diff --git a/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch b/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch index b9ad336e..d9b87d5e 100644 --- a/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch +++ b/openstack/python-keystone/centos/patches/0001-Rebasing-Keyring-integration.patch @@ -5,9 +5,9 @@ Subject: [PATCH 1/1] Rebasing Keyring integration --- keystone/exception.py | 6 ++++++ - keystone/identity/core.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++ + keystone/identity/core.py | 54 +++++++++++++++++++++++++++++++++++++++++++++++ requirements.txt | 1 + - 3 files changed, 57 insertions(+) + 3 files changed, 61 insertions(+) diff --git a/keystone/exception.py b/keystone/exception.py index b85878b..56601ce 100644 
@@ -73,21 +73,25 @@ index ed43e76..da7e7ba 100644 @domains_configured @exception_translated('user') def update_user(self, user_id, user_ref, initiator=None): -@@ -1113,6 +1135,13 @@ class Manager(manager.Manager): - ) - notifications.invalidate_token_cache_notification(reason) +@@ -1099,6 +1121,17 @@ class Manager(manager.Manager): + + ref = driver.update_user(entity_id, user) + # Certain local Keystone users are stored in Keystone as opposed + # to the default SQL Identity backend, such as the admin user. + # When its password is updated, we need to update Keyring as well + # as certain services retrieve this user context from Keyring and + # will get auth failures ++ # Need update password before send out notification. Otherwise, ++ # any process monitor the notification will still get old password ++ # from Keyring. + if ('password' in user) and ('name' in ref): + self._update_keyring_password(ref, user['password']) - return self._set_domain_id_and_mapping( - ref, domain_id, driver, mapping.EntityType.USER) ++ + notifications.Audit.updated(self._USER, user_id, initiator) -@@ -1128,6 +1157,7 @@ class Manager(manager.Manager): + enabled_change = ((user.get('enabled') is False) and +@@ -1128,6 +1161,7 @@ class Manager(manager.Manager): hints.add_filter('user_id', user_id) fed_users = PROVIDERS.shadow_users_api.list_federated_users_info(hints) @@ -95,7 +99,7 @@ index ed43e76..da7e7ba 100644 driver.delete_user(entity_id) PROVIDERS.assignment_api.delete_user_assignments(user_id) self.get_user.invalidate(self, user_id) -@@ -1141,6 +1171,18 @@ class Manager(manager.Manager): +@@ -1141,6 +1175,18 @@ class Manager(manager.Manager): PROVIDERS.credential_api.delete_credentials_for_user(user_id) PROVIDERS.id_mapping_api.delete_id_mapping(user_id) 
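Review bot: In the `update_user` hunk, `self._update_keyring_password(ref, user['password'])` now runs after `driver.update_user(entity_id, user)` has stored the new password but before `notifications.Audit.updated(...)` and the `enabled_change` handling. If the Keyring call can raise (its body is not in this hunk), a password change that already took effect would produce no audit event, and the steps that follow it would be skipped. Before the move those steps ran first, so the reorder trades a stale-password window for a possible gap in the audit trail. I would catch and log a Keyring failure, let the audit and revocation path run, and re-raise afterwards. I would also document the ordering with a comment such as `# A Keyring failure here must not suppress the audit event below: the backend already holds the new password.` The body of `update_user` starts and ends outside the hunk, so the full failure path should be checked against the complete method.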
@@ -114,7 +118,7 @@ index ed43e76..da7e7ba 100644 notifications.Audit.deleted(self._USER, user_id, initiator) # Invalidate user role assignments cache region, as it may be caching -@@ -1390,6 +1432,14 @@ class Manager(manager.Manager): +@@ -1390,6 +1436,14 @@ class Manager(manager.Manager): notifications.Audit.updated(self._USER, user_id, initiator) self._persist_revocation_event_for_user(user_id)