On 03/25/2014 06:54 PM, Miloslav Trmač wrote:
> 2014-03-25 18:29 GMT+01:00 Stephen Gallagher <sgallagh(a)redhat.com>:
>> We also want this interface to have an association with the Role
>> object in the system, so that a client such as Cockpit can easily
>> query a Role for "What ports do you need and on which interfaces
>> can that port be reached?" Furthermore, we want there to be a
>> mechanism to apply a set of very simple changes.
> <snip>
>> Also, in cases where a Role might require more than one port
>> (such as the Domain Controller) I might also want to only allow a
>> subset of the Role's ports access on a particular interface.
> I think this really should be "a pre-designed subset", not
> "arbitrary subset"; once the user starts listing port numbers, the
> connection with the role starts becoming tenuous. It would be
> reasonable for some roles to provide a consistent set of ports (e.g.
> "company-visible public data" vs. "DHCP and PXE and tftp server to
> be restricted to a specific interface"), but we shouldn't need
> arbitrary subsets that don't make sense (say, enabling cups
> announcing itself over avahi while preventing access to the IPP
> service).
> IPA might be a "worst-case" situation; if IPA can only live with
> pre-designed subsets of ports, probably everything can.
Good point. I could get on board with that.