[Openstack-operators] [ceilometer][keystone][billing] RBAC restrictions of Ceilometer's Event API prevents billing of Openstack cloud

Xav Paice xavpaice at gmail.com
Mon Dec 7 10:51:33 UTC 2015

I don't fully understand the architecture of our rating project, but as I
understand it we use a service with rights to read ceilometer info (in our
case, pollsters and notifications) and then aggregate that into another
database which we query to get the actual billing information.   We bill
monthly, and getting a month's worth of data for each tenant in one hit
would crush our older, Mongo based, Ceilometer into dust.  The tiny
database that contains the distilled information is quick and easy to
query, to the point where we can display that information to customers as
an extra panel in the dashboard.

Just a side note - what would happen if you missed an event?  Say, e.g.,
rabbit had a bad day... or something just wasn't running... We found
pollsters gave us the assurance to mean we'd only lose up to 10 mins of
data, which is generally OK when we bill by the hour.

On 7 December 2015 at 23:01, Christian Brinker <cbrinker at evoila.de> wrote:

> Hi,
> my company is currently starting to implement a public Openstack
> cloud. I am part of the developer team creating a billing system
> towards our customers. We want to use
> Ceilometer's Event API (Liberty release) to retreive the usage
> information (as /v2/events) of our customers projects(aka tenants).
> Unfortunately, the RBAC filter
> prevents REST calls towards the /v2-Web-API from users who are not
> member of the project (or are their admin). But adding a user to all
> projects with a distinc
> ceilometer-reader role or admin role seems not fourtunate to us
> because to want to serve admin role users to their own domain to each
> customer. So the ceilometer-reader
> user could be removed by a customer. Due to this, we ran into some
> kind of deadlock of good solutions and would be happy to get any help:
> - Is there another/common way to retrieve the event based usage
> information in a way to generate billing information? For example
> volume A was created at t1 and deleted
> at t2.
> - Is there a way to get a project scope token from keystone through
> some kind of cloud admin user which is not part of the project?
> - Is there a way to change Ceilometers policy.json in a way to
> retrieve data from all projects with a admin on the default project or
> someone similiar?
> Thanks for your efforts.
> Greetings,
> Christian Brinker
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20151207/d5ec810a/attachment.html>

More information about the OpenStack-operators mailing list