Defined Type: polkit::authorization::basic_policy

Defined in:: manifests/authorization/basic_policy.pp

Summary

Add a rule file containing javascript Polkit configuration to the system

Overview

The intention of this define is to make it easy to add simple polkit rules to a system. An example simple rule template is shown below:

“‘ // This file is managed by Puppet polkit.addRule(function(action, subject) {

if (<condition>) {
    return polkit.Result.<result>;
  }
}

}); “‘

A user-specified <condition> can be supplied with the $condition parameter, or the define can use the polkit::condition function to generate a condition using $action_id, $user and/or $group, an (optionally) $local and $active.

Examples:

Allow users in the virtusers group to use the system libvirt

polkit::authorization::basic_policy { 'Allow users to use libvirt':
  ensure    => present,
  group     => 'virtusers',
  result    => 'yes'
  action_id => 'org.libvirt.unix.manage',
  priority  => 20,
  local     => true,
  active    => true,
}

# Generates a policy file that looks like this
// This file is managed by Puppet
polkit.addRule(function(action, subject) {
  if ((action.id == 'org.libvirt.unix.manage') && subject.user == 'testuser' && subject.isInGroup('testgroup') && subject.local && subject.active) {
      return polkit.Result.YES;
    }
  }
});

Parameters:

ensure (Enum['present','absent']) (defaults to: 'present') —

Create or destroy the rules file
result (Polkit::Result) —

The authorization result of the polkit transaction, for example ‘yes` or `auth_admin`
action_id (Optional[String]) (defaults to: undef) —
The polkit action to operate on
- A list of available actions can be found by running ‘pkaction`
user (Variant[Undef,String,Array[String]]) (defaults to: undef) —

User to check
group (Variant[Undef,String,Array[String]]) (defaults to: undef) —

The group(s) that the user checking authorization belongs to
local (Boolean) (defaults to: false) —

Check if the user is a local user. See man page for more explaination
active (Boolean) (defaults to: false) —

Check if the user is currently active. See man page for more explaination
condition (Optional[String]) (defaults to: undef) —

If specified, will be placed in the javascript condition to be met for polkit authorization
log_action (Boolean) (defaults to: true) —

Log the action to the system log
log_subject (Boolean) (defaults to: true) —

Log the subject to the system log
priority (Integer[0,99]) (defaults to: 10) —

Priority of the file to be created
rulesd (Stdlib::AbsolutePath) (defaults to: '/etc/polkit-1/rules.d') —

Location of the poklit rules directory

See Also:

polkit(8)

# File 'manifests/authorization/basic_policy.pp', line 79

define polkit::authorization::basic_policy (
  Polkit::Result                      $result,
  Enum['present','absent']            $ensure      = 'present',
  Optional[String]                    $action_id   = undef,
  Variant[Undef,String,Array[String]] $user        = undef,
  Variant[Undef,String,Array[String]] $group       = undef,
  Boolean                             $local       = false,
  Boolean                             $active      = false,
  Optional[String]                    $condition   = undef,
  Boolean                             $log_action  = true,
  Boolean                             $log_subject = true,
  Integer[0,99]                       $priority    = 10,
  Stdlib::AbsolutePath                $rulesd      = '/etc/polkit-1/rules.d',
) {
  # For backwards compatibility purposes, this defined type is inert if called from an unsupported OS
  if simplib::module_metadata::os_supported( load_module_metadata($module_name), { 'release_match' => 'major' }) {
    include polkit

    if !$condition {
      if !$action_id {
        fail('If $condition is not specified, $action_id must be')
      }
    }

    polkit::authorization::rule { $name:
      ensure   => $ensure,
      priority => $priority,
      rulesd   => $rulesd,
      content  => template('polkit/basic_policy.erb'),
    }
  }
}