[
https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15505286#comment-15505286
]
Tobias Bocanegra commented on OAK-4825:
---------------------------------------
I like the idea:
{noformat}
/**
 * Controls the behavior for users that no longer exist on the external
 * provider. The default is to delete the repository users if they no longer
 * exist on the external provider. If set to true, they will be disabled
 * instead, and re-enabled once they appear again.
 */
boolean disableMissingUsers;
{noformat}
We could add a bit more flexibility and add an auto-purge time instead of just a flag, e.g.:
{noformat}
/**
 * Timespan (human notation) after which an externally deleted user is purged.
 * A user that is no longer available on the external provider will linger in
 * the repository as a disabled user until this expiration time has passed,
 * after which it will be deleted.
 * Use 0 to delete immediately, -1 to never delete.
 *
 * Example: "30d" will invalidate a no longer existing user and delete it after
 * 30 days.
 */
String userLingerTime;
{noformat}
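The linger semantics proposed above, worked through as an added example (not Oak code and not part of this comment): the class name, the "s/m/h/d" suffixes, the in-memory LocalUser store and the sample user set are all assumptions made for the demo; Oak's DefaultSyncHandler and UserManager are not used.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical illustration of a "userLingerTime" policy.
 * Not Oak code: the user store is a plain map, not Oak's UserManager.
 */
public final class LingerPolicyDemo {

    /** What a sync pass would do with one repository user. */
    public enum Action { KEEP, ENABLE, DISABLE, DELETE }

    /** Minimal stand-in for a synced repository user (constructed for the demo). */
    static final class LocalUser {
        final String id;
        Instant disabledSince;              // null while the user is enabled
        LocalUser(String id, Instant disabledSince) { this.id = id; this.disabledSince = disabledSince; }
        boolean isDisabled() { return disabledSince != null; }
    }

    /** Assumed human notation: a number followed by s, m, h or d. */
    private static final Pattern SPAN = Pattern.compile("(\\d+)\\s*([smhd])");

    /** null = never delete ("-1"); Duration.ZERO = delete immediately ("0"). */
    private final Duration linger;

    private LingerPolicyDemo(Duration linger) { this.linger = linger; }

    /** Parse "30d", "12h", "15m", "90s", "0" or "-1"; anything else is rejected. */
    public static LingerPolicyDemo parse(String spec) {
        String s = spec.trim();
        if (s.equals("-1")) return new LingerPolicyDemo(null);
        if (s.equals("0")) return new LingerPolicyDemo(Duration.ZERO);
        Matcher m = SPAN.matcher(s);
        if (!m.matches()) throw new IllegalArgumentException("invalid linger time: " + spec);
        long n = Long.parseLong(m.group(1));
        switch (m.group(2)) {
            case "s": return new LingerPolicyDemo(Duration.ofSeconds(n));
            case "m": return new LingerPolicyDemo(Duration.ofMinutes(n));
            case "h": return new LingerPolicyDemo(Duration.ofHours(n));
            default:  return new LingerPolicyDemo(Duration.ofDays(n));
        }
    }

    /** Decide the action for one local user given whether the IDP still reports it. */
    public Action decide(LocalUser u, boolean existsExternally, Instant now) {
        if (existsExternally) {
            return u.isDisabled() ? Action.ENABLE : Action.KEEP;    // reappeared: re-enable
        }
        if (linger != null && linger.isZero()) return Action.DELETE; // "0": purge right away
        if (!u.isDisabled()) return Action.DISABLE;                   // first seen missing
        if (linger == null) return Action.KEEP;                       // "-1": linger forever
        return now.isBefore(u.disabledSince.plus(linger)) ? Action.KEEP : Action.DELETE;
    }

    /** Run one sync pass and apply the decisions to the in-memory store. */
    public Map<String, Action> sync(Map<String, LocalUser> local, Set<String> external, Instant now) {
        Map<String, Action> result = new LinkedHashMap<>();
        List<String> toDelete = new ArrayList<>();
        for (LocalUser u : local.values()) {
            Action a = decide(u, external.contains(u.id), now);
            switch (a) {
                case ENABLE:  u.disabledSince = null; break;
                case DISABLE: u.disabledSince = now;  break;
                case DELETE:  toDelete.add(u.id);     break;
                default: break;
            }
            result.put(u.id, a);
        }
        toDelete.forEach(local::remove);
        return result;
    }

    public static void main(String[] args) {
        // Constructed scenario: one sync pass with a 30-day linger time.
        Instant now = Instant.parse("2016-09-20T00:00:00Z");
        Map<String, LocalUser> local = new LinkedHashMap<>();
        local.put("alice", new LocalUser("alice", null));                          // still on the IDP
        local.put("bob",   new LocalUser("bob",   now.minus(Duration.ofDays(10)))); // missing for 10 days
        local.put("carol", new LocalUser("carol", now.minus(Duration.ofDays(45)))); // missing for 45 days
        local.put("dave",  new LocalUser("dave",  null));                          // just vanished from the IDP
        local.put("erin",  new LocalUser("erin",  now.minus(Duration.ofDays(3))));  // was missing, is back
        Set<String> external = new HashSet<>(Arrays.asList("alice", "erin"));

        Map<String, Action> actions = LingerPolicyDemo.parse("30d").sync(local, external, now);
        actions.forEach((id, a) -> System.out.println(id + " -> " + a));
    }
}
```

The point of recording disabledSince on the user rather than a sync-wide timestamp is that the linger clock runs per user from the pass that first found it missing, so a user who is accidentally dropped from the IDP group and re-added within the window is simply re-enabled with its data intact, while one that stays missing past the window is purged on the next pass.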
> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: Alexander Klimetschek
>
> The DefaultSyncHandler by default will remove (local) users when they are no
> longer active in the external system aka no longer provided by the
> ExternalIdentityProvider. It would be useful to have an option to _disable_
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the
> JCR and can't just delete it. Also, we have seen cases where the user is only
> temporarily removed from the external identity system (e.g. accidentally
> removed from group that maps them to the JCR system and quickly added back),
> where a full removal can do harm.
> (Note: There is an [option in the SyncContext
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
> to suppress purging, and the JMX sync commands such as
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
> "use" it. However, the JCR users look like "valid" users then locally. Even
> if the authentication is done completely through the IDP and will fail
> properly for these missing users, it can be difficult for other uses like
> administration, monitoring, other application code to detect that such a user
> is not active anymore.)