On 04/16/2014 09:56 AM, Justin Brown wrote:
...
> L: This is interesting, and I have a couple of questions on how this
> should work.
>
> 1) Is there an actual use-case when a tool actually would want to
> check status of a port without correcting it? It seems to me that any
> sort of is_port_open() call that returned False would be immediately
> followed by open_port(). If that's the case, then why not just roll
> them into one operation? There won't be any firewall reload if no
> modifications take place, so there's no cost to combining them. We
> could also find a middle ground where there's only one method with a
> default parameter open_port(..., auto_add=True).
I can imagine situations when we would want to see if a port is open in a
firewall and then ask user if he wants to automatically open it. In such cases,
2 separate calls would be indeed helpful.
> 2) Will these tools be executed as root? To query NM and FirewallD, I
> have to connect to the system bus, which by default, won't allow
> access from other users without additional authorization. If
> non-privileged users need to query the firewall configuration, I'll
> need to look at the DBus policy more closely.
In situations when we are about to manipulate ports, I think it is safe to
assume we are operating under root account. I think you can have this
assumption in your current code and do not deal with additional authorization
at this point.
We can think about this case when we need it.
>
> 3) Could you point me at a similar tool that has this check and modify
> behavior?
There are many situations in FreeIPA interactive wizards where we have a pattern
do_action = check_something()
if do_action:
do_something()
For example, ipa-adtrust-install is checking if there are any users without SID
assigned and if there are, it offers to run a task to add them.
Martin
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
