Keystone in OpenStack Havana includes more granular role-based access control policies, the ability to assign roles via OAuth 1.0a and inherit domain roles from projects, a new group API, and separating projects and roles from authentication. It also allows for pluggable token generation and remote authentication through environment variables sent by web servers.