On 04/16/2014 09:56 AM, Justin Brown wrote:
...
> L: This is interesting, and I have a couple of questions on how this
> should work.
>
> 1) Is there an actual use-case when a tool actually would want to
> check status of a port without correcting it? It seems to me that any
> sort of is_port_open() call that returned False would be immediately
> followed by open_port(). If that's the case, then why not just roll
> them into one operation? There won't be any firewall reload if no
> modifications take place, so there's no cost to combining them. We
> could also find a middle ground where there's only one method with a
> default parameter open_port(..., auto_add=True).

I can imagine situations when we would want to see if a port is open in
a firewall and then ask the user if he wants to automatically open it. In
such cases, 2 separate calls would indeed be helpful.

> 2) Will these tools be executed as root? To query NM and FirewallD, I
> have to connect to the system bus, which by default, won't allow
> access from other users without additional authorization. If
> non-privileged users need to query the firewall configuration, I'll
> need to look at the DBus policy more closely.

In situations when we are about to manipulate ports, I think it is safe
to assume we are operating under the root account. I think you can have
this assumption in your current code and not deal with additional
authorization at this point. We can think about this case when we need it.

>
> 3) Could you point me at a similar tool that has this check and modify
> behavior?

There are many situations in FreeIPA interactive wizards where we have a
pattern

    do_action = check_something()
    if do_action:
        do_something()

For example, ipa-adtrust-install is checking if there are any users
without SID assigned and if there are, it offers to run a task to add them.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
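
The check / ask / modify pattern discussed in this thread, as an added example that is not part of the original message or of FreeIPA's code. FakeFirewall, ensure_ports and the confirm callback are hypothetical names; the class is an in-memory stand-in, not the firewalld D-Bus API, and the ports are constructed sample data.

```python
"""Added illustration: separate query and modify calls around a user prompt."""


class FakeFirewall:
    """In-memory stand-in for a firewall zone (hypothetical, not firewalld's API)."""

    def __init__(self, open_ports=()):
        self.ports = set(open_ports)   # {(port, protocol), ...}
        self.reloads = 0               # counts reloads caused by real changes

    def is_port_open(self, port, proto="tcp"):
        """Read-only query: never changes state, never reloads."""
        return (port, proto) in self.ports

    def open_port(self, port, proto="tcp"):
        """Idempotent modify: reloads only if the rule set actually changed."""
        if self.is_port_open(port, proto):
            return False
        self.ports.add((port, proto))
        self.reloads += 1
        return True


def ensure_ports(fw, wanted, confirm):
    """Wizard pattern: check first, ask the user, then modify.

    confirm(missing) -> bool is the interactive prompt (hypothetical callback).
    Returns the list of ports that were opened by this call.
    """
    missing = [p for p in wanted if not fw.is_port_open(*p)]
    if not missing or not confirm(missing):
        return []                      # nothing to do, or the user declined
    return [p for p in missing if fw.open_port(*p)]


if __name__ == "__main__":
    # Constructed sample: 443/tcp is already open; 88/tcp and 389/tcp are not.
    fw = FakeFirewall([(443, "tcp")])
    wanted = [(443, "tcp"), (88, "tcp"), (389, "tcp")]
    print(ensure_ports(fw, wanted, confirm=lambda m: False))  # user declines
    print(ensure_ports(fw, wanted, confirm=lambda m: True))   # user accepts
    print("reloads:", fw.reloads)
```

Keeping is_port_open() free of side effects is what lets the wizard show the user the missing ports before anything is changed.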