From 95eb2845751a05f723f35a65f99ee7b31c3e3e4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Tr=C4=99bski?=
Date: Mon, 12 Jun 2017 09:38:01 +0200
Subject: [PATCH] Add polkit permissions for monasca-agent user
On SLES12 monasca-agent user cannot execute libvirt plugin. The problems lies in lack of permissions over 'org.libvirt.unix.monitor' in polkit. Commits adds necessary file that enables, on behalf of user who runs monasca-agent, executing commands from libvirt plugin.
Change-Id: I6ab8c28dd4c913f1d21931c064de0b50435593d4
---
 openstack/monasca-agent/monasca-agent.spec.j2 | 11 +++++++++--
 .../monasca-agent/openstack-monasca-agent.polkit | 6 ++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 openstack/monasca-agent/openstack-monasca-agent.polkit
diff --git a/openstack/monasca-agent/monasca-agent.spec.j2 b/openstack/monasca-agent/monasca-agent.spec.j2
index 784471b78..299082a20 100644
--- a/openstack/monasca-agent/monasca-agent.spec.j2
+++ b/openstack/monasca-agent/monasca-agent.spec.j2
@@ -27,7 +27,8 @@ Url: https://wiki.openstack.org/wiki/Monasca
 Source0: https://pypi.io/packages/source/m/%{sname}/%{sname}-%{version}.tar.gz
 Source1: %{name}-sudoers
 Source2: %{name}.service
-Source3: openstack-monasca-agent.tmpfiles
+Source3: %{name}.tmpfiles
+Source4: %{name}.polkit
 BuildRequires: openstack-macros
 BuildRequires: {{ py2pkg('PyYAML') }}
 BuildRequires: {{ py2pkg('devel') }}
@@ -132,7 +133,10 @@ ln -sr %{buildroot}%{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 %endif
 # systemd tmpfile
-install -D -m 644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/openstack-monasca-agent.conf
+install -D -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}/openstack-monasca-agent.conf
+
+# polkit permissions
+install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/polkit-1/rules.d/49-monasca-agent.rules
 %pre
 # create user and groups
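Review bot: The `# polkit permissions` install line in the second spec hunk places a packaged rule under `%{_sysconfdir}/polkit-1/rules.d/`, which polkit reserves for local administrator configuration. Rules shipped by a package normally go in `%{_datadir}/polkit-1/rules.d/`, so an administrator can still override or tighten the grant from /etc. Consider `install -D -m 644 %{SOURCE4} %{buildroot}%{_datadir}/polkit-1/rules.d/49-monasca-agent.rules`, with the %files entries changed to match. The comment above it could also name the action being granted, e.g. `# polkit rule: lets the monasca-agent user use org.libvirt.unix.monitor`.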
@@ -166,6 +170,9 @@ PYTHONPATH=. NOSE_EXCLUDE=test_override_values nosetests tests -v
 %if 0%{?suse_version}
 %{_sbindir}/rc%{name}
 %endif
+%{_sysconfdir}/polkit-1/
+%{_sysconfdir}/polkit-1/rules.d/
+%{_sysconfdir}/polkit-1/rules.d/49-monasca-agent.rules
 %files -n python-%{sname}
 %doc README.md
diff --git a/openstack/monasca-agent/openstack-monasca-agent.polkit b/openstack/monasca-agent/openstack-monasca-agent.polkit
new file mode 100644
index 000000000..6d0571c39
--- /dev/null
+++ b/openstack/monasca-agent/openstack-monasca-agent.polkit
@@ -0,0 +1,6 @@
+/* This rule let's monasca-agent's libvirt check monitor libvirt */
+polkit.addRule(function(action, subject) {
+ if ((action.id == "org.libvirt.unix.monitor") && (subject.user == "monasca-agent")) {
+ return polkit.Result.YES;
+ }
+});
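Review bot: The two added %files entries `%{_sysconfdir}/polkit-1/` and `%{_sysconfdir}/polkit-1/rules.d/` make this package a co-owner of directories that belong to polkit, and without `%dir` each entry is packaged recursively. Installing the package may then reset the owner and mode of `rules.d`, which distributions often keep restrictive; that is worth confirming on SLES12 before merging. No dependency on polkit is visible in this patch, so prefer adding one and listing only the rule file, or at least write `%dir %{_sysconfdir}/polkit-1/rules.d/`. The %files section begins outside this hunk.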
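Review bot: The header comment in the new polkit rule file does not say that the rule is an unconditional, unauthenticated grant: any process whose `subject.user` is `monasca-agent` gets `polkit.Result.YES` for the action. It should state the scope explicitly, for example `/* Allow the monasca-agent service user to use org.libvirt.unix.monitor without authentication; org.libvirt.unix.manage is deliberately not granted. */`, which also fixes the "let's" typo. The user name is hard-coded and has to match the account created in the spec's %pre section, which is outside this diff. Strict comparison (`===`) on `action.id` and `subject.user` would be the more conventional style.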