[ 
https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Klimetschek updated OAK-4825:
---------------------------------------
    Description: 
The DefaultSyncHandler by default will remove (local) users when they are no 
longer active in the external system aka no longer provided by the 
ExternalIdentityProvider. It would be useful to have an option to _disable_ 
users instead of removing them completely.

This is good for use cases that need to keep the user's data around in the JCR 
and can't just delete it. Also, we have seen cases where the user is only 
temporarily removed from the external identity system (e.g. accidentally 
removed from group that maps them to the JCR system and quickly added back), 
where a full removal can do unnecessary operations.

(Note: There is an [option in the SyncContext 
interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
 to suppress purging, and the JMX sync commands such as 
[purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
 "use" it. However, the JCR users look like "valid" users then locally. Even if 
the authentication is done completely through the IDP and will fail properly 
for these missing users, it can be difficult for other uses like 
administration, monitoring, other application code to detect that such a user 
is not active anymore.)

  was:
The DefaultSyncHandler by default will remove (local) users when they are no 
longer active in the external system aka no longer provided by the 
ExternalIdentityProvider. It would be useful to have an option to _disable_ 
users instead of removing them completely.

This is good for use cases that need to keep the user's data around in the JCR 
and can't just delete it. Also, we have seen cases where the user is only 
temporarily removed from the external identity system (e.g. accidentally 
removed from group that maps them to the JCR system and quickly added back), 
where a full removal can do harm.

(Note: There is an [option in the SyncContext 
interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
 to suppress purging, and the JMX sync commands such as 
[purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
 "use" it. However, the JCR users look like "valid" users then locally. Even if 
the authentication is done completely through the IDP and will fail properly 
for these missing users, it can be difficult for other uses like 
administration, monitoring, other application code to detect that such a user 
is not active anymore.)


> Support disabling of users instead of removal in DefaultSyncHandler
> -------------------------------------------------------------------
>
>                 Key: OAK-4825
>                 URL: https://issues.apache.org/jira/browse/OAK-4825
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-4825-b.patch, OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no 
> longer active in the external system aka no longer provided by the 
> ExternalIdentityProvider. It would be useful to have an option to _disable_ 
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the 
> JCR and can't just delete it. Also, we have seen cases where the user is only 
> temporarily removed from the external identity system (e.g. accidentally 
> removed from group that maps them to the JCR system and quickly added back), 
> where a full removal can do unnecessary operations.
> (Note: There is an [option in the SyncContext 
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
>  to suppress purging, and the JMX sync commands such as 
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
>  "use" it. However, the JCR users look like "valid" users then locally. Even 
> if the authentication is done completely through the IDP and will fail 
> properly for these missing users, it can be difficult for other uses like 
> administration, monitoring, other application code to detect that such a user 
> is not active anymore.)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to