Hi,
With libvirt, I run a guest domain named foo-domain on a host (both ArchLinux). Libvirt management is done at system level.
The user foo-user is launching an Ansible playbook that interacts with the guest domain using the libvirt Ansible plugin. foo-user is not in the libvirt group, but is in the wheel group. This means that foo-user requires authorization to perform management tasks with libvirt.
foo-user has started hyprpolkitagent as the GUI polkit agent, and he is running sway (Wayland).
When foo-user is launching the Ansible playbook, authorization is required for every task that performs management actions with libvirt. It means hyprpolkitagent is asking for a password for every one of those tasks. This is a burden.
I thought this commit from April 2025 was allowing a less restricted and smarter way to allow temporary authorization. But I think I don't understand fully how it is supposed to work. I can't get my head around how to make use of auth_keep to have temporary authorization for an action.
Is it possible to have the password asked only once during the playbook execution? If so, how? What am I missing?
playbook.yml

- name: Testing libvirt
  hosts: test
  strategy: debug
  tasks:
    - name: Ping my hosts
      ansible.builtin.ping:
    - name: Full system upgrade
      become: true
      community.general.pacman:
        update_cache: yes
        upgrade: true
      register: upgrade_result
    - name: Show upgrade result
      ansible.builtin.debug:
        var: upgrade_result
    - name: Gather facts after upgrade
      ansible.builtin.setup:
    - name: Show all gathered facts
      ansible.builtin.debug:
        var: ansible_facts
    - name: Reboot
      become: true
      ansible.builtin.reboot:

/etc/polkit-1/rules.d/40-libvirt.rules

polkit.addAdminRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage") {
        return ["unix-user:root"];
    }
});

/etc/polkit-1/rules.d/41-libvirt.rules

polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN_KEEP;
    }
});

Polkit debug logs:
Dec 28 19:43:25 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:25 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11624 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x563157c84b00
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:25 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:32 foo-host kernel: audit: type=1100 audit(1766947412.074:568): pid=11637 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:32 foo-host kernel: audit: audit_lost=1397 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:32 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:32 foo-host kernel: audit: type=1101 audit(1766947412.076:569): pid=11637 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:32 foo-host kernel: audit: audit_lost=1398 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:32 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:32 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11624:589301 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:32 foo-host polkitd[9706]: 19:43:32.081: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11624:589301 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:32 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:32 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11662 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:32 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x5631582b5500
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:32 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:36 foo-host kernel: audit: type=1100 audit(1766947416.347:570): pid=11666 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:36 foo-host kernel: audit: audit_lost=1399 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:36 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:36 foo-host kernel: audit: type=1101 audit(1766947416.349:571): pid=11666 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:36 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:36 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:36 foo-host polkitd[9706]: 19:43:36.354: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11662:589962 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:36 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11662:589962 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:36 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:36 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:37 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:37 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11688 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:37 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:37 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x5631582b5500
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:37 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:40 foo-host kernel: kauditd_printk_skb: 2 callbacks suppressed
Dec 28 19:43:40 foo-host kernel: audit: type=1100 audit(1766947420.882:572): pid=11692 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:40 foo-host kernel: audit: audit_lost=1401 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:40 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:40 foo-host kernel: audit: type=1101 audit(1766947420.885:573): pid=11692 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:40 foo-host kernel: audit: audit_lost=1402 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:40 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:40 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:40 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:40 foo-host polkitd[9706]: 19:43:40.890: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11688:590448 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:40 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11688:590448 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:40 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:40 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:41 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:41 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11715 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:41 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:41 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x7f3c64004030
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:41 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:45 foo-host kernel: audit: type=1100 audit(1766947425.161:574): pid=11719 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:45 foo-host kernel: audit: audit_lost=1403 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:45 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:45 foo-host kernel: audit: type=1101 audit(1766947425.163:575): pid=11719 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:45 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:45 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:45 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:45 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:45 foo-host polkitd[9706]: 19:43:45.168: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11715:590863 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:45 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11715:590863 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:48 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:48 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11755 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:48 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:48 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x7f3c64003110
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:48 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:52 foo-host kernel: kauditd_printk_skb: 2 callbacks suppressed
Dec 28 19:43:52 foo-host kernel: audit: type=1100 audit(1766947432.667:576): pid=11759 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:52 foo-host kernel: audit: audit_lost=1405 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:52 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:52 foo-host kernel: audit: type=1101 audit(1766947432.668:577): pid=11759 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:52 foo-host kernel: audit: audit_lost=1406 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:52 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:52 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:52 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:52 foo-host polkitd[9706]: 19:43:52.673: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11755:591572 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:52 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11755:591572 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:52 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:52 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:53 foo-host libvirtd[9510]: End of file while reading data: Input/output error
Dec 28 19:43:53 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
Dec 28 19:43:53 foo-host polkitd[9706]: subject=[Subject uid=1000 pid=11792 user='foo-user' groups=foo-user,wheel,wireshark seat='seat0' session='2' system_unit=null local=true active=true]
Dec 28 19:43:53 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:53 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: GSimpleAsyncResult: 0x7f3c640038d0
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication callback for 0x563157c6ba50
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: ERROR: QQuickStyle::setStyle() must be called before loading QML that imports Qt Quick Controls 2.
Dec 28 19:43:53 foo-host hyprpolkitagent[11047]: REQUEST
Dec 28 19:43:57 foo-host kernel: audit: type=1100 audit(1766947437.063:578): pid=11798 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:57 foo-host kernel: audit: audit_lost=1407 audit_rate_limit=0 audit_backlog_limit=64
Dec 28 19:43:57 foo-host kernel: audit: kauditd hold queue overflow
Dec 28 19:43:57 foo-host kernel: audit: type=1101 audit(1766947437.065:579): pid=11798 uid=1000 auid=1000 ses=3 subj=unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="root" exe="/usr/lib/polkit-1/polkit-agent-helper-1" hostname=? addr=? terminal=? res=success'
Dec 28 19:43:57 foo-host hyprpolkitagent[11047]: COMPLETED
Dec 28 19:43:57 foo-host hyprpolkitagent[11047]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Dec 28 19:43:57 foo-host polkitd[9706]: 19:43:57.070: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11792:592071 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:57 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11792:592071 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:57 foo-host hyprpolkitagent[11047]: polkit_qt_listener_initiate_authentication_finish callback for 0x563157c6ba50
Dec 28 19:43:57 foo-host polkitd[9706]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Dec 28 19:43:57 foo-host libvirtd[9510]: Guest agent is not responding: QEMU guest agent is not connected
Dec 28 19:43:59 foo-host libvirtd[9510]: Guest agent is not responding: QEMU guest agent is not connected
Dec 28 19:44:01 foo-host libvirtd[9510]: Guest agent is not responding: QEMU guest agent is not connected

Edit (renaming topic):
This has to do with how ansible is executing tasks.
For example:
The playbook below requires polkit authentication for each task, whereas running each command manually in the same shell asks for the password once:
- name: Managing Services Test
  hosts: localhost
  tasks:
    - name: Start libvirtd.service
      ansible.builtin.command: systemctl start libvirtd.service
    - name: Start virtlogd.service
      ansible.builtin.command: systemctl start virtlogd.service
    - name: Stop libvirtd.service
      ansible.builtin.command: systemctl stop libvirtd.service
    - name: Stop virtlogd.service
      ansible.builtin.command: systemctl stop virtlogd.service

I can see that it created a temporary polkit authorization for each task.
authorization id: tmpauthz16
action:           org.freedesktop.systemd1.manage-units
subject:          unix-process:unknown (cannot read cmdline)
obtained:         13 sec ago (Sun Dec 28 22:28:17 2025)
expires:          4 min 46 sec from now (Sun Dec 28 22:33:16 2025)

authorization id: tmpauthz17
action:           org.freedesktop.systemd1.manage-units
subject:          unix-process:unknown (cannot read cmdline)
obtained:         9 sec ago (Sun Dec 28 22:28:21 2025)
expires:          4 min 50 sec from now (Sun Dec 28 22:33:20 2025)

authorization id: tmpauthz18
action:           org.freedesktop.systemd1.manage-units
subject:          unix-process:unknown (cannot read cmdline)
obtained:         6 sec ago (Sun Dec 28 22:28:24 2025)
expires:          4 min 53 sec from now (Sun Dec 28 22:33:23 2025)

authorization id: tmpauthz19
action:           org.freedesktop.systemd1.manage-units
subject:          unix-process:unknown (cannot read cmdline)
obtained:         2 sec ago (Sun Dec 28 22:28:28 2025)
expires:          4 min 57 sec from now (Sun Dec 28 22:33:27 2025)

Last edited by Koatao (Yesterday 21:42:30)
No — with Ansible you cannot get a single polkit prompt for the whole playbook, even with AUTH_ADMIN_KEEP. This is expected behavior.
Why:
AUTH_ADMIN_KEEP is scoped to the polkit subject, and the subject is the unix process (PID), not the user, session, or playbook.
Ansible spawns a new process per task, so each task appears to polkit as a new subject and therefore requires a new authorization.
This is visible in the logs:
TEMPORARY authorization … for unix-process:<pid>
Each task has a different PID, so the temporary authorization is not reused.
When running commands manually in a shell, they share the same process context, so the authorization is reused — hence the difference in behavior.
The April 2025 polkit changes do not alter this model; they improve cleanup and scoping but do not allow authorization reuse across different processes.
Conclusion:
This is not a misconfiguration of polkit rules and not a bug. It’s a consequence of Ansible’s execution model.
Workarounds:
Use Ansible privilege escalation (become: true with sudo) instead of polkit
Grant controlled access via sudoers (NOPASSWD for specific libvirt/systemctl commands)
Add the user to the libvirt group if appropriate
Avoid polkit for non-interactive automation
Polkit is designed for interactive authorization, not batch automation like Ansible.
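To check the answer's claim against your own journal, here is an added example (not from the thread, nor from polkit or Ansible) that parses polkitd's "TEMPORARY authorization" lines and groups them by the unix-process subject each grant was bound to. The sample lines are constructed in the format shown in the logs above; PIDs and process start times are illustrative, and the duplicate line with polkitd's own HH:MM:SS.mmm prefix is included because polkitd logs each grant twice.

```python
import re
from collections import defaultdict

# Constructed sample in the journal format polkitd uses on this page. PIDs and
# start times are illustrative; the last line is a non-grant event to skip.
SAMPLE_JOURNAL = """\
Dec 28 19:43:32 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11624:589301 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:32 foo-host polkitd[9706]: 19:43:32.081: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11624:589301 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:36 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11662:589962 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 19:43:40 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.libvirt.unix.manage for unix-process:11688:590448 [/usr/bin/python /usr/bin/ansible-playbook playbook.yml -i inventory_plugins -vvv] (owned by unix-user:foo-user)
Dec 28 22:28:17 foo-host polkitd[9706]: Operator of unix-session:2 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.systemd1.manage-units for unix-process:12001:601000 [systemctl start libvirtd.service] (owned by unix-user:foo-user)
Dec 28 19:43:41 foo-host polkitd[9706]: action=[Action id='org.libvirt.unix.manage']
"""

# One polkitd "TEMPORARY authorization" grant line. The subject is
# unix-process:<pid>:<start-time>, which is what AUTH_ADMIN_KEEP is scoped to.
GRANT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ polkitd\[\d+\]: "
    r"(?:\d\d:\d\d:\d\d\.\d+: )?"
    r"Operator of (?P<session>unix-session:\d+) successfully authenticated as "
    r"(?P<actor>unix-user:\S+) to gain TEMPORARY authorization for action "
    r"(?P<action>\S+) for (?P<subject>unix-process:\d+:\d+) \[(?P<cmd>[^\]]*)\] "
    r"\(owned by (?P<owner>unix-user:[^)]+)\)$"
)


def parse_grants(journal: str) -> list[dict]:
    """Return one record per distinct temporary authorization grant."""
    seen, grants = set(), []
    for line in journal.splitlines():
        m = GRANT_RE.match(line)
        if not m:
            continue  # other polkitd events are ignored
        rec = m.groupdict()
        # polkitd logs each grant twice; (subject, action) identifies one grant.
        key = (rec["subject"], rec["action"])
        if key not in seen:
            seen.add(key)
            grants.append(rec)
    return grants


def prompts_by_action(grants: list[dict]) -> dict[tuple, dict]:
    """Group grants by (session, owner, action) and count prompts answered
    versus distinct process subjects. Equal counts mean every prompt went to
    a fresh process, so no KEEP authorization was ever reused."""
    groups = defaultdict(list)
    for g in grants:
        groups[(g["session"], g["owner"], g["action"])].append(g)
    out = {}
    for key, recs in groups.items():
        subjects = {r["subject"] for r in recs}
        out[key] = {
            "prompts": len(recs),
            "distinct_subjects": len(subjects),
            "reused": len(subjects) < len(recs),
            "commands": sorted({r["cmd"] for r in recs}),
        }
    return out


def per_process_prompts(journal: str) -> list[tuple]:
    """(session, owner, action, prompts) for every action that prompted more
    than once with each prompt bound to a different process: the page's case."""
    return [
        (s, o, a, v["prompts"])
        for (s, o, a), v in prompts_by_action(parse_grants(journal)).items()
        if v["prompts"] > 1 and not v["reused"]
    ]
```

Feed it the polkitd lines from your journal instead of SAMPLE_JOURNAL; a group with three prompts and three distinct subjects is the per-task pattern from the logs above, while a shell that reuses one process shows one prompt for several actions.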
Moderator Note
Moving to System Administration