[https://issues.apache.org/jira/browse/QPID-7340?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15373148#comment-15373148]
Keith Wall edited comment on QPID-7340 at 7/13/16 1:47 PM:
-----------------------------------------------------------
We will add managed operation {{Broker#purgeUser(AuthenticationProvider,
String)}}. This will delete the records corresponding to the user.

If the identified AuthenticationProvider is a
{{PasswordCredentialManagingAuthenticationProvider}}, the algorithm will call
PasswordCredentialManagingAuthenticationProvider#deleteUser to cause the user
to be removed.

For {{GroupProviders}}, we will need to iterate the {{GroupProviders}} and
check for the existence of a {{GroupMember}} child with a name matching the
target username. Any matching GroupMembers that are found will be deleted.

For preferences, internally a {{GenericAuthenticationPrincipal}} will be
created. The configured object tree will be traversed and preferences
belonging to the target user deleted (UserPreferences#replace with empty set)
within a {{Subject.doAs}}.

For the ACL check, with the latest ACL work, the ACL check is automatic, but will
require a change to the LegacyAccessControlAdapter to convert into an old-style
rule. It should be converted into a METHOD "purgeUser" type check. This
permission will be given to someone in the identity maintainer role.

There should be a new operation log message to record the fact that a user was
removed.
> Implement purge user managed operation
> --------------------------------------
>
> Key: QPID-7340
> URL: https://issues.apache.org/jira/browse/QPID-7340
> Project: Qpid
> Issue Type: New Feature
> Components: Java Broker
> Reporter: Keith Wall
> Fix For: qpid-java-6.1
>
>
> When a human user leaves an organisation, it is normally desirable to remove
> the records that belong to that user. Implement an operation to allow a
> named user to be removed. This could be hooked to an organisation's
> 'leavers-feed'.
> This operation should remove:
> * preferences
> * for authentication providers that manage their own database, the user's
> password entry
> * for group providers that manage their own database, remove the user from
> any groups
> What ACL permission should protect this operation?
> What if a Virtualhost is offline at the time the operation is invoked?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)