PolicyKit, KDE, Qt, and integration

David Zeuthen david at fubar.dk
Tue May 26 08:54:22 PDT 2009


On Thu, 2009-03-12 at 13:01 +0100, Dario Freddi wrote:
> After some months of work, we introduced complete feature parity with GNOME, 
> both for users and developers. Though, yesterday I saw that polkit-dbus &
> -grant have been discontinued, and we used them a lot in our code.

Yes, for reasons mentioned earlier, this has now moved completely to
using D-Bus instead of setuid helpers. All you need to do is to provide
a desktop environment specific authentication agent that calls

RegisterAuthenticationAgent()
http://cgit.freedesktop.org/PolicyKit/tree/data/org.freedesktop.PolicyKit1.Authority.xml#n247

on the Authority when your desktop session starts. Then all requests are
channeled from the polkit daemon to this process using this D-Bus
interface

org.freedesktop.PolicyKit1.AuthenticationAgent
http://cgit.freedesktop.org/PolicyKit/tree/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml

and your authentication agent is supposed to call  

AuthenticationAgentResponse()
http://cgit.freedesktop.org/PolicyKit/tree/data/org.freedesktop.PolicyKit1.Authority.xml#n275

as uid 0 when the user is authorized. The docs should mostly be clear
about this, otherwise please let me know.

There are some GObject-based classes and interfaces in
libpolkit-agent-1.so (source is in src/polkit-agent) that make all this
very easy (including abstracting all the PAM bits) but you can also just
use the D-Bus interfaces if you want to avoid that dependency.

> What came to my mind is that we should integrate more the work between you, 
> the PolicyKit team, and us. I'm not asking you to code for us, but more a 
> closer co-operation.
> 
> A small example: Polkit-qt (the library that lets developers access PolicyKit 
> API) is now in kdesupport. Though, I'd favor to put it into the 
> freedesktop.org trees and release it side-by-side with Policykit, just as it 
> happens now with polkit-gnome.

I think you really want the KDE specific bits to live in the KDE repos;
I certainly want the GNOME specific bits to live in the GNOME repos so I
can get updated translations and so forth. Once PolicyKit 1.0 is out the
API won't change so you shouldn't need to change authentication agents
at all.

Also note that one change in PolicyKit 1.0 is that e.g. desktop apps
(such as a file manager) will not need to know that the mechanism (such
as DeviceKit-disks) they are using is using PolicyKit at all. This is
because mechanisms now use calls on the PolicyKit daemon that make the
authentication dialogs pop up and disappear as appropriate.

So that makes the whole desktop integration story _a lot_ easier since
apps (such as a file manager) don't need this additional logic. It does
make the mechanisms (such as DeviceKit-disks) slightly more complex but
this is fine as the mechanisms are shared by all desktops. So all in
all, things will be much simpler.

Hope this clarifies. And apologies for not replying earlier; need more
of them 96 hour days.

     David
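
The exchange described in the message above, modeled in-process as an added example; it is not code from the original post or from PolicyKit, and real traffic goes over D-Bus. The class and method names, the cookie that ties a reply to a request, the session and action ids, the password check, and the Authority's check of the caller's uid are all assumptions of this model.

```python
# Added illustration: in-process model of the agent flow, not polkit code.
# Names, the cookie and the password check are assumptions of this model.
import secrets

class Authority:  # stands in for the polkit daemon
    def __init__(self):
        self.agents, self.pending, self.authorized = {}, {}, set()

    def register_authentication_agent(self, session, agent):
        self.agents[session] = agent

    def check_authorization(self, session, action):
        # Called by a mechanism; the desktop app is not involved.
        agent = self.agents.get(session)
        if agent is None:
            return False
        cookie = secrets.token_hex(8)
        self.pending[cookie] = (session, action)
        agent.begin_authentication(self, action, cookie)
        self.pending.pop(cookie, None)  # request ends either way
        return (session, action) in self.authorized

    def authentication_agent_response(self, caller_uid, cookie):
        # Accept only a reply from uid 0 for a request that is still pending.
        if caller_uid != 0 or cookie not in self.pending:
            return False
        self.authorized.add(self.pending.pop(cookie))
        return True

class Agent:  # desktop-specific agent, runs as the session user
    def __init__(self, typed_password, uid=1000):
        self.typed_password, self.uid = typed_password, uid
        self.direct_reply_accepted = None

    def begin_authentication(self, authority, action, cookie):
        # A reply sent from the unprivileged agent itself is refused.
        self.direct_reply_accepted = authority.authentication_agent_response(self.uid, cookie)
        # Only the uid-0 helper, after verifying the user, reports success.
        if root_helper_verifies(self.typed_password):
            authority.authentication_agent_response(0, cookie)

def root_helper_verifies(password):  # stands in for the PAM conversation
    return secrets.compare_digest(password, "constructed-password")

def run_exchange(typed_password):
    authority, agent = Authority(), Agent(typed_password)
    authority.register_authentication_agent("session-1", agent)
    granted = authority.check_authorization("session-1", "org.example.mount")
    return granted, agent.direct_reply_accepted
```

`run_exchange()` returns whether the mechanism's request was granted and whether the agent's own unprivileged reply was accepted.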



