If available, Polkit can also be used for authentication. The client may choose to allow user interaction for authentication, e.g. showing a graphical dialogue. This is done by setting an HTTP header (defaults to false):
It’s a system option, the actual endpoint I want to access is
/v2/snaps/system/conf,
to enable, disable or query experimental.apparmor-prompting (so analogous to snap {get,set} system experimental.apparmor-prompting).
I tried with snap login first this time but still fails with “unathorized”.
I think I agree that a dedicated endpoint would be clearer, and allow us to construct a more purpose-built authentication and configuration mechanism. Previously, I was steered towards using the existing endpoints for simplicity, but this shows that that’s not quite sufficient in this case.
Additionally, to discuss @robert.ancell 's question about the scope of configuration, we would set the config option system-wide, not on a single app/snap (as far as I know). It’s possible we might want to enable prompting for particular interfaces, but that would be a future extension.
Another important point is that even if experimental.apparmor-prompting=true is set in the system snap configuration, the host kernel might not support prompting, or the prompt subsystem could be in an error state or otherwise disabled, so querying that experimental option isn’t really sufficient to know if prompting is enabled/supported/running. A dedicated endpoint would solve this problem too.
There’s a prompting sync tomorrow, I’ll bring up this topic again there.
Rather than creating a new endpoint for querying the status of and enabling/disabling prompting, we’ll do the following:
Enable polkit authentication on the /v2/snaps/{snap}/conf endpoint, so clients can trigger a pop-up via X-Allow-Interaction: true — this is already in the works: https://github.com/snapcore/snapd/pull/13653
Expose information about apparmor prompting on the /v2/system-info endpoint, which will indicate whether prompting is unsupported by the kernel, supported but disabled, or supported and enabled.
@nteodosio does this approach sound alright with you?
This (polkit authentication on /v2/snaps/{snap}/conf) has been merged into snapd master, and will be included in the 2.62 release of snapd: https://github.com/snapcore/snapd/pull/13653
This will also include the “apparmor-prompting” experimental feature, which was merged (as a no-op stub for now) into snapd master: https://github.com/snapcore/snapd/pull/13693
I will rebase the prompting branch on snapd master after 2.62 is cut.