[
https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15511479#comment-15511479
]
Alexander Klimetschek edited comment on OAK-4825 at 9/22/16 7:04 PM:
---------------------------------------------------------------------
Attached [new patch|^OAK-4825-b.patch] (alternatively [on
github|https://github.com/alexkli/jackrabbit-oak/commit/ce3aeab653ab0a7e28e3ef105a66c7b79b4f09a8]).
Improvements:
* introduce {{SyncResult.Status.ENABLE}} and {{DISABLE}} for more accurate
status reporting (it is already detailed, so I figured this new feature should
be covered)
* one caveat: if a user is re-enabled and updated along the way, you get
{{ENABLE}} and not {{UPDATE}}
* only re-enable users if the {{users.disableMissing}} config is {{true}}; the
(at this point unlikely) case of systems migrating from the disable to the remove
option would have to be handled by "manually" enabling affected users
* added a test that ensures this, i.e. that if the default remove option is on,
the disabled status of users is not touched
was (Author: alexander.klimetschek):
Attached [new patch|^OAK-4825-b.patch] (alternatively [on
github|https://github.com/alexkli/jackrabbit-oak/commit/6f2b0455f2cae2a69c2be8981e15e143d3d55011]).
Improvements:
* introduce {{SyncResult.Status.ENABLE}} and {{DISABLE}} for more accurate
status reporting (it is already detailed, so I figured this new feature should
be covered)
* one caveat: if a user is re-enabled and updated along the way, you get
{{ENABLE}} and not {{UPDATE}}
* only re-enable users if the {{users.disableMissing}} config is {{true}}; the
(at this point unlikely) case of systems migrating from the disable to the remove
option would have to be handled by "manually" enabling affected users
* added a test that ensures this, i.e. that if the default remove option is on,
the disabled status of users is not touched
> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: Alexander Klimetschek
> Attachments: OAK-4825-b.patch, OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no
> longer active in the external system, i.e. no longer provided by the
> ExternalIdentityProvider. It would be useful to have an option to _disable_
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the
> JCR and can't just delete it. Also, we have seen cases where the user is only
> temporarily removed from the external identity system (e.g. accidentally
> removed from the group that maps them to the JCR system and quickly added back),
> where a full removal can do harm.
> (Note: There is an [option in the SyncContext
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
> to suppress purging, and the JMX sync commands such as
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
> "use" it. However, the JCR users look like "valid" users then locally. Even
> if the authentication is done completely through the IDP and will fail
> properly for these missing users, it can be difficult for other uses like
> administration, monitoring, other application code to detect that such a user
> is not active anymore.)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
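The sync behaviour discussed in this issue and in the patch comment (remove a user whose external identity is gone versus disable it, re-enable only when {{users.disableMissing}} is on, and report {{ENABLE}} rather than {{UPDATE}} when a re-enabled user is updated in the same pass) as a small, self-contained Python model. This is an added illustration, not code from Jackrabbit Oak or from the patch: {{SyncPolicy}}, {{LocalUser}}, the in-memory {{local}} and {{idp}} dictionaries, the {{disabled_reason}} text and the sample users are all hypothetical stand-ins for DefaultSyncHandler, the local UserManager and the ExternalIdentityProvider, and the "accidentally removed and re-added" scenario is constructed to show what survives under each setting.

```python
"""Model of the OAK-4825 "disable instead of remove" sync policy.

Added illustration, not Jackrabbit Oak code: SyncPolicy, LocalUser and the
plain dicts standing in for the local user store and the external IDP are
hypothetical; the real DefaultSyncHandler works on the Oak UserManager API.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    """Outcome of syncing one user id (modelled on the SyncResult.Status idea)."""
    NOP = "nop"
    ADD = "add"
    UPDATE = "update"
    REMOVE = "remove"
    ENABLE = "enable"
    DISABLE = "disable"


@dataclass
class LocalUser:
    uid: str
    props: Dict[str, str] = field(default_factory=dict)
    disabled_reason: Optional[str] = None  # None means the account is enabled

    @property
    def disabled(self) -> bool:
        return self.disabled_reason is not None


class SyncPolicy:
    """disable_missing=False purges missing users (default); True disables them."""
    DISABLED_REASON = "disabled by sync: not provided by external identity provider"

    def __init__(self, disable_missing: bool = False) -> None:
        self.disable_missing = disable_missing

    def sync(self, uid: str, local: Dict[str, LocalUser],
             idp: Dict[str, Dict[str, str]]) -> Status:
        external = idp.get(uid)   # None = the IDP no longer provides this identity
        user = local.get(uid)

        if external is None:
            if user is None:
                return Status.NOP
            if self.disable_missing:
                if user.disabled:
                    return Status.NOP            # already disabled: nothing to do
                user.disabled_reason = self.DISABLED_REASON
                return Status.DISABLE
            del local[uid]                        # default behaviour: remove the user
            return Status.REMOVE

        if user is None:
            local[uid] = LocalUser(uid, dict(external))
            return Status.ADD

        user.props.update(external)               # copy external props onto the user
        if user.disabled and self.disable_missing:
            # Re-enable and report ENABLE, even though props were updated as well.
            user.disabled_reason = None
            return Status.ENABLE
        # With the remove option on, an existing disabled status is left untouched.
        return Status.UPDATE


def temporary_removal(disable_missing: bool) -> Tuple[List[Status], Dict[str, str]]:
    """Constructed scenario: alice is dropped from the IDP by accident and re-added.

    Returns the status of each sync pass and the props alice ends up with locally.
    """
    policy = SyncPolicy(disable_missing)
    idp = {"alice": {"mail": "alice@example.com"}}
    local = {"alice": LocalUser("alice", {"mail": "alice@example.com",
                                          "app:profile": "kept locally"})}
    statuses = [policy.sync("alice", local, idp)]        # normal update
    del idp["alice"]                                     # dropped from the IDP
    statuses.append(policy.sync("alice", local, idp))    # DISABLE or REMOVE
    idp["alice"] = {"mail": "alice@example.com"}         # quickly added back
    statuses.append(policy.sync("alice", local, idp))    # ENABLE or a fresh ADD
    return statuses, dict(local["alice"].props)


def admin_disabled_untouched() -> Tuple[Status, Optional[str]]:
    """With the default remove option, a locally disabled user stays disabled."""
    policy = SyncPolicy(disable_missing=False)
    idp = {"bob": {"mail": "bob@example.com"}}
    local = {"bob": LocalUser("bob", disabled_reason="locked by admin")}
    status = policy.sync("bob", local, idp)
    return status, local["bob"].disabled_reason


if __name__ == "__main__":
    for setting in (False, True):
        print("disableMissing =", setting, "->", temporary_removal(setting))
    print("admin-disabled user with remove option:", admin_disabled_untouched())
```

The two runs of {{temporary_removal}} show the difference the issue is about: with the remove option the third pass is an {{ADD}} of a fresh user and the local-only {{app:profile}} property is gone, whereas with {{disable_missing=True}} the user is disabled in the middle pass, re-enabled afterwards (reported as {{ENABLE}}, not {{UPDATE}}) and keeps its local data; {{admin_disabled_untouched}} mirrors the test described in the comment, where a disabled status is not touched when the remove option is active.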