Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
docs/aclpolkit.rst | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/docs/aclpolkit.rst b/docs/aclpolkit.rst
index 9b0a374c53..fe825c504b 100644
--- a/docs/aclpolkit.rst
+++ b/docs/aclpolkit.rst
@@ -70,6 +70,15 @@ to be approved by Polkit before any further APIs can be called.
Read-only access is granted to all local users by default, but
read/write access needs to be explicitly allowed.
+:since:`Since 9.10.0`, these requests will come with the ``granular``
+attribute (see below) set to either ``"true"``, if the Polkit access
+driver is enabled, or ``"false"`` otherwise. A policy designed to
+work with the Polkit access driver should only allow the
+``org.libvirt.unix.manage`` action if the ``granular`` attribute is
+set to ``"true"``: failing to do so might result in accidentally
+granting full administrative access to libvirt to more users than
+intended if the Polkit access driver is later disabled.
+
Object identity attributes
--------------------------
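Review bot: The "(see below)" in the first added sentence has no target in this patch: the diffstat shows 9 insertions, all of them in this hunk, so nothing is added under "Object identity attributes" to describe ``granular``. If the attribute is not already documented there, add an entry for it, or point the reference at the exact section that describes it. The paragraph could also say what a rule sees from a daemon older than 9.10.0, where the attribute is not sent at all. "Only allow ... if the ``granular`` attribute is set to ``"true"``" implies that a missing attribute must be treated as a deny, but policy authors are more likely to get this right if it is stated explicitly, along with the fact that the value is the string ``"true"`` rather than a boolean.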
--
2.42.0