From: Mark McLoughlin
To: libvir-list@redhat.com
Date: Wed, 16 Jan 2019 11:45:09 +0000
Message-Id: <20190116114509.17045-1-markmc@redhat.com>
Cc: Mark McLoughlin
Subject: [libvirt] [PATCH] docs: use JavaScript based PolicyKit .rules files
PolicyKit authentication rules switched to a JavaScript-based
format quite some time ago. See:
http://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html
While backwards compat for the old .pkla format is still available, it
makes sense to point people first at the new format.
The SSHPolicyKitSetup wiki page seems pretty stale, so remove the
reference to it.
Signed-off-by: Mark McLoughlin
Reviewed-by: Daniel P. Berrangé
---
docs/auth.html.in | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/docs/auth.html.in b/docs/auth.html.in
index afd6cd7f9b..33afe0a8ad 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -184,15 +184,29 @@ Default policy will still allow any application to co=
nnect to the RO socket.
The default policy can be overridden by creating a new policy file in the
-local override directory /etc/polkit-1/localauthority/50-local.d/.
-Policy files should have a unique name ending with .pkla. Using reverse D=
NS
-naming works well. Information on the options available can be found by
-reading the pklocalauthority man page. The two libvirt daemon actions
-available are named org.libvirt.unix.manage
for full manageme=
nt
-access, and org.libvirt.unix.monitor
for read-only access.
+/etc/polkit-1/rules.d
directory. Information on the options
+available can be found by reading the polkit(8)
man page. The
+two libvirt actions are named org.libvirt.unix.manage
for full
+management access, and org.libvirt.unix.monitor
for read-only
+access.
+
+
+As an example, creating /etc/polkit-1/rules.d/80-libvirt-manage.rule=
s
+with the following gives the user fred
full management access
+when accessing from an active local session:
+polkit.addRule(function(action, subject) {
+ if (action.id =3D=3D "org.libvirt.unix.manage" &&
+ subject.local && subject.active && subject.user =3D=
=3D "fred") {
+ return polkit.Result.YES;
+ }
+});
-As an example, this gives the user fred
full management acces=
s:
+Older versions of PolicyKit used policy files ending with .pkla in the
+local override directory /etc/polkit-1/localauthority/50-local.d/.
+Compatibility with this older format is provided by polkit-pkla-compat. As an
+example, this gives the user fred
full management access:
[Allow fred libvirt management permissions]
Identity=3Dunix-user:fred
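Review bot: the rewritten paragraph points readers at polkit(8) but drops the only reference to the legacy format's documentation, while the following paragraph still tells them to rely on polkit-pkla-compat; keep a pointer to the pklocalauthority(8) man page in the sentence about the compat package. It would also help to add one sentence after the rules example: polkit reads .rules files sorted by name and stops at the first rule that returns a result, so the "80-" prefix matters relative to any other rules file that already decides org.libvirt.unix.manage, and the rule as written correctly returns nothing (falling through to the default policy) for anyone who is not fred in an active local session.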
@@ -200,10 +214,6 @@ Action=3Dorg.libvirt.unix.manage
ResultAny=3Dyes
ResultInactive=3Dyes
ResultActive=3Dyes
-
-Further examples of PolicyKit setup can be found on the
-wiki page.
-
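Review bot: with the wiki pointer gone, the .pkla block whose tail forms this hunk's context (`ResultAny=3Dyes`, `ResultInactive=3Dyes`, `ResultActive=3Dyes`) is now the last example on the page, and it is broader than the .rules example added in the previous hunk, which only returns YES when `subject.local && subject.active`: the legacy example also grants fred management access from remote and inactive sessions. Either state that difference next to the .pkla example, or trim it to `ResultActive=yes` so both examples describe the same policy; matching the narrower one is the better default to document.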
-- 
2.20.1