[PATCH] Documentation on www.libvirt.org about using PolicyKit authentication for libvirt is out of date

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

 Hi all,
I've created a patch for the bug here: https://bugzilla.redhat.com/show_bug.cgi?id=610822 It is attached to this message. The patch updates the docs to have more up-to-date information about how to use PolicyKit with libvirt 

Best,

Patrick Dignan

>From fcece6eee96adbebd735926a90b4ea53525c2d8e Mon Sep 17 00:00:00 2001
From: Patrick Dignan <pat_dignan@xxxxxxxx>
Date: Thu, 12 Aug 2010 13:52:50 -0500
Subject: [PATCH] Updated PolicyKit documentation

---
 docs/auth.html.in |   37 +++++++++++++++++++++----------------
 1 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/docs/auth.html.in b/docs/auth.html.in
index ab6c3e9..9e4a33a 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -65,28 +65,33 @@ auth, but does not require that the client application ultimately run as root.
 Default policy will still allow any application to connect to the RO socket.
 </p>
     <p>
-The default policy can be overridden by the administrator using the PolicyKit
-master configuration file in <code>/etc/PolicyKit/PolicyKit.conf</code>. The
-<code>PolicyKit.conf(5)</code> manual page provides details on the syntax
-available. The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code>
-for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket.
+The default policy can be overridden by creating a new policy file in the local 
+override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>.  
+Policy files should have a unique name ending with .pkla.  Using reverse DNS naming 
+works well. Information on the options available can be found by reading the 
+pklocalauthority man page. The two libvirt daemon actions available are named 
+<code>org.libvirt.unix.monitor</code> for the RO socket, and 
+<code>org.libvirt.unix.manage</code> for the RW socket.
 </p>
     <p>
 As an example, to allow a user <code>fred</code> full access to the RW socket,
 while requiring <code>joe</code> to authenticate with the admin password,
 would require adding the following snippet to <code>PolicyKit.conf</code>.
 </p>
-    <pre>
-  &lt;match action="org.libvirt.unix.manage"&gt;
-    &lt;match user="fred"&gt;
-      &lt;return result="yes"/&gt;
-    &lt;/match&gt;
-  &lt;/match&gt;
-  &lt;match action="org.libvirt.unix.manage"&gt;
-    &lt;match user="joe"&gt;
-      &lt;return result="auth_admin"/&gt;
-    &lt;/match&gt;
-  &lt;/match&gt;
+<pre>
+[Allow fred libvirt management permissions]
+Identity=unix-user:fred
+Action=org.libvirt.unix.manage
+ResultAny=No
+ResultInactive=No
+ResultActive=Yes
+
+[Allow joe libvirt management with admin password]
+Identity=unix-user:joe
+Action=org.libvirt.unix.manage
+ResultAny=No
+ResultInactive=No
+ResultActive=auth_admin
 </pre>
     <h3><a name="ACL_server_username">Username/password auth</a></h3>
     <p>
-- 
1.7.2.1


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]