[
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15443842#comment-15443842
]
Yan commented on RANGER-980:
----------------------------
Sound good to me. One observation I'd like to mention is the need to keep the
user name as the primary key, which implies, e.g., if two users with the same
user name but different UIDs are synced to Ranger, some resolution measure is
needed. With the introduction of PAM(Ranger-842), it's more likely to see
multiple sources besides the existing two (internal/external) sources. There is
a jira (Ranger-1102) already on the external/internal name conflict resolution.
> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Priority: Critical
> Labels: security
> Attachments:
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch,
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them
> from Ranger's database if these users and groups do not exists anymore in the
> original source.
> So if you have for example a user called "bob" and bob leaves the company his
> access rights will continue to exist in Ranger. If a new employee comes in
> that is also "bob" he is immediately granted the same access as the previous
> employee. This creates security incidents.
> In a reasonable complex company it cannot be expected that another user
> administration is being taken care of, while deletion could and should happen
> automatically.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
