7:27 a.m.
Tweaked the PolicyKit documentation improvement patch submitted
by Patrick Dignan.
Additionally, removed the reference to PolicyKit.conf, which is
no longer used by PolicyKit, plus added a link to the expanded
PolicyKit example page on the wiki.
---
The concept submitted was both valid and useful, but the keyswords in
the "Result*" lines are case sensitive, so the example provided
didn't work.
docs/auth.html.in | 42 ++++++++++++++++++++----------------------
1 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/docs/auth.html.in b/docs/auth.html.in
index ab6c3e9..13731eb 100644
--- a/docs/auth.html.in
+++ b/docs/auth.html.in
@@ -65,29 +65,27 @@ auth, but does not require that the client application ultimately run
as root.
Default policy will still allow any application to connect to the RO socket.
</p>
<p>
-The default policy can be overridden by the administrator using the PolicyKit
-master configuration file in <code>/etc/PolicyKit/PolicyKit.conf</code>. The
-<code>PolicyKit.conf(5)</code> manual page provides details on the syntax
-available. The two libvirt daemon actions available are named
<code>org.libvirt.unix.monitor</code>
-for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW
socket.
-</p>
+The default policy can be overridden by creating a new policy file in the
+local override directory
<code>/etc/polkit-1/localauthority/50-local.d/</code>.
+Policy files should have a unique name ending with .pkla. Using reverse DNS
+naming works well. Information on the options available can be found by
+reading the pklocalauthority man page. The two libvirt daemon actions
+available are named <code>org.libvirt.unix.manage</code> for full management
+access, and <code>org.libvirt.unix.monitor</code> for read-only access.
+ </p>
<p>
-As an example, to allow a user <code>fred</code> full access to the RW
socket,
-while requiring <code>joe</code> to authenticate with the admin password,
-would require adding the following snippet to <code>PolicyKit.conf</code>.
-</p>
- <pre>
- <match action="org.libvirt.unix.manage">
- <match user="fred">
- <return result="yes"/>
- </match>
- </match>
- <match action="org.libvirt.unix.manage">
- <match user="joe">
- <return result="auth_admin"/>
- </match>
- </match>
-</pre>
+As an example, this gives the user <code>fred</code> full management access:
+ </p>
+<pre>[Allow fred libvirt management permissions]
+Identity=unix-user:fred
+Action=org.libvirt.unix.manage
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes</pre>
+ <p>
+Further examples of PolicyKit setup can be found on the
+<a href="http://wiki.libvirt.org/page/SSHPolicyKitSetup">wiki
page</a>.
+ </p>
<h3><a name="ACL_server_username">Username/password
auth</a></h3>
<p>
The plain TCP socket of the libvirt daemon defaults to using SASL for authentication.
--
1.7.2.3
9:41 a.m.
On Thu, Sep 16, 2010 at 10:27:03PM +1000, Justin Clift wrote:
Tweaked the PolicyKit documentation improvement patch submitted
by Patrick Dignan.
Additionally, removed the reference to PolicyKit.conf, which is
no longer used by PolicyKit, plus added a link to the expanded
PolicyKit example page on the wiki.
---
The concept submitted was both valid and useful, but the keyswords in
the "Result*" lines are case sensitive, so the example provided
didn't work.
ACK,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
5182
days inactive
5182
days old
2 comments
2 participants
participants (2)
-
Daniel Veillard -
Justin Clift