I have a hypervisor running libvirt on an Ubuntu 18.04 system. I need to configure access so that user 'joe' can only manage one domain.

Recently, policykit moved from the .pksa configuration files onto .rules. However, Ubuntu 18.04 ships with an old version of Policykit:

# pkaction --version
pkaction version 0.105

All the relevant examples only include .rules files; the documentation also states:

If using versions of polkit prior to 0.106 then it is only possible to validate (user, permission) pairs via the .pkla files. Fully validation of the (user, permission, object) triple requires the new JavaScript .rules support that was introduced in version 0.106. The latter is what will be described here.

When I look at the only .pksa example, I see things like:

[Allow fred libvirt management permissions]
Identity=unix-user:fred
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Which is too generic. Am I correct in deducing that in Ubuntu 18.04, it is not possible to limit users to access a single domain via Policykit?

If that's the case, is there an alternative?

Note: a similar, unanswered question is: https://unix.stackexchange.com/questions/367731/libvirt-debian-restrict-user-domain-access

lorenzog
  • That's truly bizarre. polkit 0.105 is _ancient_; it was released in 2012! The current version is polkit 0.115. How on earth did Canonical fail to update that? And do you have the option of not using Ubuntu? – Michael Hampton Jan 16 '19 at 17:27
  • @MichaelHampton sadly at this point in time switching distro would be too much of an effort. Bizarre eh – lorenzog Jan 17 '19 at 10:47

1 Answer

policykit 0.105 is the ancient version dating from 2012 that lacks the flexible JavaScript rules engine. Sadly, for reasons unknown to me, Debian & Ubuntu have declined to follow upstream releases since that time. So if you want a flexible access control system you'll need to switch to a different distro which has modern polkit.

DanielB
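
For reference, this is what the (user, permission, object) check quoted in the question looks like as a .rules file on polkit 0.106 or later. It is an added example, not part of the question or the answer above. It assumes libvirtd.conf sets access_drivers = [ "polkit" ]; the domain name "joes-vm" and the QEMU driver are hypothetical values, and the `pk` stand-in exists only so the rule can be exercised outside polkitd.

```javascript
// Added example: per-domain libvirt ACL as a polkit .rules file (polkit >= 0.106).
// Written in ES5 because polkit's embedded engine is not a modern JS runtime.
// Assumptions: libvirtd.conf has access_drivers = [ "polkit" ]; the domain
// name "joes-vm" and the QEMU driver are hypothetical values.
var ALLOWED_USER = "joe";
var ALLOWED_DRIVER = "QEMU";
var ALLOWED_DOMAIN = "joes-vm";

// Outside polkitd (e.g. under Node for testing) there is no global `polkit`;
// this constructed stand-in only supplies the names the rule uses.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    addRule: function (fn) { return fn; }
};

// Connection-level permissions joe needs before any domain check happens.
var CONNECT_OK = [
    "org.libvirt.unix.manage",
    "org.libvirt.api.connect.getattr",
    "org.libvirt.api.connect.search-domains"
];

function libvirtRule(action, subject) {
    if (subject.user !== ALLOWED_USER) {
        return pk.Result.NOT_HANDLED;      // leave other users to other rules
    }
    if (CONNECT_OK.indexOf(action.id) !== -1) {
        return pk.Result.YES;
    }
    if (action.id.indexOf("org.libvirt.api.domain.") === 0) {
        // Object attributes are only visible to the .rules engine.
        var match = action.lookup("connect_driver") === ALLOWED_DRIVER &&
                    action.lookup("domain_name") === ALLOWED_DOMAIN;
        return match ? pk.Result.YES : pk.Result.NO;
    }
    if (action.id.indexOf("org.libvirt.") === 0) {
        return pk.Result.NO;               // networks, storage, other objects
    }
    return pk.Result.NOT_HANDLED;          // non-libvirt actions
}

pk.addRule(libvirtRule);
```

On polkit 0.105 the file is never read, so the rule has no effect there.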