Posted to dev@ranger.apache.org by ruoyu wang <ru...@sina.com> on 2016/07/06 02:57:46 UTC
Review Request 49684: RANGER-980 User sync does not delete users if they do not exist anymore
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49684/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Repository: ranger
Description
-------
Problem Statement:
usersync for all sources creates users and groups, but does not delete them from Ranger's database if these users and groups do not exist anymore in the original source.
So if you have, for example, a user called "bob" and bob leaves the company, his access rights will continue to exist in Ranger. If a new employee comes in who is also "bob", he is immediately granted the same access as the previous employee. This creates security incidents.
In a reasonably complex company it cannot be expected that another user administration is being taken care of, while deletion could and should happen automatically.
Proposed Solution:
1. Compare the users in Unix/LDAP with the users in the Ranger DB.
2. Delete users which are in the Ranger DB but do not exist in Unix/LDAP anymore.
3. The user that is going to be deleted is an external user.
Diffs
-----
ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION
ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35
ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90
ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95
Diff: https://reviews.apache.org/r/49684/diff/
Testing
-------
The user deleted in Unix will be deleted in the Ranger DB, and on the Ranger UI the deleted user is not showing up.
Thanks,
ruoyu wang
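The three-step reconciliation in the proposed solution, as an added Python example that is not part of the review request or of Ranger's code. The user model, the external/internal marker, the passwd sample and the empty-source guard are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed markers; Ranger's real user-source values are not used here.
EXTERNAL = "external"   # account created by usersync from Unix/LDAP
INTERNAL = "internal"   # account created in Ranger Admin itself


@dataclass(frozen=True)
class RangerUser:
    name: str
    source: str


def users_from_passwd(text):
    """Extract login names from /etc/passwd-style lines (step 1: read the source)."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split(":", 1)[0])
    return names


def plan_deletions(ranger_users, source_users, min_source_size=1):
    """Steps 2 and 3: external Ranger users that no longer exist in the source.

    Internal users are never candidates, since usersync did not create them.
    If the source returned fewer than min_source_size accounts, the lookup is
    treated as failed (e.g. an LDAP outage) and nothing is deleted, so a
    transient error cannot wipe every synced account.
    """
    if len(source_users) < min_source_size:
        return []
    present = set(source_users)
    return sorted(u.name for u in ranger_users
                  if u.source == EXTERNAL and u.name not in present)


def apply_sync(ranger_users, source_users):
    """Return the Ranger user list after removing the planned deletions."""
    doomed = set(plan_deletions(ranger_users, source_users))
    return [u for u in ranger_users if u.name not in doomed]


# Constructed sample data: bob has left the company, carol is new.
RANGER_DB = [RangerUser("admin", INTERNAL), RangerUser("bob", EXTERNAL),
             RangerUser("alice", EXTERNAL), RangerUser("svc_report", INTERNAL)]
PASSWD_SAMPLE = "alice:x:1001:1001::/home/alice:/bin/bash\ncarol:x:1002:1002::/home/carol:/bin/bash\n"

if __name__ == "__main__":
    print(plan_deletions(RANGER_DB, users_from_passwd(PASSWD_SAMPLE)))  # ['bob']
```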
Re: Review Request 49684: RANGER-980 User sync does not delete users if they do not exist anymore
Posted by ruoyu wang <ru...@sina.com>.
(Updated July 18, 2016, 8:10 a.m.)
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated code.
Bugs: RANGER-980
https://issues.apache.org/jira/browse/RANGER-980
Repository: ranger
Diffs (updated)
-----
ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java c3adcd8
ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION
ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java e41bb68
ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35
ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90
ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95
Diff: https://reviews.apache.org/r/49684/diff/
Thanks,
ruoyu wang
Re: Review Request 49684: RANGER-980 User sync does not delete users if they do not exist anymore
Posted by ruoyu wang <ru...@sina.com>.
(Updated July 6, 2016, 3:01 a.m.)
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-980
https://issues.apache.org/jira/browse/RANGER-980
Repository: ranger
Diffs
-----
ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION
ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35
ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90
ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95
Diff: https://reviews.apache.org/r/49684/diff/
Thanks,
ruoyu wang