User soft deletion #7537
User soft deletion #7537
Conversation
Suggested tests to cover this Pull Request
|
parlt91
force-pushed
the
user-soft-deletion
branch
7 times, most recently
from
ad034f1
to
fb1b98a
Compare
parlt91
force-pushed
the
user-soft-deletion
branch
from
fb1b98a
to
cddd512
Compare
|
Before looking at the code, I have a fundamental question: Is "soft deletion" in line with regulations such as the GDPR? So far I'm under the impression that Uyuni needs to have a way to delete user data and not just hide it, but I'm not law expert. |
There was a problem hiding this comment.
Apart from the regulation issues raised by @agraul, which I agree are relevant, the changes in Java LGTM.
|
Also not an expert but to my knowledge, we're allowed to keep such data as long as it has a use for a functionality that serves customers' needs according to GDPR. I believe this is a valid case. |
There was a problem hiding this comment.
I don't know if this has been discussed before, but from the UX perspective so far I imagined "soft delete" would be completely transparent to the user. That is, we would still have the "Delete" function in the GUI/API, but effectively that would hide the user from all UI instead of removing the data completely. This would be separate disabling.
They might miss their "Delete" button :D
GDPR includes a right to have your personal data deleted (Article 17). Of course it's not applicable in all cases (e.g. a company can't delete an invoice with your name for X years because it has to store them for bookkeeping purposes), so the question is: Is there a situation in which a Uyuni user can demand deletion of their user data from the Uyuni "hoster"? I think the answer is yes (e.g. you stop using a hosted Uyuni service and want your data deleted). None of us is actually an expert in law, and we can spend hours trying to argue how to interpret the GDPR or other, similar, laws. Instead I propose we keep a way to delete/anonymize user accounts. Maybe just a table for admins of deactivated accounts that has a button: delete deactivated user Joe. Anonymization would also work (removing first/last name, changing username), if that's needed for auditing of Uyuni itself. |
|
I'm not sure if any of this applies to us at all since all the data in question is actually hosted by the user. We're not keeping any data in our domain. They can exercise their right to delete all data basically with sql DELETE statements :) |
|
I think @admd can ping the Legal team to address any concerns, but I don't think we need to proactively spend any extra effort on this. |
Right, we just provide the software that stores the data in question. It might not be our problem legally since we don't offer hosted Uyuni ourselves, but to me that's not good enough. I don't want our users to have to fight our product just to do what they are lawfully required to do.
Aren't we striving to be API-first? Is this a serious proposal to ask Uyuni operators to run delete statements because we want to drop something from the API? |
|
Personally, I don't think this is a problem honestly as we are not storing any data at our end as Can has pointed out but I will clarify with the legal team anyways. Removing user completely gets us in different problem. There is requirement to keep track of all the actions that are performed by a user on the server. If we do allow deletion of user, we lose track of all actions that user has performed. Now again I am not sure how should we handle this ideally. I will clarify this with the legal team and will get back to you on this one. |
If I may, a good approach would be to decouple sensitive user data from the identifier that we need, to track the actions of that user. |
Signed-off-by: Pascal Arlt <parlt@suse.com>
Signed-off-by: Pascal Arlt <parlt@suse.com>
Signed-off-by: Pascal Arlt <parlt@suse.com>
Signed-off-by: Pascal Arlt <parlt@suse.com>
parlt91
force-pushed
the
user-soft-deletion
branch
from
cddd512
to
30d9248
Compare
|
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
|
Still waiting for a final answer from Legal. |
|
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
|
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
|
This PR was closed because it has been stalled for 10 days with no activity. |
What does this PR change?
Remove functionality for users to 'hard' delete users from the webUI API and spacecmd.
Deactivate should be used instead to serve as a soft deletion mechanism that can be reverted if needed.
This way references to the deactivated user e.g. Recurring Actions will be kept if the user is disabled (as opposed to deleted).
The
UserFactory.deleteUser()function was preserved since we use it to clean up API testsSee:
BaseHandlerTestCase.tearDown()The stored procedure to delete users from the db will also be kept since we still want to able to delete users when deleting an organization.
GUI diff
Before:
After:
Documentation
Documentation issue was created: TODO
Will add documentation changes once this PR is approved
(OPTIONAL) Documentation PR
DONE
Test coverage
Unit tests were adapted
Cucumber tests were adapted
DONE
Links
Fixes https://github.com/SUSE/spacewalk/issues/21035
Changelogs
Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository
If you don't need a changelog check, please mark this checkbox:
If you uncheck the checkbox after the PR is created, you will need to re-run
changelog_test(see below)Re-run a test
If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run: