[ 
https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15508305#comment-15508305
 ] 

Alexander Klimetschek edited comment on OAK-4825 at 9/21/16 12:59 AM:
----------------------------------------------------------------------

Attached a possible patch (alternatively [on github 
fork|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9]).

Some smaller questions:
* does it need a new {{SyncResult.Status.DISABLE}} instead of 
{{SyncResult.Status.DELETE}}?
* does it need more test cases 
([testSyncDisabledUserById()|https://github.com/alexkli/jackrabbit-oak/blob/49e48c43f4499d0eb29edca81f9e0a511450c9e9/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java#L388-L419]
 added in the patch covers disable and re-enable)?

Note: this change can be backported to the (current) 1.4 branch (a git 
cherry-pick worked fine).


was (Author: alexander.klimetschek):
Attached a possible patch (alternatively [on github 
fork|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9]).

Some smaller questions:
* does it need a new {{SyncResult.Status.DISABLE}} instead of 
{{SyncResult.Status.DELETE}}?
* does it need more test cases 
(DefaultSyncContextTest#testSyncDisabledUserById() covers disable and 
re-enable)?

Note: this change can be backported to the (current) 1.4 branch (a git 
cherry-pick worked fine).

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
>                 Key: OAK-4825
>                 URL: https://issues.apache.org/jira/browse/OAK-4825
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no 
> longer active in the external system aka no longer provided by the 
> ExternalIdentityProvider. It would be useful to have an option to _disable_ 
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the 
> JCR and can't just delete it. Also, we have seen cases where the user is only 
> temporarily removed from the external identity system (e.g. accidentally 
> removed from group that maps them to the JCR system and quickly added back), 
> where a full removal can do harm.
> (Note: There is an [option in the SyncContext 
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
>  to suppress purging, and the JMX sync commands such as 
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
>  "use" it. However, the JCR users look like "valid" users then locally. Even 
> if the authentication is done completely through the IDP and will fail 
> properly for these missing users, it can be difficult for other uses like 
> administration, monitoring, other application code to detect that such a user 
> is not active anymore.)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to