From 74acebeb19b1c0c7a52998b7862806e26ea8fce8 Mon Sep 17 00:00:00 2001

Message-Id: <74acebeb19b1c0c7a52998b7862806e26ea8fce8.1377873639.git.jdenemar@redhat.com>

From: "Daniel P. Berrange" <berrange@redhat.com>

Date: Fri, 30 Aug 2013 11:13:44 +0100

Subject: [PATCH] Update polkit examples to use 'lookup' method

For

  https://bugzilla.redhat.com/show_bug.cgi?id=700443

Feedback from the polkit developers indicates that the

"_detail_XXXX" attributes are a private implementation

detail. Our examples should be recommending use of the

"action.lookup('XXX')" method instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

(cherry picked from commit 7a7cb0934e25b9ac23cf9b2d318ac801604e0681)

---

 docs/aclpolkit.html.in | 18 ++++++++----------

 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in

index 3f0689e..1a09139 100644

--- a/docs/aclpolkit.html.in

+++ b/docs/aclpolkit.html.in

@@ -344,10 +344,8 @@

       dealing with local clients connected via the UNIX socket).

       On the action object, the permission name is

       accessible via the id attribute, while the

-      object identifying attributes are exposed via a set of

-      attributes with the naming convention _detail_[attrname].

-      For example, the 'domain_name' attribute would be exposed via

-      a property _detail_domain_name.

+      object identifying attributes are exposed via the

+      lookup method.

     
Example: restricting ability to connect to drivers

@@ -359,7 +357,7 @@

       use the QEMU driver and not the Xen or LXC

       drivers which are also available in libvirtd.

       To achieve this we need to write a rule which checks

-      whether the _detail_connect_driver attribute

+      whether the connect_driver attribute

       is QEMU, and match on an action

       name of org.libvirt.api.connect.getattr. Using

       the javascript rules format, this ends up written as

@@ -369,7 +367,7 @@

 polkit.addRule(function(action, subject) {

     if (action.id == "org.libvirt.api.connect.getattr" &&

         subject.user == "berrange") {

-          if (action._detail_connect_driver == 'QEMU') {

+          if (action.lookup("connect_driver") == 'QEMU') {

             return polkit.Result.YES;

           } else {

             return polkit.Result.NO;

@@ -386,8 +384,8 @@ polkit.addRule(function(action, subject) {

       full read-write mode. The goal is to only allow them to

       see the domain called demo on the LXC driver.

       To achieve this we need to write a rule which checks

-      whether the _detail_connect_driver attribute

-      is LXC and the _detail_domain_name

+      whether the connect_driver attribute

+      is LXC and the domain_name

       attribute is demo, and match on a action

       name of org.libvirt.api.domain.getattr. Using

       the javascript rules format, this ends up written as

@@ -397,8 +395,8 @@ polkit.addRule(function(action, subject) {

 polkit.addRule(function(action, subject) {

     if (action.id == "org.libvirt.api.domain.getattr" &&

         subject.user == "berrange") {

-          if (action._detail_connect_driver == 'LXC' &&

-              action._detail_domain_name == 'demo') {

+          if (action.lookup("connect_driver") == 'LXC' &&

+              action.lookup("domain_name") == 'demo') {

             return polkit.Result.YES;

           } else {

             return polkit.Result.NO;

-- 

1.8.3.2