diff --git a/manifests/db/sync.pp b/manifests/db/sync.pp index fd966568d..d516b49f4 100644 --- a/manifests/db/sync.pp +++ b/manifests/db/sync.pp @@ -10,16 +10,21 @@ # 'db_sync' in the command line. # Defaults to '' # +# [*keystone_user*] +# (optional) Specify the keystone system user to be used with keystone-manage. +# Defaults to $::keystone::params::keystone_user +# class keystone::db::sync( - $extra_params = undef, -) { + $extra_params = undef, + $keystone_user = $::keystone::params::keystone_user, +) inherits keystone::params { include ::keystone::deps exec { 'keystone-manage db_sync': command => "keystone-manage ${extra_params} db_sync", path => '/usr/bin', - user => 'keystone', + user => $keystone_user, refreshonly => true, subscribe => [ Anchor['keystone::install::end'], diff --git a/manifests/init.pp b/manifests/init.pp index dbc0715cf..b181a0a61 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -497,11 +497,11 @@ # # [*keystone_user*] # (optional) Specify the keystone system user to be used with keystone-manage. -# Defaults to 'keystone' +# Defaults to $::keystone::params::keystone_user # # [*keystone_group*] # (optional) Specify the keystone system group to be used with keystone-manage. -# Defaults to 'keystone' +# Defaults to $::keystone::params::keystone_group # # [*manage_policyrcd*] # (optional) Whether to manage the policy-rc.d on debian based systems to @@ -935,6 +935,7 @@ class keystone( exec { 'keystone-manage pki_setup': command => "keystone-manage pki_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}", path => '/usr/bin', + user => $keystone_user, refreshonly => true, creates => $signing_keyfile, notify => Anchor['keystone::service::begin'], 
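Review bot: The `user => $keystone_user` added to `exec { 'keystone-manage pki_setup': ... }` means the directories that receive `$signing_keyfile` and the CA/cert files must already be writable by that user, and unlike the fernet hunk in this commit nothing here ensures that; if those directories are not managed elsewhere in init.pp (outside this hunk) the exec will now fail with a permission error where it previously ran as root. Consider a `file` resource for the directory holding `$signing_keyfile` with `owner => $keystone_user`, `group => $keystone_group` and `mode => '0700'`, and a matching `require => File[...]` on the exec, mirroring what the fernet_setup change does with its repository. The enclosing `class keystone(` starts and ends outside this hunk.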
@@ -1040,13 +1041,22 @@ class keystone( # Fernet tokens support if $enable_fernet_setup { validate_string($fernet_key_repository) + ensure_resource('file', $fernet_key_repository, { + ensure => 'directory', + owner => $keystone_user, + group => $keystone_group, + subscribe => Anchor['keystone::install::end'], + }) + exec { 'keystone-manage fernet_setup': command => "keystone-manage fernet_setup --keystone-user ${keystone_user} --keystone-group ${keystone_group}", path => '/usr/bin', + user => $keystone_user, refreshonly => true, creates => "${fernet_key_repository}/0", notify => Anchor['keystone::service::begin'], subscribe => [Anchor['keystone::install::end'], Anchor['keystone::config::end']], + require => File[$fernet_key_repository], tag => 'keystone-exec', } } @@ -1102,6 +1112,7 @@ class keystone( # and is only run once, so we don't need to notify the service exec { 'keystone-manage bootstrap': command => "keystone-manage bootstrap --bootstrap-password ${admin_token}", + user => $keystone_user, path => '/usr/bin', refreshonly => true, notify => Anchor['keystone::service::begin'], @@ -1120,8 +1131,8 @@ class keystone( if (!defined(File[$domain_config_directory])) { file { $domain_config_directory: ensure => directory, - owner => 'keystone', - group => 'keystone', + owner => $keystone_user, + group => $keystone_group, mode => '0750', notify => Service[$service_name], require => Anchor['keystone::install::end'], diff --git a/releasenotes/notes/changes_around_keystone_manage_commands-5bbf256bb24c0a81.yaml b/releasenotes/notes/changes_around_keystone_manage_commands-5bbf256bb24c0a81.yaml new file mode 100644 index 000000000..0684e7153 --- /dev/null +++ b/releasenotes/notes/changes_around_keystone_manage_commands-5bbf256bb24c0a81.yaml @@ -0,0 +1,3 @@ +--- +upgrade: + - All keystone-manage execs are performed now only by keystone user. diff --git a/spec/classes/keystone_db_sync_spec.rb b/spec/classes/keystone_db_sync_spec.rb index ccc0af3bf..e8356ede3 100644 
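Review bot: The `ensure_resource('file', $fernet_key_repository, {...})` added in this hunk sets owner and group but no `mode`, so the directory that will hold the Fernet signing keys is created with whatever the agent's umask yields (typically 0755, world-readable); `$domain_config_directory` later in this diff gets an explicit `mode => '0750'`, and key material deserves at least as much. Add `mode => '0700',` to the hash — keystone-manage appears to restrict the repository itself when it is the one creating it, so managing the directory in Puppet first should not loosen that, but this is worth confirming. Also, `subscribe => Anchor['keystone::install::end']` on a `file` resource only acts as an ordering constraint, since files have no refresh action; `require => Anchor['keystone::install::end'],` states the intent directly. The enclosing `class keystone(` starts and ends outside this hunk.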
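Review bot: The `user => $keystone_user` line added to `exec { 'keystone-manage bootstrap': ... }` is placed before `path`, while the same attribute was added after `path` in the db_sync, pki_setup and fernet_setup execs in this diff; moving it below `path => '/usr/bin',` keeps the four execs uniform. Separately, and outside the scope of this change, `--bootstrap-password ${admin_token}` still places the admin token on the command line, where it is visible in the process list regardless of which user runs the exec; keystone-manage bootstrap also reads the password from the `OS_BOOTSTRAP_PASSWORD` environment variable, which the exec's `environment` attribute could supply instead. The enclosing `class keystone(` starts and ends outside this hunk.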
--- a/spec/classes/keystone_db_sync_spec.rb +++ b/spec/classes/keystone_db_sync_spec.rb @@ -2,36 +2,54 @@ require 'spec_helper' describe 'keystone::db::sync' do - describe 'with only required params' do - it { + shared_examples_for 'keystone-dbsync' do + + describe 'with only required params' do + it { is_expected.to contain_exec('keystone-manage db_sync').with( :command => 'keystone-manage db_sync', + :user => 'keystone', :refreshonly => true, :subscribe => ['Anchor[keystone::install::end]', 'Anchor[keystone::config::end]', 'Anchor[keystone::dbsync::begin]'], :notify => 'Anchor[keystone::dbsync::end]', ) - } - end - - describe "overriding extra_params" do - let :params do - { - :extra_params => '--config-file /etc/keystone/keystone.conf', } end - it { + describe "overriding extra_params and keystone user" do + let :params do + { + :extra_params => '--config-file /etc/keystone/keystone.conf', + :keystone_user => 'test_user', + } + end + + it { is_expected.to contain_exec('keystone-manage db_sync').with( :command => 'keystone-manage --config-file /etc/keystone/keystone.conf db_sync', + :user => 'test_user', :refreshonly => true, :subscribe => ['Anchor[keystone::install::end]', 'Anchor[keystone::config::end]', 'Anchor[keystone::dbsync::begin]'], :notify => 'Anchor[keystone::dbsync::end]', ) - } + } + end + end + + on_supported_os({ + :supported_os => OSDefaults.get_supported_os + }).each do |os,facts| + context "on #{os}" do + let (:facts) do + facts.merge!(OSDefaults.get_facts()) + end + + it_configures 'keystone-dbsync' + end end end diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb index e8d1277c8..f5ad5eccf 100644 --- a/spec/classes/keystone_spec.rb +++ b/spec/classes/keystone_spec.rb @@ -69,6 +69,8 @@ describe 'keystone' do 'paste_config' => '', 'sync_db' => true, 'purge_config' => false, + 'keystone_user' => 'keystone', + 'keystone_group' => 'keystone', } override_params = { 
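Review bot: In the new `on_supported_os` loop, `let (:facts) do facts.merge!(OSDefaults.get_facts()) end` mutates the `facts` hash yielded by `on_supported_os` in place, so every example in the `context` shares and re-merges the same object; a non-destructive `facts.merge(OSDefaults.get_facts)` returns a fresh hash with the same content and avoids that hidden coupling. Style: `let (:facts)` has a space before the parenthesis and `get_facts()` carries empty parentheses, both of which RuboCop flags; `let(:facts)` and `OSDefaults.get_facts` are the conventional forms. The extra blank line directly after `shared_examples_for 'keystone-dbsync' do` is also worth dropping.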
@@ -115,7 +117,9 @@ describe 'keystone' do 'member_role_id' => '123456789', 'member_role_name' => 'othermember', 'paste_config' => '/usr/share/keystone/keystone-paste.ini', - 'using_domain_config' => false + 'using_domain_config' => false, + 'keystone_user' => 'test_user', + 'keystone_group' => 'test_group', } httpd_params = {'service_name' => 'httpd'}.merge(default_params) @@ -151,7 +155,7 @@ describe 'keystone' do if param_hash['enable_bootstrap'] is_expected.to contain_exec('keystone-manage bootstrap').with( :command => 'keystone-manage bootstrap --bootstrap-password service_token', - :user => 'keystone', + :user => param_hash['keystone_user'], :refreshonly => true ) end @@ -377,7 +381,9 @@ describe 'keystone' do 'signing_ca_certs' => '/etc/keystone/ssl/certs/ca.pem', 'signing_ca_key' => '/etc/keystone/ssl/private/cakey.pem', 'signing_cert_subject' => '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com', - 'signing_key_size' => 2048 + 'signing_key_size' => 2048, + 'keystone_user' => 'keystone', + 'keystone_group' => 'keystone', } end @@ -391,7 +397,7 @@ describe 'keystone' do end it { is_expected.to contain_exec('keystone-manage pki_setup').with( - :command => 'keystone-manage pki_setup --keystone-user keystone --keystone-group keystone', + :command => "keystone-manage pki_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}", :creates => '/etc/keystone/ssl/private/signing_key.pem' ) } it { is_expected.to contain_file('/var/cache/keystone').with_ensure('directory') } 
@@ -896,14 +902,21 @@ describe 'keystone' do 'enable_fernet_setup' => true, 'fernet_max_active_keys' => 5, 'revoke_by_id' => false, - 'keystone_user' => 'keystone', - 'keystone_group' => 'keystone' + 'fernet_key_repository' => '/etc/keystone/fernet-keys', }) end + it { is_expected.to contain_file(params['fernet_key_repository']).with( + :ensure => 'directory', + :owner => params['keystone_user'], + :group => params['keystone_group'], + ) } + it { is_expected.to contain_exec('keystone-manage fernet_setup').with( - :command => 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone', - :creates => '/etc/keystone/fernet-keys/0' + :command => "keystone-manage fernet_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}", + :user => params['keystone_user'], + :creates => '/etc/keystone/fernet-keys/0', + :require => 'File[/etc/keystone/fernet-keys]', ) } it { is_expected.to contain_keystone_config('fernet_tokens/max_active_keys').with_value(5)} it { is_expected.to contain_keystone_config('token/revoke_by_id').with_value(false)} @@ -921,6 +934,25 @@ describe 'keystone' do ) } end + + describe 'when overriding the keystone group and user' do + let :params do + default_params.merge({ + 'enable_fernet_setup' => true, + 'fernet_key_repository' => '/etc/keystone/fernet-keys', + 'keystone_user' => 'test_user', + 'keystone_group' => 'test_group', + }) + end + + it { is_expected.to contain_exec('keystone-manage fernet_setup').with( + :command => "keystone-manage fernet_setup --keystone-user #{params['keystone_user']} --keystone-group #{params['keystone_group']}", + :user => params['keystone_user'], + :creates => '/etc/keystone/fernet-keys/0', + :require => 'File[/etc/keystone/fernet-keys]', + ) } + + end end shared_examples_for "when configuring default domain" do
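Review bot: The new `contain_exec('keystone-manage fernet_setup')` expectation mixes interpolated params with hardcoded paths: `:command` and `:user` derive from `params`, but `:creates => '/etc/keystone/fernet-keys/0'` and `:require => 'File[/etc/keystone/fernet-keys]'` repeat the literal, so a change to `params['fernet_key_repository']` silently leaves them stale. Use `:creates => "#{params['fernet_key_repository']}/0",` and `:require => "File[#{params['fernet_key_repository']}]",`, as the `contain_file(params['fernet_key_repository'])` expectation just above already does. That `contain_file` expectation checks only `:ensure`, `:owner` and `:group`; since the directory holds the Fernet keys, asserting its `:mode` here would pin a restrictive permission once the manifest sets one. The enclosing `describe 'keystone'` block extends beyond this hunk.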
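Review bot: The new `describe 'when overriding the keystone group and user'` example asserts only the `keystone-manage fernet_setup` exec, so the `owner`/`group` wiring of the `$fernet_key_repository` file resource is never exercised with non-default values; the default-params describe above checks it, but with `'keystone'` on both sides, where a hardcoded `owner => 'keystone'` in the manifest would still pass. Add `it { is_expected.to contain_file(params['fernet_key_repository']).with(:owner => params['keystone_user'], :group => params['keystone_group']) }` alongside the exec expectation. The stray blank line before the describe's closing `end` is also worth dropping. The enclosing `describe 'keystone'` block extends beyond this hunk.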