Posted to oak-issues@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/09/19 21:47:22 UTC

[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

    [ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15504785#comment-15504785 ] 

Alexander Klimetschek commented on OAK-4825:
--------------------------------------------

The implementation would have to do something along these lines:
* add configuration option on the DefaultSyncHandler {{disableUsers}} which is false by default (= removal)
* disable users instead of removing them inside [DefaultSyncContext.handleMissingIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L328-L332] if {{disableUsers=true}}
* ensure users (and groups) are re-enabled if they come back, do this in [DefaultSyncContext.syncExternalIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L465-L470] (for both users and groups)
* (maybe something inside the [JMX bean implementation|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java] as well, for a consistent behavior regarding purging, not sure)

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
>                 Key: OAK-4825
>                 URL: https://issues.apache.org/jira/browse/OAK-4825
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
>
> The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system, aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from a group that maps them to the JCR system and quickly added back), where a full removal can do harm.
> (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the users look like "valid" users then. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.)
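The three implementation steps listed in the comment above (a {{disableUsers}} option, disabling in {{handleMissingIdentity()}}, re-enabling in {{syncExternalIdentity()}}), as an added, self-contained sketch that is not Oak code and not part of the ticket. The {{SyncConfig}}, {{LocalUser}} and {{LocalUserStore}} classes, the {{DISABLED_REASON}} string and the {{Set<String>}} standing in for the ExternalIdentityProvider are all assumptions made for the example; in Oak the corresponding calls on the synced user would be {{User.disable(String)}}, {{User.isDisabled()}} and {{Authorizable.remove()}}.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/*
 * Hypothetical stand-in for the "disable instead of remove" sync behaviour.
 * None of these classes exist in Oak; they model just enough of a local user
 * store and an external identity provider to show the decision logic.
 */
public class DisableInsteadOfRemoveSync {

    /** Sync handler configuration; disableUsers=false keeps today's removal behaviour. */
    static final class SyncConfig {
        final boolean disableUsers;
        SyncConfig(boolean disableUsers) { this.disableUsers = disableUsers; }
    }

    /** Minimal local (JCR-side) user: a null disabledReason means the user is enabled. */
    static final class LocalUser {
        final String id;
        String disabledReason;
        LocalUser(String id) { this.id = id; }
        boolean isDisabled() { return disabledReason != null; }
    }

    /** Toy local repository holding the synced users. */
    static final class LocalUserStore {
        final Map<String, LocalUser> users = new HashMap<>();
        LocalUser get(String id) { return users.get(id); }
        LocalUser getOrCreate(String id) { return users.computeIfAbsent(id, LocalUser::new); }
        void remove(String id) { users.remove(id); }
    }

    /** Reason string written by the sync, so that a later sync can tell its own disables apart. */
    static final String DISABLED_REASON = "missing in external identity provider";

    private final SyncConfig config;
    private final LocalUserStore store;
    private final Set<String> externalIds; // stand-in for the ExternalIdentityProvider

    DisableInsteadOfRemoveSync(SyncConfig config, LocalUserStore store, Set<String> externalIds) {
        this.config = config;
        this.store = store;
        this.externalIds = externalIds;
    }

    /** Step 2: a local user is no longer provided by the IDP. */
    void handleMissingIdentity(String id) {
        LocalUser user = store.get(id);
        if (user == null) {
            return;
        }
        if (config.disableUsers) {
            // Keep the node and its data; mark it so admins and monitoring can see it is inactive.
            if (!user.isDisabled()) {
                user.disabledReason = DISABLED_REASON;
            }
        } else {
            store.remove(id); // existing default: purge the local user
        }
    }

    /** Step 3: the identity is present in the IDP; re-enable if the sync itself disabled it. */
    void syncExternalIdentity(String id) {
        LocalUser user = store.getOrCreate(id);
        // Only undo a disable that this sync produced; an account disabled by an
        // administrator for another reason must not be silently re-activated.
        if (DISABLED_REASON.equals(user.disabledReason)) {
            user.disabledReason = null;
        }
    }

    /** One full sync pass: present identities first, then everything local that is missing externally. */
    void sync() {
        for (String id : externalIds) {
            syncExternalIdentity(id);
        }
        for (String id : new HashSet<>(store.users.keySet())) {
            if (!externalIds.contains(id)) {
                handleMissingIdentity(id);
            }
        }
    }

    public static void main(String[] args) {
        LocalUserStore store = new LocalUserStore();
        Set<String> external = new HashSet<>(Set.of("alice", "bob")); // constructed sample IDP content
        DisableInsteadOfRemoveSync sync = new DisableInsteadOfRemoveSync(new SyncConfig(true), store, external);

        sync.sync();
        System.out.println("after first sync, bob disabled: " + store.get("bob").isDisabled());   // false

        external.remove("bob");                  // bob temporarily drops out of the IDP
        sync.sync();
        System.out.println("bob disabled after removal: " + store.get("bob").isDisabled());       // true
        System.out.println("bob still present: " + (store.get("bob") != null));                  // true

        external.add("bob");                     // and comes back
        sync.sync();
        System.out.println("bob disabled after return: " + store.get("bob").isDisabled());        // false

        store.getOrCreate("carol").disabledReason = "locked by admin";  // admin-disabled, not by sync
        external.add("carol");
        sync.sync();
        System.out.println("carol still disabled: " + store.get("carol").isDisabled());           // true
    }
}
```

The reason string check in {{syncExternalIdentity()}} is the one design point worth carrying into a real implementation: without it, a sync run would re-enable any user the IDP knows about, including accounts an administrator disabled locally on purpose.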



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)