checking in missing site/slice privilege steps
diff --git a/planetstack/core/admin.py b/planetstack/core/admin.py
index 4846a28..c9d3172 100644
--- a/planetstack/core/admin.py
+++ b/planetstack/core/admin.py
@@ -404,16 +404,6 @@
     def queryset(self, request):
         return DeploymentPrivilege.select_by_user(request.user)
 
-class ControllerPrivilegeInline(PlStackTabularInline):
-    model = ControllerPrivilege
-    extra = 0
-    suit_classes = 'suit-tab suit-tab-admin-only'
-    fields = ['backend_status_icon', 'user','role','controller']
-    readonly_fields = ('backend_status_icon', )
-
-    def queryset(self, request):
-        return ControllerPrivilege.select_by_user(request.user)
-
 class ControllerSiteInline(PlStackTabularInline):
     model = ControllerSite
     extra = 0
@@ -1217,7 +1207,7 @@
     # that reference specific fields on auth.User.
     list_display = ('email', 'firstname', 'lastname', 'site', 'last_login')
     list_filter = ('site',)
-    inlines = [SlicePrivilegeInline,SitePrivilegeInline,ControllerPrivilegeInline,UserDashboardViewInline]
+    inlines = [SlicePrivilegeInline,SitePrivilegeInline,UserDashboardViewInline]
 
     fieldListLoginDetails = ['backend_status_text', 'email','site','password','is_active','is_readonly','is_admin','public_key']
     fieldListContactInfo = ['firstname','lastname','phone','timezone']
diff --git a/planetstack/core/models/__init__.py b/planetstack/core/models/__init__.py
index 79c6611..fcb50be 100644
--- a/planetstack/core/models/__init__.py
+++ b/planetstack/core/models/__init__.py
@@ -5,13 +5,13 @@
 from .service import ServiceAttribute
 from .tag import Tag
 from .role import Role
-from .site import Site, Deployment, DeploymentRole, DeploymentPrivilege, Controller, ControllerRole, ControllerPrivilege, ControllerSite, SiteDeployment
+from .site import Site, Deployment, DeploymentRole, DeploymentPrivilege, Controller, ControllerRole, ControllerSite, SiteDeployment
 from .dashboard import DashboardView, ControllerDashboardView
 from .user import User, UserDashboardView
 from .serviceclass import ServiceClass
 from .site import ControllerManager, ControllerDeletionManager, ControllerLinkManager,ControllerLinkDeletionManager
 from .slice import Slice, ControllerSlice
-from .controlleruser import ControllerUser
+from .controlleruser import ControllerUser, ControllerSitePrivilege, ControllerSlicePrivilege
 from .image import Image, ImageDeployments, ControllerImages
 from .node import Node
 from .serviceresource import ServiceResource
diff --git a/planetstack/core/models/controlleruser.py b/planetstack/core/models/controlleruser.py
index d0fda11..678ab77 100644
--- a/planetstack/core/models/controlleruser.py
+++ b/planetstack/core/models/controlleruser.py
@@ -24,3 +24,66 @@
             users = Users.select_by_user(user)
             qs = ControllerUser.objects.filter(user__in=users)
         return qs
+
+
+class ControllerSitePrivilege(PlCoreBase):
+    objects = ControllerLinkManager()
+    deleted_objects = ControllerLinkDeletionManager()
+
+    controller = models.ForeignKey('Controller', related_name='controllersiteprivileges')
+    site_privilege = models.ForeignKey('SitePrivilege', related_name='controllersiteprivileges')
+    role_id = models.CharField(null=True, blank=True, max_length=200, db_index=True, help_text="Keystone id")
+
+    def __unicode__(self):  return u'%s %s' % (self.controller, self.site_privilege)
+
+    def can_update(self, user):
+        if user.is_readonly:
+            return False
+        if user.is_admin:
+            return True
+        cprivs = ControllerSitePrivilege.objects.filter(site_privilege__user=user)
+        for cpriv in dprivs:
+            if cpriv.site_privilege.role.role == ['admin', 'Admin']:
+                return True
+        return False
+
+    @staticmethod
+    def select_by_user(user):
+        if user.is_admin:
+            qs = ControllerSitePrivilege.objects.all()
+        else:
+            cpriv_ids = [cp.id for cp in ControllerSitePrivilege.objects.filter(site_privilege__user=user)]
+            qs = ControllerSitePrivilege.objects.filter(id__in=cpriv_ids)
+        return qs
+
+
+class ControllerSlicePrivilege(PlCoreBase):
+    objects = ControllerLinkManager()
+    deleted_objects = ControllerLinkDeletionManager()
+
+    controller = models.ForeignKey('Controller', related_name='controllersliceprivileges')
+    slice_privilege = models.ForeignKey('SlicePrivilege', related_name='controllersliceprivileges')
+    role_id = models.CharField(null=True, blank=True, max_length=200, db_index=True, help_text="Keystone id")
+
+    def __unicode__(self):  return u'%s %s' % (self.controller, self.slice_privilege)
+
+    def can_update(self, user):
+        if user.is_readonly:
+            return False
+        if user.is_admin:
+            return True
+        cprivs = ControllerSlicePrivilege.objects.filter(slice_privilege__user=user)
+        for cpriv in dprivs:
+            if cpriv.role.role == ['admin', 'Admin']:
+                return True
+        return False
+
+    @staticmethod
+    def select_by_user(user):
+        if user.is_admin:
+            qs = ControllerSlicePrivilege.objects.all()
+        else:
+            cpriv_ids = [cp.id for cp in ControllerSlicePrivilege.objects.filter(slice_privilege__user=user)]
+            qs = ControllerSlicePrivilege.objects.filter(id__in=cpriv_ids)
+        return qs
+
diff --git a/planetstack/core/models/site.py b/planetstack/core/models/site.py
index 1d46f4c..881468a 100644
--- a/planetstack/core/models/site.py
+++ b/planetstack/core/models/site.py
@@ -263,36 +263,6 @@
 
     def __unicode__(self):  return u'%s' % (self.role)
 
-class ControllerPrivilege(PlCoreBase):
-    objects = ControllerLinkManager()
-    deleted_objects = ControllerLinkDeletionManager()
-
-    user = models.ForeignKey('User', related_name='controllerprivileges')
-    controller = models.ForeignKey('Controller', related_name='controllerprivileges')
-    role = models.ForeignKey('ControllerRole',related_name='controllerprivileges')
-
-    def __unicode__(self):  return u'%s %s %s' % (self.controller, self.user, self.role)
-
-    def can_update(self, user):
-        if user.is_readonly:
-            return False
-        if user.is_admin:
-            return True
-        cprivs = ControllerPrivilege.objects.filter(user=user)
-        for cpriv in dprivs:
-            if cpriv.role.role == 'admin':
-                return True
-        return False
-
-    @staticmethod
-    def select_by_user(user):
-        if user.is_admin:
-            qs = ControllerPrivilege.objects.all()
-        else:
-            cpriv_ids = [cp.id for cp in ControllerPrivilege.objects.filter(user=user)]
-            qs = ControllerPrivilege.objects.filter(id__in=cpriv_ids)
-        return qs 
-
 class Controller(PlCoreBase):
 
     objects = ControllerManager()
diff --git a/planetstack/genapi.py b/planetstack/genapi.py
index c7b189b..2e10d74 100644
--- a/planetstack/genapi.py
+++ b/planetstack/genapi.py
@@ -68,9 +68,6 @@
         url(r'plstackapi/planetstackroles/$', PlanetStackRoleList.as_view(), name='planetstackrole-list'),
         url(r'plstackapi/planetstackroles/(?P<pk>[a-zA-Z0-9\-]+)/$', PlanetStackRoleDetail.as_view(), name ='planetstackrole-detail'),
     
-        url(r'plstackapi/controllerprivileges/$', ControllerPrivilegeList.as_view(), name='controllerprivilege-list'),
-        url(r'plstackapi/controllerprivileges/(?P<pk>[a-zA-Z0-9\-]+)/$', ControllerPrivilegeDetail.as_view(), name ='controllerprivilege-detail'),
-    
         url(r'plstackapi/networkslivers/$', NetworkSliverList.as_view(), name='networksliver-list'),
         url(r'plstackapi/networkslivers/(?P<pk>[a-zA-Z0-9\-]+)/$', NetworkSliverDetail.as_view(), name ='networksliver-detail'),
     
@@ -725,41 +722,6 @@
 
 
 
-class ControllerPrivilegeSerializer(serializers.HyperlinkedModelSerializer):
-    id = IdField()
-    
-    humanReadableName = serializers.SerializerMethodField("getHumanReadableName")
-    validators = serializers.SerializerMethodField("getValidators")
-    def getHumanReadableName(self, obj):

-        return str(obj)
-    def getValidators(self, obj):
-        try:
-            return obj.getValidators()
-        except:
-            return None
-    class Meta:
-        model = ControllerPrivilege
-        fields = ('humanReadableName', 'validators', 'id','created','updated','enacted','backend_status','deleted','user','controller','role',)
-
-class ControllerPrivilegeIdSerializer(XOSModelSerializer):
-    id = IdField()
-    
-    humanReadableName = serializers.SerializerMethodField("getHumanReadableName")
-    validators = serializers.SerializerMethodField("getValidators")
-    def getHumanReadableName(self, obj):

-        return str(obj)

-    def getValidators(self, obj):

-        try:
-            return obj.getValidators()
-        except:
-            return None

-    class Meta:

-        model = ControllerPrivilege
-        fields = ('humanReadableName', 'validators', 'id','created','updated','enacted','backend_status','deleted','user','controller','role',)
-
-
-
-
 class NetworkSliverSerializer(serializers.HyperlinkedModelSerializer):
     id = IdField()
     
@@ -2371,8 +2333,6 @@
 
                  PlanetStackRole: PlanetStackRoleSerializer,
 
-                 ControllerPrivilege: ControllerPrivilegeSerializer,
-
                  NetworkSliver: NetworkSliverSerializer,
 
                  Project: ProjectSerializer,
@@ -3161,65 +3121,6 @@
 
 
 
-class ControllerPrivilegeList(generics.ListCreateAPIView):
-    queryset = ControllerPrivilege.objects.select_related().all()
-    serializer_class = ControllerPrivilegeSerializer
-    id_serializer_class = ControllerPrivilegeIdSerializer
-    filter_backends = (filters.DjangoFilterBackend,)
-    filter_fields = ('id','created','updated','enacted','backend_status','deleted','user','controller','role',)
-
-    def get_serializer_class(self):
-        no_hyperlinks = self.request.QUERY_PARAMS.get('no_hyperlinks', False)
-        if (no_hyperlinks):
-            return self.id_serializer_class
-        else:
-            return self.serializer_class
-
-    def get_queryset(self):
-        return ControllerPrivilege.select_by_user(self.request.user)
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.DATA, files=request.FILES)
-        if not (serializer.is_valid()):
-            response = {"error": "validation",
-                        "specific_error": "not serializer.is_valid()",

-                        "reasons": serializer.errors}

-            return Response(response, status=status.HTTP_400_BAD_REQUEST)
-        obj = serializer.object
-        obj.caller = request.user
-        if obj.can_update(request.user):
-            return super(ControllerPrivilegeList, self).create(request, *args, **kwargs)
-        else:
-            raise Exception("failed obj.can_update")
-
-        ret = super(ControllerPrivilegeList, self).create(request, *args, **kwargs)
-        if (ret.status_code%100 != 200):
-            raise Exception(ret.data)
-
-        return ret
-
-
-class ControllerPrivilegeDetail(PlanetStackRetrieveUpdateDestroyAPIView):
-    queryset = ControllerPrivilege.objects.select_related().all()
-    serializer_class = ControllerPrivilegeSerializer
-    id_serializer_class = ControllerPrivilegeIdSerializer
-
-    def get_serializer_class(self):
-        no_hyperlinks = self.request.QUERY_PARAMS.get('no_hyperlinks', False)
-        if (no_hyperlinks):
-            return self.id_serializer_class
-        else:
-            return self.serializer_class
-    
-    def get_queryset(self):
-        return ControllerPrivilege.select_by_user(self.request.user)
-
-    # update() is handled by PlanetStackRetrieveUpdateDestroyAPIView
-
-    # destroy() is handled by PlanetStackRetrieveUpdateDestroyAPIView
-
-
-
 class NetworkSliverList(generics.ListCreateAPIView):
     queryset = NetworkSliver.objects.select_related().all()
     serializer_class = NetworkSliverSerializer
diff --git a/planetstack/model_policies/__init__.py b/planetstack/model_policies/__init__.py
index ac395a1..f1c8071 100644
--- a/planetstack/model_policies/__init__.py
+++ b/planetstack/model_policies/__init__.py
@@ -2,3 +2,5 @@
 from .model_policy_User import *
 from .model_policy_Network import *
 from .model_policy_Site import *
+from .model_policy_SitePrivilege import *
+from .model_policy_SlicePrivilege import *
diff --git a/planetstack/model_policies/model_policy_SitePrivilege.py b/planetstack/model_policies/model_policy_SitePrivilege.py
new file mode 100644
index 0000000..90280a3
--- /dev/null
+++ b/planetstack/model_policies/model_policy_SitePrivilege.py
@@ -0,0 +1,14 @@
+def handle(site_privilege):
+    from core.models import Controller, SitePrivilege, ControllerSitePrivilege
+    
+    # apply site privilage at all controllers
+    controller_site_privileges = ControllerSitePrivilege.objects.filter(
+        site_privilege = site_privilege,
+        )
+    existing_controllers = [csp.controller for sp in controller_site_privileges]
+    all_controllers = Controller.objects.all()
+    for controller in all_controllers:
+        if controller not in existing_controllers:
+            ctrl_site_priv = ControllerSitePrivilege(controller=controller, site_privilege=site_privilege)
+            ctrl_site_priv.save()  
+
diff --git a/planetstack/model_policies/model_policy_SlicePrivilege.py b/planetstack/model_policies/model_policy_SlicePrivilege.py
new file mode 100644
index 0000000..0f772cb
--- /dev/null
+++ b/planetstack/model_policies/model_policy_SlicePrivilege.py
@@ -0,0 +1,14 @@
+def handle(slice_privilege):
+    from core.models import Controller, SlicePrivilege, ControllerSlicePrivilege
+    
+    # apply slice privilage at all controllers
+    controller_slice_privileges = ControllerSlicePrivilege.objects.filter(
+        slice_privilege = slice_privilege,
+        )
+    existing_controllers = [csp.controller for sp in controller_slice_privileges]
+    all_controllers = Controller.objects.all()
+    for controller in all_controllers:
+        if controller not in existing_controllers:
+            ctrl_slice_priv = ControllerSlicePrivilege(controller=controller, slice_privilege=slice_privilege)
+            ctrl_slice_priv.save()  
+
diff --git a/planetstack/openstack_observer/steps/__init__.py b/planetstack/openstack_observer/steps/__init__.py
index b83322a..72b0b12 100644
--- a/planetstack/openstack_observer/steps/__init__.py
+++ b/planetstack/openstack_observer/steps/__init__.py
@@ -1,3 +1,5 @@
 from .sync_controller_sites import SyncControllerSites
 from .sync_controller_slices import SyncControllerSlices
 from .sync_controller_users import SyncControllerUsers
+from .sync_controller_site_privileges import SyncControllerSitePrivileges
+from .sync_controller_slice_privileges import SyncControllerSlicePrivileges
diff --git a/planetstack/openstack_observer/steps/sync_controller_site_privileges.py b/planetstack/openstack_observer/steps/sync_controller_site_privileges.py
new file mode 100644
index 0000000..dd5bf3a
--- /dev/null
+++ b/planetstack/openstack_observer/steps/sync_controller_site_privileges.py
@@ -0,0 +1,92 @@
+import os
+import base64
+from collections import defaultdict
+from django.db.models import F, Q
+from planetstack.config import Config
+from observer.openstacksyncstep import OpenStackSyncStep
+from core.models.site import Controller, SitePrivilege 
+from core.models.user import User
+from core.models.controlleruser import ControllerUser, ControllerSitePrivilege
+from util.logger import Logger, logging
+
+from observer.ansible import *
+
+logger = Logger(level=logging.INFO)
+
+class SyncControllerSitePrivileges(OpenStackSyncStep):
+    provides=[ControllerSitePrivilege]
+    requested_interval=0
+
+    def fetch_pending(self, deleted):
+
+        if (deleted):
+            return ControllerSitePrivilege.deleted_objects.all()
+        else:
+            return ControllerSitePrivilege.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None)) 
+
+    def sync_record(self, controller_site_privilege):
+        logger.info("sync'ing controler_site_privilege %s at controller %s" % (controller_site_privilege, controller_site_privilege.controller))
+
+        if not controller_site_privilege.controller.admin_user:
+            logger.info("controller %r has no admin_user, skipping" % controller_site_privilege.controller)
+            return
+
+	template = os_template_env.get_template('sync_controller_users.yaml')
+        roles = [controller_site_privilege.site_privilege.role.role]
+	# setup user home site roles at controller 
+        if not controller_site_privilege.site_privilege.user.site:
+            raise Exception('Siteless user %s'%controller_site_privilege.site_privilege.user.email)
+        else:
+            # look up tenant id for the user's site at the controller
+            #ctrl_site_deployments = SiteDeployment.objects.filter(
+            #  site_deployment__site=controller_site_privilege.user.site,
+            #  controller=controller_site_privilege.controller)
+
+            #if ctrl_site_deployments:
+            #    # need the correct tenant id for site at the controller
+            #    tenant_id = ctrl_site_deployments[0].tenant_id  
+            #    tenant_name = ctrl_site_deployments[0].site_deployment.site.login_base
+            user_fields = {
+                       'endpoint':controller_site_privilege.controller.auth_url,
+		       'name': controller_site_privilege.site_privilege.user.email,
+                       'email': controller_site_privilege.site_privilege.user.email,
+                       'password': controller_site_privilege.site_privilege.user.remote_password,
+                       'admin_user': controller_site_privilege.controller.admin_user,
+		       'admin_password': controller_site_privilege.controller.admin_password,
+	               'ansible_tag':'%s@%s'%(controller_site_privilege.site_privilege.user.email.replace('@','-at-'),controller_site_privilege.controller.name),
+		       'admin_tenant': controller_site_privilege.controller.admin_tenant,
+		       'roles':roles,
+		       'tenant':controller_site_privilege.site_privilege.site.login_base}    
+	
+	    rendered = template.render(user_fields)
+	    res = run_template('sync_controller_users.yaml', user_fields,path='controller_site_privileges')
+
+	    # results is an array in which each element corresponds to an 
+	    # "ok" string received per operation. If we get as many oks as
+	    # the number of operations we issued, that means a grand success.
+	    # Otherwise, the number of oks tell us which operation failed.
+	    expected_length = len(roles) + 1
+	    if (len(res)==expected_length):
+                controller_site_privilege.role_id = res[0]['id']
+                controller_site_privilege.save()
+	    elif (len(res)):
+	        raise Exception('Could not assign roles for user %s'%user_fields['name'])
+	    else:
+	        raise Exception('Could not create or update user %s'%user_fields['name'])
+
+    def delete_record(self, controller_site_privilege):
+        if controller_site_privilege.role_id:
+            driver = self.driver.admin_driver(controller=controller_site_privilege.controller)
+            user = ControllerUser.objects.get(
+                controller=controller_site_privilege.controller, 
+                user=controller_site_privilege.site_privilege.user
+            )
+            site = ControllerSite.objects.get(
+                controller=controller_site_privilege.controller, 
+                user=controller_site_privilege.site_privilege.user
+            )
+            driver.delete_user_role(
+                user.kuser_id, 
+                site.tenant_id, 
+                controller_site_privilege.site_prvilege.role.role
+            )
diff --git a/planetstack/openstack_observer/steps/sync_controller_slice_privileges.py b/planetstack/openstack_observer/steps/sync_controller_slice_privileges.py
new file mode 100644
index 0000000..f981f16
--- /dev/null
+++ b/planetstack/openstack_observer/steps/sync_controller_slice_privileges.py
@@ -0,0 +1,92 @@
+import os
+import base64
+from collections import defaultdict
+from django.db.models import F, Q
+from planetstack.config import Config
+from observer.openstacksyncstep import OpenStackSyncStep
+from core.models.slice import Controller, SlicePrivilege 
+from core.models.user import User
+from core.models.controlleruser import ControllerUser, ControllerSlicePrivilege
+from util.logger import Logger, logging
+
+from observer.ansible import *
+
+logger = Logger(level=logging.INFO)
+
+class SyncControllerSlicePrivileges(OpenStackSyncStep):
+    provides=[ControllerSlicePrivilege]
+    requested_interval=0
+
+    def fetch_pending(self, deleted):
+
+        if (deleted):
+            return ControllerSlicePrivilege.deleted_objects.all()
+        else:
+            return ControllerSlicePrivilege.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None)) 
+
+    def sync_record(self, controller_slice_privilege):
+        logger.info("sync'ing controler_slice_privilege %s at controller %s" % (controller_slice_privilege, controller_slice_privilege.controller))
+
+        if not controller_slice_privilege.controller.admin_user:
+            logger.info("controller %r has no admin_user, skipping" % controller_slice_privilege.controller)
+            return
+
+	template = os_template_env.get_template('sync_controller_users.yaml')
+        roles = [controller_slice_privilege.slice_privilege.role.role]
+	# setup user home slice roles at controller 
+        if not controller_slice_privilege.slice_privilege.user.site:
+            raise Exception('Sliceless user %s'%controller_slice_privilege.slice_privilege.user.email)
+        else:
+            # look up tenant id for the user's slice at the controller
+            #ctrl_slice_deployments = SliceDeployment.objects.filter(
+            #  slice_deployment__slice=controller_slice_privilege.user.slice,
+            #  controller=controller_slice_privilege.controller)
+
+            #if ctrl_slice_deployments:
+            #    # need the correct tenant id for slice at the controller
+            #    tenant_id = ctrl_slice_deployments[0].tenant_id  
+            #    tenant_name = ctrl_slice_deployments[0].slice_deployment.slice.login_base
+            user_fields = {
+                       'endpoint':controller_slice_privilege.controller.auth_url,
+		       'name': controller_slice_privilege.slice_privilege.user.email,
+                       'email': controller_slice_privilege.slice_privilege.user.email,
+                       'password': controller_slice_privilege.slice_privilege.user.remote_password,
+                       'admin_user': controller_slice_privilege.controller.admin_user,
+		       'admin_password': controller_slice_privilege.controller.admin_password,
+	               'ansible_tag':'%s@%s'%(controller_slice_privilege.slice_privilege.user.email.replace('@','-at-'),controller_slice_privilege.controller.name),
+		       'admin_tenant': controller_slice_privilege.controller.admin_tenant,
+		       'roles':roles,
+		       'tenant':controller_slice_privilege.slice_privilege.slice.name}    
+	
+	    rendered = template.render(user_fields)
+	    res = run_template('sync_controller_users.yaml', user_fields,path='controller_slice_privileges')
+
+	    # results is an array in which each element corresponds to an 
+	    # "ok" string received per operation. If we get as many oks as
+	    # the number of operations we issued, that means a grand success.
+	    # Otherwise, the number of oks tell us which operation failed.
+	    expected_length = len(roles) + 1
+	    if (len(res)==expected_length):
+                controller_slice_privilege.role_id = res[0]['id']
+                controller_slice_privilege.save()
+	    elif (len(res)):
+	        raise Exception('Could not assign roles for user %s'%user_fields['name'])
+	    else:
+	        raise Exception('Could not create or update user %s'%user_fields['name'])
+
+    def delete_record(self, controller_slice_privilege):
+        if controller_slice_privilege.role_id:
+            driver = self.driver.admin_driver(controller=controller_slice_privilege.controller)
+            user = ControllerUser.objects.get(
+                controller=controller_slice_privilege.controller, 
+                user=controller_slice_privilege.slice_privilege.user
+            )
+            slice = ControllerSlice.objects.get(
+                controller=controller_slice_privilege.controller, 
+                user=controller_slice_privilege.slice_privilege.user
+            )
+            driver.delete_user_role(
+                user.kuser_id, 
+                slice.tenant_id, 
+                controller_slice_privilege.slice_prvilege.role.role
+            )
diff --git a/planetstack/openstack_observer/steps/sync_controller_user_site_privileges.py b/planetstack/openstack_observer/steps/sync_controller_user_site_privileges.py
deleted file mode 100644
index 6a62104..0000000
--- a/planetstack/openstack_observer/steps/sync_controller_user_site_privileges.py
+++ /dev/null
@@ -1,86 +0,0 @@
-import os
-import base64
-from collections import defaultdict
-from django.db.models import F, Q
-from planetstack.config import Config
-from observer.openstacksyncstep import OpenStackSyncStep
-from core.models.site import Controller, SitePrivilege 
-from core.models.user import User
-from core.models.controlleruser import ControllerUser
-from util.logger import Logger, logging
-
-from observer.ansible import *
-
-logger = Logger(level=logging.INFO)
-
-class SyncControllerUser(OpenStackSyncStep):
-    provides=[SitePrivilege]
-    requested_interval=0
-
-    def fetch_pending(self, deleted):
-
-        if (deleted):
-            return SitePrivilege.deleted_objects.all()
-        else:
-            return ControllerUser.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None)) 
-
-    def sync_record(self, controller_user):
-        logger.info("sync'ing user %s at controller %s" % (controller_user.user, controller_user.controller))
-
-        if not controller_user.controller.admin_user:
-            logger.info("controller %r has no admin_user, skipping" % controller_user.controller)
-            return
-
-	template = os_template_env.get_template('sync_controller_users.yaml')
-
-        # All users will have at least the 'user' role at their home site/tenant.
-        # We must also check if the user should have the admin role 		 		
-	roles = ['user']
-        if controller_user.user.is_admin:
-            roles.append('admin')
-   
-	# setup user home site roles at controller 
-        if not controller_user.user.site:
-            raise Exception('Siteless user %s'%controller_user.user.email)
-        else:
-            # look up tenant id for the user's site at the controller
-            #ctrl_site_deployments = SiteDeployment.objects.filter(
-            #  site_deployment__site=controller_user.user.site,
-            #  controller=controller_user.controller)
-
-            #if ctrl_site_deployments:
-            #    # need the correct tenant id for site at the controller
-            #    tenant_id = ctrl_site_deployments[0].tenant_id  
-            #    tenant_name = ctrl_site_deployments[0].site_deployment.site.login_base
-            user_fields = {
-                       'endpoint':controller_user.controller.auth_url,
-		       'name': controller_user.user.email,
-                       'email': controller_user.user.email,
-                       'password': controller_user.user.remote_password,
-                       'admin_user': controller_user.controller.admin_user,
-		       'admin_password': controller_user.controller.admin_password,
-	               'ansible_tag':'%s@%s'%(controller_user.user.email.replace('@','-at-'),controller_user.controller.name),
-		       'admin_tenant': controller_user.controller.admin_tenant,
-		       'roles':roles,
-		       'tenant':controller_user.user.site.login_base}    
-	
-	    rendered = template.render(user_fields)
-	    res = run_template('sync_controller_users.yaml', user_fields,path='controller_users')
-
-	    # results is an array in which each element corresponds to an 
-	    # "ok" string received per operation. If we get as many oks as
-	    # the number of operations we issued, that means a grand success.
-	    # Otherwise, the number of oks tell us which operation failed.
-	    expected_length = len(roles) + 1
-	    if (len(res)==expected_length):
-                controller_user.kuser_id = res[0]['id']
-                controller_user.save()
-	    elif (len(res)):
-	        raise Exception('Could not assign roles for user %s'%user_fields['name'])
-	    else:
-	        raise Exception('Could not create or update user %s'%user_fields['name'])
-
-    def delete_record(self, controller_user):
-        if controller_user.kuser_id:
-            driver = self.driver.admin_driver(controller=controller_user.controller)
-            driver.delete_user(controller_user.kuser_id)
diff --git a/planetstack/openstack_observer/steps/sync_controller_user_slice_privileges.py b/planetstack/openstack_observer/steps/sync_controller_user_slice_privileges.py
deleted file mode 100644
index 4c68a40..0000000
--- a/planetstack/openstack_observer/steps/sync_controller_user_slice_privileges.py
+++ /dev/null
@@ -1,86 +0,0 @@
-import os
-import base64
-from collections import defaultdict
-from django.db.models import F, Q
-from planetstack.config import Config
-from observer.openstacksyncstep import OpenStackSyncStep
-from core.models.site import Controller, SiteDeployment
-from core.models.user import User
-from core.models.controllerusers import ControllerUser
-from util.logger import Logger, logging
-
-from observer.ansible import *
-
-logger = Logger(level=logging.INFO)
-
-class SyncControllerUser(OpenStackSyncStep):
-    provides=[ControllerUser, User]
-    requested_interval=0
-
-    def fetch_pending(self, deleted):
-
-        if (deleted):
-            return ControllerUser.deleted_objects.all()
-        else:
-            return ControllerUser.objects.filter(Q(enacted__lt=F('updated')) | Q(enacted=None)) 
-
-    def sync_record(self, controller_user):
-        logger.info("sync'ing user %s at controller %s" % (controller_user.user, controller_user.controller))
-
-        if not controller_user.controller.admin_user:
-            logger.info("controller %r has no admin_user, skipping" % controller_user.controller)
-            return
-
-	template = os_template_env.get_template('sync_controller_users.yaml')
-
-        # All users will have at least the 'user' role at their home site/tenant.
-        # We must also check if the user should have the admin role 		 		
-	roles = ['user']
-        if controller_user.user.is_admin:
-            roles.append('admin')
-   
-	# setup user home site roles at controller 
-        if not controller_user.user.site:
-            raise Exception('Siteless user %s'%controller_user.user.email)
-        else:
-            # look up tenant id for the user's site at the controller
-            #ctrl_site_deployments = SiteDeployment.objects.filter(
-            #  site_deployment__site=controller_user.user.site,
-            #  controller=controller_user.controller)
-
-            #if ctrl_site_deployments:
-            #    # need the correct tenant id for site at the controller
-            #    tenant_id = ctrl_site_deployments[0].tenant_id  
-            #    tenant_name = ctrl_site_deployments[0].site_deployment.site.login_base
-            user_fields = {
-                       'endpoint':controller_user.controller.auth_url,
-		       'name': controller_user.user.email,
-                       'email': controller_user.user.email,
-                       'password': controller_user.user.remote_password,
-                       'admin_user': controller_user.controller.admin_user,
-		       'admin_password': controller_user.controller.admin_password,
-	               'ansible_tag':'%s@%s'%(controller_user.user.email.replace('@','-at-'),controller_user.controller.name),
-		       'admin_tenant': controller_user.controller.admin_tenant,
-		       'roles':roles,
-		       'tenant':controller_user.user.site.login_base}    
-	
-	    rendered = template.render(user_fields)
-	    res = run_template('sync_controller_users.yaml', user_fields,path='controller_users')
-
-	    # results is an array in which each element corresponds to an 
-	    # "ok" string received per operation. If we get as many oks as
-	    # the number of operations we issued, that means a grand success.
-	    # Otherwise, the number of oks tell us which operation failed.
-	    expected_length = len(roles) + 1
-	    if (len(res)==expected_length):
-                controller_user.kuser_id = res[0]['id']
-                controller_user.save()
-	    elif (len(res)):
-	        raise Exception('Could not assign roles for user %s'%user_fields['name'])
-	    else:
-	        raise Exception('Could not create or update user %s'%user_fields['name'])
-
-    def delete_record(self, controller_user):
-        if controller_user.kuser_id:
-            driver = self.driver.admin_driver(controller=controller_user.controller)
-            driver.delete_user(controller_user.kuser_id)