[Openstack-operators] [ceilometer][keystone][billing] RBAC restrictions of Ceilometer's Event API prevents billing of Openstack cloud

Christian Brinker cbrinker at evoila.de
Mon Dec 7 10:01:42 UTC 2015


my company is currently starting to implement a public Openstack
cloud. I am part of the developer team creating a billing system
towards our customers. We want to use
Ceilometer's Event API (Liberty release) to retreive the usage
information (as /v2/events) of our customers projects(aka tenants).
Unfortunately, the RBAC filter
prevents REST calls towards the /v2-Web-API from users who are not
member of the project (or are their admin). But adding a user to all
projects with a distinc
ceilometer-reader role or admin role seems not fourtunate to us
because to want to serve admin role users to their own domain to each
customer. So the ceilometer-reader
user could be removed by a customer. Due to this, we ran into some
kind of deadlock of good solutions and would be happy to get any help:

- Is there another/common way to retrieve the event based usage
information in a way to generate billing information? For example
volume A was created at t1 and deleted
at t2.
- Is there a way to get a project scope token from keystone through
some kind of cloud admin user which is not part of the project?
- Is there a way to change Ceilometers policy.json in a way to
retrieve data from all projects with a admin on the default project or
someone similiar?

Thanks for your efforts.

Christian Brinker

More information about the OpenStack-operators mailing list