Alexander Klimetschek commented on OAK-4825:

The implementation would have to do something along these lines:
* add configuration option on the DefaultSyncHandler {{disableUsers}} which is 
false by default (= removal)
* disable users instead of removing them inside 
 if {{disableUsers=true}}
* ensure users (and groups) are re-enabled if they come back, do this in 
 (for both users and groups)
* (maybe something inside the [JMX bean 
 as well, for a consistent behavior regarding purging, not sure)

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>                 Key: OAK-4825
>                 URL: https://issues.apache.org/jira/browse/OAK-4825
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
> The DefaultSyncHandler by default will remove of (local) users when they are 
> no longer active in the external system aka no longer provided by the 
> ExternalIdentityProvider. It would be useful to have an option to _disable_ 
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the 
> JCR and can't just delete it. Also, we have seen cases where the user is only 
> temporarily removed from the external identity system (e.g. accidentally 
> removed from group that maps them to the JCR system and quickly added back), 
> where a full removal can do harm.
> (Note: There is an [option in the SyncContext 
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
>  to suppress purging, and the JMX sync commands such as 
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
>  "use" it. However, the users look like "valid" users then. Even if the 
> authentication is done completely through the IDP and will fail properly for 
> these missing users, it can be difficult for other uses like administration, 
> monitoring, other application code to detect that such a user is not active 
> anymore.)

This message was sent by Atlassian JIRA

Reply via email to