diff --git a/defaults/main.yml b/defaults/main.yml
index 01bc4323..2378fa1d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -77,6 +77,9 @@ keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant
+## Secure Proxy SSL Information
+#keystone_secure_proxy_ssl_header: X-Forwarded-For
+
 ## Service Type and Data
 keystone_service_region: RegionOne
 keystone_service_name: keystone
diff --git a/files/policy.json b/files/policy.json
index af65205e..e7db5ea3 100644
--- a/files/policy.json
+++ b/files/policy.json
@@ -4,6 +4,8 @@
 "service_or_admin": "rule:admin_required or rule:service_role",
 "owner" : "user_id:%(user_id)s",
 "admin_or_owner": "rule:admin_required or rule:owner",
+ "token_subject": "user_id:%(target.token.user_id)s",
+ "admin_or_token_subject": "rule:admin_required or rule:token_subject",
 "default": "rule:admin_required",
@@ -62,7 +64,7 @@
 "identity:update_credential": "rule:admin_required",
 "identity:delete_credential": "rule:admin_required",
- "identity:ec2_get_credential": "rule:admin_or_owner",
+ "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
 "identity:ec2_list_credentials": "rule:admin_or_owner",
 "identity:ec2_create_credential": "rule:admin_or_owner",
 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
@@ -90,13 +92,12 @@
 "identity:validate_token": "rule:service_or_admin",
 "identity:validate_token_head": "rule:service_or_admin",
 "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner",
+ "identity:revoke_token": "rule:admin_or_token_subject",
 "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
 "identity:get_trust": "rule:admin_or_owner",
 "identity:list_trusts": "",
 "identity:list_roles_for_trust": "",
- "identity:check_role_for_trust": "",
 "identity:get_role_for_trust": "",
 "identity:delete_trust": "",
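Review bot: The example value in `#keystone_secure_proxy_ssl_header: X-Forwarded-For` is the wrong header for this option: X-Forwarded-For carries the client address, whereas keystone's `secure_proxy_ssl_header` names the header it consults for the original request *scheme*, and as far as I recall it is looked up as a WSGI environ key, so the documented typical value is `HTTP_X_FORWARDED_PROTO`. An operator who uncomments the line as written gets a setting that never matches anything (keystone keeps emitting http URLs behind the TLS terminator) or, worse, assumes the proxy is being honoured. I would change the example to `#keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO` and extend the comment above it with `## Set this only when the SSL-terminating proxy overwrites the header on every request; a proxy that forwards it unchanged lets clients spoof the scheme.`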
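Review bot: Dropping the `identity:check_role_for_trust` entry is not a no-op if the keystone version this role deploys still enforces that target: oslo.policy falls back to `default`, which this file sets to `rule:admin_required`, so the HEAD variant of the trust-role call would silently go from open (`""`) to admin-only while its GET sibling `identity:get_role_for_trust` stays open. Fail-closed is the safer direction, but it is a behaviour change worth stating explicitly, and it should be confirmed against the pinned keystone release that the target really is no longer enforced. If it still is, keep the line aligned with its sibling: `"identity:check_role_for_trust": "",`.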
@@ -126,7 +127,7 @@
 "identity:delete_endpoint_group": "rule:admin_required",
 "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
 "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
+ "identity:get_endpoint_group_in_project": "rule:admin_required",
 "identity:add_endpoint_group_to_project": "rule:admin_required",
 "identity:remove_endpoint_group_from_project": "rule:admin_required",
@@ -148,6 +149,12 @@
 "identity:delete_mapping": "rule:admin_required",
 "identity:update_mapping": "rule:admin_required",
+ "identity:create_service_provider": "rule:admin_required",
+ "identity:list_service_providers": "rule:admin_required",
+ "identity:get_service_provider": "rule:admin_required",
+ "identity:update_service_provider": "rule:admin_required",
+ "identity:delete_service_provider": "rule:admin_required",
+
 "identity:get_auth_catalog": "",
 "identity:get_auth_projects": "",
 "identity:get_auth_domains": "",
@@ -167,5 +174,10 @@
 "identity:check_policy_association_for_region_and_service": "rule:admin_required",
 "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
 "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required"
+ "identity:list_endpoints_for_policy": "rule:admin_required",
+
+ "identity:create_domain_config": "rule:admin_required",
+ "identity:get_domain_config": "rule:admin_required",
+ "identity:update_domain_config": "rule:admin_required",
+ "identity:delete_domain_config": "rule:admin_required"
 }
diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2
index 8e45a9b7..065e28e2 100644
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@@ -10,11 +10,12 @@ public_endpoint = {{ keystone_public_endpoint }}
 admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
+{% if keystone_ssl_enabled == true and keystone_secure_proxy_ssl_header is defined %}
+secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
+{% endif %}
+
 log_file = keystone.log
 log_dir = /var/log/keystone
-rabbit_hosts = {{ rabbitmq_servers }}
-rabbit_userid = {{ rabbitmq_userid }}
-rabbit_password = {{ rabbitmq_password }}
 rpc_backend = {{ keystone_rpc_backend }}
@@ -85,8 +86,12 @@ cache_time = {{ keystone_token_cache_time }}
 provider = {{ keystone_token_provider }}
 driver = {{ keystone_token_driver }}
-
 [eventlet_server]
 admin_bind_host = {{ keystone_bind_address }}
 admin_port = {{ keystone_admin_port }}
 public_port = {{ keystone_service_port }}
+
+[oslo_messaging_rabbit]
+rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_userid = {{ rabbitmq_userid }}
+rabbit_password = {{ rabbitmq_password }}
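Review bot: The guard `{% if keystone_ssl_enabled == true and ... %}` is a strict comparison, so a value that arrives as the string "true" (a common shape for `-e` or inventory overrides) silently leaves `secure_proxy_ssl_header` out of the rendered config; the usual Ansible idiom is `{% if keystone_ssl_enabled | bool and keystone_secure_proxy_ssl_header is defined %}`. Separately, nothing in the template records that this option makes keystone trust a client-supplied header as the original request scheme, which is only safe when the TLS terminator in front of keystone overwrites that header on every request. I would add a Jinja comment above the block, `{# Trusts the named header as the request scheme; the SSL-terminating proxy must set/overwrite it on every request. #}`, so it does not leak into keystone.conf. The rendered value is only as correct as the variable behind it, so the example value in defaults/main.yml should be checked alongside this change.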