[libvirt] [PATCH] examples: Add example polkit ACL rules

Daniel P. Berrange berrange at redhat.com
Tue Aug 4 15:09:53 UTC 2015


On Tue, Aug 04, 2015 at 05:01:26PM +0200, Jiri Denemark wrote:
> Creating ACL rules is not exactly easy and existing examples are pretty
> simple. This patch adds a somewhat complex example which defines three
> roles (user, operator, admin) with different permissions.
> 

> +/* Basic operations and monitoring. */
> +var user = new Role("user");
> +user.users = ["user1", "user2", "user3"];
> +user.groups = ["group1", "group2"];
> +
> +/* Same as users plus some privileged operations.  */
> +var operator = new Role("operator");
> +operator.users = ["powerUser1", "powerUser2"];
> +operator.groups = ["powerGroup1", "powerGroup2", "powerGroup3"];
> +
> +/* Full access. */
> +var admin = new Role("admin");
> +admin.users = ["adminUser1"];
> +admin.groups = ["adminGroup1"];
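
Review bot: the comment on the operator role, "Same as users plus some privileged operations", does not say which privileged operations it adds, and since the difference between operator and admin is the whole point of a three-role example, the comment should name the distinction explicitly, e.g. "operator: everything a user may do, plus the domain/network/secret/storage-vol permissions listed in operator.actions below", so a reader copying the example knows exactly what the extra role hands out.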

What is the aim in differentiating operator vs admin?


> +operator.actions = [
> +    "domain.delete",
> +    "domain.migrate",
> +    "domain.read-secure",
> +    "domain.write",

Once you give out domain.write (or any other $object.write) to the
operator, it is pretty much game over for security - they'd be
able to elevate privileges to admin without any real trouble.

> +    "network.delete",
> +    "network.getattr",
> +    "network.read",
> +    "network.save",
> +    "network.start",
> +    "network.stop",
> +    "network.write",
> +    "nwfilter.delete",
> +    "nwfilter.getattr",
> +    "nwfilter.read",
> +    "nwfilter.save",
> +    "nwfilter.write",
> +    "secret.delete",
> +    "secret.getattr",
> +    "secret.read",
> +    "secret.read-secure",
> +    "secret.save",
> +    "secret.write",
> +    "storage-pool.refresh",
> +    "storage-vol.create",
> +    "storage-vol.data-read",
> +    "storage-vol.data-write",
> +    "storage-vol.delete",
> +    "storage-vol.format",
> +    "storage-vol.getattr",
> +    "storage-vol.read",
> +    "storage-vol.resize"
> +];
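
Review bot: the operator list grants "secret.read-secure" and "storage-vol.data-write" next to the "*.write" permissions already raised above; read-secure returns the secret's value and data-write lets the holder write raw volume contents, so an operator defined this way can read stored secrets and rewrite disk images, which is full control rather than "some privileged operations". Suggest moving these (and the ".write" entries) to the admin role, or, if the intent is to show a deliberately broad operator, adding a comment above each such line stating the consequence, so the example models least privilege instead of an operator that is admin in all but name.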

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
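As an added example (not code from the patch, the reply, or libvirt itself), a small lint written in the rules' own language, JavaScript, that applies the point above to role definitions in the patch's shape: every `$object.write` permission is flagged as admin-equivalent, and `read-secure`/`data-write` permissions are flagged as a second tier because they expose secret values and raw volume contents. The role object shape, the two patterns and the `sampleOperator` data are assumptions constructed here.

```javascript
// Added example, not part of the libvirt patch: a lint for role definitions
// of the form { name, users, groups, actions } with libvirt ACL permission
// names. It flags what the review warns about: any "$object.write" lets the
// holder rewrite the object's definition (admin-equivalent), while read-secure
// and data-write expose secret values and raw disk contents (sensitive).
// The role shape and the sample data below are constructed for this example.

// Permissions equivalent to full control of the object they name.
const ADMIN_EQUIVALENT = /\.write$/;
// Permissions that disclose confidential data or write raw storage contents.
const SENSITIVE = /\.(read-secure|data-write)$/;

// Classify one permission name, e.g. "domain.write" -> "admin-equivalent".
function classify(perm) {
  if (ADMIN_EQUIVALENT.test(perm)) return "admin-equivalent";
  if (SENSITIVE.test(perm)) return "sensitive";
  return "ok";
}

// Report for one role: which of its actions escalate and which are sensitive.
function lintRole(role) {
  const findings = { name: role.name, adminEquivalent: [], sensitive: [] };
  for (const perm of role.actions || []) {
    const kind = classify(perm);
    if (kind === "admin-equivalent") findings.adminEquivalent.push(perm);
    else if (kind === "sensitive") findings.sensitive.push(perm);
  }
  return findings;
}

// The subset of an action list that does not escalate: what a non-admin role
// can keep while still following least privilege.
function withoutEscalation(actions) {
  return actions.filter((perm) => classify(perm) === "ok");
}

// Constructed sample in the patch's shape, using entries from the reviewed list.
const sampleOperator = {
  name: "operator",
  users: ["powerUser1", "powerUser2"],
  groups: ["powerGroup1"],
  actions: ["domain.delete", "domain.migrate", "domain.read-secure", "domain.write",
            "network.read", "network.write", "secret.read-secure", "secret.write",
            "storage-vol.data-read", "storage-vol.data-write", "storage-vol.resize"],
};

console.log(JSON.stringify(lintRole(sampleOperator), null, 2));
console.log("safe to keep:", withoutEscalation(sampleOperator.actions).join(", "));
```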
