Commit 30c225c6, authored by Mark McLoughlin, committed by Daniel P. Berrangé

docs: use JavaScript based PolicyKit .rules files

PolicyKit authentication rules have switched to a JavaScript based
format quite some time ago. See:

http://davidz25.blogspot.com/2012/06/authorization-rules-in-polkit.html

While backwards compat for the old .pkla format is still available, it
makes sense to point people first at the new format.

The SSHPolicyKitSetup wiki page seems pretty stale, so remove the
reference to it.
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Parent 5de4d410
...@@ -184,15 +184,29 @@ Default policy will still allow any application to connect to the RO socket. ...@@ -184,15 +184,29 @@ Default policy will still allow any application to connect to the RO socket.
</p> </p>
<p> <p>
The default policy can be overridden by creating a new policy file in the The default policy can be overridden by creating a new policy file in the
local override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>. <code>/etc/polkit-1/rules.d</code> directory. Information on the options
Policy files should have a unique name ending with .pkla. Using reverse DNS available can be found by reading the <code>polkit(8)</code> man page. The
naming works well. Information on the options available can be found by two libvirt actions are named <code>org.libvirt.unix.manage</code> for full
reading the pklocalauthority man page. The two libvirt daemon actions management access, and <code>org.libvirt.unix.monitor</code> for read-only
available are named <code>org.libvirt.unix.manage</code> for full management access.
access, and <code>org.libvirt.unix.monitor</code> for read-only access. </p>
<p>
As an example, creating <code>/etc/polkit-1/rules.d/80-libvirt-manage.rules</code>
with the following gives the user <code>fred</code> full management access
when accessing from an active local session:
</p> </p>
<pre>polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &amp;&amp;
subject.local &amp;&amp; subject.active &amp;&amp; subject.user == "fred") {
return polkit.Result.YES;
}
});</pre>
<p> <p>
As an example, this gives the user <code>fred</code> full management access: Older versions of PolicyKit used policy files ending with .pkla in the
local override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>.
Compatibility with this older format is provided by <a
href="https://pagure.io/polkit-pkla-compat">polkit-pkla-compat</a>. As an
example, this gives the user <code>fred</code> full management access:
</p> </p>
<pre>[Allow fred libvirt management permissions] <pre>[Allow fred libvirt management permissions]
Identity=unix-user:fred Identity=unix-user:fred
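Review bot: The new paragraph on `/etc/polkit-1/rules.d` drops the file-naming guidance the old text gave for .pkla files and puts nothing in its place. It does not say that the file name must end in `.rules`, and it does not explain the `80-` prefix in `80-libvirt-manage.rules`. Since `polkit(8)` is already referenced, add a sentence saying that rules files are processed in sorted file-name order and that a rule which returns no value, as this one does when its `if` does not match, leaves the decision to later rules and the default policy. Without that, a reader cannot tell how this file interacts with other rules that match `org.libvirt.unix.manage`.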
...@@ -200,10 +214,6 @@ Action=org.libvirt.unix.manage ...@@ -200,10 +214,6 @@ Action=org.libvirt.unix.manage
ResultAny=yes ResultAny=yes
ResultInactive=yes ResultInactive=yes
ResultActive=yes</pre> ResultActive=yes</pre>
<p>
Further examples of PolicyKit setup can be found on the
<a href="http://wiki.libvirt.org/page/SSHPolicyKitSetup">wiki page</a>.
</p>
<h2><a id="ACL_server_sasl">SASL pluggable authentication</a></h2> <h2><a id="ACL_server_sasl">SASL pluggable authentication</a></h2>
<p> <p>
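Review bot: The retained .pkla context in this hunk (`ResultAny=yes`, `ResultInactive=yes`, `ResultActive=yes`) grants `org.libvirt.unix.manage` to fred for any session, while the new .rules example added earlier in the patch requires `subject.local` and `subject.active`. Both are introduced as giving fred "full management access", so the page now presents two examples of different scope as if they were the same policy in two formats. Either restrict the .pkla example to active sessions so the two match, or say in the legacy paragraph that it also covers inactive and non-local sessions. With the wiki link removed here, these two snippets are the only PolicyKit examples left on the page, so their difference in scope should be explicit.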
......