
[libvirt] [PATCH] document authentication with PolicyKit-1



Hi,

I just encountered the same problem with the newer PolicyKit as discussed
e.g. in this thread:

http://lists.fedoraproject.org/pipermail/virt/2010-June/002081.html

I solved it and thought updating the documentation for PolicyKit 1 would be 
nice. Patch attached.

Kind regards,

Gerd

-- 
Address (better: trap) for people I really don't want to get mail from:
jonas cactusamerica com
From 224c916f8d34301e62ab8c2f4cbb1cd7d108eb36 Mon Sep 17 00:00:00 2001
From: Gerd von Egidy <gerd von egidy intra2net com>
Date: Tue, 13 Jul 2010 12:24:49 +0200
Subject: [PATCH] document authentication with PolicyKit-1

---
 docs/auth.html.in |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/docs/auth.html.in b/docs/auth.html.in
index ab6c3e9..d7f61ea 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -64,9 +64,11 @@ session to authenticate using the user's password. This is akin to <code>sudo</c
 auth, but does not require that the client application ultimately run as root.
 Default policy will still allow any application to connect to the RO socket.
 </p>
+    <h4><a name="ACL_server_polkit-0">PolicyKit-0</a></h4>
     <p>
-The default policy can be overridden by the administrator using the PolicyKit
-master configuration file in <code>/etc/PolicyKit/PolicyKit.conf</code>. The
+When using PolicyKit version 0 the default policy can be overridden by the
+administrator using the PolicyKit master configuration file in
+<code>/etc/PolicyKit/PolicyKit.conf</code>. The
 <code>PolicyKit.conf(5)</code> manual page provides details on the syntax
 available. The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code>
 for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket.
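Review bot: the replacement sentence "When using PolicyKit version 0 the default policy can be overridden by the administrator" needs a comma after "version 0" to separate the introductory clause. A documentation point for the same region: the intro paragraph above the new PolicyKit-0 heading still describes PolicyKit generically, so it would help readers to add one sentence there saying that the two subsections that follow cover PolicyKit-0 and PolicyKit-1 respectively and that which one applies depends on the polkit version installed on the host.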
@@ -88,6 +90,33 @@ would require adding the following snippet to <code>PolicyKit.conf</code>.
     &lt;/match&gt;
   &lt;/match&gt;
 </pre>
+    <h4><a name="ACL_server_polkit-1">PolicyKit-1</a></h4>
+    <p>
+When using PolicyKit version 1 the default policy can be overridden by creating
+a local authorization entry in a file ending on <code>.pkla</code>. Usually this
+will reside at <code>/etc/polkit-1/localauthority/50-local.d/10-org.libvirt.pkla</code>.
+Detailed information about the logic and syntax of PolicyKit can be found in the
+<code>pklocalauthority(8)</code> and <code>polkit(8)</code> manual pages.
+The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code>
+for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket.
+</p>
+    <p>
+As an example, to allow a user <code>fred</code> full access to the RW socket,
+while requiring members of the group <code>itdepartment</code> to authenticate with the admin password,
+would require a file <code>/etc/polkit-1/localauthority/50-local.d/10-org.libvirt.pkla</code>
+with the following content.
+</p>
+    <pre>
+[fred full access]
+Identity=unix-user:fred
+Action=org.libvirt.unix.manage
+ResultAny=yes
+
+[itdepartment admin auth once]
+Identity=unix-group:itdepartment
+Action=org.libvirt.unix.manage
+ResultAny=auth_admin_keep
+</pre>
     <h3><a name="ACL_server_username">Username/password auth</a></h3>
     <p>
 The plain TCP socket of the libvirt daemon defaults to using SASL for authentication.
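Review bot: in the new PolicyKit-1 example, "ResultAny=yes" grants fred access regardless of whether the session is local or remote, active or inactive; since pklocalauthority(8) also provides ResultActive and ResultInactive, the paragraph introducing the example should state that ResultAny covers all session types so that an administrator who only wants to allow the local console does not copy it unchanged. Two smaller points in the same hunk: "a file ending on <code>.pkla</code>" should read "ending in", and the entry title "[itdepartment admin auth once]" is misleading because auth_admin_keep retains the authorization for a period after the first authentication rather than for a single operation; either rename the entry or use auth_admin if one-time authentication is intended. It would also be worth saying what happens when both entries match (for example if fred is a member of itdepartment), since the result then depends on entry ordering.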
-- 
1.7.1.1
