[jira] [Commented] (RANGER-980) User sync does not delete users if they do not exist anymore

Mon, 29 Aug 2016 11:47:38 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446726#comment-15446726
 ] 

Sailaja Polavarapu commented on RANGER-980:
-------------------------------------------

Currently x_portal_user contains more details about the user like first name, 
last name, login id, etc... and I think it is better to add uid or DN also to 
this table.
One quick question - Currently all the user/group attributes are configurable 
in ranger and Ranger syncs only the attributes that are configured. Does the 
new approach means that we always sync an extra attribute (UID or DN) without 
making it configurable? Currently we are already saving DN in memory in 
usersync for group membership computation. This info can be propagated to 
ranger admin as well if we are planning to save DN in the ranger DB. For unix 
based ldap servers anyway we recommend to configure uid as the username 
attribute in ranger. 

One more thing to point out is - currently when same user name is present in 
multiple OUs, we are overwriting the already sync'd user with the latest 
information. This ambiguity can be avoided by storing the DN information.

Thanks,
Sailaja.

> User sync does not delete users if they do not exist anymore
> ------------------------------------------------------------
>
>                 Key: RANGER-980
>                 URL: https://issues.apache.org/jira/browse/RANGER-980
>             Project: Ranger
>          Issue Type: Bug
>          Components: usersync
>    Affects Versions: 0.6.0, 0.5.3
>            Reporter: Bolke de Bruin
>            Priority: Critical
>              Labels: security
>         Attachments: 
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch, 
> RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them 
> from Ranger's database if these users and groups do not exists anymore in the 
> original source.
> So if you have for example a user called "bob" and bob leaves the company his 
> access rights will continue to exist in Ranger. If a new employee comes in 
> that is also "bob" he is immediately granted the same access as the previous 
> employee. This creates security incidents.
> In a reasonable complex company it cannot be expected that another user 
> administration is being taken care of, while deletion could and should happen 
> automatically.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to