Languages: عربي | Asturianu | Català | Česky | Kaszëbsczi | Dansk | Deutsch | English | Esperanto | Español | Eesti | فارسی | Suomi | Français | Galego | Italiano | 日本語 | 한국어 | Norwegian | Polski | Português Brasileiro | Română | Русский | Svenska | Slovenčina | Slovenščina | српски | Türkçe | Tiếng Việt | Українська | 简体中文 | 繁體中文
|Tutorial Series||PolicyKit Tutorial|
|Previous||D-Bus activation, Basic D-Bus knowledge, Basic polkit-qt knowledge|
|What's Next||Using the caller-helper model to perform actions as root|
The new tutorial series can be found here, please use KAuth when developing with KDE: it's easier, more integrated, and portable
PolicyKit is an authentication system, that lets developers set a policy on specific actions. It works in strict correlation with D-Bus and ConsoleKit, and it is really useful in cases where you need to perform privileged actions
This tutorial is aimed to developers who want their application to perform privileged actions in a secure, consistent and easy way.
PolicyKit is closely integrated with KDE starting from version 4.3. In kdebase-workspace we have an authorization manager and an authentication agent. What matters the most, though, is polkit-qt library, in kdesupport, that lets us use the PolicyKit library through a nice Qt-styled API. In this tutorial we will be using it as our main development resource.
Your application does not need very special prerequisites to be integrated with PolicyKit. Console applications or libraries can also link to polkit-qt-core, that doesn't add a dependency to QtGui.
As a developer, you probably need to read the Polkit-qt api documentation, that is a fundamental compound of this tutorial. A fair knowledge of D-Bus (have a look at the D-Bus tutorial series for that) can make your workflow better.
Before you start diving into PolicyKit integration, you have to know how a .policy file is made. Those files contain a definition of actions carried out by your application that require authorization by PolicyKit. So let's suppose we are creating the application foo that can do action1, that requires authentication as the current user, and action2, that requires authentication as an administrator. Our policy file will be named org.kde.foo.policy and will look like this:
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> <policyconfig> <action id="org.kde.foo.action1"> <description>Action number one</description> <message>Prevents from doing action one</message> <defaults> <allow_inactive>no</allow_inactive> <allow_active>auth_self</allow_active> </defaults> </action> <action id="org.kde.foo.action2"> <description>Action number two</description> <message>Prevents from doing action two</message> <defaults> <allow_inactive>no</allow_inactive> <allow_active>auth_admin</allow_active> </defaults> </action> </policyconfig>
Let's see how we wrote it:
This is a very simple overview on .policy files that should be enough for most needs, should you need some more information, you can consult PolicyKit reference manual.
Polkit-qt is splitted into 2 libraries, one for working without GUI interaction (-core), and one for working with it (-gui). It also includes some nice additions to make working with helpers easier, as you will see in the next tutorial. Let's see how to use Polkit-qt
You will find this file into polkit-qt source. This file not only defines the dbus_add_activation_system_service macro, that will be extremely useful later, but also lets you find and link against -core, -gui or both.
Polkit-qt-core is composed by Auth and Context. The first is a namespace that lets you easily obtain and check for authorizations, while Context lets you retrieve informations about PolicyKit context. Please refer to polkit-qt docs for more details.
Polkit-qt-core is composed by Action, ActionButton and ActionButtons. They are simply wrappers around QAction and QAbstractButton that let you integrate those two elements with a PolicyKit action. The library will take care not only of obtaining and notify you upon authorization, but also to change the GUI elements (text, icon, etc...) accordingly to the result PolicyKit streams to you.
The api docs for Polkit-qt are really detailed and a strongly advised read. Even if in the next tutorial we'll show you how to use Polkit-qt in the most common case, having some more knowledge on it will surely help you in advanced uses.
In the next tutorial, we'll see how to obtain root privileges with an helper, using some of the knowledge we have gathered now