[https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15439577#comment-15439577]
Bolke de Bruin edited comment on RANGER-980 at 8/26/16 7:02 PM:
----------------------------------------------------------------
Then what happens if the user gets added again (same username) but isn't the
original user (not the same uid)?
My suggestion would be, if you are really concerned about human error, to
remove the users after a configurable amount of time when they are not present
anymore at the sync source. This would give the admin some time to correct his
error.
What also can be done is to add the uid field to Ranger's DB and verify whether
the user name is still connected to the original uid, and remove the old one if
it isn't.
was (Author: bolke):
Then what happens if the user gets added again (same username) but isn't the
original user (not the same uid)?
My suggestion would be, if you are really concerned about human error, to
remove the users after a configurable amount of time when they are not present
anymore at the sync source. This would give the admin some time to correct his
error.
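The two mechanisms suggested in the comment above, a configurable grace period before a user that has vanished from the sync source is deleted, and a stored source uid so that a reused username is not silently attached to the old record, can be sketched as a single reconciliation pass. The following is an added example written for this page; it is not Ranger's usersync code. `UserStore`, `reconcile`, the `missing_since` field and the directory snapshots in the scenario functions are all constructed assumptions.

```python
"""Reconciliation sketch: sync-source snapshot vs. local user store (added example, not Ranger code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class SyncedUser:
    name: str
    uid: str                                  # stable identifier from the sync source (assumed available)
    missing_since: Optional[datetime] = None  # first sync at which the user was absent from the source


@dataclass
class UserStore:
    """Stand-in for the local user table; keyed by username like the original report describes."""
    users: Dict[str, SyncedUser] = field(default_factory=dict)


Event = Tuple[str, str]  # (what happened, username)


def reconcile(store: UserStore, source: Dict[str, str], now: datetime, grace: timedelta) -> List[Event]:
    """One sync run. `source` maps username -> uid as seen at the sync source right now."""
    events: List[Event] = []

    # Pass 1: everyone present at the source.
    for name, uid in source.items():
        current = store.users.get(name)
        if current is None:
            store.users[name] = SyncedUser(name, uid)
            events.append(("created", name))
        elif current.uid != uid:
            # Same username, different identity: never reuse the old record (and its rights).
            store.users[name] = SyncedUser(name, uid)
            events.append(("replaced", name))
        elif current.missing_since is not None:
            # Came back inside the grace window: admin error corrected, keep the record.
            current.missing_since = None
            events.append(("restored", name))

    # Pass 2: local records the source no longer knows about.
    for name in list(store.users):
        if name in source:
            continue
        current = store.users[name]
        if current.missing_since is None:
            current.missing_since = now           # start the grace clock
            events.append(("marked_missing", name))
        elif now - current.missing_since >= grace:
            del store.users[name]                 # grace expired: remove the stale account
            events.append(("deleted", name))
    return events


def run_scenario() -> List[List[Event]]:
    """Constructed timeline: bob leaves, grace expires, a different bob joins."""
    grace = timedelta(days=7)
    t0 = datetime(2016, 8, 26, 19, 0)
    store = UserStore()
    rounds: List[List[Event]] = []
    # day 0: bob (uid 1001) and alice are both in the directory
    rounds.append(reconcile(store, {"bob": "1001", "alice": "1002"}, t0, grace))
    # day 1: bob has left the company
    rounds.append(reconcile(store, {"alice": "1002"}, t0 + timedelta(days=1), grace))
    # day 3: still gone, inside the grace window -> nothing further happens
    rounds.append(reconcile(store, {"alice": "1002"}, t0 + timedelta(days=3), grace))
    # day 9: grace window expired -> the old bob record is removed
    rounds.append(reconcile(store, {"alice": "1002"}, t0 + timedelta(days=9), grace))
    # day 10: a new employee also called bob (uid 2002) -> fresh record, nothing inherited
    rounds.append(reconcile(store, {"alice": "1002", "bob": "2002"}, t0 + timedelta(days=10), grace))
    return rounds


def run_reuse_during_grace() -> Tuple[List[Event], str]:
    """Constructed edge case: the username is reused before the grace period has run out."""
    grace = timedelta(days=7)
    t0 = datetime(2016, 8, 26, 19, 0)
    store = UserStore()
    reconcile(store, {"bob": "1001"}, t0, grace)
    reconcile(store, {}, t0 + timedelta(days=1), grace)            # bob marked missing
    events = reconcile(store, {"bob": "2002"}, t0 + timedelta(days=2), grace)
    return events, store.users["bob"].uid


if __name__ == "__main__":
    for i, evs in enumerate(run_scenario()):
        print(f"round {i}: {evs}")
    print(run_reuse_during_grace())
```

The uid comparison is what closes the gap the comment points at: a grace period alone still lets a same-named newcomer inherit the stale record if they arrive before it is deleted, while the uid check replaces that record regardless of timing.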
> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Attachments:
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them
> from Ranger's database if these users and groups do not exist anymore in the
> original source.
> So if you have for example a user called "bob" and bob leaves the company, his
> access rights will continue to exist in Ranger. If a new employee comes in
> who is also "bob", he is immediately granted the same access as the previous
> employee. This creates security incidents.
> In a reasonably complex company it cannot be expected that another user
> administration is being taken care of, while deletion could and should happen
> automatically.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)