[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dominique Jäggi updated OAK-4825: - Fix Version/s: 1.4.9 > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek >Assignee: Dominique Jäggi > Fix For: 1.6, 1.4.9 > > Attachments: OAK-4825-b.patch, OAK-4825-c.patch, OAK-4825-doc.patch, > OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dominique Jäggi updated OAK-4825: - Fix Version/s: 1.6 > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Fix For: 1.6 > > Attachments: OAK-4825-b.patch, OAK-4825-c.patch, OAK-4825-doc.patch, > OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: OAK-4825-c.patch > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825-c.patch, OAK-4825-doc.patch, > OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: (was: OAK-4825-b.patch) > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825-doc.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: OAK-4825-b.patch > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825-doc.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: OAK-4825-doc.patch Patch for documentation: [^OAK-4825-doc.patch] > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825-doc.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Description: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do unnecessary operations. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users look like "valid" users then locally. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) was: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do harm. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users look like "valid" users then locally. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Description: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do unnecessary operations. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging completely, aka they won't be removed nor disabled, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users look like "valid" users then locally. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) was: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do unnecessary operations. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users look like "valid" users then locally. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do unnecessary operations. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging completely, aka they won't be removed nor disabled, and > the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: OAK-4825-b.patch > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do harm. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: (was: OAK-4825-b.patch) > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do harm. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: OAK-4825-b.patch Attached [new patch|^OAK-4825-b.patch] (alternatively [on github|https://github.com/alexkli/jackrabbit-oak/commit/6f2b0455f2cae2a69c2be8981e15e143d3d55011]. Improvements: * introduce {{SyncResult.Status.ENABLE}} and {{DISABLE}} for more accurate status reporting (it is already detailed, so I figured this new feature should be covered) * one caveat: if a user is re-enabled and updated along the way, you get {{ENABLE}} and not {{UPDATE}} * only re-enable users if the {{users.disableMissing}} config is {{true}}; the at this point unlikely case of systems migrating from disable to the remove option would have to be handled by "manually" enabling affected users * added a test that ensures this, i.e. that if the default remove option is on, the disabled status of users is not touched > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825-b.patch, OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do harm. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Attachment: OAK-4825.patch Attached a possible patch (alternatively [on github fork|https://github.com/alexkli/jackrabbit-oak/commit/49e48c43f4499d0eb29edca81f9e0a511450c9e9]). Some smaller questions: * does it need a new {{SyncResult.Status.DISABLE}} instead of {{SyncResult.Status.DELETE}}? * does it need more test cases (DefaultSyncContextTest#testSyncDisabledUserById() covers disable and re-enable)? Note: this change can be backported to the (current) 1.4 branch (a git cherry-pick worked fine). > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > Attachments: OAK-4825.patch > > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do harm. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Description: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do harm. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the JCR users look like "valid" users then locally. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) was: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do harm. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the users look like "valid" users then. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do harm. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the JCR users look like "valid" users then locally. Even > if the authentication is done completely through the IDP and will fail > properly for these missing users, it can be difficult for other uses like > administration, monitoring, other application code to detect that such a user > is not active anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler
[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Klimetschek updated OAK-4825: --- Description: The DefaultSyncHandler by default will remove (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do harm. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the users look like "valid" users then. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) was: The DefaultSyncHandler by default will remove of (local) users when they are no longer active in the external system aka no longer provided by the ExternalIdentityProvider. It would be useful to have an option to _disable_ users instead of removing them completely. This is good for use cases that need to keep the user's data around in the JCR and can't just delete it. Also, we have seen cases where the user is only temporarily removed from the external identity system (e.g. accidentally removed from group that maps them to the JCR system and quickly added back), where a full removal can do harm. (Note: There is an [option in the SyncContext interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] to suppress purging, and the JMX sync commands such as [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] "use" it. However, the users look like "valid" users then. Even if the authentication is done completely through the IDP and will fail properly for these missing users, it can be difficult for other uses like administration, monitoring, other application code to detect that such a user is not active anymore.) > Support disabling of users instead of removal in DefaultSyncHandler > --- > > Key: OAK-4825 > URL: https://issues.apache.org/jira/browse/OAK-4825 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Alexander Klimetschek > > The DefaultSyncHandler by default will remove (local) users when they are no > longer active in the external system aka no longer provided by the > ExternalIdentityProvider. It would be useful to have an option to _disable_ > users instead of removing them completely. > This is good for use cases that need to keep the user's data around in the > JCR and can't just delete it. Also, we have seen cases where the user is only > temporarily removed from the external identity system (e.g. accidentally > removed from group that maps them to the JCR system and quickly added back), > where a full removal can do harm. > (Note: There is an [option in the SyncContext > interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38] > to suppress purging, and the JMX sync commands such as > [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256] > "use" it. However, the users look like "valid" users then. Even if the > authentication is done completely through the IDP and will fail properly for > these missing users, it can be difficult for other uses like administration, > monitoring, other application code to detect that such a user is not active > anymore.) -- This message was sent by Atlassian JIRA (v6.3.4#6332)