When devstack sets up the service users, some of them get the 'service' role, which is great, but nova and neutron get the 'admin' role, which is not great. Also, the docs seem to say that all the service users should have the 'admin' role.
We need a cross-project initiative to figure out what the operations are that the different services need to do (e.g., what does neutron need to do on nova), update the docs with the correct info so that deployers can set up their system in a secure way, update the default policies, and change devstack to do the role assignments for testing.