From Fedora Project Wiki
 
(8 intermediate revisions by 2 users not shown)
Line 10: Line 10:
== Current status ==
== Current status ==
* Targeted release: [[Releases/11| Fedora 11]]  
* Targeted release: [[Releases/11| Fedora 11]]  
* Last updated: 2009-01-20
* Last updated: 2009-03-05
* Percentage of completion: 95%
* Percentage of completion: 100%


cups-pk-helper has been built in rawhide.
cups-pk-helper has been built in rawhide.


The system-config-printer patch is merged upstream and has been built in rawhide.
The system-config-printer patch is merged upstream and has been built in rawhide.
cups-pk-helper changes are being upstreamed, which may lead to some changes in the granularity of the policy.
cups-pk-helper changes are merged upstream, which changed the set of policies.
Still to do:
- Document actions and default policy somehow


== Detailed Description ==
== Detailed Description ==
Line 33: Line 40:
* set printer as default printer
* set printer as default printer
* get/set server settings (this includes getting/putting a file in the cups config)
* get/set server settings (this includes getting/putting a file in the cups config)
       
* restart/cancel/edit a job owned by another user
* restart/cancel/edit a job
 
== Benefit to Fedora ==
== Benefit to Fedora ==
Administration of Fedora installations becomes more uniform, cups policies can be configured with the same
Administration of Fedora installations becomes more uniform, cups policies can be configured with the same
Line 69: Line 78:


== Documentation ==
== Documentation ==
* '''FIXME''': None, currently.
* [http://mkasik.fedorapeople.org/doc.txt cups-pk-helper's DBus api]


== Release Notes ==
== Release Notes ==
Line 80: Line 89:
* set printer as default printer
* set printer as default printer
* get/set server settings
* get/set server settings
 
* restart/cancel/edit a job owned by another user
* restart/cancel/edit a job


== Comments and Discussion ==
== Comments and Discussion ==

Latest revision as of 16:17, 6 March 2009

Cups/PolicyKit Integration

Summary

Use PolicyKit to define policies for accessing the cups functionality.

Owner

Current status

  • Targeted release: Fedora 11
  • Last updated: 2009-03-05
  • Percentage of completion: 100%

cups-pk-helper has been built in rawhide.

The system-config-printer patch is merged upstream and has been built in rawhide.

cups-pk-helper changes are being upstreamed, which may lead to some changes in the granularity of the policy.

cups-pk-helper changes are merged upstream, which changed the set of policies.

Still to do: - Document actions and default policy somehow

Detailed Description

Cups has its own authentication and policy configuration mechanism, which basically consists in specifying users/groups that are allowed administrative access to the cups server. In an ideal world, cups would expose its administrative functions as a PolicyKit mechanism via d-bus. Since that is unlikely to happen in the short term (if ever), Vincent Untz of OpenSUSE has written a small wrapper called cups-pk-helper to do this, together with the necessary changes to pycups and system-config-printer to talk to cups-pk-helper instead of directly to cups.

The following functions are controlled via PolicyKit policies currently:

  • add/remove/edit local printers
  • add/remove/edit remote printers
  • add/remove/edit classes
  • enable/disable printer
  • set printer as default printer
  • get/set server settings (this includes getting/putting a file in the cups config)
  • restart/cancel/edit a job owned by another user
  • restart/cancel/edit a job

Benefit to Fedora

Administration of Fedora installations becomes more uniform, cups policies can be configured with the same tools that are used for other PolicyKit-enabled parts of the system.

Scope

cups-pk-helper has to be packaged, system-config-printer needs to be changed to incorporate the PolicyKit-related changes (probably best done by merging those changes upstream, since system-config-printer is no longer a Fedora-only tool). Suitable default policies have to be defined for the functionalities listed above.

How To Test

  • Testing this feature will likely benefit from having a printer available.
  • You need to have cups, system-config-printer and cups-pk-helper installed.
  • Use system-config-printer and perform the functions listed above. Verify that the defined polices are enforced (e.g. if the policy demands admin authentication to enable a printer, trying to enable a printer should bring up a dialog asking for the root password).
  • Verify that changing policies using polkit-gnome-authorization is reflected in system-config-printer (e.g. changing the policy for adding classes to 'no' should make the controls for adding classes in system-config-printer become insensitive or invisible).

User Experience

This feature will affect people who configure cups using system-config-printer; they will see the same PolicyKit dialogs that they see in other configuration tools, instead of a custom s-c-p root password dialog. This feature also affects administrators who need to define policies for access to the printing system; they can use PolicyKit to define more finegrained policy than previously possible by editing cupsd.conf.

Dependencies

A PolicyKit-enabled system-config-printer release would be good, to avoid carrying a large patch in our package, but it is not, strictly, a requirement. cups-pk-helper is currently developed at http://www.vuntz.net/git/cups-pk-helper.git/, it would be good to turn it into an actual project, maybe hosted at freedesktop.org, to make collaboration on its future development easier. The cups-pk-helper package is under review.

Contingency Plan

If things don't work out, we don't ship cups-pk-helper by default and revert to a not-PolicyKit-enabled version of system-config-printer.

Documentation

Release Notes

In this release, system-config-printer uses PolicyKit to control access to restricted cups functionality. The following functions are controlled via PolicyKit policies currently:

  • add/remove/edit local printers
  • add/remove/edit remote printers
  • add/remove/edit classes
  • enable/disable printer
  • set printer as default printer
  • get/set server settings
  • restart/cancel/edit a job owned by another user
  • restart/cancel/edit a job

Comments and Discussion