Cups/PolicyKit Integration
Summary
Use PolicyKit to define policies for accessing the cups functionality.
Owner
- Name: Marek Kašík
- Email: mkasik@redhat.com
Current status
- Targeted release: Fedora 11
- Last updated: 2009-02-12
- Percentage of completion: 99%
cups-pk-helper has been built in rawhide.
The system-config-printer patch is merged upstream and has been built in rawhide.
cups-pk-helper changes are being upstreamed, which may lead to some changes in the granularity of the policy.
Detailed Description
Cups has its own authentication and policy configuration mechanism, which basically consists in specifying users/groups that are allowed administrative access to the cups server. In an ideal world, cups would expose its administrative functions as a PolicyKit mechanism via d-bus. Since that is unlikely to happen in the short term (if ever), Vincent Untz of OpenSUSE has written a small wrapper called cups-pk-helper to do this, together with the necessary changes to pycups and system-config-printer to talk to cups-pk-helper instead of directly to cups.
The following functions are controlled via PolicyKit policies currently:
- add/remove/edit local printers
- add/remove/edit remote printers
- add/remove/edit classes
- enable/disable printer
- set printer as default printer
- get/set server settings (this includes getting/putting a file in the cups config)
- set hold-until time of a job owned by another user
- set hold-until time of a job
- restart a job owned by another user
- restart a job
- cancel a job owned by another user
- cancel a job
Benefit to Fedora
Administration of Fedora installations becomes more uniform, cups policies can be configured with the same tools that are used for other PolicyKit-enabled parts of the system.
Scope
cups-pk-helper has to be packaged, system-config-printer needs to be changed to incorporate the PolicyKit-related changes (probably best done by merging those changes upstream, since system-config-printer is no longer a Fedora-only tool). Suitable default policies have to be defined for the functionalities listed above.
How To Test
- Testing this feature will likely benefit from having a printer available.
- You need to have cups, system-config-printer and cups-pk-helper installed.
- Use system-config-printer and perform the functions listed above. Verify that the defined polices are enforced (e.g. if the policy demands admin authentication to enable a printer, trying to enable a printer should bring up a dialog asking for the root password).
- Verify that changing policies using polkit-gnome-authorization is reflected in system-config-printer (e.g. changing the policy for adding classes to 'no' should make the controls for adding classes in system-config-printer become insensitive or invisible).
User Experience
This feature will affect people who configure cups using system-config-printer; they will see the same PolicyKit dialogs that they see in other configuration tools, instead of a custom s-c-p root password dialog. This feature also affects administrators who need to define policies for access to the printing system; they can use PolicyKit to define more finegrained policy than previously possible by editing cupsd.conf.
Dependencies
A PolicyKit-enabled system-config-printer release would be good, to avoid carrying a large patch in our package, but it is not, strictly, a requirement. cups-pk-helper is currently developed at http://www.vuntz.net/git/cups-pk-helper.git/, it would be good to turn it into an actual project, maybe hosted at freedesktop.org, to make collaboration on its future development easier. The cups-pk-helper package is under review.
Contingency Plan
If things don't work out, we don't ship cups-pk-helper by default and revert to a not-PolicyKit-enabled version of system-config-printer.
Documentation
- FIXME: None, currently.
Release Notes
In this release, system-config-printer uses PolicyKit to control access to restricted cups functionality. The following functions are controlled via PolicyKit policies currently:
- add/remove/edit local printers
- add/remove/edit remote printers
- add/remove/edit classes
- enable/disable printer
- set printer as default printer
- get/set server settings
- set hold-until time of a job owned by another user
- set hold-until time of a job
- restart a job owned by another user
- restart a job
- cancel a job owned by another user
- cancel a job