From: "Davide Giannella (JIRA)"
To: oak-issues@jackrabbit.apache.org
Reply-To: oak-dev@jackrabbit.apache.org
Date: Tue, 25 Oct 2016 10:20:58 +0000 (UTC)
Subject: [jira] [Closed] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davide Giannella closed OAK-4825.
---------------------------------

Bulk close for 1.4.9

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: Alexander Klimetschek
> Assignee: Dominique Jäggi
> Fix For: 1.6, 1.4.9
>
> Attachments: OAK-4825-b.patch, OAK-4825-c.patch, OAK-4825-doc.patch, OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do unnecessary operations.
> (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging completely, aka they won't be removed nor disabled, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users look like "valid" users then locally.
> Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)