CloudKitty Policies

Introduction

This document presents the permissions available for reader and member roles on the CloudKitty service (billing and rating) of Infomaniak Public Cloud, based on OpenStack default policies.

Context

Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role for billing and cost management operations.

Legend

| Symbol | Meaning |
|--------|---------|
| ✅ | Allowed - The policy explicitly permits this action |
| ❌ | Forbidden - The policy explicitly denies this action |
| 🔍 | Conditional - Allowed based on project membership |

Billing Reports

Basic Report Operations

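| Operation | Endpoint | Policy | Reader | Member | Conditions |
|-----------|----------|--------|--------|--------|------------|
| Get summary report | GET /v1/report/summary | report:get_summary | 🔍 | 🔍 | Project ownership |
| Get total costs | GET /v1/report/total | report:get_total | 🔍 | 🔍 | Project ownership |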

V2 Summary Reports

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|-----------|----------|--------|--------|--------|------------|
| Get rating summary | GET /v2/summary | summary:get_summary | 🔍 | 🔍 | Project ownership |

Data Storage and DataFrames

Storage Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|-----------|----------|--------|--------|--------|------------|
| List data frames | GET /v1/storage/dataframes | storage:list_data_frames | 🔍 | 🔍 | Project ownership |

V2 DataFrames Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|-----------|----------|--------|--------|--------|------------|
| Get DataFrames | GET /v2/dataframes | dataframes:get | 🔍 | 🔍 | Project ownership |

Information Services

Public Information Access

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|-----------|----------|--------|--------|--------|------------|
| List services info | GET /v1/info/services | info:list_services_info | ✅ | ✅ | Public information |
| Get service info | GET /v1/info/services/{service_id} | info:get_service_info | ✅ | ✅ | Public information |
| List metrics info | GET /v1/info/metrics | info:list_metrics_info | ✅ | ✅ | Public information |
| Get metric info | GET /v1/info/metrics/{metric_id} | info:get_metric_info | ✅ | ✅ | Public information |
| Get config info | GET /v1/info/config | info:get_config | ✅ | ✅ | Public information |

Rating and Quotes

Rating Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|-----------|----------|--------|--------|--------|------------|
| Get instant quote | POST /v1/rating/quote | rating:quote | ✅ | ✅ | Public pricing |

Capabilities Summary by Role

Reader role

Granted permissions:

  • ✅ View project billing reports and summaries
  • ✅ Access project cost totals and breakdowns
  • ✅ View project data frames and stored metrics
  • ✅ Access public service and metric information
  • ✅ Get instant pricing quotes
  • ✅ View CloudKitty configuration information

Limitations:

  • ❌ No administrative operations on rating modules
  • ❌ No collector management
  • ❌ No scope management
  • ❌ No data frame creation or modification

Member role

Granted permissions:

  • ✅ All Reader capabilities
  • ✅ Same access as Reader role for CloudKitty

Limitations:

  • ❌ No administrative operations (same as Reader)
  • ❌ No access to cross-project data
  • ❌ Limited to project-scoped billing information

CloudKitty Role Limitation

In CloudKitty, both reader and member roles have identical permissions for project-scoped operations. Administrative functions (rating modules, collectors, scopes) require the admin role, which is excluded from this documentation per requirements.


Usage Examples

Billing Monitoring Application

Use case: Cost monitoring, budget tracking, billing dashboard

Recommended role: reader

# Application Credential
role: reader

# Possible actions
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/report/summary?begin=2024-01-01&end=2024-01-31"
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/report/total?begin=2024-01-01&end=2024-01-31"
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v2/summary?begin=2024-01-01&end=2024-01-31"
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/storage/dataframes?begin=2024-01-01&end=2024-01-31"

Cost Analysis Application

Use case: Cost optimization, resource usage analysis

Recommended role: reader or member (identical permissions)

# Application Credential
role: reader  # or member - same capabilities

# Billing analysis operations
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/info/services"
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/info/metrics"
- curl -H "X-Auth-Token: $TOKEN" -H "Content-Type: application/json" "$CLOUDKITTY_URL/v1/rating/quote" -d '{"resources": [...]}'
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v2/dataframes?begin=2024-01-01&end=2024-01-31"

Budget Management Integration

Use case: Automated budget alerts, cost reporting

Recommended role: reader

# Application Credential
role: reader

# Budget monitoring
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/report/total?period=monthly"
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v2/summary?groupby=service&begin=2024-01-01"
- curl -H "X-Auth-Token: $TOKEN" "$CLOUDKITTY_URL/v1/storage/dataframes?filters=service:compute"

Context Variables

Policies use the following variables to determine authorizations:

| Variable | Description |
|----------|-------------|
| %(project_id)s | Current user's project ID |
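
The following Python model is an added example, not CloudKitty or oslo.policy code. It encodes the matrix from this page and shows how the 🔍 condition resolves once `%(project_id)s` is substituted. The `project_id:%(project_id)s` rule form, the `creds`/`target` dictionaries and the reason strings are assumptions made for the illustration.

```python
import re

# Rows transcribed from the matrix on this page: (method, path template, policy, access).
# "owner" = conditional on project ownership, "public" = allowed for reader and member.
MATRIX = [
    ("GET", "/v1/report/summary", "report:get_summary", "owner"),
    ("GET", "/v1/report/total", "report:get_total", "owner"),
    ("GET", "/v2/summary", "summary:get_summary", "owner"),
    ("GET", "/v1/storage/dataframes", "storage:list_data_frames", "owner"),
    ("GET", "/v2/dataframes", "dataframes:get", "owner"),
    ("GET", "/v1/info/services", "info:list_services_info", "public"),
    ("GET", "/v1/info/services/{service_id}", "info:get_service_info", "public"),
    ("GET", "/v1/info/metrics", "info:list_metrics_info", "public"),
    ("GET", "/v1/info/metrics/{metric_id}", "info:get_metric_info", "public"),
    ("GET", "/v1/info/config", "info:get_config", "public"),
    ("POST", "/v1/rating/quote", "rating:quote", "public"),
]

# Assumed form of the ownership check, built from the page's %(project_id)s variable.
OWNER_RULE = "project_id:%(project_id)s"

def resolve_policy(method, url_path):
    """Map a request to (policy, access) from the matrix, or (None, None)."""
    path = url_path.split("?", 1)[0].rstrip("/")
    for verb, template, policy, access in MATRIX:
        # Turn "{service_id}"-style placeholders into single-segment wildcards.
        literal_parts = re.split(r"\{[^}]+\}", template)
        pattern = "[^/]+".join(re.escape(p) for p in literal_parts)
        if verb == method.upper() and re.fullmatch(pattern, path):
            return policy, access
    return None, None

def authorize(method, url_path, creds, target):
    """Return (allowed, policy, reason) for a reader/member credential."""
    policy, access = resolve_policy(method, url_path)
    if policy is None:
        return False, None, "not in the reader/member matrix"
    if access == "public":
        return True, policy, "public information"
    kind, match = OWNER_RULE.split(":", 1)
    try:
        expected = match % target  # substitute the target's project_id
    except KeyError:
        return False, policy, "target has no project_id"
    if kind in creds and str(creds[kind]) == expected:
        return True, policy, "project ownership"
    return False, policy, "project mismatch"
```

A client test suite can call `authorize()` with the credential's project and the project being queried to confirm that only same-project billing requests are expected to succeed.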

Important Notes

Best Practices

  1. Principle of least privilege: Use the reader role for all billing and cost monitoring needs
  2. Role equivalence: Both reader and member roles have identical CloudKitty permissions
  3. Project isolation: Users can only access billing data for their own project
  4. Public information: Service and metric information is available to all authenticated users
  5. Administrative separation: Administrative functions require admin role (not covered in this documentation)

CloudKitty Specifics

  • Limited role differentiation: Unlike other OpenStack services, CloudKitty has minimal differences between reader and member roles
  • Project scope only: All billing operations are limited to the user's project
  • Time-based queries: Most endpoints require time range parameters (begin/end dates)
  • Data retention: Historical billing data availability depends on CloudKitty configuration
  • Rate limiting: Some endpoints may have rate limiting for cost calculation operations

API Usage Notes

  • Date formats: Use ISO 8601 format for time parameters (YYYY-MM-DDTHH:MM:SS)
  • Pagination: Large datasets may require pagination using limit/offset parameters
  • Filtering: Use appropriate filters to limit data retrieval and improve performance
  • Caching: Billing calculations may be cached for performance reasons