ranger-dev mailing list archives

From "Don Bosco Durai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-980) User sync does not delete users if they do not exist anymore
Date Sun, 28 Aug 2016 15:36:20 GMT

    [ https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15443626#comment-15443626 ]

Don Bosco Durai commented on RANGER-980:
----------------------------------------

Going through the discussion, can I suggest a couple of options?

Option 1:
1. Store the uid or DN along with the username.
2. When the username is not synchronized (missing), then do an explicit lookup to see if the user is really deleted from the source system. If the user is not found, then we can optionally delete it from Ranger.

Option 2:
1. Store the uid or DN along with the username.
2. When the same username comes again, but with a different uid/DN, then remove all the policies for the previous uid/DN.

Both options require storing the uid/DN or some sort of unique ID from the source system.

My preference would be Option #2, because we can retain the policies. If the user is removed from the source system, then the user can't authenticate. So it won't be a major issue.

If we go by Option #1, we can use a configurable property to decide whether to delete, or even to delete only after a certain expiry period.


> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
>                 Key: RANGER-980
>                 URL: https://issues.apache.org/jira/browse/RANGER-980
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 0.6.0, 0.5.3
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch, RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them from Ranger's database if these users and groups do not exist anymore in the original source.
> So if you have, for example, a user called "bob" and bob leaves the company, his access rights will continue to exist in Ranger. If a new employee comes in who is also "bob", he is immediately granted the same access as the previous employee. This creates security incidents.
> In a reasonably complex company it cannot be expected that another user administration is being taken care of, while deletion could and should happen automatically.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
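The two options in the comment above, worked through as an added example; this is not Ranger's usersync code or anything from the JIRA thread. It uses an in-memory stand-in for the synced-user table (the `UserStore`, `SyncedUser`, `sync`, `grant` and `run_scenario` names are all constructed), keys each user on an opaque source identifier (`src-0001`, `src-0002`: constructed stand-ins for a uid, DN or objectGUID), implements Option 2 (same username, new identity: drop the old policies) on the in-sync path, and Option 1 (explicit lookup by source id, then delete only after a configurable grace period) on the missing-user path, so the "second bob inherits the first bob's access" problem from the issue description does not occur.

```python
"""Reconciling synced users on a source identifier instead of the bare username.

Constructed example; not Apache Ranger code. Models Option 1 and Option 2
from the RANGER-980 comment with an in-memory store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class SyncedUser:
    name: str
    source_id: str                      # uid / DN / objectGUID from the source system
    policies: set = field(default_factory=set)
    missing_since: Optional[datetime] = None


class UserStore:
    """In-memory stand-in for the synced-user table (constructed, not Ranger's schema)."""

    def __init__(self, expiry: timedelta, delete_missing: bool = True):
        self.users: dict[str, SyncedUser] = {}   # keyed by username, as today
        self.expiry = expiry                      # grace period before a missing user is deleted
        self.delete_missing = delete_missing      # the "configurable property" from Option 1
        self.audit: list[str] = []

    def grant(self, name: str, policy: str) -> None:
        self.users[name].policies.add(policy)

    def sync(self, source: dict[str, str], now: datetime,
             lookup: Callable[[str], bool]) -> None:
        """source: username -> source id as seen in this sync run.
        lookup:  explicit check whether a source id still exists upstream."""
        # Option 2: same username but a different source id means a different
        # person; every policy attached to the previous identity is dropped.
        for name, sid in source.items():
            user = self.users.get(name)
            if user is None:
                self.users[name] = SyncedUser(name, sid)
                self.audit.append(f"created {name} [{sid}]")
            elif user.source_id != sid:
                self.audit.append(f"{name} re-identified {user.source_id} -> {sid}; "
                                  f"dropped {len(user.policies)} policies")
                user.policies.clear()
                user.source_id = sid
            self.users[name].missing_since = None
        # Option 1: username absent from this run -> confirm with an explicit
        # lookup by source id, then delete only once the grace period has passed.
        for name, user in list(self.users.items()):
            if name in source:
                continue
            if lookup(user.source_id):
                user.missing_since = None         # transient gap; identity still exists
                continue
            if user.missing_since is None:
                user.missing_since = now
                self.audit.append(f"{name} [{user.source_id}] not found in source")
            elif self.delete_missing and now - user.missing_since >= self.expiry:
                del self.users[name]
                self.audit.append(f"deleted {name} [{user.source_id}] after grace period")


def run_scenario() -> dict:
    """Constructed timeline: bob leaves, a new bob arrives 41 days later."""
    t0 = datetime(2016, 8, 28)
    gone = lambda sid: False                       # upstream confirms the id no longer exists
    store = UserStore(expiry=timedelta(days=30))
    store.sync({"bob": "src-0001"}, t0, gone)
    store.grant("bob", "hdfs:/finance:read")
    store.sync({}, t0 + timedelta(days=1), gone)   # bob missing, still inside grace period
    kept_during_grace = ("bob" in store.users
                         and store.users["bob"].policies == {"hdfs:/finance:read"})
    store.sync({}, t0 + timedelta(days=40), gone)  # grace period over
    deleted_after_grace = "bob" not in store.users
    store.sync({"bob": "src-0002"}, t0 + timedelta(days=41), gone)  # new employee, same name
    new_bob_policies = set(store.users["bob"].policies)

    # Option 2 on its own: identity changes while the username stays and deletion is off.
    store2 = UserStore(expiry=timedelta(days=30), delete_missing=False)
    store2.sync({"bob": "src-0001"}, t0, gone)
    store2.grant("bob", "hive:finance.*:select")
    store2.sync({"bob": "src-0002"}, t0 + timedelta(days=1), gone)
    return {
        "kept_during_grace": kept_during_grace,
        "deleted_after_grace": deleted_after_grace,
        "new_bob_policies": new_bob_policies,
        "option2_policies": set(store2.users["bob"].policies),
        "option2_source_id": store2.users["bob"].source_id,
        "audit": store.audit + store2.audit,
    }


if __name__ == "__main__":
    for line in run_scenario()["audit"]:
        print(line)
```

The audit list is the part a defender would keep: every re-identification and every deletion after the grace period is an event worth alerting on, since both mean someone's effective access changed without a policy edit.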
