On Mon, Sep 30, 2013 at 9:32 PM, Miloslav Trmač <m...@redhat.com> wrote:
> On Mon, Sep 30, 2013 at 8:40 PM, Miloslav Trmač <m...@redhat.com> wrote: > >> Hello, >> ------------------------------ >> > What I'm trying to do is register a polkit authentication agent in a >> python >> > script, through the dbus api. I have attached, a rather simplistic, >> first >> > start of this. From what I can read out of the logs it seems to register >> > alright but nothing is relayed to it for authentication. >> >> > First question is that it seems like RegisterAuthenticationAgent takes >> a few >> > different subject kinds . unix-process and unix-session. What is the >> > difference between these and what should I be using? >> >> You can register more than one agent; each agent is only called for those >> subject they register for. unix-process is obviously limited to that >> single process. So if you want to register for all processes running >> within the session / within the appliance UI, unix-session is more >> appropriate. >> > > Does this mean that if xbmc runs within another session, say gnome, and we > use packagekit for installing our addons, if we'd register a unix-process > that one will take precedence over the one in gnome? > > Yes. (You can also register a "fallback agent" for a unix-process, but > you wouldn't to in this case.) > This is amazing, this is exactly what we want to achieve and something I've asked for before! Awesome! > > Or perhaps that only holds true for a polkit action which isn't > registered in the session agent? > > No, agents register for subjects, not for actions. > > > When registering I submit my object path, which is '/org/xbmc/polkit' >> but >> > what is the destination for this object? I'm using 'org.xbmc.polkit' >> for my >> > service, but how does polkit knows this? >> >> An agent can only register itself; polkit uses the identity of the caller >> of the RegisterAuthenticationAgent operation (technically using the :number >> unique identifier). I don't think it's necessary to register a >> well-known-name. >> > > So polkit is able to deduct the destination from the object path and the > bus used for the call? I'm not a dbus expert so wasn't aware that this was > possible? > > Yes; this is fundamental to being able to send a reply to a request at all. > Oh, that makes so much sense, thanks! > So if I understand you correctly I just need to make sure I use the same > bus for the service as the registration? > > That should be basically it. But I'm not a D-Bus expert either I'm > afraid, and especially not an expert in the various interface libraries. > > > Could this be why its not called to >> > authenticate even if register went through alright? >> >> These two lines seem rather suspect: >> > 'session-id': getSessionID(), >> > 'session_id': "" >> >> Other than that, if there are no error messages returned through the >> D-Bus API, I can suggest only running polkitd without --no-debug and >> capturing the output, and attaching a debugger to polkitd. >> > > Yeah I'm very uncertain on those, from the RegisterAuthenticationAgent > documentation I found this line > "Note that current versions of PolicyKit will only work if *session_id* is > set to the empty string. In the future it might work for non-empty strings > if the caller is sufficiently privileged." > > I thought that referred to be on the subject but it strikes me know that I > might have misunderstood this. If so I'm not sure at all where I should set > "session_id" :) > > (For others looking, it is data/org.freedesktop.PolicyKit1.Authority.xml > . I'm afraid this is a bug in the documentation; for now filed as > https://bugs.freedesktop.org/show_bug.cgi?id=69980 ). > > I tried to start polkitd with --no-debug (if I did it correctly) > > Note that, at least on Fedora, --no-debug is default, so it is necessary > to _remove_ it (and then capture stderr). > Sigh, when I read your response now I realized I ran the new polkitd _with_ --no-debug. I retried without --no-debug and got so much more information. Seems like my BeginAuthentication was wrong, I didn't have the proper parameters in my python script. ** (polkitd:8053): WARNING **: Error parsing identity unix-group:admin: No UNIX group with name admin: Success Error performing authentication: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Method "BeginAuthentication" with signature "sssa{ss}sa(sa{sv})" on interface "org.freedesktop.PolicyKit1.AuthenticationAgent" doesn't exist (g-dbus-error-quark 19) I do have 6 parameters but I suspect I've done something wrong in my python implementation (I'm more used to do dbus stuff in c++). > and checked auth.log, it gave some interesting results (which I'm not > entirely sure how to interpret) > (at line3 is when I closed polkitd with a killall -9 polkitd) > > topfs@tobias-desktop:/var/log$ tail -f auth.log > Sep 30 21:01:16 tobias-desktop polkitd(authority=local): Registered > Authentication Agent for unix-session:/org/freedesktop/ConsoleKit/Session10 > (system bus name :1.119 [python simple-unix-session-agent.py], object path > /org/xbmc/polkit, locale sv_SE) > Sep 30 21:05:07 tobias-desktop polkitd(authority=local): Operator of > unix-session:/org/freedesktop/ConsoleKit/Session10 FAILED to authenticate > to gain authorization for action com.ubuntu.softwareproperties.applychanges > for system-bus-name::1.126 [/usr/bin/python3 > /usr/bin/software-properties-gtk -n -t 0] (owned by unix-user:topfs) > > So from what I can see it seems like it registers alright but it never > calls my python scripts method (begin authentication et al). > > I'm afraid it's time for gdb then; there is no logging inside the code of > get_authentication_agent_for_subject AFAICS. > > I've registered it under locale sv_SE, perhaps thats wrong or not what > fluxbox (which is my testing session) is using by default? > Can I register my agent on any locale? > > The locale is not involved in choosing which agent to run, only what > messages to give to it. > Mirek > I think I know what the error is now, thanks so much for helping me! Cheers, Tobias
_______________________________________________ polkit-devel mailing list polkit-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/polkit-devel
