anti
e4ccf30133
polkit rule 50-decnet-workers.rules hardcoded isInGroup("decnet"),
so when 'decnet init --group anti' installed systemd units as
User=anti / Group=anti, the API (running as anti) could no longer
systemctl start/stop decnet-*.service — polkit fell back to
'interactive authentication required', which in a daemon context is
a hard fail:
START FAILED · COLLECTOR — Failed to start decnet-collector.service:
Access denied as the requested operation requires interactive
authentication.
Rename the rule to .j2, parameterise the group on {{ group }}, and
route _install_polkit through _render_template /
_write_rendered_if_changed. Now the polkit rule matches whatever
group was passed to 'decnet init'.
Test fixture updated to seed the .j2 variant.
24 lines
940 B
Django/Jinja
24 lines
940 B
Django/Jinja
// Allow members of the '{{ group }}' group to manage DECNET systemd units
|
|
// (start / stop / restart / reload) without a password prompt.
|
|
//
|
|
// Scope is locked to units matching `decnet-<name>.service` or the
|
|
// `decnet.target` grouping unit. Any other unit is unaffected by this
|
|
// rule and still goes through the default polkit policy.
|
|
//
|
|
// The group name is rendered at `decnet init` time from --group; the
|
|
// default is `decnet`, but dev boxes that pass --group $USER get a
|
|
// rule that matches the operator's own login group.
|
|
//
|
|
// Install: /etc/polkit-1/rules.d/50-decnet-workers.rules
|
|
|
|
polkit.addRule(function(action, subject) {
|
|
if (action.id == "org.freedesktop.systemd1.manage-units") {
|
|
var unit = action.lookup("unit");
|
|
if (unit &&
|
|
/^decnet-[a-z]+\.service$|^decnet\.target$/.test(unit) &&
|
|
subject.isInGroup("{{ group }}")) {
|
|
return polkit.Result.YES;
|
|
}
|
|
}
|
|
});
|