Alexander Klimetschek created OAK-4825:
------------------------------------------

             Summary: Support disabling of users instead of removal in DefaultSyncHandler
                 Key: OAK-4825
                 URL: https://issues.apache.org/jira/browse/OAK-4825
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: auth-external
            Reporter: Alexander Klimetschek


The DefaultSyncHandler by default will remove (local) users when they are no 
longer active in the external system, i.e. no longer provided by the 
ExternalIdentityProvider. It would be useful to have an option to _disable_ 
users instead of removing them completely.

This is good for use cases that need to keep the user's data around in the JCR 
and can't just delete it. Also, we have seen cases where the user is only 
temporarily removed from the external identity system (e.g. accidentally 
removed from group that maps them to the JCR system and quickly added back), 
where a full removal can do harm.

(Note: There is an [option in the SyncContext 
interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
 to suppress purging, and the JMX sync commands such as 
[purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
 "use" it. However, the users look like "valid" users then. Even if the 
authentication is done completely through the IDP and will fail properly for 
these missing users, it can be difficult for other uses like administration, 
monitoring, other application code to detect that such a user is not active 
anymore.)
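The behaviour proposed above, sketched as an added example against the Jackrabbit user API (this is illustrative code, not Oak's DefaultSyncHandler): orphaned users are either removed or disabled depending on a flag, a user who reappears in the IDP is re-enabled only if it was the sync that disabled him, and monitoring code gets a cheap check for "inactive because the external system dropped him". Assumptions: the synced users carry their external reference in a `rep:externalId` property, `findAuthorizables(relPath, null)` matches every authorizable that has that property, and the disabled-reason string is a convention chosen here, not an Oak constant.

```java
import java.util.Iterator;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;

/** Illustrative orphan handling: disable instead of remove. Not Oak's own sync code. */
public final class OrphanHandling {

    // Property the sync writes on every synced user (assumed property name).
    static final String REP_EXTERNAL_ID = "rep:externalId";

    // Reason recorded on disable so administration and monitoring can tell
    // sync-disabled users apart from manually disabled ones (our own convention).
    static final String DISABLED_BY_SYNC = "disabled by identity sync: no longer provided by IDP";

    /** Counters the caller can log or expose via JMX. */
    public static final class Result {
        public int disabled, removed, reenabled;
    }

    /**
     * Walk all users synced from {@code idp}; for each one the IDP no longer
     * provides, either remove it (today's behaviour) or disable it (proposed option).
     */
    public static Result reconcile(UserManager um, ExternalIdentityProvider idp,
                                   boolean disableInsteadOfRemove)
            throws RepositoryException, ExternalIdentityException {
        Result r = new Result();
        // null value: match any authorizable that has the property at all (assumed semantics)
        Iterator<Authorizable> it = um.findAuthorizables(REP_EXTERNAL_ID, null);
        while (it.hasNext()) {
            Authorizable a = it.next();
            if (a.isGroup()) {
                continue; // groups are out of scope here
            }
            User user = (User) a;
            Value[] ext = user.getProperty(REP_EXTERNAL_ID);
            if (ext == null || ext.length == 0) {
                continue;
            }
            ExternalIdentityRef ref = ExternalIdentityRef.fromString(ext[0].getString());
            if (!idp.getName().equals(ref.getProviderName())) {
                continue; // belongs to a different IDP; leave it alone
            }

            boolean stillProvided = idp.getIdentity(ref) != null;
            if (stillProvided) {
                // The "temporarily removed from the mapping group" case: undo our own
                // disable, but never touch a user an administrator disabled by hand.
                if (user.isDisabled() && DISABLED_BY_SYNC.equals(user.getDisabledReason())) {
                    user.disable(null); // null reason re-enables the account
                    r.reenabled++;
                }
            } else if (disableInsteadOfRemove) {
                if (!user.isDisabled()) {
                    user.disable(DISABLED_BY_SYNC); // data stays, login is refused
                    r.disabled++;
                }
            } else {
                user.remove(); // irreversible: the user's JCR content goes with it
                r.removed++;
            }
        }
        return r;
    }

    /** The check that mere purge suppression cannot offer: is this user inactive upstream? */
    public static boolean isInactiveInExternalSystem(User user) throws RepositoryException {
        return user.isDisabled() && DISABLED_BY_SYNC.equals(user.getDisabledReason());
    }
}
```

Unless the UserManager is in autosave mode the caller still has to call `session.save()` after `reconcile(...)` for the changes to take effect. Re-enabling only users whose disabled reason matches the sync's own marker is what keeps the option safe alongside administrators who disable accounts manually.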



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)