Topic closed
Hi,
With libvirt, I run a guest domain named foo-domain on a host (both Arch Linux). Libvirt management is done at system level.
The user foo-user is launching an Ansible playbook that interacts with the guest domain using the libvirt Ansible plugin. foo-user is not in the libvirt group, but is in the wheel group. This means that foo-user requires authorization to perform management tasks with libvirt.
foo-user has started hyprpolkitagent as a GUI polkit agent and is running sway (Wayland).
When foo-user launches the Ansible playbook, authorization is required for every task that performs management actions with libvirt. It means hyprpolkitagent is asking for a password for every one of those tasks. This is a burden.
I thought this commit from April 2025 was allowing a less restricted and smarter way to allow temporary authorization. But I think I don't fully understand how it is supposed to work. I can't get my head around how to make use of auth_keep to have temporary authorization for an action.
Is it possible to have the password asked only once during the playbook execution? If so, how? What am I missing?
playbook.yml
- name: Testing libvirt
  hosts: test
  strategy: debug
  tasks:
    - name: Ping my hosts
      ansible.builtin.ping:
    - name: Full system upgrade
      become: true
      community.general.pacman:
        update_cache: yes
        upgrade: true
      register: upgrade_result
    - name: Show upgrade result
      ansible.builtin.debug:
        var: upgrade_result
    - name: Gather facts after upgrade
      ansible.builtin.setup:
    - name: Show all gathered facts
      ansible.builtin.debug:
        var: ansible_facts
    - name: Reboot
      become: true
      ansible.builtin.reboot:

/etc/polkit-1/rules.d/40-libvirt.rules
polkit.addAdminRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage") {
        return ["unix-user:root"];
    }
});

/etc/polkit-1/rules.d/41-libvirt.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN_KEEP;
    }
});

Polkit debug logs:
Dec 28 19:43:25 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:25 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11624 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x563157c84b00
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:32 foo-host kernel: audit: type=1100 audit(1766947412.074:568): pid=11637 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:32 foo-host kernel: audit: audit_lost=1397 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:32 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:32 foo-host kernel: audit: type=1101 audit(1766947412.076:569): pid=11637 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:32 foo-host kernel: audit: audit_lost=1398 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:32 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:32 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11624:589301 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:32 foo-host polkitd[9706]: 19:43:32.081: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11624:589301 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:32 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:32 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11662 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:32 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x5631582b5500
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:36 foo-host kernel: audit: type=1100 audit(1766947416.347:570): pid=11666 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:36 foo-host kernel: audit: audit_lost=1399 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:36 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:36 foo-host kernel: audit: type=1101 audit(1766947416.349:571): pid=11666 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:36 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:36 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:36 foo-host polkitd[9706]: 19:43:36.354: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11662:589962 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:36 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11662:589962 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:36 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:36 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:37 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:37 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11688 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:37 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:37 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x5631582b5500
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:40 foo-host kernel: kauditd_printk_skb: 2 callbacks suppressed
Dec 28 19:43:40 foo-host kernel: audit: type=1100 audit(1766947420.882:572): pid=11692 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:40 foo-host kernel: audit: audit_lost=1401 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:40 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:40 foo-host kernel: audit: type=1101 audit(1766947420.885:573): pid=11692 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:40 foo-host kernel: audit: audit_lost=1402 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:40 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:40 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:40 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:40 foo-host polkitd[9706]: 19:43:40.890: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11688:590448 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:40 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11688:590448 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:40 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:40 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:41 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:41 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11715 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:41 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:41 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x7f3c64004030
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:45 foo-host kernel: audit: type=1100 audit(1766947425.161:574): pid=11719 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:45 foo-host kernel: audit: audit_lost=1403 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:45 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:45 foo-host kernel: audit: type=1101 audit(1766947425.163:575): pid=11719 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:45 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:45 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:45 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:45 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:45 foo-host polkitd[9706]: 19:43:45.168: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11715:590863 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:45 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11715:590863 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:48 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:48 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11755 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:48 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:48 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x7f3c64003110
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:52 foo-host kernel: kauditd_printk_skb: 2 callbacks suppressed
Dec 28 19:43:52 foo-host kernel: audit: type=1100 audit(1766947432.667:576): pid=11759 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:52 foo-host kernel: audit: audit_lost=1405 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:52 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:52 foo-host kernel: audit: type=1101 audit(1766947432.668:577): pid=11759 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:52 foo-host kernel: audit: audit_lost=1406 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:52 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:52 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:52 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:52 foo-host polkitd[9706]: 19:43:52.673: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11755:591572 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:52 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11755:591572 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:52 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:52 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:53 foo-host libvirtd[9510]: End of file while reading data: Input/output error
Dec 28 19:43:53 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:53 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11792 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:53 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:53 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x7f3c640038d0
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:57 foo-host kernel: audit: type=1100 audit(1766947437.063:578): pid=11798 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:57 foo-host kernel: audit: audit_lost=1407 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:57 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:57 foo-host kernel: audit: type=1101 audit(1766947437.065:579): pid=11798 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:57 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:57 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:57 foo-host polkitd[9706]: 19:43:57.070: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11792:592071 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:57 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11792:592071 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:57 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:57 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:57 foo-host libvirtd[9510]: Guest agent is not responding: QEMU guest agent is not connected
Dec 28 19:43:59 foo-host libvirtd[9510]: Guest agent is not responding: QEMU guest agent is not connected
Dec 28 19:44:01 foo-host libvirtd[9510]: Guest agent is not responding: QEMU guest agent is not connected

Edit (renaming topic):
This has to do with how Ansible is executing tasks.
For example:
The playbook below requires polkit authentication for each task, whereas running each command manually in the same shell asks for the password once:
- name: Managing Services Test
  hosts: localhost
  tasks:
    - name: Start libvirtd.service
      ansible.builtin.command: systemctl start libvirtd.service
    - name: Start virtlogd.service
      ansible.builtin.command: systemctl start virtlogd.service
    - name: Stop libvirtd.service
      ansible.builtin.command: systemctl stop libvirtd.service
    - name: Stop virtlogd.service
      ansible.builtin.command: systemctl stop virtlogd.service

I can see that it created a temporary polkit authorization for each task.
authorization id: tmpauthz16
action: org.freedesktop.systemd1.manage-units
subject: unix-process:unknown (cannot read cmdline)
obtained: 13 sec ago (Sun Dec 28 22:28:17 2025)
expires: 4 min 46 sec from now (Sun Dec 28 22:33:16 2025)
authorization id: tmpauthz17
action: org.freedesktop.systemd1.manage-units
subject: unix-process:unknown (cannot read cmdline)
obtained: 9 sec ago (Sun Dec 28 22:28:21 2025)
expires: 4 min 50 sec from now (Sun Dec 28 22:33:20 2025)
authorization id: tmpauthz18
action: org.freedesktop.systemd1.manage-units
subject: unix-process:unknown (cannot read cmdline)
obtained: 6 sec ago (Sun Dec 28 22:28:24 2025)
expires: 4 min 53 sec from now (Sun Dec 28 22:33:23 2025)
authorization id: tmpauthz19
action: org.freedesktop.systemd1.manage-units
subject: unix-process:unknown (cannot read cmdline)
obtained: 2 sec ago (Sun Dec 28 22:28:28 2025)
expires: 4 min 57 sec from now (Sun Dec 28 22:33:27 2025)

Last edited by Koatao (2025-12-31 15:44:25)
No.
AUTH_ADMIN_KEEP is per PID, not per user or session.
Ansible spawns a new process for every task, so polkit re-authenticates every time. That is expected.
Different PID => different subject => different temporary authorization.
Your logs already show this.
Works in an interactive shell because the process context is shared. Ansible does not do that.
This is not a bug, not a regression, and not affected by recent polkit changes.
Polkit is not meant for automation.
Use become/sudo, sudoers, or the libvirt group instead.
There is no way to make polkit prompt once for an entire playbook.
Last edited by 5hridhyan (2025-12-31 15:21:45)
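Added example (not part of the original thread, and not code from polkit or Ansible): a small Python check that reads polkitd journal lines in the format quoted in the first post and lists, per session and action, every process subject that had to authenticate separately. The sample lines are constructed from the PIDs shown in the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the polkitd lines quoted in the thread.
# polkitd logs each grant twice (once with an extra time prefix), so the
# sample repeats each grant to exercise de-duplication.
_LINE = ("Dec 28 19:43:{sec} foo-host polkitd[9706]: {ts}Operator of "
         "unix-session:2 successfully authenticated as unix-user:root to gain "
         "TEMPORARY authorization for action org.libvirt.unix.manage for "
         "unix-process:{subj} [/usr/bin/python /usr/bin/ansible-playbook "
         "playbook.yml] (owned by unix-user:foo-user)")
SAMPLE_LOG = "\n".join([
    _LINE.format(sec="32", ts="", subj="11624:589301"),
    _LINE.format(sec="32", ts="19:43:32.081: ", subj="11624:589301"),
    "Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: REQUEST",
    _LINE.format(sec="36", ts="19:43:36.354: ", subj="11662:589962"),
    _LINE.format(sec="36", ts="", subj="11662:589962"),
    _LINE.format(sec="40", ts="", subj="11688:590448"),
])

GRANT_RE = re.compile(
    r"Operator of (?P<session>unix-session:\d+) successfully authenticated as "
    r"(?P<identity>unix-user:\S+) to gain TEMPORARY authorization for action "
    r"(?P<action>\S+) for unix-process:(?P<pid>\d+):(?P<start>\d+) "
    r"\[(?P<cmdline>[^\]]*)\]"
)

def parse_grants(text):
    """Return the unique temporary-authorization grants found in journal text."""
    seen, grants = set(), []
    for line in text.splitlines():
        m = GRANT_RE.search(line)
        if not m:
            continue
        # A subject is identified by PID plus process start time.
        key = (m["session"], m["action"], m["pid"], m["start"])
        if key in seen:  # polkitd's second copy of the same grant
            continue
        seen.add(key)
        grants.append(m.groupdict())
    return grants

def subjects_per_scope(grants):
    """Map (session, action) to the process subjects that each authenticated."""
    scopes = defaultdict(list)
    for g in grants:
        scopes[(g["session"], g["action"])].append(f'{g["pid"]}:{g["start"]}')
    return dict(scopes)

def repeated_prompts(grants):
    """Scopes in which more than one process subject had to authenticate."""
    return {k: v for k, v in subjects_per_scope(grants).items() if len(v) > 1}

if __name__ == "__main__":
    found = repeated_prompts(parse_grants(SAMPLE_LOG))
    for (session, action), subjects in found.items():
        print(f"{session} {action}: {len(subjects)} prompts for {subjects}")
```

Run against real `journalctl -u polkit` output, a long subject list for one session and action confirms that the grants are bound to individual processes rather than to the session.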
Moderator Note
Moving to System Administration
Hello 5hridhyan,
Thanks for the response and the pointers.
I started looking into Ansible's source code. As you said, the way it is done does not integrate well with Polkit.
I will look for other options and see what can fit my use cases the most.
Closing this topic.
Mod note: closing on implied request.