diff --git a/manifests/compute/hypervisor.pp b/manifests/compute/hypervisor.pp
index db397d98..f852d3be 100644
--- a/manifests/compute/hypervisor.pp
+++ b/manifests/compute/hypervisor.pp
@@ -149,10 +149,13 @@ Host *
     ensure_resource('group', 'cephkeyring', {
       ensure => 'present'
     })
-    User<<| title == 'nova' |>> { groups +> 'cephkeyring' }
+
+    exec {'add-nova-to-group':
+      command => 'usermod -a -G cephkeyring nova'
+    }
 
     ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
-      owner   => 'cephkeyring',
+      owner   => 'root',
       group   => 'cephkeyring',
       mode    => '0400',
       require => "Ceph::Key[${cinder_rbd_user}]",
diff --git a/manifests/volume/backend/rbd.pp b/manifests/volume/backend/rbd.pp
index 402f2933..7b7cb90d 100644
--- a/manifests/volume/backend/rbd.pp
+++ b/manifests/volume/backend/rbd.pp
@@ -79,10 +79,13 @@ define cloud::volume::backend::rbd (
   ensure_resource('group', 'cephkeyring', {
     ensure => 'present'
   })
-  User<<| title == 'cinder' |>> { groups +> 'cephkeyring' }
+
+  exec {'add-cinder-to-group':
+    command => 'usermod -a -G cephkeyring cinder'
+  }
 
   ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", {
-    owner   => 'cephkeyring',
+    owner   => 'root',
     group   => 'cephkeyring',
     mode    => '0400',
     require => "Ceph::Key[${rbd_user}]",
diff --git a/spec/classes/cloud_compute_hypervisor_spec.rb b/spec/classes/cloud_compute_hypervisor_spec.rb
index d7effc22..9e465e4f 100644
--- a/spec/classes/cloud_compute_hypervisor_spec.rb
+++ b/spec/classes/cloud_compute_hypervisor_spec.rb
@@ -240,6 +240,7 @@ describe 'cloud::compute::hypervisor' do
       should contain_nova_config('DEFAULT/rbd_user').with('value' => 'cinder')
       should contain_nova_config('DEFAULT/rbd_secret_uuid').with('value' => 'secrete')
       should contain_group('cephkeyring').with(:ensure => 'present')
+      should contain_exec('add-nova-to-group').with(:command => 'usermod -a -G cephkeyring nova')
     end
 
     it 'configure nova-compute with extra parameters' do
diff --git a/spec/classes/cloud_volume_storage_spec.rb b/spec/classes/cloud_volume_storage_spec.rb
index 6d1fe444..f4a94938 100644
--- a/spec/classes/cloud_volume_storage_spec.rb
+++ b/spec/classes/cloud_volume_storage_spec.rb
@@ -107,6 +107,7 @@ describe 'cloud::volume::storage' do
           :os_auth_url    => 'http://keystone.host:5000/v2.0'
         )
         should contain_group('cephkeyring').with(:ensure => 'present')
+        should contain_exec('add-cinder-to-group').with(:command => 'usermod -a -G cephkeyring cinder')
       end
     end