sudo-less login in pytest-inmanta-lsm is not allowed by systemd-run #237

Open
bartv opened this issue Jul 18, 2022 · 0 comments
Labels
discussion There is a discussion happening on this issue

Comments

bartv (Contributor) commented Jul 18, 2022

The issue here is the systemd-run command, which used to be run under sudo but is now asking for credentials. I also managed to replicate the issue on our LAB, where pytest-lsm used to work with a machine user (using passwordless sudo) and is now not working, giving the same error under the Inmanta user.

The output of the command:

kwargs = {'stderr': -1, 'stdout': -1}, process = <Popen: returncode: 1 args: ['ssh', '-o', 'StrictHostKeyChecking=no', '-o', ...>, stdout = b''
stderr = b"Warning: Permanently added 'tns2370' (ECDSA) to the list of known hosts.\r\nFailed to start transient service unit: Interactive authentication required.\n", retcode = 1

And this can be shown on the server directly by running the following without sudo:

systemd-run --pipe -p User=inmanta -p EnvironmentFile=/etc/sysconfig/inmanta-server --wait /opt/inmanta/bin/python -c

One solution to this is to add a rule under the polkit service rules (/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules) that allows the inmanta user to perform actions of type "org.freedesktop.systemd1.manage-units" without being prompted for a password. I did this on LAB and INT and the problem is solved.

The goal of this ticket is to:

  • Is there a way to fix this without having to make changes to the polkit configuration?
  • If not, document clearly how to use the remote orchestrator without sudo
@sanderr sanderr added the discussion There is a discussion happening on this issue label Jul 19, 2022
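The polkit rule bartv describes, written out as an added example; it is not a file from this issue or from the pytest-inmanta-lsm project. The action id and the inmanta user come from the comment above; the file name /etc/polkit-1/rules.d/40-inmanta-systemd-run.rules is an assumption. Putting it in its own file keeps the grant out of the package-owned 49-polkit-pkla-compat.rules, and polkit processes rules files in lexical order and stops at the first rule that returns a result, so a prefix below 49 makes this rule decide before the compat file does. The `polkit` stand-in at the top exists only so the rule can be exercised with Node; polkitd defines that object itself.

```javascript
// Added example: /etc/polkit-1/rules.d/40-inmanta-systemd-run.rules (file name is an assumption).
// Grants the "inmanta" service account org.freedesktop.systemd1.manage-units without a
// password prompt, which is what `systemd-run` needs to start a transient service unit.

// polkitd's JavaScript engine provides a global `polkit` object. The stand-in below is
// only for running the rule under Node; on a real host `polkit` is defined and this is skipped.
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
    log: function (msg) { console.log("polkit: " + msg); },
  };
}

// Names taken from the issue; change them if the orchestrator runs under another account.
var ALLOWED_USER = "inmanta";
var ACTION_ID = "org.freedesktop.systemd1.manage-units";

// The rule itself. polkit calls it for every authorization check. Returning NOT_HANDLED
// for anything that is not exactly this action for this user leaves the decision to later
// rules files and to polkit's default policy, so nothing else is loosened.
function inmantaSystemdRunRule(action, subject) {
  if (action.id !== ACTION_ID) {
    return polkit.Result.NOT_HANDLED;
  }
  if (subject.user !== ALLOWED_USER) {
    return polkit.Result.NOT_HANDLED;
  }
  // Leaves an audit trail in the journal for every passwordless grant.
  polkit.log("allowing " + ACTION_ID + " for " + subject.user);
  return polkit.Result.YES;
}

polkit.addRule(inmantaSystemdRunRule);
```

After installing the file, the check from the comment (running the systemd-run command on the server as the inmanta user, without sudo) should no longer fail with "Interactive authentication required". Note that this grant covers all manage-units operations (start, stop, restart of any unit) for that account; StartTransientUnit, which systemd-run calls, does not pass unit-level details to polkit, so the rule can only key on the action id and the calling user, not on the unit name.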