It's fairly straightforward to create an 'observer' role and edit the policy.json files to allow it to read things.
In Icehouse, though, roles are per-project, which means we'd have to add the novaobserver user and role to every project and every newly created project.
In Kilo (or Liberty?) there are keystone 'domains' that allow privs to be assigned to groups of projects. So, deferring this pending an OpenStack upgrade.