[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15508305#comment-15508305 ]
Alexander Klimetschek edited comment on OAK-4825 at 9/21/16 1:05 AM:
---------------------------------------------------------------------

[Attached|^OAK-4825.patch] a possible patch (alternatively [on github fork|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9]).

Some smaller questions:

* does it need a new {{SyncResult.Status.DISABLE}} instead of {{SyncResult.Status.DELETE}}?
* and {{SyncResult.Status.ENABLE}} instead of {{SyncResult.Status.UPDATE}} (upon re-enable)?
* syncExternalIdentity() now [enables disabled users|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9#diff-490ff25c104d019ee25f92b2b8bdbabdR488] regardless of the config setting, to generally ensure synced users are active. This would be important if someone switched a system from disable to remove (and disabled users are present). Maybe it needs a separate setting? Or should it be governed by the same one?
* does it need more test cases ([testSyncDisabledUserById()|https://github.com/alexkli/jackrabbit-oak/blob/49e48c43f4499d0eb29edca81f9e0a511450c9e9/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java#L388-L419] added in the patch covers disable and re-enable)?

Note: this change can be backported to the (current) 1.4 branch (a git cherry-pick worked fine).

> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: Alexander Klimetschek
> Attachments: OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system, aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from a group that maps them to the JCR system and quickly added back), where a full removal can do harm.
> (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users then look like "valid" users locally. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, or other application code to detect that such a user is not active anymore.)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
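One way to write the disable-versus-remove decision that the questions in the comment turn on, as an added example that is not the attached patch and not Oak's DefaultSyncContext. It uses the Jackrabbit User API (isDisabled(), getDisabledReason(), disable(reason), remove()); the Action enum stands in for the proposed SyncResult.Status values, and the disableMissingUsers flag, the SYNC_DISABLED_REASON text and the choice to re-enable only users that sync itself disabled (one possible answer to the "separate setting?" question) are assumptions.

```java
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.user.User;

/**
 * Added example (not the patch's code, not Oak's DefaultSyncContext): decides what
 * happens to an already synced local user once the IdP lookup has run.
 */
public final class MissingUserPolicy {

    /** Local stand-in for SyncResult.Status, including the DISABLE/ENABLE values the patch proposes. */
    public enum Action { UPDATE, ENABLE, DISABLE, DELETE, NOP }

    /** Assumed reason text: a sync-specific marker lets administration and monitoring
     *  tell sync-disabled users from users an administrator disabled by hand. */
    static final String SYNC_DISABLED_REASON = "identity no longer provided by the external identity provider";

    /** Assumed config flag: true = disable missing users, false = remove them (the current default). */
    private final boolean disableMissingUsers;

    public MissingUserPolicy(boolean disableMissingUsers) {
        this.disableMissingUsers = disableMissingUsers;
    }

    /**
     * @param user            the local user created by an earlier sync
     * @param identityPresent whether the ExternalIdentityProvider still returns the identity
     * @return the action that was applied to the user
     */
    public Action apply(User user, boolean identityPresent) throws RepositoryException {
        if (identityPresent) {
            // Identity is back (or never left). Re-enable only users that sync disabled, so that
            // switching the config from "disable" to "remove" cannot leave stale disabled accounts,
            // while a user an administrator disabled for another reason stays disabled.
            if (user.isDisabled() && SYNC_DISABLED_REASON.equals(user.getDisabledReason())) {
                user.disable(null);        // Jackrabbit API: a null reason re-enables the user
                return Action.ENABLE;
            }
            return Action.UPDATE;          // regular property/membership sync happens elsewhere
        }
        if (!disableMissingUsers) {
            user.remove();                 // legacy behaviour: purge the orphaned user and its data
            return Action.DELETE;
        }
        if (user.isDisabled()) {
            return Action.NOP;             // already disabled (by sync or by an administrator)
        }
        user.disable(SYNC_DISABLED_REASON); // keeps the user's JCR data, blocks login, visibly inactive
        return Action.DISABLE;
    }
}
```

Because the disabled reason is stored on the user, other application code and monitoring can detect sync-deactivated accounts via getDisabledReason() instead of having to re-query the IdP, which is the gap the issue description points out for the purge-suppression option.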