make AdminIdentity configureable per user

2017-02-02 23:12:15 +01:00 · 2017-02-02 23:12:15 +01:00 · e1d0de230d
parent 8c6bbafd9b
commit e1d0de230d
4 changed files with 39 additions and 0 deletions
--- a/pillar.example
+++ b/pillar.example
@ -38,6 +38,8 @@ users:
      - ALL=(otheruser) /usr/bin/script.sh
    sudo_defaults:
      - '!requiretty'
+    # enable polkitadmin to make user an AdminIdentity for polkit
+    polkitadmin: True
    shell: /bin/bash
    remove_groups: False
    prime_group:
--- a/users/init.sls
+++ b/users/init.sls
@ -32,6 +32,7 @@ include:
  - users.user_files
 {%- endif %}
 {%- endif %}
+  - users.polkit

 {% for name, user in pillar.get('users', {}).items()
        if user.absent is not defined or not user.absent %}
--- a/users/map.jinja
+++ b/users/map.jinja
@ -10,6 +10,8 @@
    'bash_package': 'bash',
    'sudo_package': 'sudo',
    'googleauth_package': 'libpam-google-authenticator',
+    'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+    'polkit_defaults': 'unix-group:sudo;'
  },
  'Gentoo': {
    'sudoers_dir': '/etc/sudoers.d',
@ -43,5 +45,7 @@
    'bash_package': 'bash',
    'sudo_package': 'sudo',
    'googleauth_package': 'libpam-google-authenticator',
+    'polkit_dir': '/etc/polkit-1/localauthority.conf.d',
+    'polkit_defaults': 'unix-group:sudo;'
  },
 }, merge=salt['pillar.get']('users:lookup')) %}
--- a/users/polkit.sls
+++ b/users/polkit.sls
@ -0,0 +1,32 @@
+{% from "users/map.jinja" import users with context %}
+{% set polkitusers = {} %}
+{% set polkitusers = {'value': ''} %}
+
+{% for name, user in pillar.get('users', {}).items() %}
+  {% if user.absent is not defined or not user.absent %}
+    {% if 'polkitadmin' in user and user['polkitadmin'] %}
+      {% if polkitusers.update({'value': polkitusers.value + 'unix-user:' + name + ';'}) %}
+      {% endif %}
+    {% endif %}
+  {% endif %}
+{% endfor %}
+
+{% if polkitusers.value != '' %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf:
+  file.managed:
+    - replace: True
+    - onlyif: 'test -d {{ users.polkit_dir }}'
+    - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+    - contents: |
+        ########################################################################
+        # File managed by Salt (users-formula).
+        # Your changes will be overwritten.
+        ########################################################################
+        #
+        [Configuration]
+        AdminIdentities={{ users.polkit_defaults }}{{ polkitusers.value }}
+{% else %}
+users_{{ users.polkit_dir }}/99salt-users-formula.conf_delete:
+  file.absent:
+    - name: {{ users.polkit_dir }}/99salt-users-formula.conf
+{% endif %}