Currently Glance is exposed to users through Nova; this is becoming a problem because new Glance features require a Nova extension. It would be better to have Glance as a first-class member of the OpenStack ecosystem. But in order for this to happen, we (as in OpenStack cloud providers) would need at least: - more robust user roles to allow per-user: - quotas - (anything else?) - protected image properties - image-related restrictions - e.g., there may be contractual reasons why you wouldn't want to allow download of specific images based not on the user, but on the image itself; might be the case for other actions) - other API changes from increased load Protected properties is scheduled for Havana; blueprint but no details yet. There are currently blueprints for rate limits, but an alternative approach would be to think that rate limiting should be done in front of Glance by Repose or a similar system that understands Keystone.