diff --git a/defaults/main.yml b/defaults/main.yml
index d8d0b76b..61745e06 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -446,7 +446,25 @@ keystone_pip_packages:
# by the py_pkgs lookup.
keystone_role_project_group: keystone_all
-## Tunable overrides
+#: Tunable file-based overrides
+# The contents of these files, if they exist, are read from the
+# specified path on the deployment host, interpreted by the
+# template engine and copied to the target host. If they do
+# not exist then the default files will be sourced from the
+# service git repository.
+keystone_paste_default_file_path: "/etc/openstack_deploy/keystone/keystone-paste.ini"
+keystone_policy_default_file_path: "/etc/openstack_deploy/keystone/policy.json"
+keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
+
+# If the above-mentioned files do not exist, then these
+# paths will be used to find the files from the git config
+# lookup location.
+keystone_git_config_lookup_location: https://git.openstack.org/cgit/openstack/keystone/plain
+keystone_paste_git_file_path: "etc/keystone-paste.ini?h={{ keystone_git_install_branch }}"
+keystone_sso_callback_git_file_path: "etc/sso_callback_template.html?h={{ keystone_git_install_branch }}"
+
+#: Tunable var-based overrides
+# The contents of these are templated over the default files.
keystone_keystone_conf_overrides: {}
keystone_keystone_default_conf_overrides: {}
keystone_keystone_paste_ini_overrides: {}
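Review bot: The comment above `keystone_git_config_lookup_location` says the git lookup is used whenever the override files do not exist, but only the paste.ini and the SSO callback get a `*_git_file_path`; policy.json has none, and the accompanying tasks change falls back to an empty `{}` policy instead. Add a line to that comment so a deployer is not surprised by an empty policy file, e.g. `# Note: there is no git fallback for policy.json; if the override file is absent an empty ({}) policy is deployed.` The lookup location is also consumed with no integrity check beyond TLS, so whether `keystone_git_install_branch` is pinned to a tag or SHA rather than a moving branch determines how reproducible and reviewable the deployed paste pipeline is; that is worth stating in the same comment.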
diff --git a/files/sso_callback_template.html b/files/sso_callback_template.html
deleted file mode 100644
index 3364d69e..00000000
--- a/files/sso_callback_template.html
+++ /dev/null
@@ -1,22 +0,0 @@
-
-
-
- Keystone WebSSO redirect
-
-
-
-
-
-
diff --git a/releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml b/releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml
new file mode 100644
index 00000000..c0a31c2d
--- /dev/null
+++ b/releasenotes/notes/keystone-upstream-config-files-d16f27fc1332ed83.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - The ``os_keystone`` role will now (by default) source the
+ ``keystone-paste.ini``, ``policy.json`` and ``sso_callback_template.html``
+ templates from the service git source instead of from the role. It also
+ now includes a facility where you can place your own templates in
+ ``/etc/openstack_deploy/keystone`` (by default) and it will be
+ deployed to the target host after being interpreted by the
+ template engine.
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index df20eb43..3279f14f 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -27,14 +27,31 @@
dest: "/etc/keystone/keystone.conf"
config_overrides: "{{ keystone_keystone_conf_overrides }}"
config_type: "ini"
- - src: "keystone-paste.ini.j2"
- dest: "/etc/keystone/keystone-paste.ini"
+ notify:
+ - Restart uWSGI on first node
+ - Restart uWSGI on other nodes
+ - Restart web server on first node
+ - Restart web server on other nodes
+
+- name: Retrieve and config_template upstream files
+ config_template:
+ content: "{{ lookup('pipe', item.content) | string }}"
+ dest: "{{ item.dest }}"
+ config_overrides: "{{ item.config_overrides }}"
+ config_type: "{{ item.config_type }}"
+ with_items:
+ - dest: "/etc/keystone/keystone-paste.ini"
config_overrides: "{{ keystone_keystone_paste_ini_overrides }}"
config_type: "ini"
- - src: "policy.json.j2"
- dest: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
+ content: |
+ cat {{ keystone_paste_default_file_path }} 2>/dev/null || \
+ curl -s {{ keystone_git_config_lookup_location }}/{{ keystone_paste_git_file_path }}
+ - dest: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
config_overrides: "{{ keystone_policy_overrides }}"
config_type: "json"
+ content: |
+ cat {{ keystone_policy_default_file_path }} 2>/dev/null || \
+ echo {}
notify:
- Restart uWSGI on first node
- Restart uWSGI on other nodes
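Review bot: `curl -s` in the fallback of the paste.ini item (the `content:` block under `/etc/keystone/keystone-paste.ini`) exits 0 on an HTTP error, so a 404 or a cgit error page would be written to keystone-paste.ini as if it were the upstream file; use `curl -sf` (or `--fail`) so the `lookup('pipe', ...)` fails the task instead of deploying the error body. The `2>/dev/null` on `cat` likewise masks anything other than a missing override (for example a permission error) and silently falls through to the git copy. Because the paste pipeline and policy file define keystone's auth middleware chain and access rules, the run should fail loudly when the intended source cannot be read. The `echo {}` fallback for policy.json deserves a comment explaining why an empty policy is acceptable (presumably keystone's in-code defaults then apply; confirm), e.g. `# No git fallback: an empty policy file defers to keystone's in-code policy defaults.` The first task in this hunk begins before the hunk.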
@@ -43,7 +60,9 @@
- name: Copy Keystone Federation SP SSO callback template
copy:
- src: "sso_callback_template.html"
+ content: |
+ cat {{ keystone_sso_callback_file_path }} 2>/dev/null || \
+ curl -s {{ keystone_git_config_lookup_location }}/{{ keystone_sso_callback_git_file_path }}
dest: "/etc/keystone/sso_callback_template.html"
owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
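Review bot: The `copy` module writes `content:` to the destination verbatim, so with this change `/etc/keystone/sso_callback_template.html` will contain the literal text `cat ... || curl ...` rather than the template it names; unlike the previous hunk, nothing here runs the command through `lookup('pipe', ...)`. Run the command on the deployment host and copy its output, as the paste.ini item does, and add `-f` to curl so an HTTP error page is not deployed as the callback template. The task continues past the end of the hunk.
```yaml
- name: Copy Keystone Federation SP SSO callback template
  copy:
    content: "{{ lookup('pipe', _keystone_sso_callback_fetch_cmd) | string }}"
    dest: "/etc/keystone/sso_callback_template.html"
    # … unchanged: owner, group and the rest of the task …
  vars:
    _keystone_sso_callback_fetch_cmd: |
      cat {{ keystone_sso_callback_file_path }} 2>/dev/null || \
      curl -sf {{ keystone_git_config_lookup_location }}/{{ keystone_sso_callback_git_file_path }}
```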
diff --git a/templates/keystone-paste.ini.j2 b/templates/keystone-paste.ini.j2
deleted file mode 100644
index b629b48c..00000000
--- a/templates/keystone-paste.ini.j2
+++ /dev/null
@@ -1,92 +0,0 @@
-# Keystone PasteDeploy configuration file.
-
-[filter:debug]
-use = egg:oslo.middleware#debug
-
-[filter:request_id]
-use = egg:oslo.middleware#request_id
-
-[filter:build_auth_context]
-use = egg:keystone#build_auth_context
-
-[filter:token_auth]
-use = egg:keystone#token_auth
-
-[filter:json_body]
-use = egg:keystone#json_body
-
-[filter:cors]
-use = egg:oslo.middleware#cors
-oslo_config_project = keystone
-
-[filter:http_proxy_to_wsgi]
-use = egg:oslo.middleware#http_proxy_to_wsgi
-
-[filter:healthcheck]
-use = egg:oslo.middleware#healthcheck
-
-[filter:ec2_extension]
-use = egg:keystone#ec2_extension
-
-[filter:ec2_extension_v3]
-use = egg:keystone#ec2_extension_v3
-
-[filter:s3_extension]
-use = egg:keystone#s3_extension
-
-[filter:url_normalize]
-use = egg:keystone#url_normalize
-
-[filter:sizelimit]
-use = egg:oslo.middleware#sizelimit
-
-[filter:osprofiler]
-use = egg:osprofiler#osprofiler
-
-[app:public_service]
-use = egg:keystone#public_service
-
-[app:service_v3]
-use = egg:keystone#service_v3
-
-[app:admin_service]
-use = egg:keystone#admin_service
-
-[pipeline:public_api]
-# The last item in this pipeline must be public_service or an equivalent
-# application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service
-
-[pipeline:admin_api]
-# The last item in this pipeline must be admin_service or an equivalent
-# application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service
-
-[pipeline:api_v3]
-# The last item in this pipeline must be service_v3 or an equivalent
-# application. It cannot be a filter.
-pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
-
-[app:public_version_service]
-use = egg:keystone#public_version_service
-
-[app:admin_version_service]
-use = egg:keystone#admin_version_service
-
-[pipeline:public_version_api]
-pipeline = healthcheck cors sizelimit osprofiler url_normalize public_version_service
-
-[pipeline:admin_version_api]
-pipeline = healthcheck cors sizelimit osprofiler url_normalize admin_version_service
-
-[composite:main]
-use = egg:Paste#urlmap
-/v2.0 = public_api
-/v3 = api_v3
-/ = public_version_api
-
-[composite:admin]
-use = egg:Paste#urlmap
-/v2.0 = admin_api
-/v3 = api_v3
-/ = admin_version_api
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
deleted file mode 100644
index ddf23962..00000000
--- a/templates/policy.json.j2
+++ /dev/null
@@ -1,199 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner" : "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
-
- "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
-
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
-
- "identity:get_user": "rule:admin_or_owner",
- "identity:list_users": "rule:admin_required",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required",
- "identity:change_password": "rule:admin_or_owner",
-
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
-
- "identity:get_implied_role": "rule:admin_required ",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
-
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
-
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
-
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
-
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_providers": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
-
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
-
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
-
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
-
- "identity:list_projects_for_user": "",
- "identity:list_domains_for_user": "",
-
- "identity:list_revoke_events": "rule:service_or_admin",
-
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
-
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:get_security_compliance_domain_config": "",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required",
- "identity:get_domain_config_default": "rule:admin_required"
-}