Update the API version for Openstack Newton

Use the "keystone-manage bootstrap" command to instead of admin_token.
Because the  admin_token is treated as a "shared secret" that can be used
to bootstrap Keystone through the API. This "token" does not represent a
user (it has no identity), and carries no explicit authorization (it
effectively bypasses most authorization checks).

Use the API v3 to instead of API v2.0. Identity API v3 was established to
introduce namespacing for users and projects by using "domains" as a
higher-level container for more flexible identity management and fixed a
security issue in the v2.0 API (bearer tokens appearing in URLs).

JIRA: COMPASS-491

Change-Id: I56182c14b761728c3492b9dd2b05c3b57aa5f35f
Signed-off-by: liyuenan <liyuenan@huawei.com>

21 files changed, 1274 insertions, 63 deletions

diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/aodh/templates/aodh.conf.j2 b/deploy/adapters/ansible/openstack_newton_xenial/roles/aodh/templates/aodh.conf.j2
index d4d232be..b580d78c 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/aodh/templates/aodh.conf.j2
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/aodh/templates/aodh.conf.j2
@@ -35,12 +35,22 @@ token_cache_time = 300
 revocation_cache_time = 60
 
 [service_credentials]
-os_auth_url = http://{{ internal_vip.ip }}:5000/v2.0
+os_auth_url = http://{{ internal_vip.ip }}:5000/v3
 os_username = aodh
 os_tenant_name = service
 os_password = {{ AODH_PASS }}
 os_endpoint_type = internalURL
 os_region_name = RegionOne
 
+auth_type = password
+auth_url = http://{{ internal_vip.ip }}:5000/v3
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = aodh
+password = {{ AODH_PASS }}
+interface = internalURL
+region_name = RegionOne
+
 [api]
 host = {{ internal_ip }}
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/cinder-controller/templates/cinder.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/cinder-controller/templates/cinder.conf
new file mode 100644
index 00000000..d428a078
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/cinder-controller/templates/cinder.conf
@@ -0,0 +1,85 @@
+{% set memcached_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+volume_name_template = volume-%s
+volume_group = storage-volumes
+verbose = {{ VERBOSE }}
+debug = {{ DEBUG }}
+auth_strategy = keystone
+state_path = /var/lib/cinder
+lock_path = /var/lock/cinder
+notification_driver = cinder.openstack.common.notifier.rpc_notifier
+volumes_dir = /var/lib/cinder/volumes
+transport_url = rabbit://{{ RABBIT_USER }}:{{ RABBIT_PASS }}@{{ rabbit_host }}
+log_file = /var/log/cinder/cinder.log
+
+control_exchange = cinder
+rpc_backend = rabbit
+my_ip = {{ storage_controller_host }}
+
+glance_host = {{ internal_vip.ip }}
+glance_port = 9292
+api_rate_limit = False
+storage_availability_zone = nova
+
+quota_volumes = 10
+quota_gigabytes = 1000
+quota_driver = cinder.quota.DbQuotaDriver
+
+osapi_volume_listen = {{ storage_controller_host }}
+osapi_volume_listen_port = 8776
+
+db_backend = sqlalchemy
+volume_name_template = volume-%s
+snapshot_name_template = snapshot-%s
+
+max_gigabytes = 10000
+
+volume_clear = zero
+volume_clear_size = 10
+
+iscsi_ip_address = {{ storage_controller_host }}
+iscsi_port = 3260
+iscsi_helper = tgtadm
+
+volumes_dir = /var/lib/cinder/volumes
+volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver
+
+[database]
+connection = mysql://cinder:{{ CINDER_DBPASS }}@{{ db_host }}/cinder
+idle_timeout = 30
+
+[keystone_authtoken]
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = cinder
+password = {{ CINDER_PASS }}
+
+identity_uri = http://{{ internal_vip.ip }}:35357
+admin_tenant_name = service
+admin_user = cinder
+admin_password = {{ CINDER_PASS }}
+
+[keymgr]
+encryption_auth_url=http://{{ internal_vip.ip }}:5000/v3
+
+[oslo_messaging_rabbit]
+rabbit_host = {{ rabbit_host }}
+rabbit_port = 5672
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+[oslo_concurrency]
+lock_path = /var/lib/cinder/tmp
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/cinder-volume/templates/cinder.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/cinder-volume/templates/cinder.conf
new file mode 100644
index 00000000..e4f98e82
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/cinder-volume/templates/cinder.conf
@@ -0,0 +1,82 @@
+{% set memcached_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+volume_name_template = volume-%s
+volume_group = storage-volumes
+verbose = True
+auth_strategy = keystone
+state_path = /var/lib/cinder
+lock_path = /var/lib/cinder/tmp
+notification_driver=cinder.openstack.common.notifier.rpc_notifier
+volumes_dir = /var/lib/cinder/volumes
+transport_url = rabbit://{{ RABBIT_USER }}:{{ RABBIT_PASS }}@{{ rabbit_host }}
+log_file=/var/log/cinder/cinder.log
+
+control_exchange = cinder
+rpc_backend = rabbit
+my_ip = {{ storage_controller_host }}
+
+glance_host = {{ internal_vip.ip }}
+glance_port = 9292
+glance_api_servers = http://{{ internal_vip.ip }}:9292
+api_rate_limit = False
+storage_availability_zone = nova
+
+quota_volumes = 10
+quota_gigabytes = 1000
+quota_driver = cinder.quota.DbQuotaDriver
+
+osapi_volume_listen = {{ storage_controller_host }}
+osapi_volume_listen_port = 8776
+
+db_backend = sqlalchemy
+volume_name_template = volume-%s
+snapshot_name_template = snapshot-%s
+
+max_gigabytes = 10000
+
+volume_clear = zero
+volume_clear_size = 10
+
+iscsi_ip_address = {{ storage_controller_host }}
+iscsi_port=3260
+iscsi_helper=tgtadm
+
+volumes_dir=/var/lib/cinder/volumes
+volume_driver=cinder.volume.drivers.lvm.LVMISCSIDriver
+
+[database]
+connection = mysql://cinder:{{ CINDER_DBPASS }}@{{ db_host }}/cinder
+idle_timeout = 30
+
+[keystone_authtoken]
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = cinder
+password = {{ CINDER_PASS }}
+
+identity_uri = http://{{ internal_vip.ip }}:35357
+admin_tenant_name = service
+admin_user = cinder
+admin_password = {{ CINDER_PASS }}
+
+[lvm]
+volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
+volume_group = cinder-volumes
+iscsi_protocol = iscsi
+iscsi_helper = tgtadm
+
+[oslo_concurrency]
+lock_path = /var/lib/cinder/tmp
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/dashboard/tasks/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/dashboard/tasks/main.yml
new file mode 100644
index 00000000..9be6fd6c
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/dashboard/tasks/main.yml
@@ -0,0 +1,106 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: disable auto start
+  copy:
+    content: "#!/bin/sh\nexit 101"
+    dest: "/usr/sbin/policy-rc.d"
+    mode: 0755
+  when: ansible_os_family == "Debian"
+
+- name: install dashboard packages
+  action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+  with_items: packages | union(packages_noarch)
+
+- name: enable auto start
+  file:
+    path=/usr/sbin/policy-rc.d
+    state=absent
+  when: ansible_os_family == "Debian"
+
+- name: remove ubuntu theme
+  action: "{{ ansible_pkg_mgr }} name=openstack-dashboard-ubuntu-theme state=absent"
+  when: ansible_os_family == 'Debian' and not enable_ubuntu_theme
+  notify:
+    - restart dashboard services
+
+- name: remove default apache2 config
+  file:
+    path: '{{ item }}'
+    state: absent
+  when: ansible_os_family == 'Debian'
+  with_items:
+    - '{{ apache_config_dir }}/conf-available/openstack-dashboard.conf'
+    - '{{ apache_config_dir }}/conf-enabled/openstack-dashboard.conf'
+    - '{{ apache_config_dir }}/sites-available/000-default.conf'
+    - '{{ apache_config_dir }}/sites-enabled/000-default.conf'
+  notify:
+    - restart dashboard services
+
+- name: update apache2 configs
+  template:
+    src: openstack-dashboard.conf.j2
+    dest: '{{ apache_config_dir }}/sites-available/openstack-dashboard.conf'
+  when: ansible_os_family == 'Debian'
+  notify:
+    - restart dashboard services
+
+- name: update apache2 configs redhat
+  template:
+    src: openstack-dashboard-redhat.conf.j2
+    dest: '{{ apache_config_dir }}/conf.d/openstack-dashboard.conf'
+  when: ansible_os_family == 'RedHat'
+  notify:
+    - restart dashboard services
+
+- name: enable dashboard
+  file:
+    src: "/etc/apache2/sites-available/openstack-dashboard.conf"
+    dest: "/etc/apache2/sites-enabled/openstack-dashboard.conf"
+    state: "link"
+  when: ansible_os_family == 'Debian'
+  notify:
+    - restart dashboard services
+
+- name: update ubuntu horizon settings
+  template:
+    src: local_settings.py.j2
+    dest: "/etc/openstack-dashboard/local_settings.py"
+  when: ansible_os_family == 'Debian'
+  notify:
+    - restart dashboard services
+
+- name: precompile horizon css
+  shell: /usr/bin/python /usr/share/openstack-dashboard/manage.py compress --force
+  ignore_errors: True
+  when: ansible_os_family == 'Debian'
+  notify:
+    - restart dashboard services
+
+- name: update redhat version horizon settings
+  lineinfile:
+    dest: /etc/openstack-dashboard/local_settings
+    regexp: '{{ item.regexp }}'
+    line: '{{ item.line }}'
+  with_items:
+    - regexp: '^WEBROOT[ \t]*=.*'
+      line: 'WEBROOT = "/horizon"'
+    - regexp: '^COMPRESS_OFFLINE[ \t]*=.*'
+      line: 'COMPRESS_OFFLINE=False'
+    - regexp: '^ALLOWED_HOSTS[ \t]*=.*'
+      line: 'ALLOWED_HOSTS = ["*"]'
+    - regexp: '^OPENSTACK_HOST[ \t]*=.*'
+      line: 'OPENSTACK_HOST = "{{ internal_ip }}"'
+  when: ansible_os_family == 'RedHat'
+  notify:
+    - restart dashboard services
+
+- meta: flush_handlers
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/dashboard/templates/local_settings.py.j2 b/deploy/adapters/ansible/openstack_newton_xenial/roles/dashboard/templates/local_settings.py.j2
new file mode 100644
index 00000000..7278d5c2
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/dashboard/templates/local_settings.py.j2
@@ -0,0 +1,326 @@
+# -*- coding: utf-8 -*-
+
+import os
+
+from django.utils.translation import ugettext_lazy as _
+
+from horizon.utils import secret_key
+
+from openstack_dashboard import exceptions
+from openstack_dashboard.settings import HORIZON_CONFIG
+
+DEBUG = False
+
+WEBROOT = '/'
+
+LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
+
+SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
+
+SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
+
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+        'LOCATION': '{{ internal_vip.ip }}:11211',
+    },
+}
+
+EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+OPENSTACK_HOST = "{{ internal_ip }}"
+OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
+OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
+OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
+OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
+
+OPENSTACK_API_VERSIONS = {
+    "identity": 3,
+    "image": 2,
+    "volume": 2,
+}
+
+OPENSTACK_KEYSTONE_BACKEND = {
+    'name': 'native',
+    'can_edit_user': True,
+    'can_edit_group': True,
+    'can_edit_project': True,
+    'can_edit_domain': True,
+    'can_edit_role': True,
+}
+
+OPENSTACK_HYPERVISOR_FEATURES = {
+    'can_set_mount_point': False,
+    'can_set_password': False,
+    'requires_keypair': False,
+    'enable_quotas': True
+}
+
+OPENSTACK_CINDER_FEATURES = {
+    'enable_backup': False,
+}
+
+OPENSTACK_NEUTRON_NETWORK = {
+    'enable_router': True,
+    'enable_quotas': True,
+    'enable_ipv6': True,
+    'enable_distributed_router': False,
+    'enable_ha_router': False,
+    'enable_lb': True,
+    'enable_firewall': True,
+    'enable_vpn': True,
+    'enable_fip_topology_check': True,
+    'profile_support': None,
+    'supported_vnic_types': ['*'],
+}
+
+OPENSTACK_HEAT_STACK = {
+    'enable_user_pass': True,
+}
+
+IMAGE_CUSTOM_PROPERTY_TITLES = {
+    "architecture": _("Architecture"),
+    "kernel_id": _("Kernel ID"),
+    "ramdisk_id": _("Ramdisk ID"),
+    "image_state": _("Euca2ools state"),
+    "project_id": _("Project ID"),
+    "image_type": _("Image Type"),
+}
+
+IMAGE_RESERVED_CUSTOM_PROPERTIES = []
+
+API_RESULT_LIMIT = 1000
+API_RESULT_PAGE_SIZE = 20
+SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
+INSTANCE_LOG_LENGTH = 35
+DROPDOWN_MAX_ITEMS = 30
+
+TIME_ZONE = "UTC"
+
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'formatters': {
+        'operation': {
+            'format': '%(asctime)s %(message)s'
+        },
+    },
+    'handlers': {
+        'null': {
+            'level': 'DEBUG',
+            'class': 'logging.NullHandler',
+        },
+        'console': {
+            'level': 'INFO',
+            'class': 'logging.StreamHandler',
+        },
+        'operation': {
+            'level': 'INFO',
+            'class': 'logging.StreamHandler',
+            'formatter': 'operation',
+        },
+    },
+    'loggers': {
+        'django.db.backends': {
+            'handlers': ['null'],
+            'propagate': False,
+        },
+        'requests': {
+            'handlers': ['null'],
+            'propagate': False,
+        },
+        'horizon': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'horizon.operation_log': {
+            'handlers': ['operation'],
+            'level': 'INFO',
+            'propagate': False,
+        },
+        'openstack_dashboard': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'novaclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'cinderclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'keystoneclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'glanceclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'neutronclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'heatclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'ceilometerclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'swiftclient': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'openstack_auth': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'nose.plugins.manager': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'django': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
+        'iso8601': {
+            'handlers': ['null'],
+            'propagate': False,
+        },
+        'scss': {
+            'handlers': ['null'],
+            'propagate': False,
+        },
+    },
+}
+
+SECURITY_GROUP_RULES = {
+    'all_tcp': {
+        'name': _('All TCP'),
+        'ip_protocol': 'tcp',
+        'from_port': '1',
+        'to_port': '65535',
+    },
+    'all_udp': {
+        'name': _('All UDP'),
+        'ip_protocol': 'udp',
+        'from_port': '1',
+        'to_port': '65535',
+    },
+    'all_icmp': {
+        'name': _('All ICMP'),
+        'ip_protocol': 'icmp',
+        'from_port': '-1',
+        'to_port': '-1',
+    },
+    'ssh': {
+        'name': 'SSH',
+        'ip_protocol': 'tcp',
+        'from_port': '22',
+        'to_port': '22',
+    },
+    'smtp': {
+        'name': 'SMTP',
+        'ip_protocol': 'tcp',
+        'from_port': '25',
+        'to_port': '25',
+    },
+    'dns': {
+        'name': 'DNS',
+        'ip_protocol': 'tcp',
+        'from_port': '53',
+        'to_port': '53',
+    },
+    'http': {
+        'name': 'HTTP',
+        'ip_protocol': 'tcp',
+        'from_port': '80',
+        'to_port': '80',
+    },
+    'pop3': {
+        'name': 'POP3',
+        'ip_protocol': 'tcp',
+        'from_port': '110',
+        'to_port': '110',
+    },
+    'imap': {
+        'name': 'IMAP',
+        'ip_protocol': 'tcp',
+        'from_port': '143',
+        'to_port': '143',
+    },
+    'ldap': {
+        'name': 'LDAP',
+        'ip_protocol': 'tcp',
+        'from_port': '389',
+        'to_port': '389',
+    },
+    'https': {
+        'name': 'HTTPS',
+        'ip_protocol': 'tcp',
+        'from_port': '443',
+        'to_port': '443',
+    },
+    'smtps': {
+        'name': 'SMTPS',
+        'ip_protocol': 'tcp',
+        'from_port': '465',
+        'to_port': '465',
+    },
+    'imaps': {
+        'name': 'IMAPS',
+        'ip_protocol': 'tcp',
+        'from_port': '993',
+        'to_port': '993',
+    },
+    'pop3s': {
+        'name': 'POP3S',
+        'ip_protocol': 'tcp',
+        'from_port': '995',
+        'to_port': '995',
+    },
+    'ms_sql': {
+        'name': 'MS SQL',
+        'ip_protocol': 'tcp',
+        'from_port': '1433',
+        'to_port': '1433',
+    },
+    'mysql': {
+        'name': 'MYSQL',
+        'ip_protocol': 'tcp',
+        'from_port': '3306',
+        'to_port': '3306',
+    },
+    'rdp': {
+        'name': 'RDP',
+        'ip_protocol': 'tcp',
+        'from_port': '3389',
+        'to_port': '3389',
+    },
+}
+
+REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
+                              'LAUNCH_INSTANCE_DEFAULTS',
+                              'OPENSTACK_IMAGE_FORMATS']
+
+DEFAULT_THEME = 'ubuntu'
+WEBROOT='/horizon/'
+ALLOWED_HOSTS = ['*',]
+COMPRESS_OFFLINE = True
+ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/ext-network/tasks/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/ext-network/tasks/main.yml
index a8bce16e..2c61ff66 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/ext-network/tasks/main.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/ext-network/tasks/main.yml
@@ -18,37 +18,27 @@
 - name: restart neutron server
   service: name=neutron-server state=restarted enabled=yes
 
+- name: wait for neutron ready
+  wait_for: port=9696 delay=10 timeout=30 host={{ internal_vip.ip }}
+
 - name: create external net
-  neutron_network:
-    login_username: ADMIN
-    login_password: "{{ ADMIN_PASS }}"
-    login_tenant_name: admin
-    auth_url: "http://{{ internal_vip.ip }}:35357/v2.0"
-    name: "{{ public_net_info.network }}"
-    provider_network_type: "{{ public_net_info.type }}"
-    provider_physical_network: "{{ public_net_info.provider_network }}"
-    provider_segmentation_id: "{{ public_net_info.segment_id}}"
-    shared: false
-    router_external: yes
-    state: present
-  run_once: true
-  when: 'public_net_info.enable == True'
+  shell:
+    . /opt/admin-openrc.sh;
+    neutron net-create \
+        {{ public_net_info.network }} \
+        --provider:network_type {{ public_net_info.type }} \
+        --provider:physical_network {{ public_net_info.provider_network }} \
+        --router:external True
+  when: public_net_info.enable == True and inventory_hostname == groups['controller'][0]
 
 - name: create external subnet
-  neutron_subnet:
-    login_username: ADMIN
-    login_password: "{{ ADMIN_PASS }}"
-    login_tenant_name: admin
-    auth_url: "http://{{ internal_vip.ip }}:35357/v2.0"
-    name: "{{ public_net_info.subnet }}"
-    network_name: "{{ public_net_info.network }}"
-    cidr: "{{ public_net_info.floating_ip_cidr }}"
-    enable_dhcp: "{{ public_net_info.enable_dhcp }}"
-    no_gateway: "{{ public_net_info.no_gateway }}"
-    gateway_ip: "{{ public_net_info.external_gw }}"
-    allocation_pool_start: "{{ public_net_info.floating_ip_start }}"
-    allocation_pool_end: "{{ public_net_info.floating_ip_end }}"
-    state: present
-  run_once: true
-  when: 'public_net_info.enable == True'
+  shell:
+    . /opt/admin-openrc.sh;
+    neutron subnet-create \
+        --name {{ public_net_info.subnet }} \
+        --gateway {{ public_net_info.external_gw }} \
+        --allocation-pool \
+        start={{ public_net_info.floating_ip_start }},end={{ public_net_info.floating_ip_end }} \
+        {{ public_net_info.network }} {{ public_net_info.floating_ip_cidr }}
+  when: public_net_info.enable == True and inventory_hostname == groups['controller'][0]
 
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/glance/templates/glance-api.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/glance/templates/glance-api.conf
new file mode 100644
index 00000000..241f04ce
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/glance/templates/glance-api.conf
@@ -0,0 +1,93 @@
+{% set workers = ansible_processor_vcpus // 2 %}
+{% set workers = workers if workers else 1 %}
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+
+[DEFAULT]
+verbose = {{ VERBOSE }}
+debug = {{ DEBUG }}
+log_file = /var/log/glance/api.log
+bind_host = {{ image_host }}
+bind_port = 9292
+backlog = 4096
+workers = {{ workers }}
+registry_host = {{ internal_ip }}
+registry_port = 9191
+registry_client_protocol = http
+cinder_catalog_info = volume:cinder:internalURL
+
+enable_v1_api = True
+enable_v1_registry = True
+enable_v2_api = True
+enable_v2_registry = True
+
+notification_driver = messagingv2
+rpc_backend = rabbit
+
+delayed_delete = False
+scrubber_datadir = /var/lib/glance/scrubber
+scrub_time = 43200
+image_cache_dir = /var/lib/glance/image-cache/
+show_image_direct_url = True
+
+[database]
+backend = sqlalchemy
+connection = mysql://glance:{{ GLANCE_DBPASS }}@{{ db_host }}/glance?charset=utf8
+idle_timeout = 30
+sqlite_db = /var/lib/glance/glance.sqlite
+
+[task]
+task_executor = taskflow
+
+[glance_store]
+default_store = file
+stores = file,http,cinder,rbd
+filesystem_store_datadir = /var/lib/glance/images/
+
+[image_format]
+disk_formats = ami,ari,aki,vhd,vhdx,vmdk,raw,qcow2,vdi,iso,root-tar
+
+[profiler]
+enabled = True
+
+[keystone_authtoken]
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = glance
+password = {{ GLANCE_PASS }}
+token_cache_time = 300
+revocation_cache_time = 60
+
+identity_uri = http://{{ internal_vip.ip }}:35357
+admin_tenant_name = service
+admin_user = glance
+admin_password = {{ GLANCE_PASS }}
+
+[paste_deploy]
+flavor= keystone
+
+[oslo_messaging_amqp]
+idle_timeout = 7200
+
+[oslo_messaging_rabbit]
+rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = false
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_virtual_host = /
+default_notification_exchange = glance
+
+rabbit_notification_exchange = glance
+rabbit_notification_topic = notifications
+rabbit_durable_queues = False
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/glance/templates/glance-registry.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/glance/templates/glance-registry.conf
new file mode 100644
index 00000000..ccd8f1bb
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/glance/templates/glance-registry.conf
@@ -0,0 +1,64 @@
+{% set workers = ansible_processor_vcpus // 2 %}
+{% set workers = workers if workers else 1 %}
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+
+[DEFAULT]
+verbose = {{ VERBOSE }}
+debug = {{ DEBUG }}
+log_file = /var/log/glance/api.log
+bind_host = {{ image_host }}
+bind_port = 9191
+backlog = 4096
+workers = {{ workers }}
+
+notification_driver = messagingv2
+rpc_backend = rabbit
+
+[database]
+backend = sqlalchemy
+connection = mysql://glance:{{ GLANCE_DBPASS }}@{{ db_host }}/glance?charset=utf8
+idle_timeout = 30
+
+[profiler]
+enabled = True
+
+[keystone_authtoken]
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = glance
+password =  {{ GLANCE_PASS }}
+
+identity_uri = http://{{ internal_vip.ip }}:35357
+admin_tenant_name = service
+admin_user = glance
+admin_password = {{ GLANCE_PASS }}
+token_cache_time = 300
+revocation_cache_time = 60
+
+[paste_deploy]
+flavor= keystone
+
+[oslo_messaging_amqp]
+idle_timeout = 7200
+
+[oslo_messaging_rabbit]
+rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = false
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_virtual_host = /
+rabbit_notification_exchange = glance
+rabbit_notification_topic = notifications
+rabbit_durable_queues = False
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/tasks/heat_install.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/tasks/heat_install.yml
index b90e6402..6a0f1c73 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/tasks/heat_install.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/tasks/heat_install.yml
@@ -21,7 +21,7 @@
 
 - name: create heat user domain
   shell: >
-    . /opt/admin-openrc-v3.sh;
+    . /opt/admin-openrc.sh;
     openstack domain create --description "Stack projects and users" heat;
     openstack user create --domain heat --password {{ HEAT_PASS }} heat_domain_admin;
     openstack role add --domain heat --user-domain heat --user heat_domain_admin admin;
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/templates/heat.j2 b/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/templates/heat.j2
index 62df9fd9..72d4b61e 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/templates/heat.j2
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/heat/templates/heat.j2
@@ -1,10 +1,13 @@
+{% set memcached_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+
 [DEFAULT]
 heat_metadata_server_url = http://{{ internal_vip.ip }}:8000
 heat_waitcondition_server_url = http://{{ internal_vip.ip }}:8000/v1/waitcondition
 rpc_backend = rabbit
-rabbit_host = {{ rabbit_host }}
-rabbit_userid = {{ RABBIT_USER }}
-rabbit_password = {{ RABBIT_PASS }}
 log_dir = /var/log/heat
 stack_domain_admin = heat_domain_admin
 stack_domain_admin_password = {{ HEAT_PASS }}
@@ -17,12 +20,35 @@ use_db_reconnect = True
 pool_timeout = 10
 
 [ec2authtoken]
-auth_uri = http://{{ internal_vip.ip }}:5000/v2.0
+auth_uri = http://{{ internal_vip.ip }}:5000
+
+[clients_keystone]
+auth_uri = http://{{ internal_vip.ip }}:35357
 
 [keystone_authtoken]
-auth_uri = http://{{ internal_vip.ip }}:5000/v2.0
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = heat
+password = {{ HEAT_PASS }}
+
 identity_uri = http://{{ internal_vip.ip }}:35357
 admin_tenant_name = service
 admin_user = heat
 admin_password = {{ HEAT_PASS }}
 
+[oslo_messaging_rabbit]
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+
+[trustee]
+auth_type = password
+auth_url = http://{{ internal_vip.ip }}:35357
+username = heat
+password = {{ HEAT_PASS }}
+user_domain_name = default
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_config.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_config.yml
new file mode 100644
index 00000000..35c84ce8
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_config.yml
@@ -0,0 +1,101 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: keystone-manage db-sync
+  shell: su -s /bin/sh -c 'keystone-manage db_sync' keystone
+
+- name: Check if fernet keys already exist
+  stat:
+    path: "/etc/keystone/fernet-keys/0"
+  register: fernet_keys_0
+
+- name: Create fernet keys for Keystone
+  command:
+    keystone-manage fernet_setup
+      --keystone-user keystone
+      --keystone-group keystone
+  when: not fernet_keys_0.stat.exists
+  notify:
+    - restart keystone services
+
+- name: Rotate fernet keys for Keystone
+  command:
+    keystone-manage fernet_rotate
+      --keystone-user keystone
+      --keystone-group keystone
+  when: fernet_keys_0.stat.exists
+  notify:
+    - restart keystone services
+
+- name: Distribute the fernet key repository
+  shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+               -avz \
+               --delete \
+               /etc/keystone/fernet-keys \
+               root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+  with_items: groups['controller'][1:]
+  notify:
+    - restart keystone services
+
+- name: Check if credential keys already exist
+  stat:
+    path: "/etc/keystone/credential-keys/0"
+  register: credential_keys_0
+
+- name: Create credential keys for Keystone
+  command:
+    keystone-manage credential_setup
+      --keystone-user keystone
+      --keystone-group keystone
+  when: not credential_keys_0.stat.exists
+  notify:
+    - restart keystone services
+
+- name: Rotate credential keys for Keystone
+  command:
+    keystone-manage credential_rotate
+      --keystone-user keystone
+      --keystone-group keystone
+  when: credential_keys_0.stat.exists
+  notify:
+    - restart keystone services
+
+- name: Distribute the credential key repository
+  shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \
+               -avz \
+               --delete \
+               /etc/keystone/credential-keys \
+               root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
+  with_items: groups['controller'][1:]
+  notify:
+    - restart keystone services
+
+- name: Bootstrap the Identity service
+  shell:
+    keystone-manage bootstrap \
+      --bootstrap-password {{ ADMIN_PASS }} \
+      --bootstrap-admin-url http://{{ internal_ip }}:35357/v3/ \
+      --bootstrap-internal-url http://{{ internal_ip }}:35357/v3/ \
+      --bootstrap-public-url http://{{ internal_ip }}:5000/v3/
+      --bootstrap-region-id RegionOne \
+  notify:
+    - restart keystone services
+
+- meta: flush_handlers
+
+- name: wait for keystone ready
+  wait_for: port=35357 delay=3 timeout=30 host={{ internal_vip.ip }}
+
+- name: cron job to purge expired tokens hourly
+  cron:
+    name: 'purge expired tokens'
+    special_time: hourly
+    job: '/usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1'
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_create.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_create.yml
new file mode 100644
index 00000000..53077776
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_create.yml
@@ -0,0 +1,93 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: set keystone endpoint
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack endpoint set \
+         --interface public \
+         --url {{ item.publicurl }} \
+         $(openstack endpoint list | grep keystone | grep public | awk '{print $2}');
+    openstack endpoint set \
+         --interface internal \
+         --url {{ item.internalurl }} \
+         $(openstack endpoint list | grep keystone | grep internal | awk '{print $2}');
+    openstack endpoint set \
+         --interface admin \
+         --url {{ item.adminurl }} \
+         $(openstack endpoint list | grep keystone | grep admin | awk '{print $2}');
+  with_items: "{{ os_services[0:1] }}"
+
+- name: add service
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack service create \
+        --name "{{ item.name }}"
+        --description "{{ item.description }}" \
+        {{ item.type }}
+  with_items: "{{ os_services[1:] }}"
+
+- name: add project
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack project create --description "Service Project" service;
+    openstack project create --domain default --description "Demo Project" demo;
+
+- name: set admin user
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack user set \
+        --email "{{ item.email }}" \
+        --project "{{ item.tenant }}" \
+        --description "{{ item.tenant_description }}" \
+        --password "{{ item.password }}" \
+        {{ item.user }}
+  with_items: "{{ os_users }}"
+  when: item["user"] == "admin"
+
+- name: add user
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack user create \
+        --email "{{ item.email }}" \
+        --project "{{ item.tenant }}" \
+        --description "{{ item.tenant_description }}" \
+        --password "{{ item.password }}" \
+        {{ item.user }}
+  with_items: "{{ os_users[1:] }}"
+
+- name: add roles
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack role create {{ item.role }}
+  with_items: "{{ os_users }}"
+  when: item["user"] == "demo"
+
+- name: grant roles
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack role add \
+        --project "{{ item.tenant }}" \
+        --user "{{ item.user }}" \
+        {{ item.role }}
+  with_items: "{{ os_users }}"
+
+- name: add endpoints
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack endpoint create \
+        --region {{ item.region }} \
+        {{ item.name }} public {{ item.publicurl }};
+    openstack endpoint create \
+        --region {{ item.region }} \
+        {{ item.name }} internal {{ item.internalurl }};
+    openstack endpoint create \
+        --region {{ item.region }} \
+        {{ item.name }} admin {{ item.adminurl }};
+  with_items: "{{ os_services[1:] }}"
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml
index 8ff087ce..e9a36d42 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/keystone_install.yml
@@ -93,6 +93,5 @@
   with_items:
     - admin-openrc.sh
     - demo-openrc.sh
-    - admin-openrc-v3.sh
 
 - meta: flush_handlers
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/main.yml
new file mode 100644
index 00000000..ad619d40
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/tasks/main.yml
@@ -0,0 +1,30 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include: keystone_install.yml
+  tags:
+    - install
+    - keystone_install
+    - keystone
+
+- include: keystone_config.yml
+  when: inventory_hostname == groups['controller'][0]
+  tags:
+    - config
+    - keystone_config
+    - keystone
+
+- include: keystone_create.yml
+  when: inventory_hostname == groups['controller'][0]
+  tags:
+    - config
+    - keystone_create
+    - keystone
+
+- meta: flush_handlers
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/admin-openrc.sh b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/admin-openrc.sh
new file mode 100644
index 00000000..94d5850f
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/admin-openrc.sh
@@ -0,0 +1,18 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+# Verify the Identity Service installation
+export OS_PROJECT_DOMAIN_NAME=default
+export OS_USER_DOMAIN_NAME=default
+export OS_TENANT_NAME=admin
+export OS_PROJECT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD={{ ADMIN_PASS }}
+export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/demo-openrc.sh b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/demo-openrc.sh
new file mode 100644
index 00000000..920f42ed
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/demo-openrc.sh
@@ -0,0 +1,17 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+export OS_PROJECT_DOMAIN_NAME=default
+export OS_USER_DOMAIN_NAME=default
+export OS_TENANT_NAME=demo
+export OS_PROJECT_NAME=demo
+export OS_USERNAME=demo
+export OS_PASSWORD={{ DEMO_PASS }}
+export OS_AUTH_URL=http://{{ internal_vip.ip }}:5000/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/keystone.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/keystone.conf
new file mode 100644
index 00000000..919be344
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/templates/keystone.conf
@@ -0,0 +1,60 @@
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+[DEFAULT]
+debug={{ DEBUG }}
+log_dir = /var/log/keystone
+
+[cache]
+backend = keystone.cache.memcache_pool
+memcache_servers = {{ memcached_servers}}
+enabled=true
+
+[revoke]
+driver = sql
+expiration_buffer = 3600
+caching = true
+
+[database]
+connection = mysql://keystone:{{ KEYSTONE_DBPASS }}@{{ db_host }}/keystone?charset=utf8
+idle_timeout = 30
+min_pool_size = 5
+max_pool_size = 120
+pool_timeout = 30
+
+[fernet_tokens]
+key_repository = /etc/keystone/fernet-keys/
+
+[identity]
+default_domain_id = default
+driver = sql
+
+[assignment]
+driver = sql
+
+[resource]
+driver = sql
+caching = true
+cache_time = 3600
+
+[token]
+enforce_token_bind = permissive
+expiration = 43200
+provider = fernet
+driver = sql
+caching = true
+cache_time = 3600
+
+[eventlet_server]
+public_bind_host = {{ identity_host }}
+admin_bind_host = {{ identity_host }}
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_hosts = {{ rabbitmq_servers }}
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
index 79ed06fe..90977372 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml
@@ -17,9 +17,9 @@ os_services:
     type: identity
     region: RegionOne
     description: "OpenStack Identity"
-    publicurl: "http://{{ public_vip.ip }}:5000/v2.0"
-    internalurl: "http://{{ internal_vip.ip }}:5000/v2.0"
-    adminurl: "http://{{ internal_vip.ip }}:35357/v2.0"
+    publicurl: "http://{{ public_vip.ip }}:5000/v3"
+    internalurl: "http://{{ internal_vip.ip }}:5000/v3"
+    adminurl: "http://{{ internal_vip.ip }}:35357/v3"
 
   - name: glance
     type: image
@@ -33,9 +33,9 @@ os_services:
     type: compute
     region: RegionOne
     description: "OpenStack Compute"
-    publicurl: "http://{{ public_vip.ip }}:8774/v2/%(tenant_id)s"
-    internalurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s"
-    adminurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s"
+    publicurl: "http://{{ public_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s"
+    internalurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s"
+    adminurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s"
 
   - name: neutron
     type: network
@@ -65,25 +65,25 @@ os_services:
     type: volume
     region: RegionOne
     description: "OpenStack Block Storage"
-    publicurl: "http://{{ public_vip.ip }}:8776/v1/%(tenant_id)s"
-    internalurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s"
-    adminurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s"
+    publicurl: "http://{{ public_vip.ip }}:8776/v1/%\\(tenant_id\\)s"
+    internalurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s"
+    adminurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s"
 
   - name: cinderv2
     type: volumev2
     region: RegionOne
     description: "OpenStack Block Storage v2"
-    publicurl: "http://{{ public_vip.ip }}:8776/v2/%(tenant_id)s"
-    internalurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s"
-    adminurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s"
+    publicurl: "http://{{ public_vip.ip }}:8776/v2/%\\(tenant_id\\)s"
+    internalurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s"
+    adminurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s"
 
   - name: heat
     type: orchestration
     region: RegionOne
     description: "OpenStack Orchestration"
-    publicurl: "http://{{ public_vip.ip }}:8004/v1/%(tenant_id)s"
-    internalurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s"
-    adminurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s"
+    publicurl: "http://{{ public_vip.ip }}:8004/v1/%\\(tenant_id\\)s"
+    internalurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s"
+    adminurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s"
 
   - name: heat-cfn
     type: cloudformation
@@ -97,9 +97,9 @@ os_services:
 #    type: object-store
 #    region: RegionOne
 #    description: "OpenStack Object Storage"
-#    publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
-#    internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
-#    adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+#    publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s"
+#    internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s"
+#    adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s"
 
 os_users:
   - user: admin
@@ -178,3 +178,4 @@ os_users:
 #    role: admin
 #    tenant: service
 #    tenant_description: "Service Tenant"
+
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/neutron-controller/tasks/neutron_install.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/neutron-controller/tasks/neutron_install.yml
index 0a30af7a..917a8356 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/neutron-controller/tasks/neutron_install.yml
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/neutron-controller/tasks/neutron_install.yml
@@ -31,12 +31,9 @@
   with_items: services | union(services_noarch)
 
 - name: get tenant id to fill neutron.conf
-  shell: openstack project show \
-             --os-username=admin \
-             --os-password=console \
-             --os-auth-url=http://{{ internal_vip.ip }}:35357/v2.0 \
-             --os-tenant-name=admin \
-             service | grep id | awk '{print $4}'
+  shell:
+    . /opt/admin-openrc.sh;
+    openstack project show service | grep id | sed -n "2,1p" | awk '{print $4}'
   register: NOVA_ADMIN_TENANT_ID
 
 - name: update neutron conf
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/nova-compute/templates/nova.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/nova-compute/templates/nova.conf
new file mode 100644
index 00000000..5f8fb887
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/nova-compute/templates/nova.conf
@@ -0,0 +1,113 @@
+{% set memcached_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+
+[DEFAULT]
+dhcpbridge_flagfile=/etc/nova/nova.conf
+dhcpbridge=/usr/bin/nova-dhcpbridge
+log-dir=/var/log/nova
+state_path=/var/lib/nova
+force_dhcp_release=True
+verbose={{ VERBOSE }}
+ec2_private_dns_show_ip=True
+enabled_apis=osapi_compute,metadata
+
+auth_strategy = keystone
+my_ip = {{ internal_ip }}
+use_neutron = True
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+transport_url = rabbit://openstack:{{ RABBIT_PASS }}@{{ rabbit_host }}
+default_floating_pool={{ public_net_info.network }}
+metadata_listen={{ internal_ip }}
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+
+iscsi_helper=tgtadm
+connection_type=libvirt
+root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
+debug={{ DEBUG }}
+volumes_path=/var/lib/nova/volumes
+rpc_backend = rabbit
+rabbit_host = {{ rabbit_host }}
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+osapi_compute_listen={{ internal_ip }}
+network_api_class = nova.network.neutronv2.api.API
+security_group_api = neutron
+instance_usage_audit = True
+instance_usage_audit_period = hour
+notify_on_state_change = vm_and_task_state
+notification_driver = nova.openstack.common.notifier.rpc_notifier
+notification_driver = ceilometer.compute.nova_notifier
+memcached_servers = {{ memcached_servers }}
+
+[database]
+# The SQLAlchemy connection string used to connect to the database
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova
+idle_timeout = 30
+pool_timeout = 10
+use_db_reconnect = True
+
+[api_database]
+connection = mysql://nova:{{ NOVA_DBPASS }}@{{ db_host }}/nova_api
+idle_timeout = 30
+pool_timeout = 10
+use_db_reconnect = True
+
+[oslo_concurrency]
+lock_path=/var/lib/nova/tmp
+
+[libvirt]
+use_virtio_for_bridges=True
+
+[wsgi]
+api_paste_config=/etc/nova/api-paste.ini
+
+[keystone_authtoken]
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+project_name = service
+username = nova
+password = {{ NOVA_PASS }}
+
+identity_uri = http://{{ internal_vip.ip }}:35357
+admin_tenant_name = service
+admin_user = nova
+admin_password = {{ NOVA_PASS }}
+
+[vnc]
+enabled = True
+vncserver_listen = {{ internal_ip }}
+vncserver_proxyclient_address = {{ internal_ip }}
+novncproxy_base_url = http://{{ public_vip.ip }}:6080/vnc_auto.html
+novncproxy_host = {{ internal_ip }}
+novncproxy_port = 6080
+
+[glance]
+api_servers = http://{{ internal_vip.ip }}:9292
+host = {{ internal_vip.ip }}
+
+[neutron]
+url = http://{{ internal_vip.ip }}:9696
+auth_url = http://{{ internal_vip.ip }}:35357
+auth_type = password
+project_domain_name = default
+user_domain_name = default
+region_name = RegionOne
+project_name = service
+username = neutron
+password = {{ NEUTRON_PASS }}
+service_metadata_proxy = True
+metadata_proxy_shared_secret = {{ METADATA_SECRET }}
+
+auth_strategy = keystone
+admin_tenant_name = service
+admin_username = neutron
+admin_password = {{ NEUTRON_PASS }}
+admin_auth_url = http://{{ internal_vip.ip }}:35357/v3
+
diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/tacker/templates/tacker.j2 b/deploy/adapters/ansible/openstack_newton_xenial/roles/tacker/templates/tacker.j2
index f1d9125b..ae0f644a 100644
--- a/deploy/adapters/ansible/openstack_newton_xenial/roles/tacker/templates/tacker.j2
+++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/tacker/templates/tacker.j2
@@ -286,7 +286,7 @@ notification_driver = tacker.openstack.common.notifier.rpc_notifier
 # notify_nova_on_port_data_changes = True
 
 # URL for connection to nova (Only supports one nova region currently).
-# nova_url = http://127.0.0.1:8774/v2
+# nova_url = http://127.0.0.1:8774/v3
 
 # Name of nova region to use. Useful if keystone manages more than one region
 # nova_region_name =