PolicyKit, KDE, Qt, and integration

Dario Freddi drf54321 at gmail.com
Tue May 26 09:14:47 PDT 2009 

Hello David,

sorry for the additional noise in the last mail, but it definitely was worth 
it :)

On Tuesday 26 May 2009 17:54:22 David Zeuthen wrote:
>
> Yes, for reasons mentioned earlier, this have now moved completely to
> using D-Bus instead of setuid helpers.

Great stuff, both for integration and security

> All you need to do is to provide
> a desktop environment specific authentication agent that calls

+1

>
> RegisterAuthenticationAgent()
> http://cgit.freedesktop.org/PolicyKit/tree/data/org.freedesktop.PolicyKit1.
>Authority.xml#n247
>
> on the Authority when your desktop session starts. Then all requests are
> channeled from the polkit daemon to this process using this D-Bus
> interface
>
> org.freedesktop.PolicyKit1.AuthenticationAgent
> http://cgit.freedesktop.org/PolicyKit/tree/data/org.freedesktop.PolicyKit1.
>AuthenticationAgent.xml
>
> and your authentication agent is supposed to call
>
> AuthenticationAgentResponse()
> http://cgit.freedesktop.org/PolicyKit/tree/data/org.freedesktop.PolicyKit1.
>Authority.xml#n275
>
> as uid 0 when the user is authorized. The docs should mostly be clear
> about this, otherwise please let me know.

Thanks for the pointers, i'll check them out these days and report to you 
afterwards

>
> There's some GObject-based classes and interfaces in
> libpolkit-agent-1.so (source is in src/polkit-agent) that makes all this
> very easy (including abstracting all the PAM bits) but you can also just
> use the D-Bus interfaces if you want to avoid that dependency.

Shouldn't the DBus interface just be a different interface for that library? 
If not, please consider doing so - it would be a shame to have a DBus 
interface that is not covering all the ease of use of the library - or I 
misunderstood you. If I got it well, I'll try and prepare a patch if there are 
additional advantages in polkit-agent

>
> I think you really want the KDE specific bits to live in the KDE repos;
> I certainly want the GNOME specific bits to live in the GNOME repos so I
> can get updated translations and so forth. Once PolicyKit 1.0 is out the
> API won't change so you shouldn't need to change authentication agents
> at all.

Great to hear that you're aiming for binary compatibility.

>
> Also note that one change in PolicyKit 1.0 is that e.g. desktop apps
> (such as a file manager) will not need to know that the mechanism (such
> as DeviceKit-disks) they are using are using PolicyKit at all. This is
> because mechanisms now use calls on the PolicyKit daemon that makes the
> authentication dialogs pop up and disappear as appropriate.

So the authentication is completely abstracted in the mechanism and everything 
happens in it? That sounds really like good stuff :)

> So that makes the whole desktop integration story _a lot_ easier since
> apps (such as a file manager) don't need this additional logic. It does
> make the mechanisms (such as DeviceKit-disks) slightly more complex but
> this is fine as the mechanisms are shared by all desktops. So all in
> all, things will be much simpler.

One of our goals with polkit-qt is to abstract the hard part to provide a 
simple interface (currently we have a single function) for mechanisms (and 
callers, but if I got you this won't be longer needed) to increase the ease of 
usage, so I think the solution makes the most sense.

>
> Hope this clarifies.

Sure it does

> And apologies for not replying earlier; need more
> of them 96 hour days.

No problem - my latest mail was driven by some "information" I got from Fedora 
guys, and from seeing activity in the repo. As I already told you, I just 
expected a reply regardless of the timeframe. I am sorry for the tone I used, 
but it should give you an overview of how much I am committed to the PolicyKit 
cause.

Obviously my last mail goes out of context now. For now, my plan is to branch 
polkit-qt 0.9 and develop in trunk polkit-qt 1.0. People in Fedora are already 
preparing the transition: we should see something soon.

>
>      David

-- 
-------------------

Dario Freddi
KDE Developer
GPG Key Signature: 511A9A3B

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freedesktop.org/archives/polkit-devel/attachments/20090526/68f6338f/attachment.pgp

More information about the polkit-devel mailing list