diff --git a/group_vars/clients.yml.sample b/group_vars/clients.yml.sample
index d39599e3f..a0e9e57b5 100644
--- a/group_vars/clients.yml.sample
+++ b/group_vars/clients.yml.sample
@@ -38,10 +38,6 @@ dummy:
 # - "{{ test }}"
 # - "{{ test2 }}"
-# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
-# To have have ansible setfacl the generated key for $user, set the acls var like so:
-# acls: ["u:$user:r--"]
-#
 # Generate a keyring using ceph-authtool CLI or python.
 # Eg:
 # $ ceph-authtool --gen-print-key
@@ -52,6 +48,6 @@ dummy:
 # - { name: client.test, key: "AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q==" ...
 #
 #keys:
-# - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" }, mode: "0600", acls: [] }
-# - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }, mode: "0600", acls: [] }
+# - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" }, mode: "0600" }
+# - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }, mode: "0600" }
diff --git a/group_vars/mons.yml.sample b/group_vars/mons.yml.sample
index 2d7aa65ab..61db7484c 100644
--- a/group_vars/mons.yml.sample
+++ b/group_vars/mons.yml.sample
@@ -139,14 +139,12 @@ dummy:
 # e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
 # By default, keys will be auto-generated.
 #
-# To have have ansible setfacl the generated key, set the acls var like so:
-# acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"]
 #openstack_keys:
-# - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
-# - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
-# - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
-# - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", acls: [] }
-# - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
+# - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+# - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+# - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" }
+# - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", }
+# - { name: client.openstack, caps: { 
mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" } ########## diff --git a/infrastructure-playbooks/ceph-keys.yml b/infrastructure-playbooks/ceph-keys.yml index 3837d5d1c..82da2eb0a 100644 --- a/infrastructure-playbooks/ceph-keys.yml +++ b/infrastructure-playbooks/ceph-keys.yml @@ -17,9 +17,9 @@ - client.leseb1 - client.pythonnnn keys_to_create: - - { name: client.pythonnnn, caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600", acls: [] } - - { name: client.existpassss, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] } - - { name: client.path, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] } + - { name: client.pythonnnn, caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600" } + - { name: client.existpassss, caps: { mon: "allow r", osd: "allow *" } , mode: "0600" } + - { name: client.path, caps: { mon: "allow r", osd: "allow *" } , mode: "0600" } tasks: - name: create ceph key(s) module diff --git a/library/ceph_key.py b/library/ceph_key.py index eaa6022a6..c6803302f 100644 --- a/library/ceph_key.py +++ b/library/ceph_key.py @@ -102,8 +102,8 @@ options: EXAMPLES = ''' keys_to_create: - - { name: client.key, key: "AQAin8tUUK84ExAA/QgBtI7gEMWdmnvKBzlXdQ==", caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600", acls: [] } - - { name: client.cle, caps: { mon: "allow r", osd: "allow *" } , mode: "0600", acls: [] } + - { name: client.key, key: "AQAin8tUUK84ExAA/QgBtI7gEMWdmnvKBzlXdQ==", caps: { mon: "allow rwx", mds: "allow *" } , mode: "0600" } + - { name: client.cle, caps: { mon: "allow r", osd: "allow *" } , mode: "0600" } caps: mon: "allow rwx" diff --git a/roles/ceph-client/defaults/main.yml b/roles/ceph-client/defaults/main.yml index cb5f6ba42..320e7a9fb 100644 --- a/roles/ceph-client/defaults/main.yml 
+++ b/roles/ceph-client/defaults/main.yml
@@ -30,10 +30,6 @@ pools:
 - "{{ test }}"
 - "{{ test2 }}"
-# Can add `mds_cap` attribute to override the default value which is '' for mds capabilities.
-# To have have ansible setfacl the generated key for $user, set the acls var like so:
-# acls: ["u:$user:r--"]
-#
 # Generate a keyring using ceph-authtool CLI or python.
 # Eg:
 # $ ceph-authtool --gen-print-key
@@ -44,5 +40,5 @@ pools:
 # - { name: client.test, key: "AQAin8tUMICVFBAALRHNrV0Z4MXupRw4v9JQ6Q==" ...
 #
 keys:
- - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" }, mode: "0600", acls: [] }
- - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }, mode: "0600", acls: [] }
+ - { name: client.test, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test" }, mode: "0600" }
+ - { name: client.test2, caps: { mon: "allow r", osd: "allow class-read object_prefix rbd_children, allow rwx pool=test2" }, mode: "0600" }
diff --git a/roles/ceph-client/tasks/create_users_keys.yml b/roles/ceph-client/tasks/create_users_keys.yml
index d7b79bb9b..eef870134 100644
--- a/roles/ceph-client/tasks/create_users_keys.yml
+++ b/roles/ceph-client/tasks/create_users_keys.yml
@@ -97,16 +97,3 @@
 when:
 - not item.get('skipped', False)
 - not inventory_hostname == groups.get(client_group_name, []) | first
-
-- name: setfacl for cephx key(s)
- acl:
- path: "{{ ceph_conf_key_directory }}/{{ cluster }}.{{ item.0.name }}.keyring"
- entry: "{{ item.1 }}"
- state: present
- with_subelements:
- - "{{ keys }}"
- - acls
- - skip_missing: true
- when:
- - cephx
- - keys | length > 0
diff --git a/roles/ceph-mon/defaults/main.yml b/roles/ceph-mon/defaults/main.yml
index 51fc2a709..becce1969 100644
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
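Review bot: With `acls` dropped from every `keys` entry here and the `setfacl for cephx key(s)` task deleted in roles/ceph-client/tasks/create_users_keys.yml, each generated keyring is now protected only by `mode: "0600"`, so a non-root consumer that previously read its keyring through a `u:$user:r--` ACL (the removed comment's documented use case, and the nova/cinder/glance/gnocchi entries under `openstack_keys` in roles/ceph-mon/defaults/main.yml) will lose read access after an upgrade, and an inventory that still sets `acls:` on a key will presumably be ignored silently unless the ceph_key module rejects unknown attributes. Nothing in the hunk says what replaces the ACL path for sharing a keyring with a service account, and no upgrade note accompanies the removal. Suggest keeping a short comment above `keys:` stating that `acls` is no longer honoured and that read access for other local users must be arranged outside this list, and mirroring it above `openstack_keys:` in the ceph-mon defaults, together with a release note; if the ceph_key module still accepts `acls`, emitting a deprecation warning there would make the silent drop visible.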
@@ -131,14 +131,12 @@ openstack_pools:
 # e.g key: "AQDC2UxZH4yeLhAAgTaZb+4wDUlYOsr1OfZSpQ=="
 # By default, keys will be auto-generated.
 #
-# To have have ansible setfacl the generated key, set the acls var like so:
-# acls: ["u:nova:r--", "u:cinder:r--", "u:glance:r--", "u:gnocchi:r--"]
 openstack_keys:
- - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
- - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600", acls: [] }
- - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
- - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", acls: [] }
- - { name: client.openstack, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600", acls: [] }
+ - { name: client.glance, caps: { mon: "profile rbd", osd: "profile rbd pool=volumes, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+ - { name: client.cinder, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_glance_pool.name }}"}, mode: "0600" }
+ - { name: client.cinder-backup, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" }
+ - { name: client.gnocchi, caps: { mon: "profile rbd", osd: "profile rbd pool={{ openstack_gnocchi_pool.name }}"}, mode: "0600", }
+ - { name: client.openstack, caps: { 
mon: "profile rbd", osd: "profile rbd pool={{ openstack_glance_pool.name }}, profile rbd pool={{ openstack_nova_pool.name }}, profile rbd pool={{ openstack_cinder_pool.name }}, profile rbd pool={{ openstack_cinder_backup_pool.name }}"}, mode: "0600" } ##########