[Freeipa-devel] Ipa-server-install Firewall Support

Dmitri Pal dpal at redhat.com
Thu Apr 17 00:33:02 UTC 2014

On 04/16/2014 08:39 AM, Martin Kosek wrote:
> On 04/16/2014 09:56 AM, Justin Brown wrote:
> ...
>> L: This is interesting, and I have a couple of questions on how this
>> should work.
>> 1) Is there an actual use-case when a tool actually would want to
>> check status of a port without correcting it? It seems to me that any
>> sort of is_port_open() call that returned False would be immediately
>> followed by open_port(). If that's the case, then why not just roll
>> them into one operation? There won't be any firewall reload if no
>> modifications take place, so there's no cost to combining them. We
>> could also find a middle ground where there's only one method with a
>> default parameter open_port(..., auto_add=True).
> I can imagine situations when we would want to see if a port is open in a
> firewall and then ask user if he wants to automatically open it. In such cases,
> 2 separate calls would be indeed helpful.
>> 2) Will these tools be executed as root? To query NM and FirewallD, I
>> have to connect to the system bus, which by default, won't allow
>> access from other users without additional authorization. If
>> non-privileged users need to query the firewall configuration, I'll
>> need to look at the DBus policy more closely.
> In situations when we are about to manipulate ports, I think it is safe to
> assume we are operating under root account. I think you can have this
> assumption in your current code and do not deal with additional authorization
> at this point.
> We can think about this case when we need it.
>> 3) Could you point me at a similar tool that has this check and modify
>> behavior?
> There are many situations in FreeIPA interactive wizards where we have a pattern
> do_action = check_something()
> if do_action:
>      do_something()
> For example, ipa-adtrust-install is checking if there are any users without SID
> assigned and if there are, it offers to run a task to add them.
> Martin
+1 on all
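The two API shapes discussed in this thread (a separate is_port_open() check versus a single open_port(..., auto_add=True)), plus the check-then-ask wizard pattern Martin describes, as an added example. This is not FreeIPA code and not the patch under review; it assumes firewalld's `firewall-cmd` CLI is available and that the tool runs as root, and the in-memory FakeFirewall backend is a constructed stand-in so the logic can be exercised without touching a real firewall.

```python
import os
import subprocess


class PortClosed(Exception):
    """Raised when a required port is closed and auto_add is False."""


class FirewallCmdBackend:
    """Talks to firewalld through the firewall-cmd CLI (runtime configuration only).

    Hypothetical helper: it assumes firewall-cmd is installed and that the caller
    is root, which is the assumption the thread settles on for port manipulation.
    """

    def __init__(self):
        if os.geteuid() != 0:
            raise PermissionError("firewall configuration requires root")

    def query_port(self, port, proto):
        # firewall-cmd --query-port exits 0 for "yes" and 1 for "no".
        result = subprocess.run(
            ["firewall-cmd", "--query-port", f"{port}/{proto}"],
            capture_output=True, text=True, check=False)
        return result.returncode == 0

    def add_port(self, port, proto):
        subprocess.run(
            ["firewall-cmd", "--add-port", f"{port}/{proto}"],
            capture_output=True, text=True, check=True)


class FakeFirewall:
    """Constructed in-memory backend used for offline demonstration and tests."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)
        self.add_calls = 0  # lets us prove no modification happens when nothing changes

    def query_port(self, port, proto):
        return (port, proto) in self.open_ports

    def add_port(self, port, proto):
        self.add_calls += 1
        self.open_ports.add((port, proto))


class FirewallPorts:
    """Port helper offering both call styles from the thread."""

    def __init__(self, backend=None):
        self.backend = backend if backend is not None else FirewallCmdBackend()

    def is_port_open(self, port, proto="tcp"):
        """Pure query: lets a wizard ask the user before changing anything."""
        return self.backend.query_port(port, proto)

    def open_port(self, port, proto="tcp", auto_add=True):
        """Check-and-fix in one call. Returns True only if the firewall was modified."""
        if self.is_port_open(port, proto):
            return False  # already open: no change, so no reload cost
        if not auto_add:
            raise PortClosed(f"{port}/{proto} is closed in the firewall")
        self.backend.add_port(port, proto)
        return True


def ensure_ports(fw, ports, confirm):
    """Interactive pattern: do_action = check_something(); if do_action: do_something().

    `confirm(port, proto)` returns True if the user agrees to open the port.
    Returns (opened, skipped) lists of (port, proto) tuples.
    """
    opened, skipped = [], []
    for port, proto in ports:
        if fw.is_port_open(port, proto):
            continue
        if confirm(port, proto):
            fw.open_port(port, proto)
            opened.append((port, proto))
        else:
            skipped.append((port, proto))
    return opened, skipped


if __name__ == "__main__":
    # Offline demonstration with the constructed backend; 389/tcp starts open.
    fw = FirewallPorts(FakeFirewall({(389, "tcp")}))
    ask = lambda port, proto: input(f"Open {port}/{proto}? [y/N] ").lower() == "y"
    print(ensure_ports(fw, [(389, "tcp"), (88, "tcp"), (88, "udp")], ask))
```

With a real system the same FirewallPorts object would be built with the default FirewallCmdBackend; only runtime rules are added here, so a permanent rule (`--permanent` plus a reload) would be a separate step.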