
[libvirt] [PATCH] Documentation on www.libvirt.org about using PolicyKit authentication for libvirt is out of date



 Hi all,

I've created a patch for the bug here: https://bugzilla.redhat.com/show_bug.cgi?id=610822. It is attached to this message. The patch updates the docs to have more up-to-date information about how to use PolicyKit with libvirt.

Best,

Patrick Dignan
From fcece6eee96adbebd735926a90b4ea53525c2d8e Mon Sep 17 00:00:00 2001
From: Patrick Dignan <pat_dignan dell com>
Date: Thu, 12 Aug 2010 13:52:50 -0500
Subject: [PATCH] Updated PolicyKit documentation

---
 docs/auth.html.in |   37 +++++++++++++++++++++----------------
 1 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/docs/auth.html.in b/docs/auth.html.in
index ab6c3e9..9e4a33a 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -65,28 +65,33 @@ auth, but does not require that the client application ultimately run as root.
 Default policy will still allow any application to connect to the RO socket.
 </p>
     <p>
-The default policy can be overridden by the administrator using the PolicyKit
-master configuration file in <code>/etc/PolicyKit/PolicyKit.conf</code>. The
-<code>PolicyKit.conf(5)</code> manual page provides details on the syntax
-available. The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code>
-for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket.
+The default policy can be overridden by creating a new policy file in the local 
+override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>.  
+Policy files should have a unique name ending with .pkla.  Using reverse DNS naming 
+works well. Information on the options available can be found by reading the 
+pklocalauthority man page. The two libvirt daemon actions available are named 
+<code>org.libvirt.unix.monitor</code> for the RO socket, and 
+<code>org.libvirt.unix.manage</code> for the RW socket.
 </p>
     <p>
 As an example, to allow a user <code>fred</code> full access to the RW socket,
 while requiring <code>joe</code> to authenticate with the admin password,
 would require adding the following snippet to <code>PolicyKit.conf</code>.
 </p>
-    <pre>
-  &lt;match action="org.libvirt.unix.manage"&gt;
-    &lt;match user="fred"&gt;
-      &lt;return result="yes"/&gt;
-    &lt;/match&gt;
-  &lt;/match&gt;
-  &lt;match action="org.libvirt.unix.manage"&gt;
-    &lt;match user="joe"&gt;
-      &lt;return result="auth_admin"/&gt;
-    &lt;/match&gt;
-  &lt;/match&gt;
+<pre>
+[Allow fred libvirt management permissions]
+Identity=unix-user:fred
+Action=org.libvirt.unix.manage
+ResultAny=No
+ResultInactive=No
+ResultActive=Yes
+
+[Allow joe libvirt management with admin password]
+Identity=unix-user:joe
+Action=org.libvirt.unix.manage
+ResultAny=No
+ResultInactive=No
+ResultActive=auth_admin
 </pre>
     <h3><a name="ACL_server_username">Username/password auth</a></h3>
     <p>
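
Review bot: the unchanged sentence directly above the new <pre> block still tells the reader to add the snippet to PolicyKit.conf, while the rewritten paragraph says overrides now go in a .pkla file under /etc/polkit-1/localauthority/50-local.d/. That sentence should be updated in this patch, for example to "adding the following to a .pkla file in the local override directory". In the new example, the result values Yes and No are capitalized while auth_admin is lowercase; please check the accepted spelling against the pklocalauthority man page and use one form throughout. The surrounding text promises fred "full access to the RW socket", but ResultAny=No and ResultInactive=No restrict the grant to fred's active sessions, so either the values or the wording should change to match. Minor: several added lines in the first paragraph end in trailing whitespace, and the pklocalauthority reference could be wrapped in <code> with its section number, as the PolicyKit.conf(5) reference it replaces was.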
-- 
1.7.2.1

