Manage actions through netgroup triples and PolKit
Hello!
We are implementing a libvirt-based solution to let users see the status of their virtual machines (domains), and reboot or stop (destroy) them when needed.
So far we've ended up writing plenty of individual rules for PolKit to associate usernames with their virtual machines (aka "domains" in libvirt terminology).
However, this becomes quite complicated as the list of users and their virtual machines grows. In fact it grows exponentially, since one user can be permitted to have access to more than one VM, and several users could need access to one VM. So it turned out to be a matrix rather than a list.
If we had a way to use netgroup triples and permit certain actions based on them, this would save much effort and let us shift granting access from PolKit servers to LDAP or NIS, where netgroups usually live. I hope this would simplify PolKit rules to only one file where the required netgroup is mentioned. The rest - pairing users to domains through netgroup triples - should be left to PolKit logic.
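
One way to approximate this today with a single rules file is to use polkit's existing `subject.isInNetGroup()` together with the `domain_name` attribute that libvirt passes to polkit. This is an added example, not part of the original post and not code from polkit or libvirt. The `vm-<domain>` netgroup naming convention, the action list and the name pattern are assumptions.

```javascript
// Added example. Assumed convention: one netgroup per VM, named
// "vm-" + libvirt domain name, whose triples carry the permitted users,
// e.g. (constructed):  vm-web01  (-,alice,) (-,bob,)
var NETGROUP_PREFIX = "vm-";

// libvirt ACL actions assumed sufficient to view, reboot and destroy a domain.
var ALLOWED_ACTIONS = [
    "org.libvirt.api.domain.getattr",
    "org.libvirt.api.domain.read",
    "org.libvirt.api.domain.init-control",
    "org.libvirt.api.domain.stop"
];

// Only build a netgroup name from a conservative domain-name pattern, so an
// unusual VM name can never select an unrelated netgroup.
var SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Stand-in result values so the function can be exercised outside polkitd.
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NOT_HANDLED: "not-handled" };

function vmNetgroupRule(action, subject) {
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
        return RESULT.NOT_HANDLED;          // not one of the delegated actions
    }
    var domain = action.lookup("domain_name");
    if (typeof domain !== "string" || !SAFE_NAME.test(domain)) {
        return RESULT.NOT_HANDLED;          // missing or unexpected name
    }
    if (subject.isInNetGroup(NETGROUP_PREFIX + domain)) {
        return RESULT.YES;                  // user is listed in this VM's netgroup
    }
    return RESULT.NOT_HANDLED;              // leave the decision to other rules
}

// Register the rule only when loaded by polkitd.
if (typeof polkit !== "undefined") {
    polkit.addRule(vmNetgroupRule);
}
```

With this layout the user-to-VM matrix lives entirely in LDAP or NIS: granting or revoking access means editing the `vm-<domain>` netgroup, not the rules file.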