Fix polkit configuration to allow usage of libvirt on openSUSE

There is a buggy limitation with pkla files on openSUSE, that blocks using 'unix-group:libvirtd' from working. A pkla with such a matching identity will be overruled by the pkla generated by polkit-default-privs containing 'unix-group:*' (which will match the other groups the user belongs to, likely after matching libvirtd). To work around this, explicitly allow the user instead. Also, move the creation of the libvirtd group a bit later, to clarify the code. Change-Id: Ia3e4ae982accfc247a744eaa6d6aa4935e4f404c
2012-12-05 17:59:04 +01:00 · 2012-12-05 17:59:04 +01:00 · f1c094cbcd
commit f1c094cbcd
parent 63ea3185de
1 changed files with 21 additions and 5 deletions
--- a/lib/nova
+++ b/lib/nova
@ -231,10 +231,13 @@ EOF
        if is_ubuntu; then
            LIBVIRT_DAEMON=libvirt-bin
        else
-            # http://wiki.libvirt.org/page/SSHPolicyKitSetup
-            if ! getent group libvirtd >/dev/null; then
-                sudo groupadd libvirtd
+            LIBVIRT_DAEMON=libvirtd
        fi
+
+        # For distributions using polkit to authorize access to libvirt,
+        # configure polkit accordingly.
+        # Based on http://wiki.libvirt.org/page/SSHPolicyKitSetup
+        if is_fedora; then
            sudo bash -c 'cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
 [libvirt Management Access]
 Identity=unix-group:libvirtd
@ -243,11 +246,24 @@ ResultAny=yes
 ResultInactive=yes
 ResultActive=yes
 EOF'
-            LIBVIRT_DAEMON=libvirtd
+        elif is_suse; then
+            # Work around the fact that polkit-default-privs overrules pklas
+            # with 'unix-group:$group'.
+            sudo bash -c "cat <<EOF >/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
+[libvirt Management Access]
+Identity=unix-user:$USER
+Action=org.libvirt.unix.manage
+ResultAny=yes
+ResultInactive=yes
+ResultActive=yes
+EOF"
        fi

        # The user that nova runs as needs to be member of **libvirtd** group otherwise
        # nova-compute will be unable to use libvirt.
+        if ! getent group libvirtd >/dev/null; then
+            sudo groupadd libvirtd
+        fi
        add_user_to_group `whoami` libvirtd

        # libvirt detects various settings on startup, as we potentially changed