Fedora Server Role D-BUS API Design Discussion
Stephen Gallagher
sgallagh at redhat.com
Wed Mar 26 17:10:45 UTC 2014
On 03/25/2014 06:54 PM, Miloslav Trmač wrote:
> 2014-03-25 18:29 GMT+01:00 Stephen Gallagher
> <sgallagh at redhat.com>:
>> We also want this interface to have an association with the Role
>> object in the system, so that a client such as Cockpit can easily
>> query a Role for "What ports do you need and on which interfaces
>> can that port be reached?" Furthermore, we want there to be a
>> mechanism to apply a set of very simple changes.
> <snip>
>> Also, in cases where a Role might require more than one port
>> (such as the Domain Controller) I might also want to only allow a
>> subset of the Role's ports access on a particular interface.
>
> I think this really should be "a pre-designed subset", not
> "arbitrary subset"; once the user starts listing port numbers, the
> connection with the role starts becoming tenuous. It would be
> reasonable for some roles to provide a consistent set of ports (e.g.
> "company-visible public data" vs. "DHCP and PXE and tftp server to
> be restricted to a specific interface"), but we shouldn't need
> arbitrary subsets that don't make sense (say, enabling cups
> announcing itself over avahi while preventing access to the IPP
> service).
>
> IPA might be a "worst-case" situation; if IPA can only live with
> pre-designed subsets of ports, probably everything can.
Good point. I could get on board with that.