Do not run neutron-ns-metadata-proxy as root on L3 agent

neutron-ns-metadata-proxy permissions should be reduced as much as possible because it is reachable from VMs. Two new options metadata_proxy_user and metadata_proxy_group allow defining the user/group now.

Change-Id: I29e6349867af876d822931d6f68ce9b6f0b51150
Closes-Bug: #1407806
This commit is contained in:
Alexander Adamov
2015-02-19 11:53:43 +02:00
committed by Lana Brindley
parent 46962ea4e4
commit c2ad344b5e


@@ -116,6 +116,15 @@ Load-Balancer-as-a-Service related settings.</para>
<para>Previously, neutron metadata agent connected to a neutron server via REST API using a neutron client. This is ineffective because keystone is then fully involved into the authentication process and gets overloaded.</para>
<para>The neutron metadata agent has been reworked to use RPC by default to connect to a server since Kilo release. This is a typical way of interacting between neutron server and its agents. If neutron server does not support metadata RPC then neutron client will be used.</para>
</note>
<warning>
<para>Do not run the <literal>neutron-ns-metadata-proxy</literal> proxy
namespace as root on a node with the L3 agent running. In OpenStack Kilo
and newer, you can change the permissions of
<literal>neutron-ns-metadata-proxy</literal> after the proxy installation
using the <option>metadata_proxy_user</option> and
<option>metadata_proxy_group</option> options.</para>
</warning>
</section>
<section xml:id="networking-options-metering_agent">
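Review bot: the wording of the new warning is misleading in two places. "Do not run the neutron-ns-metadata-proxy proxy namespace as root" reads as if a namespace is being run; it is the proxy process that should not run as root, so "proxy namespace" should be "proxy". Likewise "change the permissions of neutron-ns-metadata-proxy after the proxy installation" suggests a one-off post-install step, whereas metadata_proxy_user and metadata_proxy_group are L3 agent configuration options that control which user and group the agent spawns the proxy as; suggest "set the metadata_proxy_user and metadata_proxy_group options in the L3 agent configuration so that the agent starts the proxy as an unprivileged user." The rationale from the commit message, that the proxy is reachable from instances, is exactly what a reader needs to judge the risk and should be stated in the warning.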