diff --git a/config.yaml b/config.yaml
index 55b4dec8..1ada523d 100644
--- a/config.yaml
+++ b/config.yaml
@@ -12,6 +12,11 @@ options:
     default: False
     description: |
       Setting this to True will allow supporting services to log to syslog.
+  audit-middleware:
+    type: boolean
+    default: False
+    description: |
+      Enable Keystone auditing middleware for logging API calls.
   openstack-origin:
     type: string
     default: bobcat
@@ -127,10 +132,10 @@ options:
     description: Database to request access.
   rabbit-user:
     type: string
-    default: cinder
-    description: Username to request access on rabbitmq-server.
-  rabbit-vhost:
-    type: string
+    default: cinder            api_paste_content = zaza.model.file_contents(
+                self.lead_unit,
+                api_paste_ini_path,
+            )
     default: openstack
     description: RabbitMQ virtual host to request access on rabbitmq-server.
   region:
@@ -312,7 +317,10 @@ options:
     type: string
     default:
     description: |
-      The IP address and netmask of the OpenStack Public network (e.g.
+      The IP address and netmask of the             api_paste_content = zaza.model.file_contents(
+                self.lead_unit,
+                api_paste_ini_path,
+            )OpenStack Public network (e.g.
       192.168.0.0/24)
       .
       This network will be used for public endpoints.
diff --git a/hooks/cinder_utils.py b/hooks/cinder_utils.py
index fa1d519f..14d226e2 100644
--- a/hooks/cinder_utils.py
+++ b/hooks/cinder_utils.py
@@ -167,6 +167,7 @@ CINDER_CONF_DIR = "/etc/cinder"
 CINDER_CONF = '%s/cinder.conf' % CINDER_CONF_DIR
 CINDER_API_CONF = '%s/api-paste.ini' % CINDER_CONF_DIR
 CINDER_POLICY_JSON = '%s/policy.json' % CINDER_CONF_DIR
+CINDER_AUDIT_MAP = '%s/api_audit_map.conf' % CINDER_CONF_DIR
 CEPH_CONF = '/etc/ceph/ceph.conf'
 
 HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
@@ -237,18 +238,24 @@ BASE_RESOURCE_MAP = OrderedDict([
                      cinder_contexts.VolumeUsageAuditContext(),
                      context.MemcacheContext(),
                      cinder_contexts.SectionalConfigContext(),
-                     cinder_contexts.LVMContext()],
+                     cinder_contexts.LVMContext(),
+                     context.KeystoneAuditMiddleware(service='cinder')],
         'services': ['cinder-api', 'cinder-volume', 'cinder-scheduler',
                      'haproxy']
     }),
     (CINDER_API_CONF, {
-        'contexts': [context.IdentityServiceContext()],
+        'contexts': [context.IdentityServiceContext(),
+                     context.KeystoneAuditMiddleware(service='cinder')],
         'services': ['cinder-api'],
     }),
     (CINDER_POLICY_JSON, {
         'contexts': [],
         'services': ['cinder-api']
     }),
+    (CINDER_AUDIT_MAP, {
+        'contexts': [context.KeystoneAuditMiddleware(service='cinder')],
+        'services': ['cinder-api']
+    }),
     (ceph_config_file(), {
         'contexts': [context.CephContext()],
         'services': ['cinder-volume']
@@ -773,7 +780,7 @@ def check_local_db_actions_complete():
             # Echo notification
             data = {CINDER_DB_INIT_ECHO_RKEY: init_id}
             # BUG: #1928383 - clear CINDER_DB_INIT_RKEY if not the leader
-            if not(is_elected_leader(CLUSTER_RES)):
+            if not is_elected_leader(CLUSTER_RES):
                 data[CINDER_DB_INIT_RKEY] = None
             relation_set(**data)
 
diff --git a/templates/yoga/api-paste.ini b/templates/yoga/api-paste.ini
new file mode 100644
index 00000000..5a632263
--- /dev/null
+++ b/templates/yoga/api-paste.ini
@@ -0,0 +1,101 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/healthcheck: healthcheck
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+/v3: openstack_volume_api_v3
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv1
+{% if audit_middleware and service_name -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv1
+{% else -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+{% endif %}
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
+{% if audit_middleware and service_name -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv2
+{% else -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+{% endif %}
+
+[composite:openstack_volume_api_v3]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
+{% if audit_middleware and service_name -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext audit apiv3
+{% else -%}
+keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
+{% endif %}
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
+
+[filter:http_proxy_to_wsgi]
+paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = cinder
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[app:apiv3]
+paste.app_factory = cinder.api.v3.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+[pipeline:healthcheck]
+pipeline = request_id healthcheckapp
+
+[app:healthcheckapp]
+paste.app_factory = oslo_middleware:Healthcheck.app_factory
+backends = disable_by_file
+disable_by_file_path = /etc/cinder/healthcheck_disable
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+{% include "section-filter-audit" %}
\ No newline at end of file
diff --git a/templates/yoga/api_audit_map.conf b/templates/yoga/api_audit_map.conf
new file mode 100644
index 00000000..17889f8c
--- /dev/null
+++ b/templates/yoga/api_audit_map.conf
@@ -0,0 +1,28 @@
+[DEFAULT]
+# default target endpoint type
+# should match the endpoint type defined in service catalog
+target_endpoint_type = None
+
+# map urls ending with specific text to a unique action
+[custom_actions]
+associate = update/associate
+disassociate = update/disassociate
+disassociate_all = update/disassociate_all
+associations = read/list/associations
+
+# possible end path of api requests
+[path_keywords]
+defaults = None
+detail = None
+limits = None
+os-quota-specs = project
+qos-specs = qos-spec
+snapshots = snapshot
+types = type
+volumes = volume
+
+# map endpoint type defined in service catalog to CADF typeURI
+[service_endpoints]
+volume = service/storage/block
+volumev2 = service/storage/block
+volumev3 = service/storage/block
\ No newline at end of file
diff --git a/templates/yoga/cinder.conf b/templates/yoga/cinder.conf
new file mode 100644
index 00000000..42f7421f
--- /dev/null
+++ b/templates/yoga/cinder.conf
@@ -0,0 +1,89 @@
+###############################################################################
+# [ WARNING ]
+# cinder configuration file maintained by Juju
+# local changes may be overwritten.
+###############################################################################
+[DEFAULT]
+rootwrap_config = /etc/cinder/rootwrap.conf
+api_paste_confg = /etc/cinder/api-paste.ini
+iscsi_helper = tgtadm
+verbose = {{ verbose }}
+debug = {{ debug }}
+use_syslog = {{ use_syslog }}
+auth_strategy = keystone
+state_path = /var/lib/cinder
+osapi_volume_workers = {{ workers }}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+{% if use_internal_endpoints -%}
+swift_catalog_info = object-store:swift:internalURL
+keystone_catalog_info = identity:Identity Service:internalURL
+glance_catalog_info = image:glance:internalURL
+nova_catalog_info = compute:Compute Service:internalURL
+{% endif %}
+
+osapi_volume_listen = {{ bind_host }}
+{% if osapi_volume_listen_port -%}
+osapi_volume_listen_port = {{ osapi_volume_listen_port }}
+{% endif -%}
+
+{% if glance_api_servers -%}
+glance_api_servers = {{ glance_api_servers }}
+{% endif -%}
+
+{% if glance_api_version -%}
+glance_api_version = {{ glance_api_version }}
+{% endif -%}
+
+{% if region -%}
+os_region_name = {{ region }}
+{% endif -%}
+
+{% if user_config_flags -%}
+{% for key, value in user_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+volume_usage_audit_period = {{ volume_usage_audit_period }}
+
+{% if auth_host -%}
+cinder_internal_tenant_project_id = {{ admin_tenant_id }}
+{% if admin_user_id -%}
+cinder_internal_tenant_user_id = {{ admin_user_id }}
+{% else -%}
+cinder_internal_tenant_user_id = {{ admin_user }}
+{% endif -%}
+{% endif -%}
+
+{% include "parts/backends" %}
+{% include "section-keystone-authtoken-mitaka" %}
+
+{% if keystone_authtoken -%}
+{% include "section-service-user" %}
+{% endif -%}
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit-ocata" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-audit-middleware-notifications" %}
+
+[oslo_concurrency]
+lock_path = /var/lock/cinder
+
+[keymgr]
+# XXX: hack to work around http://pad.lv/1516085
+#      will be superseded by SRU to cinder package
+encryption_auth_url = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "section-oslo-middleware" %}
+
+[nova]
+{% include "parts/service-auth" %}
+