[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

2016-10-03 Thread JIRA

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15541826#comment-15541826 ]

Dominique Jäggi commented on OAK-4825:
--

As discussed by phone with [~alexander.klimetschek], the removal and re-syncing 
of group memberships upon enable/disable will not be part of the patch. It is 
the client's responsibility to filter users by disabled status instead of 
having Oak remove group membership, upon which filtering previously occurred in 
the requestor's application.

> Support disabling of users instead of removal in DefaultSyncHandler
> ---
>
> Key: OAK-4825
> URL: https://issues.apache.org/jira/browse/OAK-4825
> Project: Jackrabbit Oak
>  Issue Type: Improvement
>  Components: auth-external
>Reporter: Alexander Klimetschek
> Attachments: OAK-4825-b.patch, OAK-4825-c.patch, OAK-4825-doc.patch, 
> OAK-4825.patch
>
>
> The DefaultSyncHandler by default will remove (local) users when they are no 
> longer active in the external system aka no longer provided by the 
> ExternalIdentityProvider. It would be useful to have an option to _disable_ 
> users instead of removing them completely.
> This is good for use cases that need to keep the user's data around in the 
> JCR and can't just delete it. Also, we have seen cases where the user is only 
> temporarily removed from the external identity system (e.g. accidentally 
> removed from group that maps them to the JCR system and quickly added back), 
> where a full removal can do unnecessary operations.
> (Note: There is an [option in the SyncContext 
> interface|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.java#L38]
>  to suppress purging completely, aka they won't be removed nor disabled, and 
> the JMX sync commands such as 
> [purgeOrphanedUsers()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java#L256]
>  "use" it. However, the JCR users look like "valid" users then locally. Even 
> if the authentication is done completely through the IDP and will fail 
> properly for these missing users, it can be difficult for other uses like 
> administration, monitoring, other application code to detect that such a user 
> is not active anymore.)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

2016-09-29 Thread Alexander Klimetschek (JIRA)

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15534196#comment-15534196 ]

Alexander Klimetschek commented on OAK-4825:


One important piece is missing: updating memberships. When users are removed, 
they are automatically removed from groups. If they get disabled, one has to 
explicitly update their memberships (remove on disable and add on re-enable).

Tried to do this in a new version: [^OAK-4825-c.patch]

Note that this makes it quite clear that OAK-4845 and the safe handling of removal 
of lost groups require setting the {{rep:externalId}} on previously local-only 
groups (solution #2 in my [comment 
here|https://issues.apache.org/jira/browse/OAK-4845?focusedCommentId=15533952=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15533952]). 
Otherwise, with solution #1 it would remove all group memberships, even pure 
local ones, that could not be reinstated later if the user comes back in the 
external IDP.






[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

2016-09-29 Thread JIRA

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15532692#comment-15532692 ]

Dominique Jäggi commented on OAK-4825:
--

[~alexander.klimetschek], thanks for the patch, I am reviewing it. Please 
provide an additional patch for the missing documentation (oak-doc module) of 
this enhancement / additional config / behavior of the external auth module.






[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

2016-09-19 Thread Alexander Klimetschek (JIRA)

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15505661#comment-15505661 ]

Alexander Klimetschek commented on OAK-4825:


The linger time is nice, but wouldn't necessarily be required in our use case, 
also considering it is some extra work (e.g. some new background job).

What we currently do is a daily sync run that basically does 
syncAllExternalUsers() + purgeOrphanedUsers() in SyncMBean terms, with the 
exception that we optimize it by calling list users and fetching each 
external user only once. So it might be useful to have this as e.g. 
syncAndPurgeExternalUsers() on the MBean or on the SyncHandler.






[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

2016-09-19 Thread Tobias Bocanegra (JIRA)

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15505286#comment-15505286 ]

Tobias Bocanegra commented on OAK-4825:
---

I like the idea:

{noformat}
/**
 * Controls the behavior for users that no longer exist on the external
 * provider. The default is to delete the repository users if they no longer
 * exist on the external provider. If set to true, they will be disabled
 * instead, and re-enabled once they appear again.
 */
boolean disableMissingUsers;
{noformat}

We could add a bit more flexibility and add an auto-purge time instead of just a 
flag, e.g.:

{noformat}
/**
 * Timespan (human notation) after which an externally deleted user is purged.
 * A user that is no longer available on the external provider will linger in
 * the repository as a disabled user until this expiration time has passed,
 * after which it will be deleted.
 * Use 0 to delete immediately, -1 to never delete.
 *
 * Example: "30d" will invalidate a no longer existing user and delete it after
 * 30 days.
 */
String userLingerTime;
{noformat}







[jira] [Commented] (OAK-4825) Support disabling of users instead of removal in DefaultSyncHandler

2016-09-19 Thread Alexander Klimetschek (JIRA)

[ https://issues.apache.org/jira/browse/OAK-4825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504785#comment-15504785 ]

Alexander Klimetschek commented on OAK-4825:


The implementation would have to do something along these lines:
* add configuration option on the DefaultSyncHandler {{disableUsers}} which is 
false by default (= removal)
* disable users instead of removing them inside 
[DefaultSyncContext.handleMissingIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L328-L332]
 if {{disableUsers=true}}
* ensure users (and groups) are re-enabled if they come back, do this in 
[DefaultSyncContext.syncExternalIdentity()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L465-L470]
 (for both users and groups)
* (maybe something inside the [JMX bean 
implementation|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.java]
 as well, for a consistent behavior regarding purging, not sure)




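The disable-first / linger / re-enable policy sketched in Tobias Bocanegra's and Alexander Klimetschek's comments above, as an added stand-alone Java model that is not Oak code and uses no Oak API: `LocalUser`, `parseLinger`, `decide` and the "0" / "-1" / "<n>d" notation are assumptions following the proposal, and group memberships are deliberately not touched, matching the final decision in the thread.

```java
import java.time.Duration;
import java.time.Instant;
// Hypothetical model of the orphan-handling policy discussed in this thread (not Oak code,
// no Oak API used): a user missing from the IDP is disabled first and purged only once the
// linger time has elapsed; a user that reappears is re-enabled. Memberships are left alone.
public class MissingUserPolicy {
    enum Action { KEEP, DISABLE, REENABLE, REMOVE }

    static final class LocalUser {
        final String id;
        boolean disabled;
        Instant disabledSince;
        LocalUser(String id) { this.id = id; }
    }

    // Notation assumed from the proposal: "0" purge at once, "-1" never purge, "<n>d" after n days.
    static Duration parseLinger(String spec) {
        if (spec.equals("-1")) return null;
        if (spec.equals("0")) return Duration.ZERO;
        if (!spec.endsWith("d")) throw new IllegalArgumentException("unsupported linger time: " + spec);
        return Duration.ofDays(Long.parseLong(spec.substring(0, spec.length() - 1)));
    }

    static Action decide(LocalUser u, boolean existsExternally, Duration linger, Instant now) {
        if (existsExternally) return u.disabled ? Action.REENABLE : Action.KEEP;
        if (linger != null && linger.isZero()) return Action.REMOVE;  // today's default: delete at once
        if (!u.disabled) return Action.DISABLE;                       // first sync after disappearance
        if (linger == null) return Action.KEEP;                       // "-1": stays disabled forever
        return now.isAfter(u.disabledSince.plus(linger)) ? Action.REMOVE : Action.KEEP;
    }

    // Applies the decision to the local record; the returned action is what a sync run would log.
    static Action apply(LocalUser u, boolean existsExternally, Duration linger, Instant now) {
        Action a = decide(u, existsExternally, linger, now);
        if (a == Action.DISABLE) { u.disabled = true; u.disabledSince = now; }
        if (a == Action.REENABLE) { u.disabled = false; u.disabledSince = null; }
        return a;
    }
    public static void main(String[] args) {
        Duration linger = parseLinger("30d");
        Instant day0 = Instant.parse("2016-09-19T00:00:00Z");
        LocalUser alice = new LocalUser("alice");  // constructed sample user, present locally
        int[] days = {0, 10, 12, 20, 51};
        boolean[] inIdp = {false, false, true, false, false};  // reappears briefly on day 12
        for (int i = 0; i < days.length; i++) {
            Instant now = day0.plus(Duration.ofDays(days[i]));
            System.out.println("day " + days[i] + ": " + apply(alice, inIdp[i], linger, now));
        }
    }
}
```

The scenario in `main` walks one user through disappearance, a brief return (which resets the linger clock on re-disable) and final expiry, so each daily sync run's action can be compared with the policy text.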