Nova Compute Service V2.1" -nova_v21_service_publicuri: "{{ nova_v21_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_v21_service_port }}" -nova_v21_service_publicurl: "{{ nova_v21_service_publicuri }}/v2.1" -nova_v21_service_adminuri: "{{ nova_v21_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v21_service_port }}" -nova_v21_service_adminurl: "{{ nova_v21_service_adminuri }}/v2.1" -nova_v21_service_internaluri: "{{ nova_v21_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_v21_service_port }}" -nova_v21_service_internalurl: "{{ nova_v21_service_internaluri }}/v2.1" -nova_v21_enabled: true - -## Nova v2 nova_service_name: nova nova_service_type: compute nova_service_proto: http 
@@ -127,33 +75,13 @@ nova_service_internaluri_proto: "{{ openstack_service_internaluri_proto | defaul nova_service_port: 8774 nova_service_description: "Nova Compute Service" nova_service_publicuri: "{{ nova_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_service_port }}" -nova_service_publicurl: "{{ nova_service_publicuri }}/v2/%(tenant_id)s" +nova_service_publicurl: "{{ nova_service_publicuri }}/v2.1/%(tenant_id)s" nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}" -nova_service_adminurl: "{{ nova_service_adminuri }}/v2/%(tenant_id)s" +nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1/%(tenant_id)s" nova_service_internaluri: "{{ nova_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}" -nova_service_internalurl: "{{ nova_service_internaluri }}/v2/%(tenant_id)s" +nova_service_internalurl: "{{ nova_service_internaluri }}/v2.1/%(tenant_id)s" nova_program_name: nova-api-os-compute -## Nova ec2 -# WARNNING: The EC2 api in the nova tree has been deprecated. To consume this API you'll need to -# uncomment the EC2 section found within the nova `api-paste.ini` file. 
-nova_ec2_service_name: ec2 -nova_ec2_service_type: ec2 -nova_ec2_service_proto: http -nova_ec2_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_ec2_service_proto) }}" -nova_ec2_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_ec2_service_proto) }}" -nova_ec2_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(nova_ec2_service_proto) }}" -nova_ec2_service_port: 8773 -nova_ec2_service_description: "EC2 Compatibility Layer" -nova_ec2_service_publicuri: "{{ nova_ec2_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_ec2_service_port }}" -nova_ec2_service_publicurl: "{{ nova_ec2_service_publicuri }}/services/Cloud" -nova_ec2_service_adminuri: "{{ nova_ec2_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_ec2_service_port }}" -nova_ec2_service_adminurl: "{{ nova_ec2_service_adminuri }}/services/Admin" -nova_ec2_service_internaluri: "{{ nova_ec2_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_ec2_service_port }}" -nova_ec2_service_internalurl: "{{ nova_ec2_service_internaluri }}/services/Cloud" -nova_ec2_program_name: nova-api-ec2 -nova_ec2_deprecated_but_enabled: false - ## Nova cinder nova_cross_az_attach: True @@ -283,10 +211,6 @@ nova_ceph_client_uuid: 517a4663-3927-44bc-9ea7-4a90e1cd4c66 # compute the number of api workers to use. # nova_conductor_workers: 16 -# If ``nova_ec2_workers`` is unset the system will use half the number of available VCPUS to -# compute the number of api workers to use. -# nova_ec2_workers: 16 - # If ``nova_metadata_workers`` is unset the system will use half the number of available VCPUS to # compute the number of api workers to use. # nova_metadata_workers: 16 
@@ -309,9 +233,7 @@ nova_service_names: - "{{ nova_metadata_program_name }}" - "{{ nova_cert_program_name }}" - "{{ nova_conductor_program_name }}" - - "{{ nova_s3_program_name }}" - "{{ nova_program_name }}" - - "{{ nova_ec2_program_name }}" - "{{ nova_scheduler_program_name }}" - "{{ nova_compute_program_name }}" - "{{ nova_spice_program_name }}" diff --git a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters index 3e9b7f547c..2a38cca54b 100644 --- a/playbooks/roles/os_nova/files/rootwrap.d/compute.filters +++ b/playbooks/roles/os_nova/files/rootwrap.d/compute.filters @@ -31,6 +31,9 @@ qemu-nbd: CommandFilter, qemu-nbd, root # nova/virt/disk/mount/loop.py: 'losetup', '--detach', device losetup: CommandFilter, losetup, root +# nova/virt/disk/vfs/localfs.py: 'blkid', '-o', 'value', '-s', 'TYPE', device +blkid: CommandFilter, blkid, root + # nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* @@ -45,7 +48,6 @@ mkdir: CommandFilter, mkdir, root # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log # nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk') -# nova/utils.py: 'chown', owner_uid, path chown: CommandFilter, chown, root # nova/virt/disk/vfs/localfs.py: 'chmod' @@ -84,6 +86,12 @@ tunctl: CommandFilter, tunctl, root # nova/network/linux_net.py: 'ovs-vsctl', .... ovs-vsctl: CommandFilter, ovs-vsctl, root +# nova/virt/libvirt/vif.py: 'vrouter-port-control', ... +vrouter-port-control: CommandFilter, vrouter-port-control, root + +# nova/virt/libvirt/vif.py: 'ebrctl', ... +ebrctl: CommandFilter, ebrctl, root + # nova/network/linux_net.py: 'ovs-ofctl', .... ovs-ofctl: CommandFilter, ovs-ofctl, root 
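Review bot: The new `blkid` filter in compute.filters is a bare `CommandFilter`, so rootwrap will run `blkid` as root with any arguments, although the comment above it documents one invocation (`'blkid', '-o', 'value', '-s', 'TYPE', device`). Pinning the filter to that call keeps the root grant to what the caller needs, e.g. `blkid: RegExpFilter, blkid, root, blkid, -o, value, -s, TYPE, /dev/.*`, mirroring the existing `blockdev` filter below it; the device pattern should be confirmed against localfs.py. The same applies to `xend` in the last hunk of this file, whose comment names only `'xend', 'status'`.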
@@ -93,8 +101,8 @@ dd: CommandFilter, dd, root # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... iscsiadm: CommandFilter, iscsiadm, root -# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev -# nova/virt/libvirt/volume.py: 'aoe-discover' +# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev +# nova/virt/libvirt/volume/aoe.py: 'aoe-discover' aoe-revalidate: CommandFilter, aoe-revalidate, root aoe-discover: CommandFilter, aoe-discover, root @@ -154,6 +162,9 @@ brctl: CommandFilter, brctl, root # nova/virt/xenapi/vm_utils.py: 'mkswap' mkswap: CommandFilter, mkswap, root +# nova/virt/libvirt/utils.py: 'nova-idmapshift' +nova-idmapshift: CommandFilter, nova-idmapshift, root + # nova/virt/xenapi/vm_utils.py: 'mkfs' # nova/utils.py: 'mkfs', fs, path, label mkfs: CommandFilter, mkfs, root @@ -164,16 +175,11 @@ qemu-img: CommandFilter, qemu-img, root # nova/virt/disk/vfs/localfs.py: 'readlink', '-e' readlink: CommandFilter, readlink, root -# nova/virt/disk/api.py: 'touch', target -touch: CommandFilter, touch, root - # nova/virt/disk/api.py: mkfs.ext3: CommandFilter, mkfs.ext3, root +mkfs.ext4: CommandFilter, mkfs.ext4, root mkfs.ntfs: CommandFilter, mkfs.ntfs, root -# nova/virt/libvirt/connection.py: -read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi - # nova/virt/libvirt/connection.py: lvremove: CommandFilter, lvremove, root 
@@ -186,24 +192,33 @@ lvs: CommandFilter, lvs, root # nova/virt/libvirt/utils.py: vgs: CommandFilter, vgs, root -# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ... -tgtadm: CommandFilter, tgtadm, root - # nova/utils.py:read_file_as_root: 'cat', file_path # (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file) read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow -# nova/virt/libvirt/volume.py: 'multipath' '-R' +# os-brick needed commands +read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi multipath: CommandFilter, multipath, root - -# nova/virt/libvirt/utils.py: +# multipathd show status +multipathd: CommandFilter, multipathd, root systool: CommandFilter, systool, root - -# nova/virt/libvirt/volume.py: sginfo: CommandFilter, sginfo, root +vgc-cluster: CommandFilter, vgc-cluster, root +# os_brick/initiator/connector.py +drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid + +# TODO(smcginnis) Temporary fix. +# Need to pull in os-brick os-brick.filters file instead and clean +# out stale brick values from this file. +scsi_id: CommandFilter, /lib/udev/scsi_id, root + +# nova/storage/linuxscsi.py: sg_scan device sg_scan: CommandFilter, sg_scan, root -ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.* + +# nova/volume/encryptors/cryptsetup.py: +# nova/volume/encryptors/luks.py: +ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/.*, .* # nova/volume/encryptors.py: # nova/virt/libvirt/dmcrypt.py: 
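Review bot: The rewritten `ln` filter near the end of this hunk is far wider than the one it replaces: the source only has to begin with `/dev/mapper/` and the link path is `.*`, so the nova service account can have root force-create a symlink at any location on the host. Because `--force` replaces an existing entry and `.*` also admits `..` path segments in the source, the grant is no longer limited to device nodes. Both arguments should be anchored to the directories the encryptors use, for example `ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/[^/]+, /dev/disk/by-path/[^/]+`; the destination directory is taken from the removed filter and may need extending for other connector types, so confirm it against cryptsetup.py and luks.py. The `TODO(smcginnis)` comment above says the brick entries here are temporary, so it is worth tracking their removal once the os-brick filters file is pulled in.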
@@ -212,9 +227,6 @@ cryptsetup: CommandFilter, cryptsetup, root # nova/virt/xenapi/vm_utils.py: xenstore-read: CommandFilter, xenstore-read, root -# nova/virt/baremetal/tilera.py: 'rpc.mountd' -rpc.mountd: CommandFilter, rpc.mountd, root - # nova/virt/libvirt/utils.py: rbd: CommandFilter, rbd, root @@ -226,3 +238,9 @@ cp: CommandFilter, cp, root # nova/virt/xenapi/vm_utils.py: sync: CommandFilter, sync, root + +# nova/virt/libvirt/imagebackend.py: +ploop: CommandFilter, ploop, root + +# nova/virt/libvirt/utils.py: 'xend', 'status' +xend: CommandFilter, xend, root diff --git a/playbooks/roles/os_nova/files/rootwrap.d/network.filters b/playbooks/roles/os_nova/files/rootwrap.d/network.filters index 568e8d493c..527ab40c27 100644 --- a/playbooks/roles/os_nova/files/rootwrap.d/network.filters +++ b/playbooks/roles/os_nova/files/rootwrap.d/network.filters @@ -42,9 +42,6 @@ ivs-ctl: CommandFilter, ivs-ctl, root # nova/virt/libvirt/vif.py: 'ifc_ctl', ... ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root -# nova/virt/libvirt/vif.py: 'ebrctl', ... -ebrctl: CommandFilter, ebrctl, root - # nova/virt/libvirt/vif.py: 'mm-ctl', ... mm-ctl: CommandFilter, mm-ctl, root diff --git a/playbooks/roles/os_nova/tasks/nova_service_setup.yml b/playbooks/roles/os_nova/tasks/nova_service_setup.yml index a515eb7f6e..91bef1e012 100644 --- a/playbooks/roles/os_nova/tasks/nova_service_setup.yml +++ b/playbooks/roles/os_nova/tasks/nova_service_setup.yml 
@@ -28,81 +28,3 @@ role_name: "{{ nova_service_role_name }}" tags: - nova-api - - nova-api-v2 - - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_v21_service_name }}" - service_type: "{{ nova_v21_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_v21_service_description }}" - service_password: "{{ nova_v21_service_password }}" - service_publicurl: "{{ nova_v21_service_publicurl }}" - service_internalurl: "{{ nova_v21_service_internalurl }}" - service_adminurl: "{{ nova_v21_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_v21_enabled == true or nova_v21_enabled == 'True' - tags: - - nova-api - - nova-api-v21 - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_v3_service_name }}" - service_type: "{{ nova_v3_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_v3_service_description }}" - service_password: "{{ nova_v3_service_password }}" - service_publicurl: "{{ nova_v3_service_publicurl }}" - service_internalurl: "{{ nova_v3_service_internalurl }}" - service_adminurl: "{{ nova_v3_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_v3_deprecated_but_enabled == true or nova_v3_deprecated_but_enabled == 'True' - tags: - - nova-api - - nova-api-v3 - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_s3_service_name }}" - service_type: "{{ nova_s3_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_s3_service_description }}" - service_password: "{{ nova_s3_service_password }}" - service_publicurl: "{{ 
nova_s3_service_publicurl }}" - service_internalurl: "{{ nova_s3_service_internalurl }}" - service_adminurl: "{{ nova_s3_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_s3_deprecated_but_enabled == true or nova_s3_deprecated_but_enabled == 'True' - tags: - - nova-api - - nova-api-s3 - -- include: nova_service_add.yml - vars: - service_user_name: "{{ nova_service_user_name }}" - service_tenant_name: "{{ nova_service_project_name }}" - service_name: "{{ nova_ec2_service_name }}" - service_type: "{{ nova_ec2_service_type }}" - service_region: "{{ nova_service_region }}" - service_description: "{{ nova_ec2_service_description }}" - service_password: "{{ nova_ec2_service_password }}" - service_publicurl: "{{ nova_ec2_service_publicurl }}" - service_internalurl: "{{ nova_ec2_service_internalurl }}" - service_adminurl: "{{ nova_ec2_service_adminurl }}" - role_name: "{{ nova_service_role_name }}" - when: > - nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True' - tags: - - nova-api - - nova-api-ec2 diff --git a/playbooks/roles/os_nova/tasks/nova_upstart_init.yml b/playbooks/roles/os_nova/tasks/nova_upstart_init.yml index 03a194b8a3..dc9ba0d6b7 100644 --- a/playbooks/roles/os_nova/tasks/nova_upstart_init.yml +++ b/playbooks/roles/os_nova/tasks/nova_upstart_init.yml 
@@ -49,28 +49,6 @@ service_home: "{{ nova_system_home_folder }}" when: inventory_hostname in groups['nova_api_os_compute'] -- include: nova_upstart_common_init.yml - vars: - program_name: "{{ nova_s3_program_name }}" - service_name: "{{ nova_service_name }}" - system_user: "{{ nova_system_user_name }}" - system_group: "{{ nova_system_group_name }}" - service_home: "{{ nova_system_home_folder }}" - when: > - inventory_hostname in groups['nova_api_os_compute'] and - (nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True') - -- include: nova_upstart_common_init.yml - vars: - program_name: "{{ nova_ec2_program_name }}" - service_name: "{{ nova_service_name }}" - system_user: "{{ nova_system_user_name }}" - system_group: "{{ nova_system_group_name }}" - service_home: "{{ nova_system_home_folder }}" - when: > - inventory_hostname in groups['nova_api_os_compute'] and - (nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True') - - include: nova_upstart_common_init.yml vars: program_name: "{{ nova_scheduler_program_name }}" diff --git a/playbooks/roles/os_nova/templates/api-paste.ini.j2 b/playbooks/roles/os_nova/templates/api-paste.ini.j2 index 1a87f0c5a3..b53206c6ad 100644 --- a/playbooks/roles/os_nova/templates/api-paste.ini.j2 +++ b/playbooks/roles/os_nova/templates/api-paste.ini.j2 
@@ -6,53 +6,11 @@ use = egg:Paste#urlmap /: meta [pipeline:meta] -pipeline = ec2faultwrap logrequest metaapp +pipeline = metaapp [app:metaapp] paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory -####### -# EC2 # -####### - -[composite:ec2] -use = egg:Paste#urlmap -/: ec2cloud - -[composite:ec2cloud] -use = call:nova.api.auth:pipeline_factory -noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor -noauth2 = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor -keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor - -[filter:ec2faultwrap] -paste.filter_factory = nova.api.ec2:FaultWrapper.factory - -[filter:logrequest] -paste.filter_factory = nova.api.ec2:RequestLogging.factory - -[filter:ec2lockout] -paste.filter_factory = nova.api.ec2:Lockout.factory - -[filter:ec2keystoneauth] -paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory - -[filter:ec2noauth] -paste.filter_factory = nova.api.ec2:NoAuth.factory - -[filter:cloudrequest] -controller = nova.api.ec2.cloud.CloudController -paste.filter_factory = nova.api.ec2:Requestify.factory - -[filter:authorizer] -paste.filter_factory = nova.api.ec2:Authorizer.factory - -[filter:validator] -paste.filter_factory = nova.api.ec2:Validator.factory - -[app:ec2executor] -paste.app_factory = nova.api.ec2:Executor.factory - ############# # OpenStack # ############# 
@@ -60,32 +18,44 @@ paste.app_factory = nova.api.ec2:Executor.factory [composite:osapi_compute] use = call:nova.api.openstack.urlmap:urlmap_factory /: oscomputeversions -/v1.1: openstack_compute_api_v2 -/v2: openstack_compute_api_v2 +# starting in Liberty the v21 implementation replaces the v2 +# implementation and is suggested that you use it as the default. If +# this causes issues with your clients you can rollback to the +# *frozen* v2 api by commenting out the above stanza and using the +# following instead:: +# /v1.1: openstack_compute_api_legacy_v2 +# /v2: openstack_compute_api_legacy_v2 +# if rolling back to v2 fixes your issue please file a critical bug +# at - https://bugs.launchpad.net/nova/+bugs +# +# v21 is an exactly feature match for v2, except it has more stringent +# input validation on the wsgi surface (prevents fuzzing early on the +# API). It also provides new features via API microversions which are +# opt into for clients. Unaware clients will receive the same frozen +# v2 API feature set, but with some relaxed validation +/v1.1: openstack_compute_api_v21_legacy_v2_compatible +/v2: openstack_compute_api_v21_legacy_v2_compatible /v2.1: openstack_compute_api_v21 -/v3: openstack_compute_api_v3 -[composite:openstack_compute_api_v2] +# NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible +[composite:openstack_compute_api_legacy_v2] use = call:nova.api.auth:pipeline_factory -noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 -noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2 -keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2 -keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2 +noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2 +keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext 
legacy_ratelimit osapi_compute_app_legacy_v2 +keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2 [composite:openstack_compute_api_v21] use = call:nova.api.auth:pipeline_factory_v21 -noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21 noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21 -[composite:openstack_compute_api_v3] +[composite:openstack_compute_api_v21_legacy_v2_compatible] use = call:nova.api.auth:pipeline_factory_v21 -noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 -noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 -keystone = request_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v3 +noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21 +keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21 [filter:request_id] -paste.filter_factory = oslo.middleware:RequestId.factory +paste.filter_factory = oslo_middleware:RequestId.factory [filter:compute_req_id] paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory 
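Review bot: `/v1.1` and `/v2` now map to `openstack_compute_api_v21_legacy_v2_compatible`, whose `noauth2` and `keystone` pipelines contain no rate-limit filter, whereas the removed `openstack_compute_api_v2` pipelines included `ratelimit`. Only the opt-in `openstack_compute_api_legacy_v2` composite keeps `legacy_ratelimit`, so with this template the default compute API has no in-process request throttling. If deployments relied on that, the template should say where limiting is expected instead, e.g. `# NOTE: no ratelimit filter on the v2.1 pipelines; throttle at the load balancer`. Separately, the rollback comment tells the operator to comment out "the above stanza", but the `/v1.1` and `/v2` mappings it means come after the comment, so the wording should read "the stanza below".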
@@ -93,30 +63,24 @@ paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory [filter:faultwrap] paste.filter_factory = nova.api.openstack:FaultWrapper.factory -[filter:noauth] -paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareOld.factory - [filter:noauth2] paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory -[filter:noauth_v3] -paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareV3.factory - -[filter:ratelimit] +[filter:legacy_ratelimit] paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory [filter:sizelimit] -paste.filter_factory = oslo.middleware:RequestBodySizeLimiter.factory +paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory -[app:osapi_compute_app_v2] +[filter:legacy_v2_compatible] +paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory + +[app:osapi_compute_app_legacy_v2] paste.app_factory = nova.api.openstack.compute:APIRouter.factory [app:osapi_compute_app_v21] paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory -[app:osapi_compute_app_v3] -paste.app_factory = nova.api.openstack.compute:APIRouterV3.factory - [pipeline:oscomputeversions] pipeline = faultwrap oscomputeversionapp diff --git a/playbooks/roles/os_nova/templates/nova.conf.j2 b/playbooks/roles/os_nova/templates/nova.conf.j2 index 500db80d62..a7257e63b9 100644 --- a/playbooks/roles/os_nova/templates/nova.conf.j2 +++ b/playbooks/roles/os_nova/templates/nova.conf.j2 
@@ -62,18 +62,10 @@ resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }} # Api's enabled_apis = {{ nova_enabled_apis }} osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }} -{% if nova_ec2_deprecated_but_enabled == true or nova_ec2_deprecated_but_enabled == 'True' %} -ec2_workers = {{ nova_ec2_workers | default(api_threads) }} -ec2_dmz_host = {{ external_lb_vip_address }} -{% endif %} -{% if nova_s3_deprecated_but_enabled == true or nova_s3_deprecated_but_enabled == 'True' %} -s3_port = {{ nova_s3_service_port }} -s3_host = {{ nova_management_address }} -{% endif %} # Rpc all rpc_backend = {{ nova_rpc_backend }} -rpc_thread_pool_size = {{ nova_rpc_thread_pool_size }} +executor_thread_pool_size = {{ nova_rpc_thread_pool_size }} rpc_conn_pool_size = {{ nova_rpc_conn_pool_size }} rpc_response_timeout = {{ nova_rpc_response_timeout }} @@ -162,7 +154,6 @@ port = {{ glance_service_port }} url = {{ neutron_service_adminurl }} region_name = {{ neutron_service_region }} auth_plugin = password -auth_strategy = keystone # Keystone client plugin password option password = {{ neutron_service_password }} # Keystone client plugin username option @@ -183,15 +174,6 @@ manager = nova.conductor.manager.ConductorManager workers = {{ nova_conductor_workers | default(api_threads) }} -[osapi_v3] -# note that this setting enables both the v3 and v2.1 APIs in kilo -{% if nova_v3_deprecated_but_enabled == true or nova_v3_deprecated_but_enabled == 'True' or nova_v21_enabled == true or nova_v21_enabled == 'True' %} -enabled = true -{% else %} -enabled = false -{% endif %} - - [keystone_authtoken] insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ nova_keystone_auth_plugin }} diff --git a/playbooks/roles/os_nova/templates/policy.json.j2 b/playbooks/roles/os_nova/templates/policy.json.j2 index c8464b1f34..5f6023e5c3 100644 --- a/playbooks/roles/os_nova/templates/policy.json.j2 
+++ b/playbooks/roles/os_nova/templates/policy.json.j2 
@@ -9,20 +9,86 @@ "compute:create:attach_network": "", "compute:create:attach_volume": "", "compute:create:forced_host": "is_admin:True", + + "compute:get": "", "compute:get_all": "", - "compute:get_all_tenants": "", + "compute:get_all_tenants": "is_admin:True", + + "compute:update": "", + + "compute:get_instance_metadata": "", + "compute:get_all_instance_metadata": "", + "compute:get_all_instance_system_metadata": "", + "compute:update_instance_metadata": "", + "compute:delete_instance_metadata": "", + + "compute:get_instance_faults": "", + "compute:get_diagnostics": "", + "compute:get_instance_diagnostics": "", + "compute:start": "rule:admin_or_owner", "compute:stop": "rule:admin_or_owner", + + "compute:get_lock": "", + "compute:lock": "", + "compute:unlock": "", "compute:unlock_override": "rule:admin_api", + "compute:get_vnc_console": "", + "compute:get_spice_console": "", + "compute:get_rdp_console": "", + "compute:get_serial_console": "", + "compute:get_mks_console": "", + "compute:get_console_output": "", + + "compute:reset_network": "", + "compute:inject_network_info": "", + "compute:add_fixed_ip": "", + "compute:remove_fixed_ip": "", + + "compute:attach_volume": "", + "compute:detach_volume": "", + "compute:swap_volume": "", + + "compute:attach_interface": "", + "compute:detach_interface": "", + + "compute:set_admin_password": "", + + "compute:rescue": "", + "compute:unrescue": "", + + "compute:suspend": "", + "compute:resume": "", + + "compute:pause": "", + "compute:unpause": "", + "compute:shelve": "", "compute:shelve_offload": "", "compute:unshelve": "", + + "compute:snapshot": "", + "compute:snapshot_volume_backed": "", + "compute:backup": "", + "compute:resize": "", "compute:confirm_resize": "", "compute:revert_resize": "", + "compute:rebuild": "", "compute:reboot": "", + "compute:delete": "rule:admin_or_owner", + "compute:soft_delete": "rule:admin_or_owner", + "compute:force_delete": "rule:admin_or_owner", + + 
"compute:security_groups:add_to_instance": "", + "compute:security_groups:remove_from_instance": "", + + "compute:delete": "", + "compute:soft_delete": "", + "compute:force_delete": "", + "compute:restore": "", "compute:volume_snapshot_create": "", "compute:volume_snapshot_delete": "", @@ -54,6 +120,7 @@ "compute_extension:certificates": "", "compute_extension:cloudpipe": "rule:admin_api", "compute_extension:cloudpipe_update": "rule:admin_api", + "compute_extension:config_drive": "", "compute_extension:console_output": "", "compute_extension:consoles": "", "compute_extension:createserverext": "", @@ -103,6 +170,7 @@ "compute_extension:networks": "rule:admin_api", "compute_extension:networks:view": "", "compute_extension:networks_associate": "rule:admin_api", + "compute_extension:os-tenant-networks": "", "compute_extension:quotas:show": "", "compute_extension:quotas:update": "rule:admin_api", "compute_extension:quotas:delete": "rule:admin_api", 
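Review bot: `compute:delete`, `compute:soft_delete` and `compute:force_delete` are each added twice in this hunk, first as `"rule:admin_or_owner"` and a few lines later as `""`. Duplicate keys are not rejected by most JSON parsers, which typically keep the last value, so the rule that loads would be the empty, unrestricted one and the `admin_or_owner` check would be lost without any error; how the policy loader used here treats duplicates should be confirmed. Drop the second trio (`"compute:delete": ""`, `"compute:soft_delete": ""`, `"compute:force_delete": ""`) so the stricter rule is the one in effect. A duplicate-key check on the rendered policy.json in CI would catch this class of mistake.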
@@ -182,5 +250,239 @@
 "network:create_private_dns_domain": "",
 "network:create_public_dns_domain": "",
 "network:delete_dns_domain": "",
- "network:attach_external_network": "rule:admin_api"
+ "network:attach_external_network": "rule:admin_api",
+ "network:get_vif_by_mac_address": "",
+
+ "os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
+ "os_compute_api:servers:index:get_all_tenants": "is_admin:True",
+ "os_compute_api:servers:confirm_resize": "",
+ "os_compute_api:servers:create": "",
+ "os_compute_api:servers:create:attach_network": "",
+ "os_compute_api:servers:create:attach_volume": "",
+ "os_compute_api:servers:create:forced_host": "rule:admin_api",
+ "os_compute_api:servers:delete": "",
+ "os_compute_api:servers:update": "",
+ "os_compute_api:servers:detail": "",
+ "os_compute_api:servers:index": "",
+ "os_compute_api:servers:reboot": "",
+ "os_compute_api:servers:rebuild": "",
+ "os_compute_api:servers:resize": "",
+ "os_compute_api:servers:revert_resize": "",
+ "os_compute_api:servers:show": "",
+ "os_compute_api:servers:create_image": "",
+ "os_compute_api:servers:create_image:allow_volume_backed": "",
+ "os_compute_api:servers:start": "rule:admin_or_owner",
+ "os_compute_api:servers:stop": "rule:admin_or_owner",
+ "os_compute_api:os-access-ips:discoverable": "",
+ "os_compute_api:os-access-ips": "",
+ "os_compute_api:os-admin-actions": "rule:admin_api",
+ "os_compute_api:os-admin-actions:discoverable": "",
+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
+ "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
+ "os_compute_api:os-admin-password": "",
+ "os_compute_api:os-admin-password:discoverable": "",
+ "os_compute_api:os-aggregates:discoverable": "",
+ "os_compute_api:os-aggregates:index": "rule:admin_api",
+ "os_compute_api:os-aggregates:create": "rule:admin_api",
+ "os_compute_api:os-aggregates:show": "rule:admin_api",
+ "os_compute_api:os-aggregates:update": "rule:admin_api",
+ "os_compute_api:os-aggregates:delete": "rule:admin_api",
+ "os_compute_api:os-aggregates:add_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
+ "os_compute_api:os-agents": "rule:admin_api",
+ "os_compute_api:os-agents:discoverable": "",
+ "os_compute_api:os-attach-interfaces": "",
+ "os_compute_api:os-attach-interfaces:discoverable": "",
+ "os_compute_api:os-baremetal-nodes": "rule:admin_api",
+ "os_compute_api:os-baremetal-nodes:discoverable": "",
+ "os_compute_api:os-block-device-mapping-v1:discoverable": "",
+ "os_compute_api:os-cells": "rule:admin_api",
+ "os_compute_api:os-cells:create": "rule:admin_api",
+ "os_compute_api:os-cells:delete": "rule:admin_api",
+ "os_compute_api:os-cells:update": "rule:admin_api",
+ "os_compute_api:os-cells:sync_instances": "rule:admin_api",
+ "os_compute_api:os-cells:discoverable": "",
+ "os_compute_api:os-certificates:create": "",
+ "os_compute_api:os-certificates:show": "",
+ "os_compute_api:os-certificates:discoverable": "",
+ "os_compute_api:os-cloudpipe": "rule:admin_api",
+ "os_compute_api:os-cloudpipe:discoverable": "",
+ "os_compute_api:os-config-drive": "",
+ "os_compute_api:os-consoles:discoverable": "",
+ "os_compute_api:os-consoles:create": "",
+ "os_compute_api:os-consoles:delete": "",
+ "os_compute_api:os-consoles:index": "",
+ "os_compute_api:os-consoles:show": "",
+ "os_compute_api:os-console-output:discoverable": "",
+ "os_compute_api:os-console-output": "",
+ "os_compute_api:os-remote-consoles": "",
+ "os_compute_api:os-remote-consoles:discoverable": "",
+ "os_compute_api:os-create-backup:discoverable": "",
+ "os_compute_api:os-create-backup": "rule:admin_or_owner",
+ "os_compute_api:os-deferred-delete": "",
+ "os_compute_api:os-deferred-delete:discoverable": "",
+ "os_compute_api:os-disk-config": "",
+ "os_compute_api:os-disk-config:discoverable": "",
+ "os_compute_api:os-evacuate": "rule:admin_api",
+ "os_compute_api:os-evacuate:discoverable": "",
+ "os_compute_api:os-extended-server-attributes": "rule:admin_api",
+ "os_compute_api:os-extended-server-attributes:discoverable": "",
+ "os_compute_api:os-extended-status": "",
+ "os_compute_api:os-extended-status:discoverable": "",
+ "os_compute_api:os-extended-availability-zone": "",
+ "os_compute_api:os-extended-availability-zone:discoverable": "",
+ "os_compute_api:extensions": "",
+ "os_compute_api:extension_info:discoverable": "",
+ "os_compute_api:os-extended-volumes": "",
+ "os_compute_api:os-extended-volumes:discoverable": "",
+ "os_compute_api:os-fixed-ips": "rule:admin_api",
+ "os_compute_api:os-fixed-ips:discoverable": "",
+ "os_compute_api:os-flavor-access": "",
+ "os_compute_api:os-flavor-access:discoverable": "",
+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
+ "os_compute_api:os-flavor-rxtx": "",
+ "os_compute_api:os-flavor-rxtx:discoverable": "",
+ "os_compute_api:flavors:discoverable": "",
+ "os_compute_api:os-flavor-extra-specs:discoverable": "",
+ "os_compute_api:os-flavor-extra-specs:index": "",
+ "os_compute_api:os-flavor-extra-specs:show": "",
+ "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
+ "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
+ "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
+ "os_compute_api:os-flavor-manage:discoverable": "",
+ "os_compute_api:os-flavor-manage": "rule:admin_api",
+ "os_compute_api:os-floating-ip-dns": "",
+ "os_compute_api:os-floating-ip-dns:discoverable": "",
+ "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
+ "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
+ "os_compute_api:os-floating-ip-pools": "",
+ "os_compute_api:os-floating-ip-pools:discoverable": "",
+ "os_compute_api:os-floating-ips": "",
+ "os_compute_api:os-floating-ips:discoverable": "",
+ "os_compute_api:os-floating-ips-bulk": "rule:admin_api",
+ "os_compute_api:os-floating-ips-bulk:discoverable": "",
+ "os_compute_api:os-fping": "",
+ "os_compute_api:os-fping:discoverable": "",
+ "os_compute_api:os-fping:all_tenants": "rule:admin_api",
+ "os_compute_api:os-hide-server-addresses": "is_admin:False",
+ "os_compute_api:os-hide-server-addresses:discoverable": "",
+ "os_compute_api:os-hosts": "rule:admin_api",
+ "os_compute_api:os-hosts:discoverable": "",
+ "os_compute_api:os-hypervisors": "rule:admin_api",
+ "os_compute_api:os-hypervisors:discoverable": "",
+ "os_compute_api:images:discoverable": "",
+ "os_compute_api:image-size": "",
+ "os_compute_api:image-size:discoverable": "",
+ "os_compute_api:os-instance-actions": "",
+ "os_compute_api:os-instance-actions:discoverable": "",
+ "os_compute_api:os-instance-actions:events": "rule:admin_api",
+ "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
+ "os_compute_api:os-instance-usage-audit-log:discoverable": "",
+ "os_compute_api:ips:discoverable": "",
+ "os_compute_api:ips:index": "rule:admin_or_owner",
+ "os_compute_api:ips:show": "rule:admin_or_owner",
+ "os_compute_api:os-keypairs:discoverable": "",
+ "os_compute_api:os-keypairs": "",
+ "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
+ "os_compute_api:limits:discoverable": "",
+ "os_compute_api:limits": "",
+ "os_compute_api:os-lock-server:discoverable": "",
+ "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
+ "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
+ "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
+ "os_compute_api:os-migrate-server:discoverable": "",
+ "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
+ "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
+ "os_compute_api:os-multinic": "",
+ "os_compute_api:os-multinic:discoverable": "",
+ "os_compute_api:os-networks": "rule:admin_api",
+ "os_compute_api:os-networks:view": "",
+ "os_compute_api:os-networks:discoverable": "",
+ "os_compute_api:os-networks-associate": "rule:admin_api",
+ "os_compute_api:os-networks-associate:discoverable": "",
+ "os_compute_api:os-pause-server:discoverable": "",
+ "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
+ "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
+ "os_compute_api:os-pci:pci_servers": "",
+ "os_compute_api:os-pci:discoverable": "",
+ "os_compute_api:os-pci:index": "rule:admin_api",
+ "os_compute_api:os-pci:detail": "rule:admin_api",
+ "os_compute_api:os-pci:show": "rule:admin_api",
+ "os_compute_api:os-personality:discoverable": "",
+ "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
+ "os_compute_api:os-quota-sets:discoverable": "",
+ "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
+ "os_compute_api:os-quota-sets:defaults": "",
+ "os_compute_api:os-quota-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-sets:delete": "rule:admin_api",
+ "os_compute_api:os-quota-sets:detail": "rule:admin_api",
+ "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
+ "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
+ "os_compute_api:os-quota-class-sets:discoverable": "",
+ "os_compute_api:os-rescue": "",
+ "os_compute_api:os-rescue:discoverable": "",
+ "os_compute_api:os-scheduler-hints:discoverable": "",
+ "os_compute_api:os-security-group-default-rules:discoverable": "",
+ "os_compute_api:os-security-group-default-rules": "rule:admin_api",
+ "os_compute_api:os-security-groups": "",
+ "os_compute_api:os-security-groups:discoverable": "",
+ "os_compute_api:os-server-diagnostics": "rule:admin_api",
+ "os_compute_api:os-server-diagnostics:discoverable": "",
+ "os_compute_api:os-server-password": "",
+ "os_compute_api:os-server-password:discoverable": "",
+ "os_compute_api:os-server-usage": "",
+ "os_compute_api:os-server-usage:discoverable": "",
+ "os_compute_api:os-server-groups": "",
+ "os_compute_api:os-server-groups:discoverable": "",
+ "os_compute_api:os-services": "rule:admin_api",
+ "os_compute_api:os-services:discoverable": "",
+ "os_compute_api:server-metadata:discoverable": "",
+ "os_compute_api:server-metadata:index": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:show": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:create": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update": "rule:admin_or_owner",
+ "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
+ "os_compute_api:servers:discoverable": "",
+ "os_compute_api:os-shelve:shelve": "",
+ "os_compute_api:os-shelve:shelve:discoverable": "",
+ "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
+ "os_compute_api:os-simple-tenant-usage:discoverable": "",
+ "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
+ "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
+ "os_compute_api:os-suspend-server:discoverable": "",
+ "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
+ "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
+ "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
+ "os_compute_api:os-tenant-networks:discoverable": "",
+ "os_compute_api:os-shelve:unshelve": "",
+ "os_compute_api:os-user-data:discoverable": "",
+ "os_compute_api:os-virtual-interfaces": "",
+ "os_compute_api:os-virtual-interfaces:discoverable": "",
+ "os_compute_api:os-volumes": "",
+ "os_compute_api:os-volumes:discoverable": "",
+ "os_compute_api:os-volumes-attachments:index": "",
+ "os_compute_api:os-volumes-attachments:show": "",
+ "os_compute_api:os-volumes-attachments:create": "",
+ "os_compute_api:os-volumes-attachments:update": "",
+ "os_compute_api:os-volumes-attachments:delete": "",
+ "os_compute_api:os-volumes-attachments:discoverable": "",
+ "os_compute_api:os-availability-zone:list": "",
+ "os_compute_api:os-availability-zone:discoverable": "",
+ "os_compute_api:os-availability-zone:detail": "rule:admin_api",
+ "os_compute_api:os-used-limits": "rule:admin_api",
+ "os_compute_api:os-used-limits:discoverable": "",
+ "os_compute_api:os-migrations:index": "rule:admin_api",
+ "os_compute_api:os-migrations:discoverable": "",
+ "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
+ "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
+ "os_compute_api:os-assisted-volume-snapshots:discoverable": "",
+ "os_compute_api:os-console-auth-tokens": "rule:admin_api",
+ "os_compute_api:os-server-external-events:create": "rule:admin_api"
 }
diff --git a/playbooks/roles/os_nova/templates/rootwrap.conf.j2 b/playbooks/roles/os_nova/templates/rootwrap.conf.j2
index fb2997abdb..aa466c5d50 100644
--- a/playbooks/roles/os_nova/templates/rootwrap.conf.j2
+++ b/playbooks/roles/os_nova/templates/rootwrap.conf.j2
@@ -17,7 +17,7 @@ exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
 use_syslog=False
 # Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, user0, user1...
+# Valid values include auth, authpriv, syslog, local0, local1...
 # Default value is 'syslog'
 syslog_log_facility=syslog
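Review bot: In the `@@ -182,5 +250,239 @@` hunk `os_compute_api:servers:delete` is `""` while `os_compute_api:servers:start` and `os_compute_api:servers:stop` beside it use `rule:admin_or_owner`, and the legacy `compute:delete` in the first hunk of this file is written as `rule:admin_or_owner`. An empty rule passes for any authenticated caller at the policy layer, so a destructive action then depends entirely on whatever project scoping the service applies elsewhere, which this diff does not show. If the intent matches the legacy names, use `"os_compute_api:servers:delete": "rule:admin_or_owner",` and review `os_compute_api:os-deferred-delete` the same way. If the difference is deliberate, say so in the commit message so the next reader does not take it for an oversight. The `admin_or_owner` rule itself is defined outside the hunk.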