Cups/PolicyKit Integration
Summary
Use PolicyKit to define policies for accessing the cups functionality.
Owner
- Name: Marek Kašík
- Email: mkasik@redhat.com
Current status
- Targeted release: Fedora 11
- Last updated: 2009-03-05
- Percentage of completion: 100%
cups-pk-helper has been built in rawhide.
The system-config-printer patch is merged upstream and has been built in rawhide.
cups-pk-helper changes are being upstreamed, which may lead to some changes in the granularity of the policy.
cups-pk-helper changes are merged upstream, which changed the set of policies.
Still to do: - Document actions and default policy somehow
Detailed Description
Cups has its own authentication and policy configuration mechanism, which basically consists in specifying users/groups that are allowed administrative access to the cups server. In an ideal world, cups would expose its administrative functions as a PolicyKit mechanism via d-bus. Since that is unlikely to happen in the short term (if ever), Vincent Untz of OpenSUSE has written a small wrapper called cups-pk-helper to do this, together with the necessary changes to pycups and system-config-printer to talk to cups-pk-helper instead of directly to cups.
The following functions are controlled via PolicyKit policies currently:
- add/remove/edit local printers
- add/remove/edit remote printers
- add/remove/edit classes
- enable/disable printer
- set printer as default printer
- get/set server settings (this includes getting/putting a file in the cups config)
- restart/cancel/edit a job owned by another user
- restart/cancel/edit a job
Benefit to Fedora
Administration of Fedora installations becomes more uniform, cups policies can be configured with the same tools that are used for other PolicyKit-enabled parts of the system.
Scope
cups-pk-helper has to be packaged, system-config-printer needs to be changed to incorporate the PolicyKit-related changes (probably best done by merging those changes upstream, since system-config-printer is no longer a Fedora-only tool). Suitable default policies have to be defined for the functionalities listed above.
How To Test
- Testing this feature will likely benefit from having a printer available.
- You need to have cups, system-config-printer and cups-pk-helper installed.
- Use system-config-printer and perform the functions listed above. Verify that the defined polices are enforced (e.g. if the policy demands admin authentication to enable a printer, trying to enable a printer should bring up a dialog asking for the root password).
- Verify that changing policies using polkit-gnome-authorization is reflected in system-config-printer (e.g. changing the policy for adding classes to 'no' should make the controls for adding classes in system-config-printer become insensitive or invisible).
User Experience
This feature will affect people who configure cups using system-config-printer; they will see the same PolicyKit dialogs that they see in other configuration tools, instead of a custom s-c-p root password dialog. This feature also affects administrators who need to define policies for access to the printing system; they can use PolicyKit to define more finegrained policy than previously possible by editing cupsd.conf.
Dependencies
A PolicyKit-enabled system-config-printer release would be good, to avoid carrying a large patch in our package, but it is not, strictly, a requirement. cups-pk-helper is currently developed at http://www.vuntz.net/git/cups-pk-helper.git/, it would be good to turn it into an actual project, maybe hosted at freedesktop.org, to make collaboration on its future development easier. The cups-pk-helper package is under review.
Contingency Plan
If things don't work out, we don't ship cups-pk-helper by default and revert to a not-PolicyKit-enabled version of system-config-printer.
Documentation
Release Notes
In this release, system-config-printer uses PolicyKit to control access to restricted cups functionality. The following functions are controlled via PolicyKit policies currently:
- add/remove/edit local printers
- add/remove/edit remote printers
- add/remove/edit classes
- enable/disable printer
- set printer as default printer
- get/set server settings
- restart/cancel/edit a job owned by another user
- restart/cancel/edit a job