[
https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15504785#comment-15504785
]
Alexander Klimetschek edited comment on OAK-4825 at 9/20/16 11:56 PM:
----------------------------------------------------------------------
The implementation would have to do something along these lines:
* add configuration option on the DefaultSyncHandler {{disableUsers}} which is
false by default (= removal)
* disable users instead of removing them inside
[DefaultSyncContext.handleMissingIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L328-L332]
if {{disableUsers=true}}
* ensure users are re-enabled if they come back, do this in
[DefaultSyncContext.syncExternalIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L465-L470]
* (maybe something inside the [JMX bean
implementation|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java]
as well, for a consistent behavior regarding purging, not sure)
I am currently doing this in custom code, which is possible, but slightly ugly,
as I have to do the disabling in a custom batch sync code (alternatively copy
the logic from DefaultSyncContext.java completely and overwrite), and the
re-enabling in a custom SyncHandler that returns DefaultSyncContext and only
overwrites syncUser() with the re-enable logic. A custom DefaultSyncHandler
that works mostly the same means that you have to copy the entire
DefaultSyncConfigImpl for the configuration part, which is a bit suboptimal.
was (Author: alexander.klimetschek):
The implementation would have to do something along these lines:
* add configuration option on the DefaultSyncHandler {{disableUsers}} which is
false by default (= removal)
* disable users instead of removing them inside
[DefaultSyncContext.handleMissingIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L328-L332]
if {{disableUsers=true}}
* ensure users (and groups) are re-enabled if they come back, do this in
[DefaultSyncContext.syncExternalIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L465-L470]
(for both users and groups)
* (maybe something inside the [JMX bean
implementation|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java]
as well, for a consistent behavior regarding purging, not sure)
I am currently doing this in custom code, which is possible, but slightly ugly,
as I have to do the disabling in a custom batch sync code (alternatively copy
the logic from DefaultSyncContext.java completely and overwrite), and the
re-enabling in a custom SyncHandler that returns DefaultSyncContext and only
overwrites syncUser() with the re-enable logic. A custom DefaultSyncHandler
that works mostly the same means that you have to copy the entire
DefaultSyncConfigImpl for the configuration part, which is a bit suboptimal.
> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: Alexander Klimetschek
>
> The DefaultSyncHandler by default will remove (local) users when they are no
> longer active in the external system aka no longer provided by the
> ExternalIdentityProvider. It would be useful to have an option to _disable_
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the
> JCR and can't just delete it. Also, we have seen cases where the user is only
> temporarily removed from the external identity system (e.g. accidentally
> removed from group that maps them to the JCR system and quickly added back),
> where a full removal can do harm.
> (Note: There is an [option in the SyncContext
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
> to suppress purging, and the JMX sync commands such as
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
> "use" it. However, the JCR users look like "valid" users then locally. Even
> if the authentication is done completely through the IDP and will fail
> properly for these missing users, it can be difficult for other uses like
> administration, monitoring, other application code to detect that such a user
> is not active anymore.)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
