[Openstack-operators] [ceilometer][keystone][billing] RBAC restrictions of Ceilometer's Event API prevents billing of Openstack cloud

Adam Young ayoung at redhat.com
Mon Dec 7 18:58:33 UTC 2015


On 12/07/2015 05:01 AM, Christian Brinker wrote:
> Hi,
>
> my company is currently starting to implement a public Openstack
> cloud. I am part of the developer team creating a billing system
> towards our customers. We want to use
> Ceilometer's Event API (Liberty release) to retrieve the usage
> information (as /v2/events) of our customers' projects (aka tenants).
> Unfortunately, the RBAC filter
> prevents REST calls towards the /v2-Web-API from users who are not
> members of the project (or are their admin). But adding a user to all
> projects with a distinct
> ceilometer-reader role or admin role seems not fortunate to us
> because we want to serve admin role users to their own domain to each
> customer. So the ceilometer-reader
> user could be removed by a customer. Due to this, we ran into some
> kind of deadlock of good solutions and would be happy to get any help:
>
> - Is there another/common way to retrieve the event based usage
> information in a way to generate billing information? For example
> volume A was created at t1 and deleted
> at t2.
> - Is there a way to get a project scope token from keystone through
> some kind of cloud admin user which is not part of the project?
> - Is there a way to change Ceilometer's policy.json in a way to
> retrieve data from all projects with an admin on the default project or
> someone similar?

See the commit that just merged:

https://review.openstack.org/#/c/240719/


You could create a role called "observer" or "auditor" on the admin 
project, and modify the policy files for the services you want so that 
users with "auditor" with tokens that have "is_admin_project" set can
read the data for that API.

Can you enumerate the APIs you want to call this way?

>
> Thanks for your efforts.
>
> Greetings,
> Christian Brinker
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
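
The approach suggested in the reply, sketched as an added example (not code from this thread or from any OpenStack project): a minimal evaluator for a subset of policy-rule syntax, showing an "auditor" role that only counts when the token has is_admin_project set. The rule names (including billing:read_events), the project IDs and the token contents are constructed for illustration.

```python
# Added example: evaluates a small subset of policy-rule syntax
# ("role:x", "cred_key:value", "rule:alias", combined with and/or).
# Rule names, project IDs and credentials below are constructed.
POLICY = {
    "auditor_on_admin_project": "role:auditor and is_admin_project:True",
    "member_of_target": "project_id:%(project_id)s",
    "billing:read_events":
        "rule:member_of_target or rule:auditor_on_admin_project",
}

def _check(atom, target, creds):
    kind, _, match = atom.strip().partition(":")
    if kind == "rule":
        return enforce(match, target, creds)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target  # fill in %(field)s from the target
    except KeyError:
        return False  # rule needs a target field that is absent
    return kind in creds and str(creds[kind]) == expected

def enforce(rule, target, creds):
    expr = POLICY.get(rule)
    if expr is None:
        return False  # unknown rule: deny
    # "and" binds tighter than "or"; parentheses are not handled here.
    return any(all(_check(a, target, creds) for a in clause.split(" and "))
               for clause in expr.split(" or "))

# Constructed token contents.
BILLING = {"roles": ["auditor"], "project_id": "admin-proj",
           "is_admin_project": True}
CUSTOMER_ADMIN = {"roles": ["admin"], "project_id": "cust-a",
                  "is_admin_project": False}
# "auditor" granted inside a customer project must not unlock other projects.
STRAY_AUDITOR = {"roles": ["auditor"], "project_id": "cust-a",
                 "is_admin_project": False}

if __name__ == "__main__":
    target = {"project_id": "cust-b"}
    for name, creds in [("billing", BILLING), ("customer admin", CUSTOMER_ADMIN),
                        ("stray auditor", STRAY_AUDITOR)]:
        print(name, enforce("billing:read_events", target, creds))
```

Because the read rule requires both the role and the admin-project flag, a customer's domain admin can neither gain cross-project read access by assigning "auditor" inside their own projects nor remove the billing user's access, since that assignment lives on the admin project.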



