[
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15443307#comment-15443307
]
Bolke de Bruin commented on RANGER-980:
---------------------------------------
Ok. While I think you can just track the source system with a configurable uid,
I really wonder what happens now with multiple source authentication systems?
The username is unique to Ranger/Hadoop. Does every same username across the
different authentication systems now get the same permissions? I really hope
that is not the case (we dont use multiple source and I havent tried).
> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Attachments:
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them
> from Ranger's database if these users and groups do not exists anymore in the
> original source.
> So if you have for example a user called "bob" and bob leaves the company his
> access rights will continue to exist in Ranger. If a new employee comes in
> that is also "bob" he is immediately granted the same access as the previous
> employee. This creates security incidents.
> In a reasonable complex company it cannot be expected that another user
> administration is being taken care of, while deletion could and should happen
> automatically.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
