[libvirt] [PATCH] polkit: Allow password-less access for 'libvirt' group

Cole Robinson crobinso at redhat.com
Thu Apr 30 13:14:51 UTC 2015


On 04/30/2015 05:21 AM, Daniel P. Berrange wrote:
> On Wed, Apr 29, 2015 at 03:44:46PM -0400, Cole Robinson wrote:
>> On 04/29/2015 03:42 PM, Guido Günther wrote:
>>> On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
>>>> Many users, who admin their own machines, want to be able to access
>>>> system libvirtd via tools like virt-manager without having to enter
>>>> a root password. Just google 'virt-manager without password' and
>>>> you'll find many hits. I've read at least 5 blog posts over the years
>>>> describing slightly different ways of achieving this goal.
>>>>
>>>> Let's finally add official support for this.
>>>>
>>>> Install a polkit-1 rules file granting password-less auth for any user
>>>> in the new 'libvirt' group. Create the group on RPM install.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>>>> ---
>>>>  daemon/50-libvirt.rules |  9 +++++++++
>>>>  daemon/Makefile.am      | 13 +++++++++++++
>>>>  libvirt.spec.in         | 15 +++++++++++++--
>>>>  3 files changed, 35 insertions(+), 2 deletions(-)
>>>>  create mode 100644 daemon/50-libvirt.rules
>>>>
>>>> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules
>>>> new file mode 100644
>>>> index 0000000..01a15fa
>>>> --- /dev/null
>>>> +++ b/daemon/50-libvirt.rules
>>>> @@ -0,0 +1,9 @@
>>>> +// Allow any user in the 'libvirt' group to connect to system libvirtd
>>>> +// without entering a password.
>>>> +
>>>> +polkit.addRule(function(action, subject) {
>>>> +    if (action.id == "org.libvirt.unix.manage" &&
>>>> +        subject.isInGroup("libvirt")) {
>>>> +        return polkit.Result.YES;
>>>> +    }
>>>> +});
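Review bot: the condition in the added rule returns polkit.Result.YES on group membership alone, so `subject.isInGroup("libvirt")` grants org.libvirt.unix.manage without authentication to every process running as a group member, whether or not it belongs to a local, active session. If that is intended, the header comment should say that membership in 'libvirt' gives password-less management access to the system libvirtd, not just the ability to "connect"; if it is not, consider also requiring subject.local and subject.active in the same condition. As a style point, `===` is the stricter comparison for action.id.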
>>>
>>> That's what we're shipping in Debian since quite some time:
>>>
>>>     https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules
>>>
>>> even with the same group name (which came from the group that owns the
>>> socket for socket based permissions). Would be great to be consistent
>>> across distros.
>>>
>>
>> Latest version of the patch uses libvirtadm at Dan's suggestion... but if
>> there's already precedent with what debian is shipping we might want to stick
>> with plain 'libvirt'.
>>
>> Dan, thoughts?
> 
> Yeah, since both Suse and Debian have shipped this already with a group
> name of 'libvirt', we should use that for consistency
> 
> Regards,
> Daniel
> 

Okay, sent v3 with group=libvirt. If there are no objections I'll push after the
release is out

Thanks,
Cole



