[
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15441164#comment-15441164
]
Bolke de Bruin commented on RANGER-980:
---------------------------------------
I disagree. Ghost users remain in your suggestion; it is essentially the same as
the current situation.
If you take the uid not as primary key but take the username as primary (equal
to what it is now) but require the uid to be unique, it will be fine. E.g. user
bolke with uid 500 is removed. Now a new user bolke is added, but its uid is
501. This would mean a different user, and all current tokens / mappings for
username bolke should be removed.
With an expiry added this would solve all issues (database too large, outdated
users, administrative error, incorrect user security settings).
> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Attachments:
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them
> from Ranger's database if these users and groups do not exist anymore in the
> original source.
> So if you have for example a user called "bob" and bob leaves the company, his
> access rights will continue to exist in Ranger. If a new employee comes in
> that is also "bob", he is immediately granted the same access as the previous
> employee. This creates security incidents.
> In a reasonably complex company it cannot be expected that another user
> administration is being taken care of, while deletion could and should happen
> automatically.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
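The reconciliation rule proposed in the comment above (username as primary key, uid required to be unique, mappings dropped when the uid behind a username changes, and users missing from the source deleted after an expiry window), written out as an added example in Python; this is illustration code, not Ranger's usersync, and the `RangerUser` record, the `reconcile` function and the sample users are assumptions constructed for it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class RangerUser:
    name: str            # primary key, as Ranger uses it today
    uid: int             # must stay unique across the user table
    last_seen: datetime  # last sync run in which the source still listed this user
    mappings: set = field(default_factory=set)  # group / policy mappings (constructed)

def reconcile(ranger, source, now, expiry):
    """Return (new user table, actions). ranger: {name: RangerUser};
    source: {name: uid} as reported by the sync source on this run."""
    actions, updated = [], {}
    for name, uid in source.items():
        known = ranger.get(name)
        if known is not None and known.uid == uid:
            # same account still present: keep its rights, refresh the timestamp
            updated[name] = RangerUser(name, uid, now, set(known.mappings))
            continue
        if known is not None:
            actions.append(f"{name}: uid {known.uid}->{uid}, mappings dropped")
        else:
            actions.append(f"{name}: new user uid {uid}")
        updated[name] = RangerUser(name, uid, now)  # a different person: no rights
    for name, known in ranger.items():
        if name in source:
            continue
        if now - known.last_seen > expiry:
            actions.append(f"{name}: expired, deleted with {len(known.mappings)} mapping(s)")
        else:  # missing from the source but still inside the grace window
            updated[name] = known
            actions.append(f"{name}: missing from source, kept until expiry")
    seen = {}
    for user in updated.values():  # uid must be unique across the whole table
        if user.uid in seen:
            raise ValueError(f"uid {user.uid} shared by {seen[user.uid]} and {user.name}")
        seen[user.uid] = user.name
    return updated, actions

def demo():
    now, day = datetime(2016, 8, 28), timedelta(days=1)
    ranger = {  # constructed Ranger state before the sync run
        "bolke": RangerUser("bolke", 500, now - day, {"hdfs-admin"}),
        "alice": RangerUser("alice", 600, now - 40 * day, {"hive-read"}),
        "carol": RangerUser("carol", 700, now - 2 * day, {"kafka-publish"}),
    }
    source = {"bolke": 501, "dave": 800}  # constructed: bolke re-created, alice/carol gone
    return reconcile(ranger, source, now, expiry=30 * day)
```

Running `demo()` shows the re-created bolke (uid 501) keeping none of the old bolke's mappings, alice deleted after 40 days absent, carol retained inside the 30-day window, and dave added with no rights.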