[
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15384957#comment-15384957
]
Don Bosco Durai commented on RANGER-980:
----------------------------------------
Just curious, what is the logic here? Are we deleting all users that were not
returned in the search string?
If we are doing that, then we have to be absolutely sure that are taking care
of human error. If an admin configures an incorrect LDAP filter, then
unintentionally, users might be deleted and removed from policies. This could
be a non-recoverable action.
> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Attachments:
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them
> from Ranger's database if these users and groups do not exists anymore in the
> original source.
> So if you have for example a user called "bob" and bob leaves the company his
> access rights will continue to exist in Ranger. If a new employee comes in
> that is also "bob" he is immediately granted the same access as the previous
> employee. This creates security incidents.
> In a reasonable complex company it cannot be expected that another user
> administration is being taken care of, while deletion could and should happen
> automatically.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
