diff --git a/manifests/compute/hypervisor.pp b/manifests/compute/hypervisor.pp
index 5362de06..39c66fce 100644
--- a/manifests/compute/hypervisor.pp
+++ b/manifests/compute/hypervisor.pp
@@ -141,14 +141,28 @@ Host *
 Exec <<| tag == 'get_or_set_virsh_secret' |>>
 Exec <<| tag == 'set_secret_value_virsh' |>>
+ # Configure Ceph keyring
 Ceph::Key <<| title == $cinder_rbd_user |>>
+ # If Cinder & Nova reside on the same node, we need a group
+ # where nova & cinder users have read permissions.
+ ensure_resource('group', 'cephkeyring', {
+ ensure => 'present'
+ })
+
+ # puppet-nova already manages 'nova' user
+ # we just want to ensure nova is part of the group.
+ ensure_resource('exec', 'add-nova-to-cephkeyring-group', {
+ command => 'useradd -G cephkeyring nova || true'
+ })
+
 ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
- owner => 'cinder',
- group => 'cinder',
- mode => '0444',
+ owner => 'cephkeyring',
+ group => 'cephkeyring',
+ mode => '0400',
 require => "Ceph::Key[${cinder_rbd_user}]",
 })
+ Concat::Fragment <<| title == 'ceph-client-os' |>>
 } else {
 $libvirt_disk_cachemodes_real = []
diff --git a/manifests/volume/backend/rbd.pp b/manifests/volume/backend/rbd.pp
index 61a0aea0..660811fe 100644
--- a/manifests/volume/backend/rbd.pp
+++ b/manifests/volume/backend/rbd.pp
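Review bot: The rewritten keyring File resource sets `owner => 'cephkeyring'` with `mode => '0400'`, but the hunk only declares a group named cephkeyring and never a user, so the owner lookup fails at apply time, and even with such a user a 0400 mode gives the group members (nova, cinder) none of the read access the new comment says they need; a group-shared secret wants a real owner and a group-readable, non-world-readable mode, e.g. `owner => 'root', group => 'cephkeyring', mode => '0440',`. The exec `useradd -G cephkeyring nova || true` also cannot do what it is meant to: useradd fails when the nova account already exists (which the comment says puppet-nova guarantees) and `|| true` silences that failure, so nova is never added to the group and Puppet reports success; useradd is also unqualified with no `path`, and the exec has no `unless` guard so it re-runs on every agent run. Appending the group with `usermod -a -G cephkeyring nova`, qualifying the command, guarding it with an `unless`, and requiring `Group['cephkeyring']` fixes the membership and makes the resource idempotent. The same three points apply to the rbd.pp hunk for the cinder user. The enclosing `if` branch starts before this hunk.
```puppet
    # … unchanged: Exec/Ceph::Key collectors and the 'cephkeyring' group …
    ensure_resource('exec', 'add-nova-to-cephkeyring-group', {
      command => 'usermod -a -G cephkeyring nova',
      path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
      unless  => 'id -nG nova | grep -qw cephkeyring',
      require => Group['cephkeyring'],
    })

    ensure_resource('file', "/etc/ceph/ceph.client.${cinder_rbd_user}.keyring", {
      owner   => 'root',
      group   => 'cephkeyring',
      mode    => '0440',
      require => "Ceph::Key[${cinder_rbd_user}]",
    })
    # … unchanged: Concat::Fragment collector …
```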
@@ -73,12 +73,26 @@ define cloud::volume::backend::rbd (
 # Configure Ceph keyring
 Ceph::Key <<| title == $rbd_user |>>
+
+ # If Cinder & Nova reside on the same node, we need a group
+ # where nova & cinder users have read permissions.
+ ensure_resource('group', 'cephkeyring', {
+ ensure => 'present'
+ })
+
+ # puppet-nova already manages 'cinder' user
+ # we just want to ensure cinder is part of the group.
+ ensure_resource('exec', 'add-cinder-to-cephkeyring-group', {
+ command => 'useradd -G cephkeyring cinder || true'
+ })
+
 ensure_resource('file', "/etc/ceph/ceph.client.${rbd_user}.keyring", {
- owner => 'cinder',
- group => 'cinder',
- mode => '0444',
+ owner => 'cephkeyring',
+ group => 'cephkeyring',
+ mode => '0400',
 require => "Ceph::Key[${rbd_user}]",
 })
+ Concat::Fragment <<| title == 'ceph-client-os' |>>
 @cinder::type { $volume_backend_name:
diff --git a/spec/classes/cloud_compute_hypervisor_spec.rb b/spec/classes/cloud_compute_hypervisor_spec.rb
index 57850bba..2f4cf9c5 100644
--- a/spec/classes/cloud_compute_hypervisor_spec.rb
+++ b/spec/classes/cloud_compute_hypervisor_spec.rb
@@ -233,12 +233,14 @@ describe 'cloud::compute::hypervisor' do
 should contain_class('ceilometer::agent::compute')
 end
- it 'configure nova-conpute to support RBD backend' do
+ it 'configure nova-compute to support RBD backend' do
 should contain_nova_config('DEFAULT/libvirt_images_type').with('value' => 'rbd')
 should contain_nova_config('DEFAULT/libvirt_images_rbd_pool').with('value' => 'nova')
 should contain_nova_config('DEFAULT/libvirt_images_rbd_ceph_conf').with('value' => '/etc/ceph/ceph.conf')
 should contain_nova_config('DEFAULT/rbd_user').with('value' => 'cinder')
 should contain_nova_config('DEFAULT/rbd_secret_uuid').with('value' => 'secrete')
+ should contain_exec('add-nova-to-cephkeyring-group').with( :command => 'useradd -G cephkeyring nova || true')
+ should contain_group('cephkeyring').with(:ensure => 'present')
 end
 it 'configure nova-compute with extra parameters' do
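Review bot: The new comment above the exec, `# puppet-nova already manages 'cinder' user`, names the wrong module: this is the Cinder RBD backend and the cinder account comes from puppet-cinder, so the comment should read `# puppet-cinder already manages the 'cinder' user`. Since this exec is copy-pasted from the hypervisor manifest, it is worth stating in the same comment why an exec is used instead of a `user` resource (avoiding a duplicate declaration with the module that owns the account), otherwise the next reader will be tempted to replace it with `user { 'cinder': groups => ['cephkeyring'] }` and hit a duplicate-resource error. The define this hunk sits in starts before the hunk.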
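Review bot: The two added expectations pin the exec's command string and the group's presence but say nothing about the keyring file, whose ownership and mode change is the security-relevant part of this commit; with `DEFAULT/rbd_user` asserted as `cinder` above, add `should contain_file('/etc/ceph/ceph.client.cinder.keyring').with(:owner => ..., :group => 'cephkeyring', :mode => ...)` carrying whatever owner and mode the manifest settles on, so a regression back to a world-readable keyring is caught. The same gap exists in the cloud_volume_storage_spec.rb hunk, which likewise asserts only the exec and group. Style: `.with( :command =>` carries a stray space after the parenthesis that the neighbouring `with(:ensure => 'present')` does not; the file otherwise uses `with('value' => ...)` string keys, so the hash-rocket symbol keys are also inconsistent with the surrounding example.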
diff --git a/spec/classes/cloud_volume_controller_spec.rb b/spec/classes/cloud_volume_controller_spec.rb
index 8c0fba82..333929f9 100644
--- a/spec/classes/cloud_volume_controller_spec.rb
+++ b/spec/classes/cloud_volume_controller_spec.rb
@@ -100,7 +100,7 @@ describe 'cloud::volume::controller' do
 :default_volume_type => nil
 )
 end
- xit 'should raise an error and fail' do
+ it 'should raise an error and fail' do
 should compile.and_raise_error(/when using multi-backend, you should define a default_volume_type value in cloud::volume::controller/)
 end
 end
diff --git a/spec/classes/cloud_volume_storage_spec.rb b/spec/classes/cloud_volume_storage_spec.rb
index 1662fc68..0686eccd 100644
--- a/spec/classes/cloud_volume_storage_spec.rb
+++ b/spec/classes/cloud_volume_storage_spec.rb
@@ -106,6 +106,8 @@ describe 'cloud::volume::storage' do
 :os_password => 'secret',
 :os_auth_url => 'http://keystone.host:5000/v2.0'
 )
+ should contain_exec('add-cinder-to-cephkeyring-group').with( :command => 'useradd -G cephkeyring cinder || true')
+ should contain_group('cephkeyring').with(:ensure => 'present')
 end
 end