[
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15439721#comment-15439721
]
Yan commented on RANGER-980:
----------------------------
The namesake confusion is what I feared about as well. Disabling a user won't
solve the problem but will prevent a ghost user (to a degree) from being dealt
with.
Introducing a uid would change the key of the user management and cause other
confusions. For instance two users with the same name but different uids may
coexist in Ranger.
I think a configurable, provider-specific boolean controlling the sync of
absent users, as mentioned as the first option in my last comment, might be a
feasible solution.
> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Attachments:
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them
> from Ranger's database if these users and groups do not exists anymore in the
> original source.
> So if you have for example a user called "bob" and bob leaves the company his
> access rights will continue to exist in Ranger. If a new employee comes in
> that is also "bob" he is immediately granted the same access as the previous
> employee. This creates security incidents.
> In a reasonable complex company it cannot be expected that another user
> administration is being taken care of, while deletion could and should happen
> automatically.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
