Comment 11 for bug 890411

Ziad Sawalha (ziad-sawalha) wrote :

We did not consider the use case of having multiple instances of services or services that don't trust each other sharing one instance of Keystone. That was not an oversight, but a conscious decision to focus on exiting incubation and integrating with existing OpenStack services in known, common deployments.

That is not to negate the concern Jason brings up, which is valid.

We did, however, blueprint a mechanism to separate services so they can own their own endpoints and roles. That mechanism was not fully implemented until today (https://review.openstack.org/1864). Using the enforced ownership over service names, you can have services own their role prefixes (ex. nova:admin is owned by nova and glance cannot edit it. Similarly, glance:admin is created and owned by glance).

While all roles are still returned to the middleware, the service can identify the roles it owns by the prefix.

But I still look forward to the patch from HP. Meanwhile, I would consider this workaround a mitigation for the above risk. I will work on documenting it.
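As an added illustration of the prefix-ownership mitigation described above (example code, not Keystone's or the review's own implementation), the snippet below models roles named `service:role`, lets a service pick out the roles it owns from the full list the middleware receives, and refuses create/edit requests from any service other than the owner. The `RoleRegistry` class and all role names are assumed for the example; unprefixed roles such as `admin` are treated as unowned and therefore not editable through this check.

```python
from typing import Dict, List, Optional

# Added example; models the "nova:admin is owned by nova" scheme, not Keystone code.


def role_owner(role: str) -> Optional[str]:
    """Return the owning service of a 'service:role' name, or None if unprefixed."""
    prefix, sep, _ = role.partition(":")
    if not sep or not prefix:
        return None  # legacy/global roles like 'admin' have no owner
    return prefix


def can_modify_role(service: str, role: str) -> bool:
    """Only the owning service may create or edit a prefixed role."""
    return role_owner(role) == service


def roles_for_service(all_roles: List[str], service: str) -> List[str]:
    """All roles are returned to the middleware; keep only those this service owns."""
    return [r for r in all_roles if role_owner(r) == service]


class RoleRegistry:
    """Constructed in-memory registry enforcing ownership on create and edit."""

    def __init__(self) -> None:
        self._roles: Dict[str, str] = {}

    def create(self, acting_service: str, role: str, description: str = "") -> None:
        if not can_modify_role(acting_service, role):
            raise PermissionError(f"{acting_service} does not own role {role!r}")
        if role in self._roles:
            raise ValueError(f"role {role!r} already exists")
        self._roles[role] = description

    def edit(self, acting_service: str, role: str, description: str) -> None:
        if role not in self._roles:
            raise KeyError(role)
        if not can_modify_role(acting_service, role):
            raise PermissionError(f"{acting_service} does not own role {role!r}")
        self._roles[role] = description

    def all_roles(self) -> List[str]:
        return sorted(self._roles)
```

Note that the prefix only identifies ownership because creation is enforced server-side; a service that merely filters by prefix without that enforcement would still be trusting every other service not to mint roles in its namespace.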