The way Compute Resources in Openstack are managed as of now is a bit broken.

In short, an user (admin) creates a Compute Resource and selects a tenant. Now any other foreman user would have access to create machines on that tenant, which is wrong, because these machines will be created on nova with whoever created the Compute Resource's credentials.

In order to prevent this, several approaches can be followed. As an example, you could have a Compute Resource with the credentials for each of the users, but again, any other user would be allowed to create vms on other Compute Resources and not only on his (he might not have permissions on other Compute Resources). This doesn't scale very well either as if you have 200 users in foreman it can really be a pain to always have to tell the admin to create you an Openstack Compute Resource. Not to mention the fact that foreman stores the name and password on each of the Openstack Compute Resources as plain text on the database (this could be done using EC2 credentials instead).

We have hacked our way in our foreman installation at CERN to allow us create hosts on Openstack Compute Resources (http://theforeman.org/issues/1825 is still fairly broken), set user_data (not through SSH/SCP because that doesn't work for us, we use finish templates for this). I have a working foreman that does this, but it differs a bit from what's currently on foreman/master. If we want to go ahead and support Keystone (or think of some other good way of manage this) we should probably try to merge them. I'm going to submit a pull request with the changes I did and link to it asap.