diff --git a/ansible/roles/glance/tasks/ceph.yml b/ansible/roles/glance/tasks/ceph.yml
index 389a266ddd..2c9c8287f3 100644
--- a/ansible/roles/glance/tasks/ceph.yml
+++ b/ansible/roles/glance/tasks/ceph.yml
@@ -3,6 +3,7 @@
   file:
     path: "{{ node_config_directory }}/glance-api"
     state: "directory"
+    mode: "0770"
   when: inventory_hostname in groups['glance-api']
 
 - name: Copying over ceph.conf(s)
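Review bot: The directory task in this hunk gains `mode: "0770"` but no `become: true`, `owner` or `group`, unlike the "Ensuring config directories exist" task in glance/tasks/config.yml. Ownership is only set by the recursive task added at the end of this file, so the directory and ceph.conf tasks still run as the connecting user. Once the directory belongs to `config_owner_user` with 0770, a later run may fail to write into it unless the play itself escalates or the deploy user is in `config_owner_group`. Adding `become: true` to this task and the copy tasks below it would match the rest of the commit. The same gap is visible in glance/tasks/external_ceph.yml, nova/tasks/ceph.yml and nova/tasks/external_ceph.yml; the task's name line sits above this hunk.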
@@ -12,6 +13,7 @@
       - "{{ node_custom_config }}/ceph.conf"
       - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf"
     dest: "{{ node_config_directory }}/glance-api/ceph.conf"
+    mode: "0660"
   when: inventory_hostname in groups['glance-api']
 
 - include: ../../ceph_pools.yml
@@ -36,3 +38,14 @@
     dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring"
     mode: "0600"
   when: inventory_hostname in groups['glance-api']
+
+- name: Ensuring config directory has correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+  when: inventory_hostname in groups['glance-api']
+  with_items:
+    - "glance-api"
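Review bot: The task name promises "owner and permission", but the task sets only `owner` and `group`. Either rename it to `Ensuring config directory has correct owner and group`, or add a comment saying that modes are set per file by the tasks above. `recurse: yes` would read better as `recurse: true`, matching the `become: true` spelling used throughout this commit. The identical task is added in glance/tasks/external_ceph.yml, neutron/tasks/config-neutron-fake.yml, nova/tasks/ceph.yml, nova/tasks/config-nova-fake.yml and nova/tasks/external_ceph.yml.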
diff --git a/ansible/roles/glance/tasks/config.yml b/ansible/roles/glance/tasks/config.yml
index 8f4e3a813d..d2c2c0076c 100644
--- a/ansible/roles/glance/tasks/config.yml
+++ b/ansible/roles/glance/tasks/config.yml
@@ -3,7 +3,10 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
@@ -13,6 +16,8 @@
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
+  become: true
   register: glance_config_jsons
   when:
     - item.value.enabled | bool
@@ -33,6 +38,8 @@
       - "{{ node_custom_config }}/glance/{{ item.key }}.conf"
       - "{{ node_custom_config }}/glance/{{ inventory_hostname }}/{{ item.key }}.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ item.key }}.conf"
+    mode: "0660"
+  become: true
   register: glance_confs
   when:
     - item.value.enabled | bool
@@ -69,6 +76,8 @@
   template:
     src: "{{ node_custom_config }}/glance/policy.json"
     dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    mode: "0660"
+  become: true
   register: glance_policy_jsons
   when:
     - glance_policy.stat.exists
@@ -94,3 +103,4 @@
   notify:
     - Restart glance-api container
     - Restart glance-registry container
+
diff --git a/ansible/roles/glance/tasks/external_ceph.yml b/ansible/roles/glance/tasks/external_ceph.yml
index 43e9cf7205..0eeb588296 100644
--- a/ansible/roles/glance/tasks/external_ceph.yml
+++ b/ansible/roles/glance/tasks/external_ceph.yml
@@ -3,11 +3,24 @@
   file:
     path: "{{ node_config_directory }}/glance-api"
     state: "directory"
+    mode: "0770"
   when: inventory_hostname in groups['glance-api']
 
 - name: Copy over ceph files
   copy:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/glance-api/"
+    mode: "0660"
   with_fileglob:
     - "{{ node_custom_config }}/glance/ceph*"
+
+- name: Ensuring config directory has correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+  when: inventory_hostname in groups['glance-api']
+  with_items:
+    - "glance-api"
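Review bot: `mode: "0660"` on "Copy over ceph files" applies to everything matched by `{{ node_custom_config }}/glance/ceph*`, which presumably includes the client keyring. glance/tasks/ceph.yml writes ceph.client.glance.keyring with `mode: "0600"`, so the external-ceph path ends up with a looser, group-writable secret. Copy keyrings in a separate task with `mode: "0600"` and keep 0660 for ceph.conf only. The keyring copy in nova/tasks/external_ceph.yml (`src: "{{ nova_cephx_keyring_file.stat.path }}"`) gets `mode: "0660"` in the same way.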
diff --git a/ansible/roles/heat/tasks/config.yml b/ansible/roles/heat/tasks/config.yml
index 4a5e4276f1..03ab85b948 100644
--- a/ansible/roles/heat/tasks/config.yml
+++ b/ansible/roles/heat/tasks/config.yml
@@ -1,8 +1,12 @@
 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
     recurse: yes
   when:
     - inventory_hostname in groups[item.value.group]
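Review bot: This directory task keeps `recurse: yes` while adding `mode: "0770"`, so every run applies 0770, execute bits included, to all files already under the directory. The template tasks below then set those files back to 0660, which likely reports changes on every run and leaves config files executable in between. The other roles in this commit drop `recurse: yes` when they add the mode; doing the same here keeps 0770 on the directory only. The first hunk of neutron/tasks/config-neutron-fake.yml has the same combination.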
@@ -10,9 +14,11 @@
   with_dict: "{{ heat_services }}"
 
 - name: Copying over config.json files for services
+  become: true
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
   register: heat_config_jsons
   when:
     - item.value.enabled | bool
@@ -24,13 +30,16 @@
     - Restart heat-engine container
 
 - name: Copying over the heat-engine environment file
+  become: true
   template:
     src: "_deprecated.yaml"
     dest: "{{ node_config_directory }}/{{ item }}/_deprecated.yaml"
+    mode: "0660"
   with_items:
     - "heat-engine"
 
 - name: Copying over heat.conf
+  become: true
   vars:
     service_name: "{{ item.key }}"
   merge_configs:
@@ -41,6 +50,7 @@
       - "{{ node_custom_config }}/heat/{{ item.key }}.conf"
       - "{{ node_custom_config }}/heat/{{ inventory_hostname }}/heat.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/heat.conf"
+    mode: "0660"
   register: heat_confs
   when:
     - item.value.enabled | bool
@@ -57,9 +67,11 @@
   register: heat_policy
 
 - name: Copying over existing policy.json
+  become: true
   template:
     src: "{{ node_custom_config }}/heat/policy.json"
     dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    mode: "0660"
   register: heat_policy_jsons
   when:
     - heat_policy.stat.exists
diff --git a/ansible/roles/horizon/tasks/config.yml b/ansible/roles/horizon/tasks/config.yml
index 12836efaab..92fdeea1c5 100644
--- a/ansible/roles/horizon/tasks/config.yml
+++ b/ansible/roles/horizon/tasks/config.yml
@@ -1,20 +1,25 @@
 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
   with_dict: "{{ horizon_services }}"
 
 - name: Copying over config.json files for services
+  become: true
   vars:
     horizon: "{{ horizon_services['horizon'] }}"
   template:
     src: "horizon.json.j2"
     dest: "{{ node_config_directory }}/horizon/config.json"
+    mode: "0660"
   register: horizon_config_json
   when:
     - horizon.enabled | bool
@@ -23,11 +28,13 @@
     - Restart horizon container
 
 - name: Copying over horizon.conf
+  become: true
   vars:
     horizon: "{{ horizon_services['horizon'] }}"
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/horizon/horizon.conf"
+    mode: "0660"
   register: horizon_conf
   with_first_found:
     - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/horizon.conf"
@@ -40,11 +47,13 @@
     - Restart horizon container
 
 - name: Copying over local_settings
+  become: true
   vars:
     horizon: "{{ horizon_services['horizon'] }}"
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/horizon/local_settings"
+    mode: "0660"
   with_first_found:
     - "{{ node_custom_config }}/horizon/{{ inventory_hostname }}/local_settings"
     - "{{ node_custom_config }}/horizon/local_settings"
@@ -87,11 +96,13 @@
     - { name: "watcher", enabled: "{{ enable_horizon_watcher }}" }
 
 - name: Copying over existing policy.json
+  become: true
   vars:
     horizon: "{{ horizon_services['horizon'] }}"
   template:
     src: "{{ node_custom_config }}/horizon/{{ item.item.name }}_policy.json"
     dest: "{{ node_config_directory }}/horizon/{{ item.item.name }}_policy.json"
+    mode: "0660"
   register: policy_jsons
   when:
     - horizon.enabled | bool
@@ -119,3 +130,4 @@
     - horizon.enabled | bool
   notify:
     - Restart horizon container
+
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index 8fcf529de5..f32001c9a3 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -13,17 +13,34 @@
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
   with_dict: "{{ keystone_services }}"
 
+- name: Creating Keystone Domain directory
+  vars:
+    keystone: "{{ keystone_services.keystone }}"
+  file:
+    dest: "{{ node_config_directory }}/keystone/domains/"
+    state: "directory"
+    mode: "0770"
+  become: true
+  when:
+    - inventory_hostname in groups[keystone.group]
+    - keystone.enabled | bool
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0660"
   register: keystone_config_jsons
+  become: true
   with_dict: "{{ keystone_services }}"
   when:
     - inventory_hostname in groups[item.value.group]
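Review bot: The new "Creating Keystone Domain directory" task duplicates an existing task further down this file that also creates `{{ node_config_directory }}/keystone/domains/`. That older task only gains `become: true` in a later hunk and sets no mode, so the directory is managed twice with different settings. Keep a single task, and give it `owner: "{{ config_owner_user }}"` and `group: "{{ config_owner_group }}"` like the config-directories task above, since nothing in the visible hunks sets ownership for `domains/`. The task list continues outside this hunk.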
@@ -44,6 +61,8 @@
       - "{{ node_custom_config }}/keystone/{{ item.key }}.conf"
       - "{{ node_custom_config }}/keystone/{{ inventory_hostname }}/keystone.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/keystone.conf"
+    mode: "0660"
+  become: true
   register: keystone_confs
   with_dict: "{{ keystone_services }}"
   when:
@@ -60,6 +79,7 @@
   file:
     dest: "{{ node_config_directory }}/keystone/domains/"
     state: "directory"
+  become: true
   when:
     - inventory_hostname in groups[keystone.group]
     - keystone.enabled | bool
@@ -76,6 +96,8 @@
   template:
     src: "{{ item.path }}"
     dest: "{{ node_config_directory }}/keystone/domains/"
+    mode: "0660"
+  become: true
   register: keystone_domains
   when:
     - inventory_hostname in groups[keystone.group]
@@ -89,6 +111,8 @@
   template:
     src: "{{ node_custom_config }}/keystone/policy.json"
     dest: "{{ node_config_directory }}/{{ item.key }}/policy.json"
+    mode: "0660"
+  become: true
   register: keystone_policy_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -106,6 +130,8 @@
   template:
     src: "{{ item }}"
     dest: "{{ node_config_directory }}/keystone/wsgi-keystone.conf"
+    mode: "0660"
+  become: true
   register: keystone_wsgi
   when:
     - inventory_hostname in groups[keystone.group]
@@ -132,6 +158,8 @@
   template:
     src: "{{ node_custom_config }}/keystone/keystone-paste.ini"
     dest: "{{ node_config_directory }}/keystone/keystone-paste.ini"
+    mode: "0660"
+  become: true
   register: keystone_paste_ini
   when:
     - inventory_hostname in groups[keystone.group]
@@ -156,6 +184,8 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ node_config_directory }}/keystone-fernet/{{ item.dest }}"
+    mode: "0660"
+  become: true
   register: keystone_fernet_confs
   with_items:
     - { src: "crontab.j2", dest: "crontab" }
@@ -175,6 +205,8 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ node_config_directory }}/keystone-ssh/{{ item.dest }}"
+    mode: "0660"
+  become: true
   register: keystone_ssh_confs
   with_items:
     - { src: "sshd_config.j2", dest: "sshd_config" }
diff --git a/ansible/roles/neutron/tasks/config-neutron-fake.yml b/ansible/roles/neutron/tasks/config-neutron-fake.yml
index 6736d94ca8..8577a16bee 100644
--- a/ansible/roles/neutron/tasks/config-neutron-fake.yml
+++ b/ansible/roles/neutron/tasks/config-neutron-fake.yml
@@ -1,16 +1,20 @@
 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}"
     state: "directory"
     recurse: yes
+    mode: "0770"
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   when: inventory_hostname in groups['compute']
 
 - name: Copying over config.json files for services
+  become: true
   template:
     src: "neutron-openvswitch-agent.json.j2"
     dest: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}/config.json"
+    mode: "0660"
   register: fake_config_json
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   when:
@@ -18,6 +22,7 @@
     - neutron_plugin_agent == "openvswitch"
 
 - name: Copying over neutron.conf
+  become: true
   vars:
     service_name: "{{ item }}"
   merge_configs:
@@ -28,6 +33,7 @@
       - "{{ node_custom_config }}/neutron/{{ item }}.conf"
       - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron.conf"
     dest: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}/neutron.conf"
+    mode: "0660"
   register: fake_neutron_conf
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   when:
@@ -35,6 +41,7 @@
     - neutron_plugin_agent == "openvswitch"
 
 - name: Copying over ml2_conf.ini
+  become: true
   vars:
     service_name: "{{ item }}"
   merge_configs:
@@ -43,6 +50,7 @@
       - "{{ node_custom_config }}/neutron/ml2_conf.ini"
       - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron.conf"
     dest: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}/ml2_conf.ini"
+    mode: "0660"
   register: fake_neutron_ml2_conf_ini
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   when:
@@ -68,3 +76,14 @@
   with_sequence: "start=1 end={{ num_nova_fake_per_node }}"
   notify:
     - Restart fake neutron-openvswitch-agent container
+
+- name: Ensuring config directory has correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/neutron-openvswitch-agent-fake-{{ item }}"
+    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+  when: inventory_hostname in groups['compute']
+  with_sequence: start=1 end={{ num_nova_fake_per_node }}
+
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 8245cdf15c..dbb2eb7495 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -1,5 +1,6 @@
 ---
 - name: Setting sysctl values
+  become: true
   vars:
     neutron_l3_agent: "{{ neutron_services['neutron-l3-agent'] }}"
     neutron_vpnaas_agent: "{{ neutron_services['neutron-vpnaas-agent'] }}"
@@ -14,19 +15,24 @@
       or (neutron_vpnaas_agent.enabled | bool and  neutron_vpnaas_agent.host_in_groups | bool)
 
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
   when:
     - item.value.enabled | bool
     - item.value.host_in_groups | bool
   with_dict: "{{ neutron_services }}"
 
 - name: Copying over config.json files for services
+  become: true
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0770"
   register: neutron_config_jsons
   when:
     - item.value.enabled | bool
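Review bot: `config.json` is written with `mode: "0770"` here, while the glance, heat, horizon and keystone roles in this commit use `mode: "0660"` for the same file. A JSON config file needs no execute bits, so this looks like the directory mode copied onto the file; suggest `mode: "0660"`. The same value appears on the config.json tasks in nova/tasks/config.yml and openvswitch/tasks/config.yml.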
@@ -36,6 +42,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over neutron.conf
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_neutron_conf:
@@ -56,6 +63,7 @@
       - "{{ node_custom_config }}/neutron/{{ item.key }}.conf"
       - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/neutron.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/neutron.conf"
+    mode: "0660"
   register: neutron_confs
   when:
     - item.value.enabled | bool
@@ -66,6 +74,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over neutron_lbaas.conf
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_neutron_lbaas_conf:
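Review bot: "Copying over neutron_lbaas.conf" gains `become: true`, but no hunk adds a `mode` to it, unlike neutron.conf just above. The file is therefore presumably created with whatever the privileged user's umask yields, which is often world-readable. Add `mode: "0660"` next to its `dest` for consistency with the rest of the commit. The same seems to apply to neutron_vpnaas.conf and bgp_dragent.ini in this file, and to the placement-api wsgi and policy.json tasks in nova/tasks/config.yml. Those task bodies lie outside the hunks, so confirm against the full files.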
@@ -87,6 +96,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over neutron_vpnaas.conf
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_neutron_vpnaas_conf:
@@ -108,6 +118,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over ml2_conf.ini
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_ml2_conf_ini:
@@ -120,6 +131,7 @@
       - "{{ node_custom_config }}/neutron/ml2_conf.ini"
       - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/ml2_conf.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/ml2_conf.ini"
+    mode: "0660"
   register: neutron_ml2_confs
   when:
     - item.key in services_need_ml2_conf_ini
@@ -130,6 +142,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over dhcp_agent.ini
+  become: true
   vars:
     service_name: "neutron-dhcp-agent"
     neutron_dhcp_agent: "{{ neutron_services[service_name] }}"
@@ -139,6 +152,7 @@
       - "{{ node_custom_config }}/neutron/dhcp_agent.ini"
       - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/dhcp_agent.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/dhcp_agent.ini"
+    mode: "0660"
   register: dhcp_agent_ini
   when:
     - neutron_dhcp_agent.enabled | bool
@@ -147,12 +161,14 @@
     - "Restart {{ service_name }} container"
 
 - name: Copying over dnsmasq.conf
+  become: true
   vars:
     service_name: "neutron-dhcp-agent"
     neutron_dhcp_agent: "{{ neutron_services[service_name] }}"
   template:
     src: "dnsmasq.conf.j2"
     dest: "{{ node_config_directory }}/{{ service_name }}/dnsmasq.conf"
+    mode: "0660"
   register: dnsmasq_conf
   when:
     - neutron_dhcp_agent.enabled | bool
@@ -161,6 +177,7 @@
     - "Restart {{ service_name }} container"
 
 - name: Copying over l3_agent.ini
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_l3_agent_ini:
@@ -172,6 +189,7 @@
       - "{{ node_custom_config }}/neutron/l3_agent.ini"
       - "{{ node_custom_config }}/neutron/{{ inventory_hostname }}/l3_agent.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/l3_agent.ini"
+    mode: "0660"
   register: neutron_l3_agent_inis
   when:
     - item.key in services_need_l3_agent_ini
@@ -182,6 +200,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over fwaas_driver.ini
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_fwaas_driver_ini:
@@ -193,6 +212,7 @@
       - "{{ role_path }}/templates/fwaas_driver.ini.j2"
       - "{{ node_custom_config }}/neutron/fwaas_driver.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/fwaas_driver.ini"
+    mode: "0660"
   register: neutron_fwaas_driver_inis
   when:
     - item.key in services_need_fwaas_driver_ini
@@ -203,6 +223,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over metadata_agent.ini
+  become: true
   vars:
     service_name: "neutron-metadata-agent"
     neutron_metadata_agent: "{{ neutron_services[service_name] }}"
@@ -211,6 +232,7 @@
       - "{{ role_path }}/templates/metadata_agent.ini.j2"
       - "{{ node_custom_config }}/neutron/metadata_agent.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/metadata_agent.ini"
+    mode: "0660"
   register: neutron_metadata_agent_ini
   when:
     - neutron_metadata_agent.enabled | bool
@@ -219,6 +241,7 @@
     - "Restart {{ service_name }} container"
 
 - name: Copying over lbaas_agent.ini
+  become: true
   vars:
     service_name: "neutron-lbaas-agent"
     neutron_lbaas_agent: "{{ neutron_services[service_name] }}"
@@ -227,6 +250,7 @@
       - "{{ role_path }}/templates/lbaas_agent.ini.j2"
       - "{{ node_custom_config }}/neutron/lbaas_agent.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/lbaas_agent.ini"
+    mode: "0660"
   register: neutron_lbaas_agent_ini
   when:
     - neutron_lbaas_agent.enabled | bool
@@ -235,6 +259,7 @@
     - "Restart {{ service_name }} container"
 
 - name: Copying over vpnaas_agent.ini
+  become: true
   vars:
     service_name: "neutron-vpnaas-agent"
     neutron_vpnaas_agent: "{{ neutron_services[service_name] }}"
@@ -243,6 +268,7 @@
       - "{{ role_path }}/templates/vpnaas_agent.ini.j2"
       - "{{ node_custom_config }}/neutron/vpnaas_agent.ini"
     dest: "{{ node_config_directory }}/{{ service_name }}/vpnaas_agent.ini"
+    mode: "0660"
   register: neutron_vpnaas_agent_ini
   when:
     - neutron_vpnaas_agent.enabled | bool
@@ -251,6 +277,7 @@
     - "Restart {{ service_name }} container"
 
 - name: Copying over bgp_dragent.ini
+  become: true
   vars:
     service_name: "neutron-bgp-dragent"
     neutron_bgp_dragent: "{{ neutron_services[service_name] }}"
@@ -290,6 +317,7 @@
     - "Restart {{ service_name }} container"
 
 - name: Copying over existing policy.json
+  become: true
   vars:
     service_name: "{{ item.key }}"
     services_need_policy_json:
@@ -305,6 +333,7 @@
   template:
     src: "{{ node_custom_config }}/neutron/policy.json"
     dest: "{{ node_config_directory }}/{{ service_name }}/policy.json"
+    mode: "0660"
   register: policy_jsons
   when:
     - neutron_policy.stat.exists
@@ -359,3 +388,4 @@
   with_dict: "{{ neutron_services }}"
   notify:
     - "Restart {{ item.key }} container"
+
diff --git a/ansible/roles/nova/tasks/ceph.yml b/ansible/roles/nova/tasks/ceph.yml
index 4274a2f71a..fd2ecdc7ee 100644
--- a/ansible/roles/nova/tasks/ceph.yml
+++ b/ansible/roles/nova/tasks/ceph.yml
@@ -3,6 +3,7 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
+    mode: "0770"
   with_items:
     - "nova-compute"
     - "nova-libvirt/secrets"
@@ -17,6 +18,7 @@
       - "{{ node_custom_config }}/ceph.conf"
       - "{{ node_custom_config }}/ceph/{{ inventory_hostname }}/ceph.conf"
     dest: "{{ node_config_directory }}/{{ item }}/ceph.conf"
+    mode: "0660"
   with_items:
     - "nova-compute"
     - "nova-libvirt"
@@ -94,3 +96,15 @@
     - uuid: "{{ cinder_rbd_secret_uuid }}"
       content: "{{ cinder_cephx_raw_key.stdout|default('') }}"
       enabled: "{{ enable_cinder | bool and cinder_backend_ceph | bool}}"
+
+- name: Ensuring config directory has correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+  with_items:
+    - "nova-compute"
+    - "nova-libvirt/secrets"
+  when: inventory_hostname in groups['compute']
diff --git a/ansible/roles/nova/tasks/config-nova-fake.yml b/ansible/roles/nova/tasks/config-nova-fake.yml
index d005cdc94e..e3fb87b2cf 100644
--- a/ansible/roles/nova/tasks/config-nova-fake.yml
+++ b/ansible/roles/nova/tasks/config-nova-fake.yml
@@ -1,5 +1,6 @@
 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/nova-compute-fake-{{ item }}"
     state: "directory"
@@ -9,14 +10,17 @@
     - Restart nova-compute-fake containers
 
 - name: Copying over config.json files for services
+  become: true
   template:
     src: "nova-compute.json.j2"
     dest: "{{ node_config_directory }}/nova-compute-fake-{{ item }}/config.json"
+    mode: "0660"
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   notify:
     - Restart nova-compute-fake containers
 
 - name: Copying over nova.conf
+  become: true
   vars:
     service_name: "{{ item }}"
   merge_configs:
@@ -27,6 +31,17 @@
       - "{{ node_custom_config }}/nova/{{ item }}.conf"
       - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf"
     dest: "{{ node_config_directory }}/nova-compute-fake-{{ item }}/nova.conf"
+    mode: "0660"
+  with_sequence: start=1 end={{ num_nova_fake_per_node }}
+
+- name: Ensuring config directory has correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/nova-compute-fake-{{ item }}"
+    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+  become: true
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   notify:
     - Restart nova-compute-fake containers
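Review bot: Inserting the new task between `mode: "0660"` and the existing `with_sequence`/`notify` lines moves `notify: Restart nova-compute-fake containers` from "Copying over nova.conf" to the ownership task. A changed nova.conf therefore no longer triggers the restart handler, while an ownership fix-up does. The new task also declares `become: true` twice, which is a duplicate mapping key. Put `notify:` with `- Restart nova-compute-fake containers` back under the nova.conf task after its `with_sequence`, and drop the second `become: true` and the `notify` from the ownership task.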
@@ -44,6 +59,7 @@
       - "/lib/modules:/lib/modules:ro"
       - "/run:/run:shared"
       - "kolla_logs:/var/log/kolla/"
+  become: true
   with_sequence: start=1 end={{ num_nova_fake_per_node }}
   when:
     - action != "config"
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index b636708f14..834646c956 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -1,5 +1,6 @@
 ---
 - name: Setting sysctl values
+  become: true
   sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
   with_items:
     - { name: "net.bridge.bridge-nf-call-iptables", value: 1}
@@ -11,19 +12,24 @@
     - inventory_hostname in groups['compute']
 
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
   with_dict: "{{ nova_services }}"
 
 - name: Copying over config.json files for services
+  become: true
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0770"
   register: config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
@@ -33,6 +39,7 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over nova.conf
+  become: true
   vars:
     services_require_nova_conf:
       - placement-api
@@ -54,6 +61,7 @@
       - "{{ node_custom_config }}/nova/{{ item.key }}.conf"
       - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf"
     dest: "{{ node_config_directory }}/{{ item.key }}/nova.conf"
+    mode: "0660"
   register: nova_confs
   when:
     - inventory_hostname in groups[item.value.group]
@@ -64,11 +72,13 @@
     - "Restart {{ item.key }} container"
 
 - name: Copying over libvirt configuration
+  become: true
   vars:
     service: "{{ nova_services['nova-libvirt'] }}"
   template:
     src: "{{ item.src }}"
     dest: "{{ node_config_directory }}/nova-libvirt/{{ item.dest }}"
+    mode: "0660"
   register: nova_libvirt_confs
   when:
     - inventory_hostname in groups[service.group]
@@ -80,6 +90,7 @@
     - Restart nova-libvirt container
 
 - name: Copying over placement-api wsgi configuration
+  become: true
   vars:
     service: "{{ nova_services['placement-api'] }}"
   template:
@@ -93,11 +104,13 @@
     - Restart placement-api container
 
 - name: Copying files for nova-ssh
+  become: true
   vars:
     service: "{{ nova_services['nova-ssh'] }}"
   template:
     src: "{{ item.src }}"
     dest: "{{ node_config_directory }}/nova-ssh/{{ item.dest }}"
+    mode: "0660"
   register: nova_ssh_confs
   when:
     - inventory_hostname in groups[service.group]
@@ -131,6 +144,7 @@
   register: nova_policy
 
 - name: Copying over existing policy.json
+  become: true
   vars:
     services_require_policy_json:
       - placement-api
@@ -158,6 +172,7 @@
 
 # check whether the containers parameter is changed. If yes, trigger the handler
 - name: Check nova containers
+  become: true
   kolla_docker:
     action: "compare_container"
     common_options: "{{ docker_common_options }}"
@@ -175,3 +190,4 @@
   with_dict: "{{ nova_services }}"
   notify:
     - "Restart {{ item.key }} container"
+
diff --git a/ansible/roles/nova/tasks/external_ceph.yml b/ansible/roles/nova/tasks/external_ceph.yml
index 23011f8779..7071791d79 100644
--- a/ansible/roles/nova/tasks/external_ceph.yml
+++ b/ansible/roles/nova/tasks/external_ceph.yml
@@ -3,6 +3,7 @@
   file:
     path: "{{ node_config_directory }}/{{ item }}"
     state: "directory"
+    mode: "0770"
   with_items:
     - "nova-compute"
     - "nova-libvirt/secrets"
@@ -29,6 +30,7 @@
   copy:
     src: "{{ nova_cephx_keyring_file.stat.path }}"
     dest: "{{ node_config_directory }}/{{ item }}/"
+    mode: "0660"
   with_items:
     - nova-compute
     - nova-libvirt
@@ -40,6 +42,7 @@
   copy:
     src: "{{ node_custom_config }}/nova/ceph.conf"
     dest: "{{ node_config_directory }}/{{ item }}/"
+    mode: "0660"
   with_items:
     - nova-compute
     - nova-libvirt
@@ -91,3 +94,15 @@
     - uuid: "{{ cinder_rbd_secret_uuid }}"
       content: "{{ cinder_cephx_raw_key.stdout }}"
       enabled: "{{ cinder_backend_ceph }}"
+
+- name: Ensuring config directory has correct owner and permission
+  become: true
+  file:
+    path: "{{ node_config_directory }}/{{ item }}"
+    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+  with_items:
+    - "nova-compute"
+    - "nova-libvirt/secrets"
+  when: inventory_hostname in groups['compute']
diff --git a/ansible/roles/openvswitch/tasks/config.yml b/ansible/roles/openvswitch/tasks/config.yml
index fb5dff2381..762eedfc46 100644
--- a/ansible/roles/openvswitch/tasks/config.yml
+++ b/ansible/roles/openvswitch/tasks/config.yml
@@ -1,18 +1,23 @@
 ---
 - name: Ensuring config directories exist
+  become: true
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"
     state: "directory"
-    recurse: yes
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
   when:
     - item.value.enabled | bool
     - item.value.host_in_groups | bool
   with_dict: "{{ openvswitch_services }}"
 
 - name: Copying over config.json files for services
+  become: true
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
+    mode: "0770"
   register: openvswitch_config_jsons
   when:
     - item.value.enabled | bool
@@ -63,3 +68,4 @@
   with_dict: "{{ openvswitch_services }}"
   notify:
     - "Restart {{ item.key }} container"
+
diff --git a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
index 0cc8865865..1f7484bca7 100644
--- a/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
+++ b/releasenotes/notes/specify-task-become-84f83707f612bcf3.yaml
@@ -3,3 +3,4 @@ prelude: >
     Specify Ansible "become" for only necessary tasks.
 features:
   - Add "become" to necessary tasks of general roles.
+  - Add "become" to necessary tasks of default roles.
diff --git a/tools/playbook-setup-nodes.yml b/tools/playbook-setup-nodes.yml
index 47864d335a..cd765cfa39 100644
--- a/tools/playbook-setup-nodes.yml
+++ b/tools/playbook-setup-nodes.yml
@@ -10,6 +10,24 @@
   - name: Install wget package
     package: name=wget
 
+  - name: Add sudo group
+    group:
+      name: sudo
+      state: present
+
+  - name: Allow 'sudo' group to have passwordless sudo
+    lineinfile:
+      dest: /etc/sudoers
+      state: present
+      line: "%sudo ALL=(ALL) NOPASSWD: ALL"
+
+  - name: Add jenkins to sudo group
+    user:
+      name: jenkins
+      append: yes
+      groups: "sudo"
+
+
 - hosts: all
   become: true