Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu

[Jamie Lokier]

Daniel P. Berrange wrote:
> On Thu, Nov 05, 2009 at 04:41:45PM +0000, Jamie Lokier wrote:
> > Anthony Liguori wrote:
> > > Absolutely.  I wanted to not have a hard dependency on PolicyKit to 
> > > start out with but that's always been the plan.  I'd like to eventually 
> > > add an optional PolicyKit dependency and when that's available not even 
> > > bother with the qemu acl file.  The nice thing about PolicyKit is the 
> > > desktop integration.  It's a much better user experience to allow a user 
> > > to be prompted to allow qemu to access a bridge vs. having to error out 
> > > to the user and tell them to muck with a config file.
> > 
> > Please do keep it optional.
> > 
> > PolicyKit is actively unhelpful when you're configuring a remote
> > server which doesn't have a desktop, or you don't have access to it's
> > desktop.
> > 
> > It's also unhelpful when you're trying to script something.  The last
> > thing you want a test harness script to do is prompt the user.
> 
> PolicyKit has no fundamental requirement for a graphical prompt. The
> default policy file for an app might require prompting, but is it
> easy to add a admin defined policy override. The separation of app
> logic from the authentication policy also makes it easy to provide
> different ways of prompting, whether graphical, or command line based,
> or totally disabled.

I'll question "easy".  PolicyKit remains an un-unixlike mystery to my
addled brain, which can't keep up with the high rate of new things and
high rate of obsoleting their own things which comes out of
freedesktop.org.

Can you override the policy for a specific instance with an
environment variable, without knowing anything about the original
policy (i.e. "just give me errors or succeed" :-) and without having
to learn all about PolicyKit, as you would want to when executing qemu
from some scripts?

-- Jamie