-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49684/
-----------------------------------------------------------

(Updated July 18, 2016, 8:10 a.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

updated code.


Bugs: RANGER-980
    https://issues.apache.org/jira/browse/RANGER-980


Repository: ranger


Description
-------

Problem Statement:

usersync for all sources creates users and groups, but does not delete them 
from Ranger's database if these users and groups do not exist anymore in the 
original source.

So if you have, for example, a user called "bob" and bob leaves the company, 
his access rights will continue to exist in Ranger. If a new employee comes in 
who is also "bob", he is immediately granted the same access as the previous 
employee. This creates security incidents.

In a reasonably complex company it cannot be expected that another user 
administration is being taken care of, while deletion could and should happen 
automatically.

Proposed Solution:
1. compare user in unix/ldap with user in ranger db
2. delete user which is in ranger db but not existing in unix/ldap anymore
3. the user that is going to be deleted is an external user


Diffs (updated)
-----

  ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java c3adcd8 
  ugsync/src/main/java/org/apache/ranger/unixusersync/model/XPortalUserInfo.java PRE-CREATION 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java e41bb68 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 0c62b35 
  ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java c71bc90 
  ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 9ee6d95 

Diff: https://reviews.apache.org/r/49684/diff/


Testing
-------

The user deleted in unix will be deleted in the ranger db,
and on the ranger UI the deleted user is not showing up.


Thanks,

ruoyu wang
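
The three steps of the proposed solution, as an added example that is not part of the review request or of Ranger's code. The RangerUser record, findStaleUsers and the sample names are hypothetical, and the refusal to act on an empty source snapshot is an added assumption about how a failed unix/ldap read should be handled.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class StaleUserReconciler {
    // Hypothetical view of a user row in the Ranger DB; not Ranger's own model class.
    // "external" means the user was created by usersync rather than in Ranger itself.
    record RangerUser(String name, boolean external) {}

    /**
     * Step 1: compare the source (unix/ldap) snapshot with the Ranger DB users.
     * Step 2: select users that are in the DB but no longer in the source.
     * Step 3: only external users qualify; internal users are never returned.
     */
    static List<String> findStaleUsers(Set<String> sourceUsers,
                                       Collection<RangerUser> rangerUsers) {
        // Added safeguard (assumption, not from the review request): an empty
        // snapshot is treated as a failed source read, not as "everyone left",
        // so a directory outage cannot wipe every synced account.
        if (sourceUsers.isEmpty()) {
            throw new IllegalStateException("source returned no users; refusing to delete");
        }
        List<String> stale = new ArrayList<>();
        for (RangerUser u : rangerUsers) {
            if (u.external() && !sourceUsers.contains(u.name())) {
                stale.add(u.name());
            }
        }
        Collections.sort(stale); // deterministic order for audit logging
        return stale;
    }

    public static void main(String[] args) {
        // Constructed sample data: bob has left, admin was created inside Ranger.
        Set<String> source = Set.of("alice", "carol");
        List<RangerUser> db = List.of(
                new RangerUser("alice", true),
                new RangerUser("bob", true),
                new RangerUser("admin", false));
        System.out.println("to delete: " + findStaleUsers(source, db));
    }
}
```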
