Posted to dev@ranger.apache.org by ruoyu wang <ru...@sina.com> on 2016/07/06 02:57:46 UTC

Review Request 49684: RANGER-980 User sync does not delete users if they do not exist anymore

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49684/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Repository: ranger


Description
-------

Problem Statement :

usersync for all sources creates users and groups, but does not delete them from Ranger's database if these users and groups do not exist anymore in the original source.

So if you have, for example, a user called "bob" and bob leaves the company, his access rights will continue to exist in Ranger. If a new employee comes in who is also "bob", he is immediately granted the same access as the previous employee. This creates security incidents.

In a reasonably complex company it cannot be expected that another user administration is being taken care of, while deletion could and should happen automatically.

Proposed Solution :
1. compare user in unix/ldap with user in ranger db
2. delete user which is in ranger db but not existing in unix/ldap anymore
3. the user to be deleted is an external user


Diffs
-----

  ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90 
  ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95 

Diff: https://reviews.apache.org/r/49684/diff/


Testing
-------

The user deleted in unix will be deleted in the ranger db, and on the ranger UI the deleted user is not showing up.


Thanks,

ruoyu wang


Re: Review Request 49684: RANGER-980 User sync does not delete users if they do not exist anymore

Posted by ruoyu wang <ru...@sina.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49684/
-----------------------------------------------------------

(Updated July 18, 2016, 8:10 a.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

updated code.


Bugs: RANGER-980
    https://issues.apache.org/jira/browse/RANGER-980


Repository: ranger


Description
-------

Problem Statement :

usersync for all sources creates users and groups, but does not delete them from Ranger's database if these users and groups do not exist anymore in the original source.

So if you have, for example, a user called "bob" and bob leaves the company, his access rights will continue to exist in Ranger. If a new employee comes in who is also "bob", he is immediately granted the same access as the previous employee. This creates security incidents.

In a reasonably complex company it cannot be expected that another user administration is being taken care of, while deletion could and should happen automatically.

Proposed Solution :
1. compare user in unix/ldap with user in ranger db
2. delete user which is in ranger db but not existing in unix/ldap anymore
3. the user to be deleted is an external user


Diffs (updated)
-----

  ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java c3adcd8 
  ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java e41bb68 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90 
  ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95 

Diff: https://reviews.apache.org/r/49684/diff/


Testing
-------

The user deleted in unix will be deleted in the ranger db, and on the ranger UI the deleted user is not showing up.


Thanks,

ruoyu wang


Re: Review Request 49684: RANGER-980 User sync does not delete users if they do not exist anymore

Posted by ruoyu wang <ru...@sina.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49684/
-----------------------------------------------------------

(Updated July 6, 2016, 3:01 a.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-980
    https://issues.apache.org/jira/browse/RANGER-980


Repository: ranger


Description
-------

Problem Statement :

usersync for all sources creates users and groups, but does not delete them from Ranger's database if these users and groups do not exist anymore in the original source.

So if you have, for example, a user called "bob" and bob leaves the company, his access rights will continue to exist in Ranger. If a new employee comes in who is also "bob", he is immediately granted the same access as the previous employee. This creates security incidents.

In a reasonably complex company it cannot be expected that another user administration is being taken care of, while deletion could and should happen automatically.

Proposed Solution :
1. compare user in unix/ldap with user in ranger db
2. delete user which is in ranger db but not existing in unix/ldap anymore
3. the user to be deleted is an external user


Diffs
-----

  ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90 
  ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95 

Diff: https://reviews.apache.org/r/49684/diff/


Testing
-------

The user deleted in unix will be deleted in the ranger db, and on the ranger UI the deleted user is not showing up.


Thanks,

ruoyu wang
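The three-step reconciliation proposed in this thread (compare the source user list with the Ranger DB, delete what is missing from the source, but only if it is an external user) as a stand-alone Java example. This is added illustration, not code from the Ranger patch under review: the `RangerUser` type, the `external` flag and the `usersToDelete` method are assumed names, and the refusal to act on an empty source list is an extra safeguard that the review request itself does not mention.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example (not Ranger's own code): the stale-user reconciliation
// described in RANGER-980. RangerUser, external and usersToDelete are
// hypothetical names chosen for illustration, not Ranger's API.
public class StaleUserReconciler {

    /** Minimal stand-in for a user record in the Ranger DB (hypothetical type). */
    static final class RangerUser {
        final String name;
        final boolean external;   // true when the account was created by usersync

        RangerUser(String name, boolean external) {
            this.name = name;
            this.external = external;
        }
    }

    /**
     * Steps 1-3 of the proposal: compare the unix/ldap user set with the Ranger DB
     * and return the external users that no longer exist in the source.
     * Internal (portal-created) users are never returned, so an admin account
     * created in the Ranger UI cannot be removed by a sync run.
     */
    static List<String> usersToDelete(Set<String> sourceUsers, List<RangerUser> rangerUsers) {
        if (sourceUsers.isEmpty()) {
            // Safeguard (assumption, not from the review request): an empty source
            // list almost always means the unix/ldap lookup failed, and deleting
            // every external user on that basis would be worse than skipping a run.
            throw new IllegalStateException("source returned no users; refusing to delete anything");
        }
        List<String> stale = new ArrayList<>();
        for (RangerUser u : rangerUsers) {
            // Delete only users that are (a) external and (b) absent from the source.
            if (u.external && !sourceUsers.contains(u.name)) {
                stale.add(u.name);
            }
        }
        return stale;
    }

    public static void main(String[] args) {
        // Constructed sample data: "bob" has left the company, "alice" and "carol"
        // still exist in the source, and "admin" is an internal portal user that
        // must survive regardless of what the source reports.
        Set<String> source = new HashSet<>(List.of("alice", "carol"));
        List<RangerUser> inRanger = List.of(
            new RangerUser("alice", true),
            new RangerUser("bob", true),
            new RangerUser("carol", true),
            new RangerUser("admin", false));

        System.out.println("external users to delete: " + usersToDelete(source, inRanger));

        // Simulated failed lookup: the safeguard refuses rather than wiping all users.
        try {
            usersToDelete(new HashSet<>(), inRanger);
        } catch (IllegalStateException e) {
            System.out.println("skipped run: " + e.getMessage());
        }
    }
}
```

The external-only filter is what makes the automatic deletion safe to run unattended: usersync should only ever retract accounts it created itself. Removing the stale "bob" promptly is what closes the name-reuse problem described above, since a later "bob" from the source is then created as a fresh user with no inherited policies.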