From f1c094cbcd7917593a2f92b82a5d29931a5698a7 Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Wed, 5 Dec 2012 17:59:04 +0100 Subject: [PATCH] Fix polkit configuration to allow usage of libvirt on openSUSE There is a buggy limitation with pkla files on openSUSE, that blocks using 'unix-group:libvirtd' from working. A pkla with such a matching identity will be overruled by the pkla generated by polkit-default-privs containing 'unix-group:*' (which will match the other groups the user belongs to, likely after matching libvirtd). To work around this, explicitly allow the user instead. Also, move the creation of the libvirtd group a bit later, to clarify the code. Change-Id: Ia3e4ae982accfc247a744eaa6d6aa4935e4f404c --- lib/nova | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/lib/nova b/lib/nova index 86db561191..9530df4618 100644 --- a/lib/nova +++ b/lib/nova @@ -231,10 +231,13 @@ EOF if is_ubuntu; then LIBVIRT_DAEMON=libvirt-bin else - # http://wiki.libvirt.org/page/SSHPolicyKitSetup - if ! getent group libvirtd >/dev/null; then - sudo groupadd libvirtd - fi + LIBVIRT_DAEMON=libvirtd + fi + + # For distributions using polkit to authorize access to libvirt, + # configure polkit accordingly. + # Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup + if is_fedora; then sudo bash -c 'cat </etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla [libvirt Management Access] Identity=unix-group:libvirtd 
@@ -243,11 +246,24 @@ ResultAny=yes ResultInactive=yes ResultActive=yes EOF' - LIBVIRT_DAEMON=libvirtd + elif is_suse; then + # Work around the fact that polkit-default-privs overrules pklas + # with 'unix-group:$group'. + sudo bash -c "cat </etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla +[libvirt Management Access] +Identity=unix-user:$USER +Action=org.libvirt.unix.manage +ResultAny=yes +ResultInactive=yes +ResultActive=yes +EOF" fi # The user that nova runs as needs to be member of **libvirtd** group otherwise # nova-compute will be unable to use libvirt. + if ! getent group libvirtd >/dev/null; then + sudo groupadd libvirtd + fi add_user_to_group `whoami` libvirtd # libvirt detects various settings on startup, as we potentially changed
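Review bot: In the first hunk (`@@ -231,10 +231,13 @@`), the pkla is now written only under `if is_fedora` (with `elif is_suse` added in the second hunk), while the removed code wrote it in the `else` branch for every non-Ubuntu distribution. Any other non-Ubuntu distribution that reached the old `else` branch now gets `LIBVIRT_DAEMON=libvirtd` and the group membership but no polkit rule, so `org.libvirt.unix.manage` is not granted there. Either add a final `else` that keeps the group-based pkla, or extend the new comment ("For distributions using polkit ...") to name the distributions that are intentionally left out.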
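Review bot: In the second hunk (`@@ -243,11 +246,24 @@`), the SUSE branch writes `Identity=unix-user:$USER`, expanded by the calling shell inside the double-quoted `bash -c`, while the group step a few lines later uses `whoami`. The two can disagree, and if `$USER` is unset the file is written with an empty identity (`Identity=unix-user:`) and no error. Since this rule grants `org.libvirt.unix.manage` with `ResultAny=yes` to one named account, resolve the account once (for example from `whoami`, as `add_user_to_group` does), check it is non-empty, and use that value in both places. The comment above the branch should also say that on SUSE the grant is per-user and that the `libvirtd` group added afterwards does not drive the polkit decision.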