ranger-dev mailing list archives

From "Bryan Bende (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-980) User sync does not delete users if they do not exist anymore
Date Wed, 18 May 2016 13:07:13 GMT

    [ https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15288921#comment-15288921 ]

Bryan Bende commented on RANGER-980:
------------------------------------

I suppose we could take all the users in Ranger that are "external" and compare them against
the source, and any that are not found could be removed? 

Would have to assume that only one external source was ever synced, although that is probably
true in most cases.

> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
>                 Key: RANGER-980
>                 URL: https://issues.apache.org/jira/browse/RANGER-980
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 0.6.0, 0.5.3
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: security
>
> usersync for all sources creates users and groups, but does not delete them from Ranger's database if these users and groups do not exist anymore in the original source.
> So if you have for example a user called "bob" and bob leaves the company his access rights will continue to exist in Ranger. If a new employee comes in that is also "bob" he is immediately granted the same access as the previous employee. This creates security incidents.
> In a reasonably complex company it cannot be expected that another user administration is being taken care of, while deletion could and should happen automatically.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
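
The comparison proposed in the comment above, as an added example that is not part of the original message and is not Ranger's code: it selects external users that the source no longer lists. The `SyncedUser` record, its `sync_source` tag (which scopes the comparison to one source, so the single-source assumption is not needed) and the `max_delete_ratio` guard are hypothetical names and assumptions introduced here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncedUser:
    """Hypothetical record shape for illustration; not Ranger's schema."""
    name: str
    external: bool      # True when the account was created by usersync
    sync_source: str    # assumed tag naming the source that created it


class ReconcileAborted(Exception):
    """Raised when a run would remove an implausible share of users."""


def find_stale_users(ranger_users, source_names, source_label,
                     max_delete_ratio=0.5):
    """Return external users from source_label that the source no longer lists.

    Internal users and users synced from other sources are never candidates,
    which removes the need to assume a single external source.
    """
    present = set(source_names)
    candidates = [u for u in ranger_users
                  if u.external and u.sync_source == source_label]
    stale = sorted(u.name for u in candidates if u.name not in present)
    # An empty or truncated source listing (failed query, paging error) must
    # not be read as "everyone left"; refuse instead of deleting in bulk.
    if candidates and len(stale) / len(candidates) > max_delete_ratio:
        raise ReconcileAborted(
            f"{len(stale)} of {len(candidates)} users missing from "
            f"{source_label}; refusing to delete")
    return stale


# Constructed sample data.
RANGER_USERS = [
    SyncedUser("admin", external=False, sync_source=""),
    SyncedUser("alice", external=True, sync_source="ldap"),
    SyncedUser("bob", external=True, sync_source="ldap"),
    SyncedUser("svc_etl", external=True, sync_source="unix"),
]
LDAP_NOW = ["alice", "carol"]   # bob has left; carol is new

if __name__ == "__main__":
    print(find_stale_users(RANGER_USERS, LDAP_NOW, "ldap"))  # ['bob']
```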
