[Freeipa-devel] [PATCH 0049] Add support for protected tokens

Dmitri Pal dpal at redhat.com
Tue May 6 15:27:29 UTC 2014


On 05/06/2014 11:08 AM, Nathaniel McCallum wrote:
> On Tue, 2014-05-06 at 09:49 -0400, Nathaniel McCallum wrote:
>> On Mon, 2014-05-05 at 12:42 -0400, Nathaniel McCallum wrote:
>>> This also constitutes a rethinking of the token ACIs after the
>>> introduction of SELFDN support.
>>>
>>> Admins, as before, have full access to all token permissions.
>>>
>>> Normal users have read/search/compare access to all of the non-secret
>>> data for tokens assigned to them, whether protected or non-protected.
>>> Users can add or delete non-protected tokens and modify most of their
>>> metadata. However they cannot create, delete or modify protected tokens.
>>> Regardless of whether the token is protected or not, users cannot change
>>> a token's ownership or unique identity.
>>>
>>> In contrast, admins can create protected tokens. This protects the token
>>> from deletion or modification when assigned to users. Additionally, when
>>> a user account is deleted, the assigned non-protected tokens are deleted
>>> but the protected tokens are merely orphaned. This permits the token to
>>> be reassigned without having to recreate it. This last point is
>>> particularly useful in the case of hardware tokens.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4228
>>>
>>> NOTE: This patch depends on my patch 0048.
>> This new version makes ipatokenDisabled visible for token owners. It is
>> also writable if the token is non-protected. This additionally fixes:
>>
>> https://fedorahosted.org/freeipa/ticket/4259
> This new version changes the way the default value of protected is set up
> in accordance with the changes made for the review of my patch 0048.2.
>
> Nathaniel

Have we recorded any new OIDs added as a part of this OTP cleanup in our OID registry?
If not we should collect all added attributes and make sure they are recorded.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
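The access rules Nathaniel describes above (admin vs. owner, protected vs. non-protected, read-only secrets, immutable ownership/identity, orphaning on user deletion) as an added, self-contained Python model; this is illustration only, not FreeIPA code or the ACIs in patch 0049, and the attribute names and the secret/metadata split are assumptions.

```python
"""Model of the token access rules described in the thread (not FreeIPA code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attribute classes are an assumption for this model; only ipatokenDisabled is named in the thread.
SECRET_ATTRS = {"ipatokenOTPkey"}                   # never readable by owners
IDENTITY_ATTRS = {"ipatokenUniqueID", "ipatokenOwner"}  # never writable by owners
METADATA_ATTRS = {"ipatokenDisabled", "description", "ipatokenNotAfter"}  # owner-writable if non-protected

@dataclass
class Token:
    uniqueid: str
    owner: Optional[str]
    protected: bool = False

def allowed(actor: str, is_admin: bool, op: str, token: Token, attr: Optional[str] = None) -> bool:
    """Decide whether actor may perform op ('read', 'add', 'delete', 'modify') on token."""
    if is_admin:
        return True                      # admins keep full access to all tokens
    if actor != token.owner:
        return False                     # users only reach tokens assigned to them
    if op == "read":
        return attr not in SECRET_ATTRS  # non-secret data only, protected or not
    if token.protected:
        return False                     # users cannot add/delete/modify protected tokens
    if op == "modify":
        return attr in METADATA_ATTRS    # metadata yes; ownership and unique identity never
    return op in {"add", "delete"}

def on_user_delete(user: str, tokens: List[Token]) -> Tuple[List[Token], List[Token]]:
    """Deleting a user removes their non-protected tokens and orphans the protected ones."""
    kept, deleted = [], []
    for t in tokens:
        if t.owner != user:
            kept.append(t)
        elif t.protected:
            kept.append(Token(t.uniqueid, None, True))  # orphaned, reassignable later
        else:
            deleted.append(t)
    return kept, deleted
```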
