[Freeipa-devel] [PATCH 0049] Add support for protected tokens

Nathaniel McCallum npmccallum at redhat.com
Tue May 6 15:08:59 UTC 2014


On Tue, 2014-05-06 at 09:49 -0400, Nathaniel McCallum wrote:
> On Mon, 2014-05-05 at 12:42 -0400, Nathaniel McCallum wrote:
> > This also constitutes a rethinking of the token ACIs after the
> > introduction of SELFDN support.
> > 
> > Admins, as before, have full access to all token permissions.
> > 
> > Normal users have read/search/compare access to all of the non-secret
> > data for tokens assigned to them, whether protected or non-protected.
> > Users can add or delete non-protected tokens and modify most of their
> > metadata. However, they cannot create, delete or modify protected tokens.
> > Regardless of whether the token is protected or not, users cannot change
> > a token's ownership or unique identity.
> > 
> > In contrast, admins can create protected tokens. This protects the token
> > from deletion or modification when assigned to users. Additionally, when
> > a user account is deleted, the assigned non-protected tokens are deleted
> > but the protected tokens are merely orphaned. This permits the token to
> > be reassigned without having to recreate it. This last point is
> > particularly useful in the case of hardware tokens.
> > 
> > https://fedorahosted.org/freeipa/ticket/4228
> > 
> > NOTE: This patch depends on my patch 0048.
> 
> This new version makes ipatokenDisabled visible for token owners. It is
> also writable if the token is non-protected. This additionally fixes:
> 
> https://fedorahosted.org/freeipa/ticket/4259

This new version changes the way the default value of protected is set up
in accordance with the changes made for the review of my patch 0048.2.

Nathaniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0049.2-Add-support-for-protected-tokens.patch
Type: text/x-patch
Size: 14434 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140506/08606c73/attachment.bin>
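The permission rules laid out in the message above (admin full access; owners read non-secret data; owners edit metadata of non-protected tokens only; no ownership or identity changes; protected tokens orphaned rather than deleted with their user) expressed as a small policy model. This is an added illustration, not the patch's ACIs or FreeIPA code; the attribute names apart from ipatokenDisabled are assumed for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute names other than ipatokenDisabled are assumptions for this model.
SECRET_ATTRS = {"ipatokenOTPkey"}
IDENTITY_ATTRS = {"ipatokenOwner", "ipatokenUniqueID"}

@dataclass
class Actor:
    name: str
    admin: bool = False

@dataclass
class Token:
    uid: str
    owner: Optional[str]
    protected: bool
    attrs: Dict[str, object] = field(default_factory=dict)

def is_owner(actor: Actor, token: Token) -> bool:
    return token.owner is not None and token.owner == actor.name

def can_read(actor: Actor, token: Token, attr: str) -> bool:
    # admins see everything; owners see only non-secret data of their own tokens
    return actor.admin or (is_owner(actor, token) and attr not in SECRET_ATTRS)

def can_modify(actor: Actor, token: Token, attr: str) -> bool:
    # owners may edit metadata of non-protected tokens, never ownership/identity or secrets
    if actor.admin:
        return True
    if not is_owner(actor, token) or token.protected:
        return False
    return attr not in IDENTITY_ATTRS and attr not in SECRET_ATTRS

def can_add_or_delete(actor: Actor, token: Token) -> bool:
    # users create/delete only their own non-protected tokens; admins any token
    return actor.admin or (is_owner(actor, token) and not token.protected)

def delete_user(username: str, tokens: List[Token]) -> List[Token]:
    # deleting a user removes their non-protected tokens and orphans protected ones
    remaining = []
    for t in tokens:
        if t.owner != username:
            remaining.append(t)
        elif t.protected:
            remaining.append(Token(t.uid, None, True, dict(t.attrs)))  # owner cleared
    return remaining
```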