Details
Suggestion
Resolution: Unresolved
Description
Currently, Crowd deletes users upon a sync if they are no longer found in the external directory (LDAP/AD).
If AD/LDAP malfunctions and erroneously reports no such users to Crowd/Jira, Crowd/Jira will delete them and cause a severe outage for the customer.
Deletion DEBUG logs can be spotted (if enabled) in the form of:
    ...
    2020-07-22 09:26:15,468 Caesium-1-3 DEBUG anonymous [c.a.crowd.directory.DbCachingRemoteChangeOperations] user [ username_a ] not found, deleting
    2020-07-22 09:26:15,468 Caesium-1-3 DEBUG anonymous [c.a.crowd.directory.DbCachingRemoteChangeOperations] user [ username_b ] not found, deleting
    2020-07-22 09:26:15,468 Caesium-1-3 DEBUG anonymous [c.a.crowd.directory.DbCachingRemoteChangeOperations] user [ username_c ] not found, deleting
    ...
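Because these lines are the only trace of the deletions, a log watcher can flag a sync that removes many users at once. The following is an added example, not part of the original issue or of Atlassian's code: it parses the DEBUG format quoted above and groups deletions per sync thread into bursts. The threshold, the time window, the function names and the sample lines for `username_d` and the INFO entry are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the DEBUG line format quoted in this issue.
DELETE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<thread>\S+) DEBUG \S+ "
    r"\[c\.a\.crowd\.directory\.DbCachingRemoteChangeOperations\] "
    r"user \[ (?P<user>.+?) \] not found, deleting")

def parse_deletions(lines):
    """Yield (timestamp, thread, username) for every deletion log line."""
    for line in lines:
        m = DELETE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["thread"], m["user"]

def find_mass_deletions(lines, threshold=3, window=timedelta(minutes=5)):
    """Return bursts of deletions on one thread that remove >= threshold users.

    threshold and window are assumed values: tune them to directory size and sync duration.
    """
    by_thread = defaultdict(list)
    for ts, thread, user in parse_deletions(lines):
        by_thread[thread].append((ts, user))
    alerts = []
    for thread, events in sorted(by_thread.items()):
        events.sort()
        bursts = [[events[0]]]
        for ev in events[1:]:
            # A gap longer than the window starts a new burst (a later sync run).
            if ev[0] - bursts[-1][-1][0] <= window:
                bursts[-1].append(ev)
            else:
                bursts.append([ev])
        for burst in bursts:
            users = sorted({u for _, u in burst})
            if len(users) >= threshold:
                alerts.append({"thread": thread, "start": burst[0][0],
                               "end": burst[-1][0], "users": users})
    return alerts

# Constructed sample: three lines from the issue, plus one later isolated deletion and noise.
P = "DEBUG anonymous [c.a.crowd.directory.DbCachingRemoteChangeOperations]"
SAMPLE_LOG = [
    f"2020-07-22 09:26:15,468 Caesium-1-3 {P} user [ username_a ] not found, deleting",
    f"2020-07-22 09:26:15,468 Caesium-1-3 {P} user [ username_b ] not found, deleting",
    f"2020-07-22 09:26:15,468 Caesium-1-3 {P} user [ username_c ] not found, deleting",
    "2020-07-22 09:26:16,001 Caesium-1-3 INFO anonymous [constructed.Example] sync finished",
    f"2020-07-22 14:02:41,120 Caesium-1-3 {P} user [ username_d ] not found, deleting",
]

if __name__ == "__main__":
    for alert in find_mass_deletions(SAMPLE_LOG):
        print(alert["thread"], alert["start"], len(alert["users"]), "users deleted")
```

The detector only sees anything when DEBUG logging is enabled for `DbCachingRemoteChangeOperations`, as the description notes.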
The source code from DbCachingRemoteChangeOperations reads as follows (Stash reference here):
    for (User remoteUser : remoteUsers) {
        remoteUsernames.add(remoteUser.getName());
    }
    Set<String> remoteExternalIds = externalIdsOf(remoteUsers);
    Map<String, TimestampedUser> internalUsers = findInternalUsersUpdatedBefore(synchStartDate);
    // Find all Users in our internal cache.
    for (TimestampedUser internalUser : internalUsers.values()) {
        String userName = internalUser.getName();
        if (StringUtils.isBlank(internalUser.getExternalId())) {
            if (!remoteUsernames.contains(userName)) {
                logger.debug("user [ {} ] not found, deleting", userName);
                usersToDelete.add(userName);
            }
        } else {
            if (!remoteExternalIds.contains(internalUser.getExternalId())) {
                logger.debug("user [ {} ] not found, deleting", userName);
                usersToDelete.add(userName);
            }
        }
    }
That is: if the external user list is empty, or its entries have null or invalid external IDs, Crowd/Jira will proceed to delete the users.
This feature request asks for a flag or config option that overrides this behaviour and prevents user deletion even if the above conditions are met.
This case might be a regression of JRASERVER-24937 (When a user is deleted in AD or Crowd, JIRA could keep the user in JIRA as an inactive user).