PackageKit policy: background and plans

Matthias Clasen mclasen at redhat.com
Mon Nov 23 18:21:12 UTC 2009


On Thu, 2009-11-19 at 21:29 -0500, Owen Taylor wrote:

> 
> I'm writing this mail somewhat by default: the people who really matter
> are the maintainers of the relevant packages, but Richard has gone to
> bed, and David Zeuthen and Matthias Clasen are on vacation this week.
> I'll try to reflect what they would say; much of it is certainly my own
> personal take on things instead.

[...]

> 
> Executive summary
> =================
> 
> We'll make an update to the F12 PackageKit, so that the root password is
> required to install packages.


Wow, I go on vacation for a week, and as a welcome-back-present I get
this 1000+-message monster thread :-)

Thanks for filling in for me so eloquently, Owen. I thought I should
follow up and provide some more clarifications on the changes that have
happened in PolicyKit and where we hope to get to, user-experience-wise.

First of all, you should realize that the PolicyKit in F12 is quite
different from the one in F11, which should already be apparent from the
package name change (from PolicyKit to polkit). Many of the changes that
happened on the way are about making PolicyKit more 'enterprise-ready'
and maintainable:

1) The daemon has been refactored to allow separate backends. PolicyKit
itself ships a 'local files' backend, but all the infrastructure is in
place to write a backend that e.g. determines its policy by talking to a
directory server. 

2) The 'action definitions' (in /usr/share/polkit-1/actions/) have been
separated from the policy itself (in /var/lib/polkit-1/localauthority/).

3) Policy for the 'local files' backend can easily be overridden on a
site-, org- or local granularity.

4) Policy for the 'local files' backend can be defined based on group
membership.

5) There is quite a bit of useful documentation in polkit(8) and
pklocalauthority(8). Docs could of course always be improved, but David
has every reason to be proud of the amount of work he invested in the
polkit docs, in my opinion.


Then there have been a few changes where things in PolicyKit 0.9 were
just not quite right:

6) Retained authorizations have already been discussed as a somewhat
questionable feature. It also leads to awkward UI (nested checkboxes),
so these have been removed.

7) polkit-gnome-authorization was really not a usable tool to configure
policy. At best, it was a debug tool. It has been removed.

If people are desperate to have a similar policy tweak tool back, it is
certainly possible to implement one for the local files backend (it
doesn't really make sense for e.g. a directory server backend), but that
is not our priority.

Our plan for policy configuration, as Owen explained, is to ship a
default set of roles and have a simple user interface that allows
assigning roles to users. The roles will use the ability of the local files
backend to define group-based policy. In fact, we already have a package
defining such roles: polkit-desktop-policy.

The one thing that we did not get done for F12 is the user interface
that allows roles to be easily assigned to users. The plans for that are
outlined here:
http://www.fedoraproject.org/wiki/Features/UserAccountDialog

Once we have roles in place, the package defaults for authorizations
(i.e. what gets installed in the .policy files) should be changed to be
very restrictive.


Matthias
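As an added illustration of the group-based, site-overridable policy described in the mail (this is not from the original message or from the polkit project), here is a pklocalauthority(8) rule file restricting the PackageKit install action to a constructed group "pkg-admins"; the file path and group name are assumptions.

```ini
# Added example, not part of the original mail. Assumed location
# (following the pklocalauthority(8) directory layout):
#   /etc/polkit-1/localauthority/50-local.d/10-packagekit-install.pkla
# Rules in 50-local.d override 10-vendor.d, 20-org.d and 30-site.d,
# which is the vendor/org/site/local override granularity the mail
# refers to; 90-mandatory.d takes precedence over all of them.
# Within a file, the last entry matching a subject wins, so the
# default deny comes first and the group exception second.

[Default: nobody may install packages]
Identity=unix-user:*
Action=org.freedesktop.packagekit.package.install
ResultAny=no
ResultInactive=no
ResultActive=no

[Members of pkg-admins (assumed group) may install after admin authentication]
Identity=unix-group:pkg-admins
Action=org.freedesktop.packagekit.package.install
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
```

ResultAny/ResultInactive/ResultActive distinguish callers in any session, an inactive console session and the active console session, so a remote or background caller never gets the install right even when in the group.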