diff --git a/docs/auth.html.in b/docs/auth.html.in index ab6c3e94527277f3a0462e6b3455881489cce007..13731eb766fa331b3d23a8696af1cfc4a591e1b7 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -65,29 +65,27 @@ auth, but does not require that the client application ultimately run as root. Default policy will still allow any application to connect to the RO socket.

-The default policy can be overridden by the administrator using the PolicyKit -master configuration file in /etc/PolicyKit/PolicyKit.conf. The -PolicyKit.conf(5) manual page provides details on the syntax -available. The two libvirt daemon actions available are named org.libvirt.unix.monitor -for the RO socket, and org.libvirt.unix.manage for the RW socket. -

+The default policy can be overridden by creating a new policy file in the +local override directory /etc/polkit-1/localauthority/50-local.d/. +Policy files should have a unique name ending with .pkla. Using reverse DNS +naming works well. Information on the options available can be found by +reading the pklocalauthority man page. The two libvirt daemon actions +available are named org.libvirt.unix.manage for full management +access, and org.libvirt.unix.monitor for read-only access. +

-As an example, to allow a user fred full access to the RW socket, -while requiring joe to authenticate with the admin password, -would require adding the following snippet to PolicyKit.conf. -

-
-  <match action="org.libvirt.unix.manage">
-    <match user="fred">
-      <return result="yes"/>
-    </match>
-  </match>
-  <match action="org.libvirt.unix.manage">
-    <match user="joe">
-      <return result="auth_admin"/>
-    </match>
-  </match>
-
+As an example, this gives the user fred full management access: +

+
[Allow fred libvirt management permissions]
+Identity=unix-user:fred
+Action=org.libvirt.unix.manage
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
+

+Further examples of PolicyKit setup can be found on the +wiki page. +

Username/password auth

The plain TCP socket of the libvirt daemon defaults to using SASL for authentication.
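Review bot: the new .pkla example grants fred ResultAny=yes, ResultInactive=yes and ResultActive=yes, i.e. unconditional org.libvirt.unix.manage access regardless of whether the session is local, active or inactive, while the removed PolicyKit.conf snippet's second case (joe, `auth_admin`, described in the old text as "requiring joe to authenticate with the admin password") is dropped with no replacement, so the rewritten section no longer shows how to require authentication rather than simply allow. Suggest adding a second stanza alongside fred's, e.g. `Identity=unix-user:joe` / `Action=org.libvirt.unix.manage` / `ResultActive=auth_admin`, and a sentence saying that ResultAny and ResultInactive only need to be set to yes when access from non-local or inactive sessions is intended; otherwise restrict the example to ResultActive=yes so readers do not copy the most permissive form by default.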