[yast-devel] YaST++ Sprint Review 2012-02-21
Generic Reminders
-----------------
* Keep it simple
* Some parts might be projects for Google Summer of Code

ACLs
----
* Bind to path
* Roles defined as in WebYast
* Check how the others solve this (e.g., KDE)
* AI: jsuchome & jreidinger

New Project Name
----------------
* Ask community
* Code name (maybe something known, easy to remember)
* Package name (might differ to code name, but needn’t)
* AI: everyone

DBUS Optional
-------------
* Depends on ACLs - how we define them
* Anyway, root is always without DBUS already
* Modular - created as plug-in
* To lower the complexity
* AI: jreidinger

YaST-Related Data
-----------------
* Stored in /usr/share/YaST2/data/
* Separate data to a different package? YaST++ must not depend on Classical YaST
* Discussion WIP

--
Lukas Ocilka, Appliances Department
SUSE LINUX s.r.o., Praha

On 22.2.2012 15:25, Lukas Ocilka wrote:
> Generic Reminders
> -----------------
> * Keep it simple
> * Some parts might be projects for Google Summer of Code
>
> ACLs
> ----
> * Bind to path
> * Roles defined as in WebYast

BTW, today I came across an interesting polkit feature: org.freedesktop.policykit.imply annotation:

"The org.freedesktop.policykit.imply annotation (its value is a string containing a space separated list of action identifiers) can be used to define meta actions. The way it works is that if a subject is authorized for an action with this annotation, then it is also authorized for any action specified by the annotation. A typical use of this annotation is when defining an UI shell with a single lock button that should unlock multiple actions from distinct mechanisms."

(See "man polkit")

Using this annotation we could easily define high-level roles from low-level actions and it would be transparent for polkit and work with all polkit tools and services (pkaction, pkcheck, DBus service, etc...)

The drawback is that it could not be used in WebYaST on SLES (due to the old PolicyKit), we would need a workaround there... :-(

--
Ladislav Slezák
Appliance department / YaST Developer
Lihovarská 1060/12
190 00 Prague 9 / Czech Republic
tel: +420 284 028 960
lslezak@suse.com
SUSE

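Added example, not part of the thread and not YaST or polkit code: a small audit of which low-level actions a role-style meta action would unlock through the imply annotation, expanded one level exactly as the man page text quoted above words it. The `org.example.yast.*` action ids, the sample policy and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

IMPLY_KEY = "org.freedesktop.policykit.imply"
NS = "org.example.yast"  # hypothetical action namespace for this sample

# Constructed .policy content (DOCTYPE and <defaults> omitted for brevity).
SAMPLE_POLICY = f"""<policyconfig>
  <action id="{NS}.role.network-admin">
    <description>Network administrator role (meta action)</description>
    <annotate key="{IMPLY_KEY}">{NS}.network.read {NS}.network.write {NS}.firewall.write</annotate>
  </action>
  <action id="{NS}.network.read">
    <description>Read network configuration</description>
  </action>
  <action id="{NS}.network.write">
    <description>Change network configuration</description>
  </action>
</policyconfig>"""


def parse_policy(xml_text):
    """Return (declared action ids, {meta action id: [implied action ids]})."""
    root = ET.fromstring(xml_text)
    defined, implies = set(), {}
    for action in root.iter("action"):
        action_id = action.get("id")
        defined.add(action_id)
        for ann in action.findall("annotate"):
            if ann.get("key") == IMPLY_KEY:
                # The value is a space-separated list of action identifiers.
                implies[action_id] = (ann.text or "").split()
    return defined, implies


def unlocked_by(action_id, implies):
    """Meta actions whose authorization also grants action_id."""
    return sorted(meta for meta, ids in implies.items() if action_id in ids)


def dangling(defined, implies):
    """Implied ids not declared in the parsed text (typo, or declared elsewhere)."""
    return sorted({i for ids in implies.values() for i in ids} - defined)


if __name__ == "__main__":
    declared, roles = parse_policy(SAMPLE_POLICY)
    for meta, ids in roles.items():
        print(meta, "->", ", ".join(ids))
    print("not declared here:", dangling(declared, roles))
```

Run over the real .policy files of a system, the reverse lookup shows every role that grants a given low-level action, which is the thing to review before widening a role.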
On Wed, Feb 22, 2012 at 03:45:18PM +0100, Ladislav Slezak wrote:
> On 22.2.2012 15:25, Lukas Ocilka wrote:
> > ACLs
> > ----
> > * Bind to path
> > * Roles defined as in WebYast
>
> BTW, today I came across an interesting polkit feature: org.freedesktop.policykit.imply annotation:
>
> "The org.freedesktop.policykit.imply annotation (its value is a string containing a space separated list of action identifiers) can be used to define meta actions. The way it works is that if a subject is authorized for an action with this annotation, then it is also authorized for any action specified by the annotation. A typical use of this annotation is when defining an UI shell with a single lock button that should unlock multiple actions from distinct mechanisms."
>
> (See "man polkit")
>
> Using this annotation we could easily define high-level roles from low-level actions and it would be transparent for polkit and work with all polkit tools and services (pkaction, pkcheck, DBus service, etc...)
>
> The drawback is that it could not be used in WebYaST on SLES (due to the old PolicyKit), we would need a workaround there... :-(

Ah, interesting.

Now, to continue the general discussion, some summary is in this file (to which I have added now):
https://github.com/yast/yast--/blob/master/doc/comparing-policies.txt

To compare with other designs, see the list of polkit actions on your system: run "pkaction".

--
Martin Vidner, YaST developer
http://en.opensuse.org/User:Mvidner
A smoking section in a restaurant is like a fecal section in a swimming pool

On Mon March 12 2012 15:43:52 Martin Vidner wrote:
> On Wed, Feb 22, 2012 at 03:45:18PM +0100, Ladislav Slezak wrote:
> > On 22.2.2012 15:25, Lukas Ocilka wrote:
> > > ACLs
> > > ----
> > > * Bind to path
> > > * Roles defined as in WebYast
> >
> > BTW, today I came across an interesting polkit feature: org.freedesktop.policykit.imply annotation:
> >
> > "The org.freedesktop.policykit.imply annotation (its value is a string containing a space separated list of action identifiers) can be used to define meta actions. The way it works is that if a subject is authorized for an action with this annotation, then it is also authorized for any action specified by the annotation. A typical use of this annotation is when defining an UI shell with a single lock button that should unlock multiple actions from distinct mechanisms."
> >
> > (See "man polkit")
> >
> > Using this annotation we could easily define high-level roles from low-level actions and it would be transparent for polkit and work with all polkit tools and services (pkaction, pkcheck, DBus service, etc...)

I think that makes a lot of sense. On the one hand policy checks should be very low level for security reasons. On the other hand it's easier to administrate high level roles. The mentioned technologies fit both.

> > The drawback is that it could not be used in WebYaST on SLES (due to the old PolicyKit), we would need a workaround there... :-(

Can we make next SLES (SLE12) to contain the new PolicyKit version? Wouldn't it be good enough if future versions of WebYaST used yast++ with these PolicyKit roles as backend?

> Ah, interesting.
>
> Now, to continue the general discussion, some summary is in this file (to which I have added now):
> https://github.com/yast/yast--/blob/master/doc/comparing-policies.txt
>
> To compare with other designs, see the list of polkit actions on your system: run "pkaction".

--
Thomas Goettlicher
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

On 13.3.2012 15:57, Thomas Goettlicher wrote:
[...]
> > The drawback is that it could not be used in WebYaST on SLES (due to the old PolicyKit), we would need a workaround there... :-(
>
> Can we make next SLES (SLE12) to contain the new PolicyKit version? Wouldn't it be good enough if future versions of WebYaST used yast++ with these PolicyKit roles as backend?

Of course, SLE12 _will_ contain polkit (the new policykit), there's no problem. The problem is with SLE11 (which we have to maintain for several years...).

--
Best Regards

Ladislav Slezák
Yast Developer
SUSE LINUX, s.r.o.
Lihovarská 1060/12
190 00 Prague 9
Czech Republic
e-mail: lslezak@suse.cz
tel: +420 284 028 960
fax: +420 284 028 951
http://www.suse.cz/