[ 
https://issues.apache.org/jira/browse/RANGER-2601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036504#comment-17036504
 ] 

Yijun Wang edited comment on RANGER-2601 at 2/19/20 4:04 PM:
-------------------------------------------------------------

We are using Ranger 2.0.0 as well. Here's a use case based on what we observed:

We assign ROLE_ADMIN_AUDITOR to group1, where user1 was part of it. And user1 
just got removed from group1 in LDAP.

After a ldapsync, user1 is removed from group1 in Ranger. However, it remains 
in the ROLE_ADMIN_AUDITOR.

For security reasons, I think if user1 doesn't belong to any other group and 
isn't related to any policy, we should delete this user. If it belongs to 
another group, we should remove user1's role ROLE_ADMIN_AUDITOR which was 
assigned with group1, and assign the role that is associated with the other 
group. 


was (Author: yzw0060):
We are using Ranger 2.0.0 as well. Here's a use case based on what we observed:

We assign ROLE_ADMIN_AUDITOR to group1, where user1 was part of it. And user1 
just got removed from group1 in LDAP.

After a ldapsync, user1 is removed from group1 in Ranger. However, it remains 
in the ROLE_ADMIN_AUDITOR.

For security reasons, I think if user1 doesn't belong to any other group, we 
should delete this user. If it belongs to another group, we should remove 
user1's role ROLE_ADMIN_AUDITOR which was assigned with group1, and assign the 
role that is associated with the other group. 

> Rangerusersync does not remove users from groups
> ------------------------------------------------
>
>                 Key: RANGER-2601
>                 URL: https://issues.apache.org/jira/browse/RANGER-2601
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 2.0.0
>            Reporter: t oo
>            Priority: Major
>
> Usersync from LDAP. Remove a user from a group in LDAP. After next usersync 
> the user is still in the group.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
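
The reconciliation rule proposed in the comment above, worked through as an added example (not Apache Ranger code and not written by the commenter). The dict-of-sets data model, the function name `reconcile`, and the sample users, groups and the `ROLE_USER` mapping are assumptions constructed for illustration.

```python
# Added illustration; not Apache Ranger code. The data model is hypothetical.

def reconcile(user_groups, group_roles, user_roles, policy_users):
    """Plan role changes after an LDAP sync.

    user_groups  : user -> set of groups the user is in after the sync
    group_roles  : group -> role granted to members of that group
    user_roles   : user -> set of roles the user currently holds
    policy_users : users referenced directly by at least one policy
    Returns user -> {"delete": bool, "revoke": set, "grant": set}.
    """
    # Only roles that are handed out through groups are candidates for
    # revocation; a role nobody grants via a group is left untouched.
    group_granted = set(group_roles.values())
    plan = {}
    for user in sorted(user_roles):
        held = user_roles[user]
        groups = user_groups.get(user, set())
        entitled = {group_roles[g] for g in groups if g in group_roles}
        if not groups and user not in policy_users:
            # No remaining group and no policy reference: remove the user.
            plan[user] = {"delete": True, "revoke": set(held), "grant": set()}
            continue
        revoke = {r for r in held if r in group_granted and r not in entitled}
        grant = entitled - held
        if revoke or grant:
            plan[user] = {"delete": False, "revoke": revoke, "grant": grant}
    return plan


# Constructed sample state after the sync described in the comment.
GROUP_ROLES = {"group1": "ROLE_ADMIN_AUDITOR", "group2": "ROLE_USER"}
USER_ROLES = {
    "user1": {"ROLE_ADMIN_AUDITOR"},   # removed from group1 in LDAP
    "user2": {"ROLE_ADMIN_AUDITOR"},   # still a member of group1
    "user3": {"ROLE_ADMIN_AUDITOR"},   # moved from group1 to group2
}
USER_GROUPS = {"user1": set(), "user2": {"group1"}, "user3": {"group2"}}

if __name__ == "__main__":
    for user, action in reconcile(USER_GROUPS, GROUP_ROLES, USER_ROLES, set()).items():
        print(user, action)
```

A role that is both granted through a group and assigned directly cannot be told apart in this model, so it is revoked once the group entitlement is gone.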
