ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bolke de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-980) User sync does not delete users if they do not exist anymore
Date Mon, 29 Aug 2016 21:37:21 GMT

    [ https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15447114#comment-15447114
] 

Bolke de Bruin commented on RANGER-980:
---------------------------------------

Ok. I will add it to both. 

I'm not sure yet I have just started looking at the code and how it works. I guess Ranger
van work without the extra attribute. I will need to make it work anyway to account for upgrade
scenarios. 

However in case of LDAP I consider the uid (in other words the id that I need) to be the DN
as that is the only way to uniquely identify a user. 

The current approach is to remove permissions when it encounters a uid change. This will result
in issues in your scenario with a username being present in multiple OUs. I guess the only
way to work around that is to make the DN/uid required for syncing and to integrate it with
the user interface.  But then the username also needs to become the DN as Hadoop cannot make
that distinction otherwise (or you cannot use any of the underlying mechanisms like hdfs acls
- which we use). 

I take the simple approach first. Let's see how that works out

> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
>                 Key: RANGER-980
>                 URL: https://issues.apache.org/jira/browse/RANGER-980
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 0.6.0, 0.5.3
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them from Ranger's
database if these users and groups do not exists anymore in the original source.
> So if you have for example a user called "bob" and bob leaves the company his access
rights will continue to exist in Ranger. If a new employee comes in that is also "bob" he
is immediately granted the same access as the previous employee. This creates security incidents.
> In a reasonable complex company it cannot be expected that another user administration
is being taken care of, while deletion could and should happen automatically.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message