Polkit and KDE: let’s make the point of the situation

Hello folks,

Welcome to a post describing the current and future status of all things PolicyKit, polkit, $%$”, whatever related to policy handling in KDE, for users, developers, packagers and distributors. A must read, let’s say :).

PolicyKit, polkit… what the hell?

Yes, PolicyKit and polkit are two different pieces of software. After reaching version 0.9, PolicyKit has been discontinued, and polkit-1 took its place. polkit-1 is not backwards compatible with PolicyKit, but still it is able to run together with it, even if you probably don’t want to do that. Also the API are completely different, so polkit-qt was no longer sufficient to cover up polkit-1. That’s the reason why polkit-qt-1 was born.

Yet another Qt wrapper: polkit-qt-1

First things first, the main credits for polkit-qt-1 go to the awesome Fedora KDE team, especially to Radek Novacek, Jaroslav Reznik and Lukas Tinkl, who did most of the job, whereas I mainly reviewed and put quite a lot of finishing touches. Now that credits are due, let’s dive into what is polkit-qt-1. It is a wrapper library around polkit-gobject and polkit-agent, which lets developers write easily applications using polkit-1, and even write custom authentication agents.

Compared to polkit-qt, the API is much nicer and the library itself is much more polished: I also changed a lot of things I wanted to change in polkit-qt (especially in the GUI part) but I couldn’t do for the sake of BC. Of course you are NOT encouraged to use this library if you’re developing on the KDE Development Platform >= 4.4: you want to use KAuth instead. But, if your application depends only on Qt or you need to do something strictly related to polkit-1, then polkit-qt-1 is your first choice.

Then what about polkit-qt?

Polkit-qt will experience one last release (0.9.3), on which trunk already depends on. This release is critical for it to work well with KDE 4.4 and Qt 4.6. I sincerely hope this will be the very last release of polkit-qt, since the only reason why I will want to do another one is for fixing a critical bug.

Ok. In all of this mess, I didn’t really get the point of what’s happening with polkit or PolicyKit in KDE 4.4

Fairly reasonable. Let’s try to get things explained better. There will be lots of changes from KDE 4.4 to KDE 4.5. KDE 4.4 will still use PolicyKit 0.9 and polkit-qt as the default supported authorization framework. This is because polkit-1 has not yet been released to a stable version, and because we’re not yet in feature parity with the GUI tools PolicyKit 0.9: the authorization manager KCM is not there yet in polkit-1.

Polkit developers decided not to provide a similar tool in GNOME. I feel this is a strong regression, as a lot of users appreciated the authorization manager and used it to solve some policy related problems, and it’s a tool of unvaluable help for system administrators. For these reasons, KDE will surely provide in the near future a similar tool for polkit-1.

Just like it happened with KDE 4.2, the KDE tools for polkit-1 will be released separately. They now lie in extragear/base/polkit-kde-1. Only the authorization agent is in (which is the authentication dialog), the KCM will be developed later. I will do a release shortly (in a pair of days) together with polkit-qt and polkit-qt-1, and I will post a small entry on my blog when I’ll do.

KAuth has a working backend for polkit-1 based on polkit-qt-1: however, the default backend is still the one based on polkit-qt. To use KAuth with polkit-1, simply compile kdelibs with -DKAUTH_BACKEND=PolkitQt-1, and that will do.

And for developers? Well, if you used KAuth, don’t you worry. You don’t have to port a single line of code. Just recompile kdelibs as explained above, recompile your application from scratch, and watch it run on the top of polkit-1. Sooo amazing.

And what about KDE 4.5?

In 4.5 the following things will happen:

  • polkit-kde-1 will be moved to kdebase/workspace
  • PolicyKit-kde in kdebase/workspace might be removed and put in extragear, where it will enter maintenance mode.
  • polkit-qt might be removed from kdesupport and put somewhere on gitorious
  • In KDElibs, KAuth will default to polkit-1 for its backend

This is because by the time 4.5 will be released, probably PolicyKit 0.9 will be completely deprecated, and polkit-1 be absolutely ready for prime time.

The “might” points have to be discussed with the whole community, and they will probably strongly depend on the situation of PolicyKit at the time when the decision will be due.

Awesome. Now it’s all clear: just tell me what I need and where to grab it

KDE 4.4 trunk opt-depends (since a pair of hours, actually) on polkit-qt 0.9.3 and polkit-qt-1 0.95.1, both of which have not yet been released, but if you compile kdesupport from trunk you can simply do a fresh checkout. They will get official releases in a pair of days, just to let some hours pass. polkit-kde-1’s first release will happen together with the two libraries, but if you’re extremely impatient you can check it out in extragear/base/polkit-kde-1.

Good. But since we’ve reached the end of the post, what about giving a small advice on which polkit/PolicyKit should I use?

Uhm, now you’re becoming pretentious… ok -.-. Look, if I were a distributor, and all the major tools (NM, HAL, whatever) started requiring polkit-1 and KDE would be the only thing using PolicyKit, I’d go for polkit-1 to avoid having 2 system that do the very same thing overlapping. But, if that was not the case, I’d probably stay with PolicyKit 0.9.

If you were wondering, I have both (PolicyKit and polkit-1) installed, as you might have imagined, but I’m still using the first. I will probably move to polkit-1 soon, though, since it’s the future and I don’t like living stable πŸ™‚

I hope you enjoyed the post, which was hopefully explainatory and complete. For any questions, drop a line in the comment box.


~ by Dario on 22 December, 2009.

15 Responses to “Polkit and KDE: let’s make the point of the situation”

  1. Quick question about kauth. How can I debug (from a user perspective) a kauth install?

    In systemsettings Date & Time I see a “You are not allowed to save the configuration” but no explanation as to how to fix this.

    Since I’m building from source, I’ve (incorrectly) installed this myself. Since PolicyKit-KDE is part of kdebase though, I’m not sure what I’m doing incorrectly. Are there any special instructions for building and using kauth from trunk?

    • If you get such an error it means that your polkit/policykit installation is screwed, as in: files are not installed in the right place (this is quite likely to happen if you are installing in a different prefix than /usr), or your system policy prevents you from doing that, which in most cases boils down to the fact that ConsoleKit is not running or did not register your session.

      For now, try moving any files installed in $prefix/share/PolicyKit/whatever to /usr/share/PolicyKit.

      Anyway, for 4.5 I will improve error messages and before 4.4 is out I hope to write a Troubleshooting page in UserBase

      • I’m running KDE 4.5 Beta 2 under kubuntu (ppa packages) and have the same problem. I don’t use a custom installation for PolicyKit (whatever comes with the repositories), so its files should be in the right place (appear in /usr/share/PolicyKit). How do I check if ConsoleKit is running ?

  2. KAuth is really a great thing πŸ™‚

    Would be nice if you have a look at this:

  3. Awesome – thanks for your work, and thanks also to the Redhat/ Fedora guys – if Redhat sponsored this, then this surely counts as the most significant code contribution they’ve made to KDE πŸ™‚

    • Thanks for the explanation! But please can you link sme ML discussion on why polkit is going to replace policykit? I’d like to have some more insights, cause policykit was quite new… another wrong design on first iteration? what were the limitations? Thanks!

      • I can’t speak for PolicyKit team but yes – it is all about wrong design on first iteration. New PolicyKit offers more powerful design especially in terms of backends – check PK-1 documentation. And yes – it caused some problems for our Fedora KDE team (and for Fedora 12 we had to use Gnome auth. agent) but I think it’s a move in right direction (even it’s a big step in a time of wider adoption of the old one PK).

  4. […] of large code drops, Dario tries to explain polkit — a good thing, but I’m still not sure if this thing actually exists for me or […]

  5. Dario, thanks for great article on Polkit-Qt & KDE!!!

  6. The only problem is that I cannot easily install the old PolicyKit in Fedora 12 😦

  7. I’m not against the Kauth but I’m not happy at all that this is using polkit, which depends on pam. The whole KDE statement that says “Among KDE’s products are a modern desktop system for Linux and UNIX platforms” from the main KDE page. Isn’t so true any more. They now only favor platforms that want to use PAM. the rest are stuck with things that will not work any more if they don’t use PAM.
    This alone shows the statement isn’t true any more at all.
    It should be changed to “Among KDE’s products are a modern desktop system for our favorite Linux and UNIX platforms that use PAM only for full use.”
    I sad that now all those platforms have to hack the polkit to get it to work as it used to with out PAM. KDE made the choice to use this dominating PAM as a dependency and trying to force these platform into using it. Then choice not to ends up with breakage.
    I hope they fix this to work with the “Linux and UNIX platforms”
    That the choice of using PAM or not will still had what used to work , still work.

  8. So I finally sort of understand why knetworkmanager doesn’t work. I give it permissions with polkit via pkla files. However, does it not work because it’s looking for policykit? Or should I use KAuth? Ouch I’m confused.

  9. I think it’s great how you can have PolicyKit and polkit working side by side. I was wondering (1) can you get polkit to obey PolicyKit settings via a proxy and (2) is there an easy way to migrate settings from PolicyKit to polkit. I understand this may be out of your scope, just wanted your opinion.

    BTW like U Avalos, i was trying to get knetworkmanager to set system settings, so my laptop can connect to a network before i signed in.

  10. […] or no effect for some authentication roles. Perhaps this has changed. Did you try changing it yet? Polkit and KDE: let’s make the point of the situation Reply With […]

  11. I find it disturbing that polkit sustains 14% CPU usage
    on a 3.3GHz Nehalem system (OpenSuSE 12.2).
    That’s an _awfully_ lot of CPU horsepower you’re

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: