Hello Julien, Mehdi,
Perhaps I didn't make myself clear. What we wish to accomplish is the following: in a domain-enabled OpenStack deploy, a regular user belonging to a project should be able to see only the resources that belong to said project (that happens today). A domain admin should be able to see all resources that belong to that domain, but not the resources that belong to a different domain nor all resources.
I've created the resource-types with a domain_id value, and now have the ceilometer agents adding an arbitrary domain_id to the samples. I tried to modify the policy.json file so that a domain-scoped token results in listing only the resources for that domain, but to no avail. The rule I tried is:
"domain_member": "domain_id:%(resource.domain_id)s",
How can I use X-Domain-Id in the policy.json file to limit the resources that gnocchi returns?