ONE:

Looks like the on-behalf-of functionality in python novaclient is borked in association w/ keystone
*There are 2 different calls to keystone to get token info, and they return different hash's
*The service catalog borks out if 'access' is not the main key, but in the 2nd case 'token' is the main key.

Modified Files
* novaclient/service_catalog.py

Until this is fixed you need to mod python-novaclient after it gets downloaded via devstack
###### BEGIN PATCH
@@ -44,12 +44,17 @@ class ServiceCatalog(object):
                 raise novaclient.exceptions.EndpointNotFound()

         # We don't always get a service catalog back ...
-        if not 'serviceCatalog' in self.catalog['access']:
+        try:
+            if 'serviceCatalog' in self.catalog['access']:
+                # Full catalog ...
+                catalog = self.catalog['access']['serviceCatalog']
+        except KeyError:
+            if 'serviceCatalog' in self.catalog['token']:
+                # Full catalog ...
+                catalog = self.catalog['token']['serviceCatalog']
+        if catalog is None:
             return None

-        # Full catalog ...
-        catalog = self.catalog['access']['serviceCatalog']
-
         for service in catalog:
             if service.get("type") != service_type:
                 continue
###### END PATCH

TWO:

funkyness w/ the extensions. the extensions url itself wont load. Seems to have to do with authorization & tenants.
 * mitigated in reddwarf/common/extensions.py, see for more information


keystone haves issues with the get endpoints method and causing NotImplementedError/ClientException HTTP/500:
###### BEGIN PATCH
diff --git a/keystone/service.py b/keystone/service.py
index d0d4470..4feb966 100644
--- a/keystone/service.py
+++ b/keystone/service.py
@@ -408,8 +408,17 @@ class TokenController(wsgi.Application):
         self.token_api.delete_token(context=context, token_id=token_id)

     def endpoints(self, context, token_id):
-        """Return a list of endpoints available to the token."""
-        raise NotImplementedError()
+        """Return service catalog endpoints."""
+        try:
+            token_ref = self.token_api.get_token(context=context,
+                                                 token_id=token_id)
+        except exception.NotFound:
+            raise exception.Unauthorized()
+
+        catalog_ref = self.catalog_api.get_catalog(context,
+                                                   token_ref['user']['id'],
+                                                   token_ref['tenant']['id'])
+        return {'token': {'serviceCatalog': self._format_catalog(catalog_ref)}}

     def _format_authenticate(self, token_ref, roles_ref, catalog_ref):
         o = self._format_token(token_ref, roles_ref)
###### END PATCH