[
https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15508305#comment-15508305
]
Alexander Klimetschek edited comment on OAK-4825 at 9/21/16 1:05 AM:
---------------------------------------------------------------------
[Attached|^OAK-4825.patch] a possible patch (alternatively [on github
fork|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9]).
Some smaller questions:
* does it need a new {{SyncResult.Status.DISABLE}} instead of
{{SyncResult.Status.DELETE}}?
* and {{SyncResult.Status.ENABLE}} instead of {{SyncResult.Status.UPDATE}}
(upon re-enable)?
* syncExternalIdentity() now [enables disabled
users|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9#diff-490ff25c104d019ee25f92b2b8bdbabdR488]
regardless of the config setting; to generally ensure synced users are active.
This would be important if someone switched a system from disable to remove
(and disabled users are present). Maybe it needs a separate setting? Or should
be governed by the same?
* does it need more test cases
([testSyncDisabledUserById()|https://github.com/alexkli/jackrabbit-oak/blob/49e48c43f4499d0eb29edca81f9e0a511450c9e9/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java#L388-L419]
added in the patch covers disable and re-enable)?
Note: this change can be backported to the (current) 1.4 branch (a git
cherry-pick worked fine).
was (Author: alexander.klimetschek):
[Attached|^OAK-4825.patch] a possible patch (alternatively [on github
fork|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9]).
Some smaller questions:
* does it need a new {{SyncResult.Status.DISABLE}} instead of
{{SyncResult.Status.DELETE}}?
* does it need more test cases
([testSyncDisabledUserById()|https://github.com/alexkli/jackrabbit-oak/blob/49e48c43f4499d0eb29edca81f9e0a511450c9e9/oak-auth-external/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContextTest.java#L388-L419]
added in the patch covers disable and re-enable)?
Note: this change can be backported to the (current) 1.4 branch (a git
cherry-pick worked fine).
> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: Alexander Klimetschek
> Attachments: OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no
> longer active in the external system aka no longer provided by the
> ExternalIdentityProvider. It would be useful to have an option to _disable_
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the
> JCR and can't just delete it. Also, we have seen cases where the user is only
> temporarily removed from the external identity system (e.g. accidentally
> removed from group that maps them to the JCR system and quickly added back),
> where a full removal can do harm.
> (Note: There is an [option in the SyncContext
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
> to suppress purging, and the JMX sync commands such as
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
> "use" it. However, the JCR users look like "valid" users then locally. Even
> if the authentication is done completely through the IDP and will fail
> properly for these missing users, it can be difficult for other uses like
> administration, monitoring, other application code to detect that such a user
> is not active anymore.)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
