From 74acebeb19b1c0c7a52998b7862806e26ea8fce8 Mon Sep 17 00:00:00 2001
Message-Id: <74acebeb19b1c0c7a52998b7862806e26ea8fce8.1377873639.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Fri, 30 Aug 2013 11:13:44 +0100
Subject: [PATCH] Update polkit examples to use 'lookup' method
For
https://bugzilla.redhat.com/show_bug.cgi?id=700443
Feedback from the polkit developers indicates that the
"_detail_XXXX" attributes are a private implementation
detail. Our examples should be recommending use of the
"action.lookup('XXX')" method instead.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 7a7cb0934e25b9ac23cf9b2d318ac801604e0681)
---
docs/aclpolkit.html.in | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/docs/aclpolkit.html.in b/docs/aclpolkit.html.in
index 3f0689e..1a09139 100644
--- a/docs/aclpolkit.html.in
+++ b/docs/aclpolkit.html.in
@@ -344,10 +344,8 @@
dealing with local clients connected via the UNIX socket).
On the <code>action</code> object, the permission name is
accessible via the <code>id</code> attribute, while the
- object identifying attributes are exposed via a set of
- attributes with the naming convention <code>_detail_[attrname]</code>.
- For example, the 'domain_name' attribute would be exposed via
- a property <code>_detail_domain_name</code>.
+ object identifying attributes are exposed via the
+ <code>lookup</code> method.
</p>
<h3><a name="exconnect">Example: restricting ability to connect to drivers</a></h3>
@@ -359,7 +357,7 @@
use the <code>QEMU</code> driver and not the Xen or LXC
drivers which are also available in libvirtd.
To achieve this we need to write a rule which checks
- whether the <code>_detail_connect_driver</code> attribute
+ whether the <code>connect_driver</code> attribute
is <code>QEMU</code>, and match on an action
name of <code>org.libvirt.api.connect.getattr</code>. Using
the javascript rules format, this ends up written as
@@ -369,7 +367,7 @@
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.api.connect.getattr" &&
subject.user == "berrange") {
- if (action._detail_connect_driver == 'QEMU') {
+ if (action.lookup("connect_driver") == 'QEMU') {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
@@ -386,8 +384,8 @@ polkit.addRule(function(action, subject) {
full read-write mode. The goal is to only allow them to
see the domain called <code>demo</code> on the LXC driver.
To achieve this we need to write a rule which checks
- whether the <code>_detail_connect_driver</code> attribute
- is <code>LXC</code> and the <code>_detail_domain_name</code>
+ whether the <code>connect_driver</code> attribute
+ is <code>LXC</code> and the <code>domain_name</code>
attribute is <code>demo</code>, and match on a action
name of <code>org.libvirt.api.domain.getattr</code>. Using
the javascript rules format, this ends up written as
@@ -397,8 +395,8 @@ polkit.addRule(function(action, subject) {
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.api.domain.getattr" &&
subject.user == "berrange") {
- if (action._detail_connect_driver == 'LXC' &&
- action._detail_domain_name == 'demo') {
+ if (action.lookup("connect_driver") == 'LXC' &&
+ action.lookup("domain_name") == 'demo') {
return polkit.Result.YES;
} else {
return polkit.Result.NO;
--
1.8.3.2