[libvirt] [PATCH] examples: Add example polkit ACL rules
Daniel P. Berrange
berrange at redhat.com
Tue Aug 4 15:09:53 UTC 2015
On Tue, Aug 04, 2015 at 05:01:26PM +0200, Jiri Denemark wrote:
> Creating ACL rules is not exactly easy and existing examples are pretty
> simple. This patch adds a somewhat complex example which defines three
> roles (user, operator, admin) with different permissions.
>
> +/* Basic operations and monitoring. */
> +var user = new Role("user");
> +user.users = ["user1", "user2", "user3"];
> +user.groups = ["group1", "group2"];
> +
> +/* Same as users plus some privileged operations. */
> +var operator = new Role("operator");
> +operator.users = ["powerUser1", "powerUser2"];
> +operator.groups = ["powerGroup1", "powerGroup2", "powerGroup3"];
> +
> +/* Full access. */
> +var admin = new Role("admin");
> +admin.users = ["adminUser1"];
> +admin.groups = ["adminGroup1"];
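Review bot: the operator comment says "Same as users plus some privileged operations", but nothing in these lines expresses that relationship; either derive the operator list from the user one, or say in the comment that the two lists have to be kept in sync by hand, since otherwise a permission added to user later is silently missing from operator.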
What is the aim in differentiating operator vs admin?
> +operator.actions = [
> + "domain.delete",
> + "domain.migrate",
> + "domain.read-secure",
> + "domain.write",
Once you give out domain.write (or any other $object.write) to the
operator, it is pretty much game over for security - they'd be
able to elevate privileges to admin without any real trouble.
> + "network.delete",
> + "network.getattr",
> + "network.read",
> + "network.save",
> + "network.start",
> + "network.stop",
> + "network.write",
> + "nwfilter.delete",
> + "nwfilter.getattr",
> + "nwfilter.read",
> + "nwfilter.save",
> + "nwfilter.write",
> + "secret.delete",
> + "secret.getattr",
> + "secret.read",
> + "secret.read-secure",
> + "secret.save",
> + "secret.write",
> + "storage-pool.refresh",
> + "storage-vol.create",
> + "storage-vol.data-read",
> + "storage-vol.data-write",
> + "storage-vol.delete",
> + "storage-vol.format",
> + "storage-vol.getattr",
> + "storage-vol.read",
> + "storage-vol.resize"
> +];
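Review bot: the operator list grants domain.write, network.write, nwfilter.write, secret.write and secret.read-secure, which is at odds with presenting operator as a role distinct from admin: these let the holder rewrite domain, network, filter and secret definitions or read secret values. Either move every *.write and *.read-secure entry (and the secret.* entries) to admin, or state in the example's comment that operator is effectively a second admin.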
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
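A self-contained way to express the role split discussed above, added here as an example and not taken from the patch or from libvirt: the operator role gets lifecycle permissions but no *.write, *.read-secure or secret.* entries, and the lookup is a plain function so it can be tested outside polkitd. It assumes libvirt's org.libvirt.api.<object>.<permission> action id scheme and polkit's addRule / subject.isInGroup API; the user and group names are made up.

```javascript
// Added example, not part of the patch under review: the same role idea
// as a pure lookup so the policy can be unit-tested outside polkitd.
// Action ids use libvirt's "org.libvirt.api.<object>.<permission>" form;
// the user and group names are made up for illustration.
const PREFIX = "org.libvirt.api.";

const ROLES = {
  // Monitoring only: nothing that changes state or reveals secrets.
  user: {
    users: ["user1"], groups: ["group1"],
    actions: ["domain.getattr", "domain.read", "network.getattr",
              "network.read", "storage-vol.getattr", "storage-vol.read"],
  },
  // Lifecycle control, deliberately without any *.write, *.read-secure
  // or secret.* permission (those let the holder reach admin).
  operator: {
    users: ["powerUser1"], groups: ["powerGroup1"],
    actions: ["domain.start", "domain.stop", "network.start",
              "network.stop", "storage-pool.refresh", "storage-vol.create"],
  },
  // Full access.
  admin: { users: ["adminUser1"], groups: ["adminGroup1"], actions: ["*"] },
};
// Permissions treated as equivalent to admin; a role below admin never
// gets them even if someone adds them to its action list by mistake.
const ADMIN_EQUIVALENT = /\.(write|read-secure)$|^secret\./;

// user: unix user name; inGroup: predicate answering group membership
// (polkit exposes subject.isInGroup; the node test passes a closure).
function isAllowed(actionId, user, inGroup) {
  if (!actionId.startsWith(PREFIX)) return false;
  const perm = actionId.slice(PREFIX.length);
  return Object.values(ROLES).some((role) => {
    const member = role.users.includes(user) || role.groups.some(inGroup);
    if (!member) return false;
    if (role.actions.includes("*")) return true;
    return role.actions.includes(perm) && !ADMIN_EQUIVALENT.test(perm);
  });
}

// Loaded by polkitd as a .rules file the polkit global exists; under
// node it does not, so the hook is simply skipped.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    if (!action.id.startsWith(PREFIX)) return polkit.Result.NOT_HANDLED;
    const ok = isAllowed(action.id, subject.user, (g) => subject.isInGroup(g));
    return ok ? polkit.Result.YES : polkit.Result.NO;
  });
}
```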