Commit df1718cc, authored by Justin Clift

docs: reworked the policykit patch submitted by Patrick Dignan

Tweaked the PolicyKit documentation improvement patch submitted
by Patrick Dignan.

Additionally, removed the reference to PolicyKit.conf, which is
no longer used by PolicyKit, plus added a link to the expanded
PolicyKit example page on the wiki.
Parent 5bc43075
...@@ -65,29 +65,27 @@ auth, but does not require that the client application ultimately run as root. ...@@ -65,29 +65,27 @@ auth, but does not require that the client application ultimately run as root.
Default policy will still allow any application to connect to the RO socket. Default policy will still allow any application to connect to the RO socket.
</p> </p>
<p> <p>
The default policy can be overridden by the administrator using the PolicyKit The default policy can be overridden by creating a new policy file in the
master configuration file in <code>/etc/PolicyKit/PolicyKit.conf</code>. The local override directory <code>/etc/polkit-1/localauthority/50-local.d/</code>.
<code>PolicyKit.conf(5)</code> manual page provides details on the syntax Policy files should have a unique name ending with .pkla. Using reverse DNS
available. The two libvirt daemon actions available are named <code>org.libvirt.unix.monitor</code> naming works well. Information on the options available can be found by
for the RO socket, and <code>org.libvirt.unix.manage</code> for the RW socket. reading the pklocalauthority man page. The two libvirt daemon actions
</p> available are named <code>org.libvirt.unix.manage</code> for full management
access, and <code>org.libvirt.unix.monitor</code> for read-only access.
</p>
<p> <p>
As an example, to allow a user <code>fred</code> full access to the RW socket, As an example, this gives the user <code>fred</code> full management access:
while requiring <code>joe</code> to authenticate with the admin password, </p>
would require adding the following snippet to <code>PolicyKit.conf</code>. <pre>[Allow fred libvirt management permissions]
</p> Identity=unix-user:fred
<pre> Action=org.libvirt.unix.manage
&lt;match action="org.libvirt.unix.manage"&gt; ResultAny=yes
&lt;match user="fred"&gt; ResultInactive=yes
&lt;return result="yes"/&gt; ResultActive=yes</pre>
&lt;/match&gt; <p>
&lt;/match&gt; Further examples of PolicyKit setup can be found on the
&lt;match action="org.libvirt.unix.manage"&gt; <a href="http://wiki.libvirt.org/page/SSHPolicyKitSetup">wiki page</a>.
&lt;match user="joe"&gt; </p>
&lt;return result="auth_admin"/&gt;
&lt;/match&gt;
&lt;/match&gt;
</pre>
<h3><a name="ACL_server_username">Username/password auth</a></h3> <h3><a name="ACL_server_username">Username/password auth</a></h3>
<p> <p>
The plain TCP socket of the libvirt daemon defaults to using SASL for authentication. The plain TCP socket of the libvirt daemon defaults to using SASL for authentication.
......
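Review bot: the new .pkla example sets ResultAny=yes and ResultInactive=yes alongside ResultActive=yes, so fred gets org.libvirt.unix.manage with no authentication from any session, not only from an active local one, and the surrounding text only says "full management access". Please add a sentence on what the three Result* keys control, and consider showing ResultActive=yes on its own or an auth_admin result as the narrower variant, since the removed example's auth_admin case for joe has no replacement and the page no longer shows how to require authentication. Minor: wrap .pkla in <code> like the other file names in this paragraph, and cite the man page with its section, pklocalauthority(8), as the old text did for PolicyKit.conf(5).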