Hi,

I just encountered the same problem with the newer PolicyKit as discussed e.g. in this thread: http://lists.fedoraproject.org/pipermail/virt/2010-June/002081.html

I solved it and thought updating the documentation for PolicyKit 1 would be nice. Patch attached.

Kind regards,

Gerd

--
Address (better: trap) for people I really don't want to get mail from: jonas@xxxxxxxxxxxxxxxxx
From 224c916f8d34301e62ab8c2f4cbb1cd7d108eb36 Mon Sep 17 00:00:00 2001 From: Gerd von Egidy <gerd.von.egidy@xxxxxxxxxxxxx> Date: Tue, 13 Jul 2010 12:24:49 +0200 Subject: [PATCH] document authentication with PolicyKit-1 --- docs/auth.html.in | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) diff --git a/docs/auth.html.in b/docs/auth.html.in index ab6c3e9..d7f61ea 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -64,9 +64,11 @@ session to authenticate using the user's password. This is akin to <code>sudo</c auth, but does not require that the client application ultimately run as root. Default policy will still allow any application to connect to the RO socket. </p> + <h4><a name="ACL_server_polkit-0">PolicyKit-0</a></h4> <p> -The default policy can be overridden by the administrator using the PolicyKit -master configuration file in <code>/etc/PolicyKit/PolicyKit.conf</code>. The +When using PolicyKit version 0 the default policy can be overridden by the +administrator using the PolicyKit master configuration file in +<code>/etc/PolicyKit/PolicyKit.conf</code>. The <code>PolicyKit.conf(5)</code> manual page provides details on the syntax available. The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code> for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket. 
@@ -88,6 +90,33 @@ would require adding the following snippet to <code>PolicyKit.conf</code>. </match> </match> </pre> + <h4><a name="ACL_server_polkit-1">PolicyKit-1</a></h4> + <p> +When using PolicyKit version 1 the default policy can be overridden by creating +a local authorization entry in a file ending on <code>.pkla</code>. Usually this +will reside at <code>/etc/polkit-1/localauthority/50-local.d/10-org.libvirt.pkla</code>. +Detailed information about the logic and syntax of PolicyKit can be found in the +<code>pklocalauthority(8)</code> and <code>polkit(8)</code> manual pages. +The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code> +for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket. +</p> + <p> +As an example, to allow a user <code>fred</code> full access to the RW socket, +while requiring members of the group <code>itdepartment</code> to authenticate with the admin password, +would require a file <code>/etc/polkit-1/localauthority/50-local.d/10-org.libvirt.pkla</code> +with the following content. +</p> + <pre> +[fred full access] +Identity=unix-user:fred +Action=org.libvirt.unix.manage +ResultAny=yes + +[itdepartment admin auth once] +Identity=unix-group:itdepartment +Action=org.libvirt.unix.manage +ResultAny=auth_admin_keep +</pre> <h3><a name="ACL_server_username">Username/password auth</a></h3> <p> The plain TCP socket of the libvirt daemon defaults to using SASL for authentication. -- 1.7.1.1
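Review bot: the first hunk (the new PolicyKit-0 subsection) tells the reader what to do "When using PolicyKit version 0" but gives no way to tell which of the two versions a system actually runs, so an administrator has to guess which subsection applies. Suggest one sentence at the start of the PolicyKit-0 text pointing at the distinguishing paths the patch already uses, i.e. PolicyKit 0 ships /etc/PolicyKit/PolicyKit.conf while PolicyKit 1 has /etc/polkit-1/localauthority/, so the reader can check for the directory before editing anything.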
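Review bot: in the second hunk the paragraph says members of "itdepartment" have "to authenticate with the admin password", but the entry uses "ResultAny=auth_admin_keep" and the entry title says "admin auth once"; nothing explains what "keep" means in practice, i.e. that a successful authentication is reused for some time before the group member is prompted again. That is a security trade-off the administrator should choose deliberately, so suggest spelling it out and naming the non-retaining "auth_admin" value for the case where a prompt on every connection is wanted. Two smaller points: the example only covers "org.libvirt.unix.manage", so a sentence on whether "org.libvirt.unix.monitor" (the RO socket named in the same paragraph) needs a matching entry or simply stays on the default policy would round the section off, and "a file ending on .pkla" should read "ending in .pkla".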
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list