On Tue, Aug 04, 2015 at 05:01:26PM +0200, Jiri Denemark wrote:
Creating ACL rules is not exactly easy and existing examples are pretty
simple. This patch adds a somewhat complex example which defines three
roles (user, operator, admin) with different permissions.
+/* Basic operations and monitoring. */
+var user = new Role("user");
+user.users = ["user1", "user2", "user3"];
+user.groups = ["group1", "group2"];
+
+/* Same as users plus some privileged operations. */
+var operator = new Role("operator");
+operator.users = ["powerUser1", "powerUser2"];
+operator.groups = ["powerGroup1", "powerGroup2",
"powerGroup3"];
+
+/* Full access. */
+var admin = new Role("admin");
+admin.users = ["adminUser1"];
+admin.groups = ["adminGroup1"];
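Review bot: the comment on the operator block says "Same as users plus some privileged operations", but nothing in the hunk ties the operator role to the user role's permissions, so a reader has to check by hand that every user action also appears in operator.actions. Either derive the operator list from the user list (for example `operator.actions = user.actions.concat([...])`, if the example's Role helper supports it) or change the comment to say the two lists are maintained independently and must be kept in sync.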
What is the aim in differentiating operator vs admin?
+operator.actions = [
+ "domain.delete",
+ "domain.migrate",
+ "domain.read-secure",
+ "domain.write",
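Review bot: the operator.actions array opens with the most sensitive domain permissions ("domain.delete", "domain.migrate", "domain.read-secure", "domain.write") and carries no comment explaining why a role below admin should hold them. Since this is an example meant to teach people how to write ACL rules, each group of entries should say what it grants and why the operator role needs it, e.g. `/* read-secure exposes secure domain data such as passwords in the XML */` above "domain.read-secure".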
Once you give out domain.write (or any other $object.write) to the
operator, it is pretty much game over for security - they'd be
able to elevate privileges to admin without any real trouble.
+ "network.delete",
+ "network.getattr",
+ "network.read",
+ "network.save",
+ "network.start",
+ "network.stop",
+ "network.write",
+ "nwfilter.delete",
+ "nwfilter.getattr",
+ "nwfilter.read",
+ "nwfilter.save",
+ "nwfilter.write",
+ "secret.delete",
+ "secret.getattr",
+ "secret.read",
+ "secret.read-secure",
+ "secret.save",
+ "secret.write",
+ "storage-pool.refresh",
+ "storage-vol.create",
+ "storage-vol.data-read",
+ "storage-vol.data-write",
+ "storage-vol.delete",
+ "storage-vol.format",
+ "storage-vol.getattr",
+ "storage-vol.read",
+ "storage-vol.resize"
+];
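Review bot: the operator role is given the complete secret.* set, including "secret.read-secure", "secret.write" and "secret.delete", which lets the holder retrieve and replace secret values; that is the same class of concern already raised for "domain.read-secure" and "domain.write" and should at minimum be called out in a comment. Separately, the list grants "storage-vol.create", "storage-vol.delete" and "storage-vol.format" while the only storage-pool permission is "storage-pool.refresh"; if volume operations first require looking up the pool, the example also needs "storage-pool.getattr" (and probably "storage-pool.read"), otherwise a comment should explain why they are omitted.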
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|