Description
Currently, when a user is removed (offboarded) from COmanage, they will become immediately unable to log in to scimma-admin, and so unable to make any changes, but existing Kafka credentials will not be revoked. This should be automated.
Implementation of this is not obvious. The main issue stems from the fact that, as currently set up, both COmanage and scimma-admin passively wait to act on requests/queries. As soon as the user is removed, COmanage will make this information available via SAML/LDAP but will do nothing to prompt outside systems (scimma-admin, hop-creds-sync, kafka) to check that updated data and act on it. Scimma-admin will not re-examine a user's data unless they attempt to log in, which could take arbitrarily long, or may never happen. Hop-creds-sync is more proactive, running periodically, but does not interface with COmanage/LDAP, and is currently conceived only to observe the contents of scimma-admin's database, not alter them, although nothing fundamental prevents it from doing so. Neither adding a periodic, active aspect to scimma-admin, nor having hop-creds-sync take charge of user deletions seems immediately compelling as a way forward.
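To make the pull-based option concrete, here is an added example (not code from scimma-admin, hop-creds-sync or COmanage) of the reconciliation pass such a periodic job would need: it compares the set of identities still active in the directory against the owners of the credential rows and marks orphaned credentials as revoked. The directory entries, the `Credential` record, the `status` attribute values and the `reconcile`/`active_identities` names are all constructed assumptions; a real job would replace the in-memory lists with an LDAP query and the admin database.

```python
"""Added example: pull-based reconciliation that revokes Kafka credentials
whose owner has been offboarded from the identity directory.

Everything here is a constructed stand-in (assumption): the directory
entries mimic LDAP results, Credential mimics a scimma-admin credential row.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass
class Credential:
    username: str                      # Kafka (SCRAM) username
    owner: str                         # directory identifier of the human owner
    revoked_at: Optional[datetime] = None


def active_identities(directory_entries: Iterable[Dict[str, str]]) -> set:
    """Owners still present in the directory.

    Assumption: each entry carries a 'uid' and a 'status' attribute and only
    'active' entries count; a deleted/suspended person drops out of the set.
    """
    return {e["uid"] for e in directory_entries if e.get("status") == "active"}


def reconcile(credentials: List[Credential],
              directory_entries: Iterable[Dict[str, str]],
              now: Optional[datetime] = None) -> List[str]:
    """Mark credentials of offboarded owners as revoked.

    Returns the usernames revoked in this pass, i.e. the list a sync job
    would push to Kafka. Credentials that are already revoked are left alone.
    """
    now = now or datetime.now(timezone.utc)
    live = active_identities(directory_entries)

    # Safety check: an empty directory result is far more likely to be an
    # LDAP outage or a misconfigured query than a site with no users, and
    # acting on it would revoke every credential at once. Refuse instead.
    if not live:
        raise RuntimeError("directory returned no active identities; "
                           "refusing to revoke anything")

    revoked = []
    for cred in credentials:
        if cred.revoked_at is None and cred.owner not in live:
            cred.revoked_at = now
            revoked.append(cred.username)
    return revoked


# Constructed sample data standing in for LDAP output and the credential table.
SAMPLE_DIRECTORY = [
    {"uid": "alice", "status": "active"},
    {"uid": "bob", "status": "deleted"},      # bob has been offboarded
]
SAMPLE_CREDENTIALS = [
    Credential("alice-kafka-1", "alice"),
    Credential("bob-kafka-1", "bob"),
    Credential("bob-kafka-2", "bob",
               revoked_at=datetime(2024, 1, 1, tzinfo=timezone.utc)),
]


def demo() -> List[str]:
    """Run one pass over fresh copies of the sample data."""
    creds = [Credential(c.username, c.owner, c.revoked_at) for c in SAMPLE_CREDENTIALS]
    return reconcile(creds, SAMPLE_DIRECTORY)


if __name__ == "__main__":
    print("revoked this pass:", demo())
```

The pass is idempotent, so running it on a schedule (the hop-creds-sync model) is safe: a credential already carrying `revoked_at` is skipped, and only newly orphaned ones are reported. The empty-directory guard is the one failure mode worth insisting on in any such job, since a transient LDAP failure must not be read as "everyone was offboarded".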