From Fedora Project Wiki

Cups/PolicyKit Integration

Summary

Use PolicyKit to define policies for accessing the cups functionality.

Owner

Current status

  • Targeted release: Fedora 11
  • Last updated: 2009-03-05
  • Percentage of completion: 100%

cups-pk-helper has been built in rawhide.

The system-config-printer patch is merged upstream and has been built in rawhide.

cups-pk-helper changes are being upstreamed, which may lead to some changes in the granularity of the policy.

cups-pk-helper changes are merged upstream, which changed the set of policies.

Still to do: - Document actions and default policy somehow

Detailed Description

Cups has its own authentication and policy configuration mechanism, which basically consists in specifying users/groups that are allowed administrative access to the cups server. In an ideal world, cups would expose its administrative functions as a PolicyKit mechanism via d-bus. Since that is unlikely to happen in the short term (if ever), Vincent Untz of OpenSUSE has written a small wrapper called cups-pk-helper to do this, together with the necessary changes to pycups and system-config-printer to talk to cups-pk-helper instead of directly to cups.

The following functions are controlled via PolicyKit policies currently:

  • add/remove/edit local printers
  • add/remove/edit remote printers
  • add/remove/edit classes
  • enable/disable printer
  • set printer as default printer
  • get/set server settings (this includes getting/putting a file in the cups config)
  • restart/cancel/edit a job owned by another user
  • restart/cancel/edit a job

Benefit to Fedora

Administration of Fedora installations becomes more uniform, cups policies can be configured with the same tools that are used for other PolicyKit-enabled parts of the system.

Scope

cups-pk-helper has to be packaged, system-config-printer needs to be changed to incorporate the PolicyKit-related changes (probably best done by merging those changes upstream, since system-config-printer is no longer a Fedora-only tool). Suitable default policies have to be defined for the functionalities listed above.

How To Test

  • Testing this feature will likely benefit from having a printer available.
  • You need to have cups, system-config-printer and cups-pk-helper installed.
  • Use system-config-printer and perform the functions listed above. Verify that the defined polices are enforced (e.g. if the policy demands admin authentication to enable a printer, trying to enable a printer should bring up a dialog asking for the root password).
  • Verify that changing policies using polkit-gnome-authorization is reflected in system-config-printer (e.g. changing the policy for adding classes to 'no' should make the controls for adding classes in system-config-printer become insensitive or invisible).

User Experience

This feature will affect people who configure cups using system-config-printer; they will see the same PolicyKit dialogs that they see in other configuration tools, instead of a custom s-c-p root password dialog. This feature also affects administrators who need to define policies for access to the printing system; they can use PolicyKit to define more finegrained policy than previously possible by editing cupsd.conf.

Dependencies

A PolicyKit-enabled system-config-printer release would be good, to avoid carrying a large patch in our package, but it is not, strictly, a requirement. cups-pk-helper is currently developed at http://www.vuntz.net/git/cups-pk-helper.git/, it would be good to turn it into an actual project, maybe hosted at freedesktop.org, to make collaboration on its future development easier. The cups-pk-helper package is under review.

Contingency Plan

If things don't work out, we don't ship cups-pk-helper by default and revert to a not-PolicyKit-enabled version of system-config-printer.

Documentation

Release Notes

In this release, system-config-printer uses PolicyKit to control access to restricted cups functionality. The following functions are controlled via PolicyKit policies currently:

  • add/remove/edit local printers
  • add/remove/edit remote printers
  • add/remove/edit classes
  • enable/disable printer
  • set printer as default printer
  • get/set server settings
  • restart/cancel/edit a job owned by another user
  • restart/cancel/edit a job

Comments and Discussion