GNOME Bugzilla – Bug 739568
nmcli: add 'agent' command for running nmcli as a secret/polkit agent
Last modified: 2014-11-07 12:48:12 UTC
cli: add 'nmcli agent' command

Synopsis: nmcli agent { secret | polkit }

The command runs separate NetworkManager secret agent or session polkit agent.
It is useful when
- no other secret agent is available (such as GUI nm-applet, gnome-shell, KDE applet)
- no other polkit agent is available (such as polkit-gnome-authentication-agent-1, polkit-kde-authentication-agent-1 or lxpolkit)

branch: jk/nmcli-agent-command
+You do usually not need this command, because nmcli can handle secrets when
+while connecting to networks. ^^^^^

+ _nmcli_compl_COMMAND "$command" nm_secret polkit ^^^

+do_agent_nm_secret (NmCli *nmc, int argc, char **argv) ^^^

$ nmcli agent polkit
Error: polkit agent initialization failed: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for the given subject

the above error seems like an expected failure. Maybe special case this error and print a tailored error message?

+ /* Prefill the password if we have it. */ whitespace^^^^^

`nmcli agent` is equal to `nmcli agent secret`. Can we not support a `nmcli agent all`, where nmcli is both secret and polkit agent? (that mode should be default).
All issues of comment #1 fixed, branch re-pushed.
So what's the use case here? GUI users should be running either gnome-shell or nm-applet, and for non-GUI users both nmcli and nmtui will have a secret agent now (and nmcli will have a polkit agent, and we should fix nmtui to have one soon as well). So who would need this?

>+ "Registers nmcli as a polkit action for the user session.\n"
>+ "When a polkit daemon requires an authorization, nmcli asks the user and gives\n"
>+ "the reponse back to polkit.\n\n"));

might be worth some extra clarification that this applies to ALL polkit requests, not just ones from NetworkManager.

Which, actually, is a little weird... maybe NMPolkitListener should only respond to NM's action_ids?

>+get_secrets_from_user (const char *request_id,

There's no way to share this between agent.c and connections.c?
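Review bot: in the quoted help text for the polkit mode, "Registers nmcli as a polkit action" should say "polkit agent", since the command registers an agent and actions are what the agent is asked to authorize; "reponse" in the third string is also misspelled ("response"). If the listener stays unfiltered, the text should state that nmcli will answer every polkit request in the user session, not only NetworkManager's.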
I'd echo danw's comments; could the stuff in agent.c be shared? And yeah, I think we should also respond only to NM's polkit requests. I think we can just "g_str_has_prefix (action_id, NM_DBUS_INTERFACE ".")" in nm-polkit-listener.c::initiate_authentication() and return an error if it's not NM?
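The prefix check suggested in the comment above, written out as an added example (not code from the NetworkManager tree or from the patch under review). The helper names are hypothetical, the prefix is assumed to equal NM_DBUS_INTERFACE ".", and the sample action ids are constructed test input; plain libc stands in for g_str_has_prefix() so the file builds on its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: NM_DBUS_INTERFACE "." expands to this string. */
#define NM_ACTION_PREFIX "org.freedesktop.NetworkManager."

/* Hypothetical helper: true only for action ids inside NetworkManager's
 * namespace. The trailing '.' in the prefix is what rejects look-alike
 * vendors such as "org.freedesktop.NetworkManagerX.*". */
bool
nm_action_id_allowed (const char *action_id)
{
    size_t plen = strlen (NM_ACTION_PREFIX);

    if (action_id == NULL)
        return false;
    if (strncmp (action_id, NM_ACTION_PREFIX, plen) != 0)
        return false;
    /* A bare prefix with no action name after it is not a valid request. */
    return action_id[plen] != '\0';
}

/* Count how many of the given requests the agent would answer. */
int
count_allowed (const char *const *ids, size_t n)
{
    int allowed = 0;

    for (size_t i = 0; i < n; i++)
        if (nm_action_id_allowed (ids[i]))
            allowed++;
    return allowed;
}

int
main (void)
{
    /* Constructed sample requests: two NM actions, one foreign, one look-alike. */
    static const char *const sample_ids[] = {
        "org.freedesktop.NetworkManager.network-control",
        "org.freedesktop.NetworkManager.settings.modify.system",
        "org.freedesktop.policykit.exec",
        "org.freedesktop.NetworkManagerX.fake",
    };

    for (size_t i = 0; i < sizeof sample_ids / sizeof sample_ids[0]; i++)
        printf ("%-56s %s\n", sample_ids[i],
                nm_action_id_allowed (sample_ids[i]) ? "prompt user" : "return error");
    return 0;
}
```

Comparing against the interface name without the trailing dot would accept the look-alike id in the last sample.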
(In reply to comment #3)
> So what's the use case here? GUI users should be running either gnome-shell or
> nm-applet, and for non-GUI users both nmcli and nmtui will have a secret agent
> now (and nmcli will have a polkit agent, and we should fix nmtui to have one
> soon as well). So who would need this?
>
> >+ "Registers nmcli as a polkit action for the user session.\n"
> >+ "When a polkit daemon requires an authorization, nmcli asks the user and gives\n"
> >+ "the reponse back to polkit.\n\n"));
>
> might be worth some extra clarification that this applies to ALL polkit
> requests, not just ones from NetworkManager.
>
> Which, actually, is a little weird... maybe NMPolkitListener should only
> respond to NM's action_ids?
>

nmcli agent polkit will run the agent for the user session. However, it fails if another polkit agent has been already registered. So I think that if nmcli is the only polkit client, it is good and makes no harm to serve non-NM related requests as well.

As for use case, somebody can have his own NM client/script suitable for his purposes (for whatever reason) and it may need a text based polkit agent.

> >+get_secrets_from_user (const char *request_id,
>
> There's no way to share this between agent.c and connections.c?

It is. But, the function is not the same. So I left it for later changes, not to destabilize the code now.

Committed to master, thanks for reviews.

3a55166 cli: add 'nmcli agent' command (bgo #739568)