[libvirt] [PATCH v2] examples: Add example polkit ACL rules

Daniel P. Berrange berrange at redhat.com
Fri Sep 4 12:26:17 UTC 2015 

On Fri, Sep 04, 2015 at 02:19:09PM +0200, Jiri Denemark wrote:
> Creating ACL rules is not exactly easy and existing examples are pretty
> simple. This patch adds a somewhat complex example which defines several
> roles. Admins can do everything, operators can do basic operations
> on any domain and several groups of users who act as operators but only
> on a limited set of domains.
> 
> Signed-off-by: Jiri Denemark <jdenemar at redhat.com>
> ---
>  Makefile.am                       |   2 +-
>  configure.ac                      |   1 +
>  examples/polkit/Makefile.am       |  17 ++++++
>  examples/polkit/libvirt-acl.rules | 115 ++++++++++++++++++++++++++++++++++++++
>  libvirt.spec.in                   |   3 +
>  5 files changed, 137 insertions(+), 1 deletion(-)
>  create mode 100644 examples/polkit/Makefile.am
>  create mode 100644 examples/polkit/libvirt-acl.rules
> 
> diff --git a/Makefile.am b/Makefile.am
> index 91b943b..d338d5a 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -23,7 +23,7 @@ SUBDIRS = . gnulib/lib include src daemon tools docs gnulib/tests \
>    tests po examples/object-events examples/hellolibvirt \
>    examples/dominfo examples/domsuspend examples/apparmor \
>    examples/xml/nwfilter examples/openauth examples/systemtap \
> -  tools/wireshark examples/dommigrate \
> +  tools/wireshark examples/dommigrate examples/polkit \
>    examples/lxcconvert examples/domtop
>  
>  ACLOCAL_AMFLAGS = -I m4
> diff --git a/configure.ac b/configure.ac
> index 8471a46..136c2e7 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -2809,6 +2809,7 @@ AC_CONFIG_FILES([\
>          examples/systemtap/Makefile \
>          examples/xml/nwfilter/Makefile \
>          examples/lxcconvert/Makefile \
> +        examples/polkit/Makefile \
>          tools/wireshark/Makefile \
>          tools/wireshark/src/Makefile])
>  AC_OUTPUT
> diff --git a/examples/polkit/Makefile.am b/examples/polkit/Makefile.am
> new file mode 100644
> index 0000000..4d213e8
> --- /dev/null
> +++ b/examples/polkit/Makefile.am
> @@ -0,0 +1,17 @@
> +## Copyright (C) 2015 Red Hat, Inc.
> +##
> +## This library is free software; you can redistribute it and/or
> +## modify it under the terms of the GNU Lesser General Public
> +## License as published by the Free Software Foundation; either
> +## version 2.1 of the License, or (at your option) any later version.
> +##
> +## This library is distributed in the hope that it will be useful,
> +## but WITHOUT ANY WARRANTY; without even the implied warranty of
> +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +## Lesser General Public License for more details.
> +##
> +## You should have received a copy of the GNU Lesser General Public
> +## License along with this library.  If not, see
> +## <http://www.gnu.org/licenses/>.
> +
> +EXTRA_DIST = libvirt-acl.rules
> diff --git a/examples/polkit/libvirt-acl.rules b/examples/polkit/libvirt-acl.rules
> new file mode 100644
> index 0000000..5c26593
> --- /dev/null
> +++ b/examples/polkit/libvirt-acl.rules
> @@ -0,0 +1,115 @@


It would be beneficial to put some docs in this file header here
to explain to people what this example is achieving.

> +function Role(name) {
> +    this.name = name;
> +
> +    this.users = [];
> +    this.groups = [];
> +
> +    this.check = function(subject, api, domain) {
> +        var validUser = false
> +
> +        if (this.users.indexOf(subject.user) >= 0) {
> +            validUser = true;
> +        } else {
> +            for (var i = 0; i < subject.groups.length; i++) {
> +                if (this.groups.indexOf(subject.groups[i]) >= 0) {
> +                    validUser = true;
> +                    break;
> +                }
> +            }
> +        }
> +
> +        if (validUser &&
> +            (this.name == "admin" ||
> +             !domain ||
> +             (this.domains && domain.match(this.domains)))) {
> +            var msg = "Access granted: " +
> +                      "user = " + subject.user +
> +                      ", groups = [" + subject.groups + "]" +
> +                      ", role = " + this.name +
> +                      ", api = " + api;
> +            if (domain)
> +                msg += ", domain = " + domain;
> +            polkit.log(msg);
> +            return true
> +        }
> +
> +        return false;
> +    };
> +}
> +
> +
> +/* Basic operations and monitoring on a limited set of domains. */
> +var userA = new Role("userA");
> +userA.domains = /^a/;
> +userA.users = ["userA1", "userA2", "userA3", "multiUser"];
> +userA.groups = ["groupA1", "groupA2"];
> +
> +var userB = new Role("userB");
> +userB.domains = /^b/;
> +userB.users = ["userB1", "userB2", "userB3", "multiUser"];
> +userB.groups = ["groupB1", "groupB2", "multiGroup"];
> +
> +var userC = new Role("userC");
> +userC.domains = /^c/;
> +userC.users = ["userC1", "userC2", "userC3"];
> +userC.groups = ["groupC1", "groupC2", "multiGroup"];
> +
> +/* Same as users but on any domain. */
> +var operator = new Role("operator");
> +operator.domains = /.*/;
> +operator.users = ["powerUser1", "powerUser2"];
> +operator.groups = ["powerGroup1", "powerGroup2", "powerGroup3"];
> +
> +var users = [operator, userA, userB, userC];
> +
> +/* Full access. */
> +var admin = new Role("admin");
> +admin.users = ["adminUser1"];
> +admin.groups = ["adminGroup1"];
> +
> +
> +restrictedActions = [
> +    "domain.core-dump",
> +    "domain.fs-freeze",
> +    "domain.fs-trim",
> +    "domain.getattr",
> +    "domain.hibernate",
> +    "domain.init-control",
> +    "domain.inject-nmi",
> +    "domain.open-device",
> +    "domain.open-graphics",
> +    "domain.pm-control",
> +    "domain.read",
> +    "domain.reset",
> +    "domain.save",
> +    "domain.screenshot",
> +    "domain.send-input",
> +    "domain.send-signal",
> +    "domain.set-password",
> +    "domain.set-time",
> +    "domain.snapshot",
> +    "domain.start",
> +    "domain.stop",
> +    "domain.suspend"
> +];
> +
> +polkit.addRule(function(action, subject) {
> +    if (action.id.indexOf("org.libvirt.api.") != 0)
> +        return polkit.Result.NOT_HANDLED;
> +
> +    var api = action.id.replace("org.libvirt.api.", "");
> +    var domain = action.lookup("domain_name");
> +
> +    if (admin.check(subject, api, domain))
> +        return polkit.Result.YES;
> +
> +    if (restrictedActions.indexOf(api) < 0)
> +        return polkit.Result.NOT_HANDLED;
> +
> +    for (var i = 0; i < users.length; i++) {
> +        if (users[i].check(subject, api, domain))
> +            return polkit.Result.YES;
> +    }
> +
> +    return polkit.Result.NO;
> +});
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 78a4cc3..6f6b191 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -2039,6 +2039,9 @@ exit 0
>      %endif # ! %{with_driver_modules}
>  
>      %if %{with_network}
> +
> +%doc examples/polkit/*.rules
> +
>  %files daemon-config-network
>  %defattr(-, root, root)
>  %dir %{_datadir}/libvirt/networks/
> -- 

ACK

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list