jackrabbit-oak-issues mailing list archives

From Dominique Jäggi (JIRA) <j...@apache.org>
Subject [jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
Date Mon, 03 Oct 2016 07:59:20 GMT

    [ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15541826#comment-15541826

Dominique Jäggi commented on OAK-4825:

As discussed by phone with [~alexander.klimetschek], the removal and re-syncing of group memberships
upon enable/disable will not be part of the patch. It is the client's responsibility to filter
users by disabled status instead of having Oak remove group membership, upon which filtering
previously occurred in the requestor's application.

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>                 Key: OAK-4825
>                 URL: https://issues.apache.org/jira/browse/OAK-4825
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-4825-b.patch, OAK-4825-c.patch, OAK-4825-doc.patch, OAK-4825.patch
> The DefaultSyncHandler by default will remove (local) users when they are no longer active
> in the external system aka no longer provided by the ExternalIdentityProvider. It would be
> useful to have an option to _disable_ users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the JCR and can't
> just delete it. Also, we have seen cases where the user is only temporarily removed from the
> external identity system (e.g. accidentally removed from group that maps them to the JCR system
> and quickly added back), where a full removal can do unnecessary operations.
> (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
> to suppress purging completely, aka they won't be removed nor disabled, and the JMX sync commands
> such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
> "use" it. However, the JCR users look like "valid" users then locally. Even if the authentication
> is done completely through the IDP and will fail properly for these missing users, it can
> be difficult for other uses like administration, monitoring, other application code to detect
> that such a user is not active anymore.)
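The comment above moves the burden of honouring the disabled flag onto the application: once the sync handler disables instead of removes, group membership stays in place, so any code that derives entitlements from membership has to treat a disabled user as a non-member itself. The following helper is an added example written for this archive page, not code from the Oak project or from the issue's patches. It uses only the public Jackrabbit user-management API (JackrabbitSession, UserManager, Group, User.isDisabled()/getDisabledReason()); the class name ActiveMembership and its method names are assumptions, and it expects a JCR Session obtained from an Oak repository whose users were synchronised by the external-auth module.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Hypothetical client-side helper (not part of Oak): group membership is left
 * intact when a user is disabled, so entitlement checks must filter on the
 * disabled status themselves.
 */
public final class ActiveMembership {

    private ActiveMembership() {}

    /** IDs of the group's members that are users and are not disabled. */
    public static List<String> activeUserMembers(Session session, String groupId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable a = um.getAuthorizable(groupId);
        if (a == null || !a.isGroup()) {
            throw new IllegalArgumentException("not a group: " + groupId);
        }
        List<String> active = new ArrayList<>();
        // getMembers() resolves nested groups; skip group entries and disabled users.
        Iterator<Authorizable> it = ((Group) a).getMembers();
        while (it.hasNext()) {
            Authorizable m = it.next();
            if (m.isGroup()) {
                continue;
            }
            User u = (User) m;
            if (!u.isDisabled()) {
                active.add(u.getID());
            }
        }
        return active;
    }

    /**
     * Membership check for an authorization layer: a disabled user is never an
     * effective member, even though Group.isMember() still reports it.
     */
    public static boolean isActiveMember(Session session, String groupId, String userId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable g = um.getAuthorizable(groupId);
        Authorizable u = um.getAuthorizable(userId);
        if (g == null || !g.isGroup() || u == null || u.isGroup()) {
            return false;
        }
        if (((User) u).isDisabled()) {
            return false;
        }
        return ((Group) g).isMember(u);
    }

    /**
     * Status line for administration or monitoring: unlike a purge-suppressed
     * user that still looks "valid", a disabled user carries a visible reason.
     */
    public static String describeUser(Session session, String userId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable a = um.getAuthorizable(userId);
        if (a == null) {
            return userId + ": missing (removed by sync or never synced)";
        }
        if (a.isGroup()) {
            return userId + ": is a group";
        }
        User u = (User) a;
        if (u.isDisabled()) {
            return userId + ": disabled (" + u.getDisabledReason() + ")";
        }
        return userId + ": active";
    }
}
```

Callers that previously relied on the sync handler stripping memberships should switch every authorization decision to isActiveMember() or activeUserMembers(); checking Group.isMember() alone would keep granting access to an account that the external system no longer provides.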
