Comment 13 for bug 1576804

Nicolas Vila (nvlan) wrote :

Hello Julien, Mehdi,

Perhaps I didn't make myself clear. What we wish to accomplish is the following: in a domain-enabled OpenStack deployment, a regular user belonging to a project should be able to see only the resources that belong to said project (that happens today). A domain admin should be able to see all resources that belong to that domain, but not the resources that belong to a different domain nor all resources.
I've created the resource-types with a domain_id value, and now have the Ceilometer agents adding an arbitrary domain_id to the samples. I tried to modify the policy.json file so that a domain-scoped token results in listing only the resources for that domain, but to no avail. The rule I tried is:

    "domain_member": "domain_id:%(resource.domain_id)s",

How can I use X-Domain-Id in the policy.json file to limit the resources that Gnocchi returns?