[
https://issues.apache.org/jira/browse/QPID-7340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15373148#comment-15373148
]
Keith Wall edited comment on QPID-7340 at 7/13/16 1:42 PM:
-----------------------------------------------------------
We will add managed operation {{Broker#purgeUser(AuthenticationProvider,
String)}}. This will delete the records corresponding the user.
If the identified AuthenticationProvider is a
{{PasswordCredentialManagingAuthenticationProvider}}, the algorithm will call
PasswordCredentialManagingAuthenticationProvider#deleteUser to cause the user
to be removed.
For {{GroupProviders}}, we will need to iterate the {{GroupProviders}} and
check for the existence of {{GroupMember}} child with a name matching the
target username. Any matching GroupMembers that are found will be deleted.
For preferences, internally a {{GenericAuthenticationPrinicpal}} will be
created. The configured object tree will be traversed and preferences
belonging the the target user deleted (UserPreferences#replace with empty set)
within a {{Subject.doAs}}.
For the ACL check, with latest ACL work, the ACL check is automatic, but will
require a change to the LegacyAccessControlAdapter to convert into an old-style
rule. It should be converted into a METHOD "purgeUser" type check. This
permission will be given to someone in the identity maintainer role.
was (Author: k-wall):
We will add managed operation {{Broker#purgeUser(AuthenticationProvider,
String)}}. This will delete the records corresponding the user.
If the identified AuthenticationProvider is a
{{PasswordCredentialManagingAuthenticationProvider}}, the algorithm will call
PasswordCredentialManagingAuthenticationProvider#deleteUser to cause the user
to be removed.
For GroupProviders, we will need to iterate the GroupProviders and check for
the existence of GroupMember child with name matching the target username. Any
GroupMembers that are found will be deleted.
For preferences, internally a {{GenericAuthenticationPrinicpal}} will be
created. The configured object tree will be traversed and preferences
belonging the the target user deleted (UserPreferences#replace with empty set)
within a {{Subject.doAs}}.
For the ACL check, with latest ACL work, the ACL check is automatic, but will
require a change to the LegacyAccessControlAdapter to convert into an old-style
rule. It should be converted into a METHOD "purgeUser" type check. This
permission will be given to someone in the identity maintainer role.
> Implement purge user managed operation
> --------------------------------------
>
> Key: QPID-7340
> URL: https://issues.apache.org/jira/browse/QPID-7340
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
>
> When a human user leaves an organisation, it is normally desirable to remove
> the records that belong to that user. Implement an operation to allow a
> named user to be removed. This could be hooked to to an organisation's
> 'leavers-feed'.
> This operation should remove:
> * preferences
> * for authentication providers that manage their own database, the user's
> password entry
> * for group providers that manage their own database, remove the user from
> any groups
> What ACL permission should protect this operation?
> What if a Virtualhost is offline at the time the operation is invoked?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
