Before any of the API can be executed, the client needs to be authenticated by allowing one of these special actions. Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx> --- docs/aclpolkit.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/aclpolkit.rst b/docs/aclpolkit.rst index a9e2a305a5..9b0a374c53 100644 --- a/docs/aclpolkit.rst +++ b/docs/aclpolkit.rst @@ -53,6 +53,23 @@ The default policy for any permission which corresponds to a "read only" operation, is to allow access. All other permissions default to deny access. +Special actions +--------------- + +In addition to the various ``org.libvirt.api.*`` actions mentioned +above, each of which corresponds to a specific API call, there are +two more actions that can be allowed or rejected via Polkit rules: + + * ``org.libvirt.unix.monitor`` for read-only access to the API; + * ``org.libvirt.unix.manage`` for read/write access. + +When a user connects to the daemon locally (or through the ssh +transport), the appropriate ``org.libvirt.unix.*`` action will need +to be approved by Polkit before any further APIs can be called. + +Read-only access is granted to all local users by default, but +read/write access needs to be explicitly allowed. + Object identity attributes -------------------------- -- 2.42.0
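
Review bot: The closing paragraph of the new "Special actions" section ("Read-only access is granted to all local users by default, but read/write access needs to be explicitly allowed") says read/write access must be allowed but not how, and the section never states how approving ``org.libvirt.unix.manage`` relates to the per-API ``org.libvirt.api.*`` checks described just above it. Because this action is the gate in front of every other permission, I would add one sentence saying whether passing the ``org.libvirt.unix.*`` check only admits the connection, with the ``org.libvirt.api.*`` rules still evaluated for each call, or whether it is sufficient on its own, plus a pointer to where a rule for ``org.libvirt.unix.manage`` is expected to live. The wording "locally (or through the ssh transport)" also leaves open what applies to the other transports; a short clause covering them would keep readers from assuming the same check protects those connections.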