RHEL-35232

"flatpak list" takes a long time unregistering authentication agent when many users have X sessions


    • Bug
    • Resolution: Won't Do
    • rhel-9.4
    • polkit
    • Moderate
    • rhel-plumbers
    • ssg_core_services
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      On systems running a GUI where many users have an active GUI session (e.g. because of vncserver@<id>.service instances), executing flatpak list as a user (e.g. "root") can take up to several seconds.
      Digging into this, it appears that the call to the UnregisterAuthenticationAgent D-Bus operation at the end of the command is super costly from polkit's point of view.
      It makes polkit execute the /usr/bin/pkla-check-authorization command 4 times per active user with various arguments, as seen in the strace excerpt below for the currently connected "user5":

      30182 08:58:02.022773 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.bolt.enroll"], ["LANG=en_US.UTF-8
      30238 08:58:03.047509 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.packagekit.trigger-offline-update
      30250 08:58:03.266571 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.NetworkManager.network-control"],
      30314 08:58:04.425192 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.packagekit.trigger-offline-update
      

      These executions are done for all active users (+ "gdm" if nobody is connected on the display).

      Additionally, even though flatpak list returns after these executions have happened, the same executions are seen again. For example, executing the command with 30 active users (+ "gdm" greeter) leads to seeing 246 executions of /usr/bin/pkla-check-authorization:

      # grep -c " execve(" polkit_30users.strace
      246
      

      All those executions check group membership, which adds additional delays when sssd is enabled for example.

      This looks somewhat similar to Jira RHEL-28863, but I don't know if it has the same root cause.

      Clearly this is problematic since it brings a high load to the system for no evident value.

      I'm attaching straces of flatpak list and polkit backend showing the many executions of /usr/bin/pkla-check-authorization due to unregistering.

      Please provide the package NVR for which bug is seen:

      polkit-0.117-11.el9.x86_64
      flatpak-1.12.8-1.el9.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. Install a VM with 30GB memory in "Server with GUI" profile
      2. Start/configure sssd (this adds additional delay)
      3. Configure many users and start VNC sessions for those
        # for i in $(seq 1 30); do echo $i; useradd user$i; echo redhat | passwd --stdin user$i; done
        # for i in $(seq 1 30); do echo ":$i=user$i"; done >> /etc/tigervnc/vncserver.users
        # vncpasswd vncpasswd
        # for i in $(seq 1 30); do mkdir -p /home/user$i/.vnc && cp vncpasswd /home/user$i/.vnc/passwd && chown -R user$i:user$i /home/user$i/.vnc; done
        # for i in $(seq 1 30); do systemctl start vncserver@:$i; done
        
      4. Execute flatpak command
        # time flatpak list

      Expected results

      Almost no time

      Actual results

      real 0m1.212s (or more, depending on sssd) + high load

              jrybar@redhat.com Jan Rybar
              rhn-support-rmetrich Renaud Métrich
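A tally of the helper executions described in the report, per user and per action, as an added example (not part of the original report, nor code from polkit or flatpak). It reads strace output in the format of the excerpt above, including lines cut off mid-argument; the first four sample lines are the report's excerpt, the rest are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

HELPER = "/usr/bin/pkla-check-authorization"
LINE_RE = re.compile(r'^\s*\d+\s+(\d\d):(\d\d):(\d\d\.\d+)\s+execve\("'
                     + re.escape(HELPER) + r'",\s*\[(.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)("?)')  # value, closing quote ('' if cut off)

# Lines 1-4: excerpt from the report (cut off as posted). Lines 5-7: constructed.
SAMPLE = r'''
30182 08:58:02.022773 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.bolt.enroll"], ["LANG=en_US.UTF-8
30238 08:58:03.047509 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.packagekit.trigger-offline-update
30250 08:58:03.266571 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.NetworkManager.network-control"],
30314 08:58:04.425192 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "user5", "false", "true", "org.freedesktop.packagekit.trigger-offline-update
30320 08:58:04.600000 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "gdm", "false", "true", "org.freedesktop.bolt.enroll"], ["LANG=en_US.UTF-8"]) = 0
30321 08:58:04.700000 execve("/usr/bin/true", ["/usr/bin/true"], ["LANG=en_US.UTF-8"]) = 0
30322 08:58:04.900000 execve("/usr/bin/pkla-check-authorization", ["/usr/bin/pkla-check-authorization", "gdm", "false", "tr
'''

def _arg(args, i):
    """argv[i], with '...' appended if the line was cut inside it; None if absent."""
    if i >= len(args):
        return None
    value, quote = args[i]
    return value if quote else value + "..."

def parse(text):
    """One (seconds_since_midnight, user, action) record per helper execve."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other programs, blank lines, non-execve syscalls
        hh, mm, ss, rest = m.groups()
        args = ARG_RE.findall(rest.partition("]")[0])  # argv only, not the env array
        # Positions as seen in the excerpt: argv[1] is the user, argv[4] the action id.
        records.append((int(hh) * 3600 + int(mm) * 60 + float(ss),
                        _arg(args, 1), _arg(args, 4)))
    return records

def summarize(text):
    recs = parse(text)
    times = [r[0] for r in recs]
    return {"total": len(recs),
            "per_user": Counter(r[1] for r in recs),
            "per_action": Counter(r[2] for r in recs),
            "span_seconds": round(max(times) - min(times), 6) if recs else 0.0}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full capture such as the attached polkit strace, the per-user counts show whether the number of executions scales with the number of active sessions.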