argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0
14.85k stars 3.17k forks

Email in Argo Server audit Log and GDPR #9808

Open allemp opened 1 year ago

allemp commented 1 year ago

Summary

Currently argo server gatekeeper will log the email in an audit log. This is not great because email is personally identifiable information in Europe and is subject to GDPR.

I suggest being able to choose what is logged/what is not logged through the argo server configmap. For example custom claims, groups etc.

Use Cases


Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

terrytangyuan commented 1 year ago

Maybe we should remove email from the log. WDYT? @alexec

alexec commented 1 year ago

I’m not a lawyer.

The email is logged for audit purposes. The email is not a customer’s email, it would be that of Argo operator’s employee.

It would be helpful to see a lawyer’s opinion on that.

allemp commented 1 year ago

I had to research this at work and while I am also not a lawyer the conclusion I've come to is that it's still personal data for employees (source) and having it in log files is not great practice. The proper way is already implemented: The logs also record the ID of the user which makes it a lot more secure than plaintext email.

I currently have a workaround in my environment (OIDC scope doesn't include email so it's blank in the logs), but I think this is a very subtle gotcha that could get other Argo Workflows users (in European Union) in trouble.

alexec commented 1 year ago

OK. We can remove this logging. Could you submit a PR?

tooptoop4 commented 1 year ago

I need the email because username appears as garbled string

ericblackburn commented 2 weeks ago

Instead of nuking this useful feature, let's please make this configurable if some people don't want it logged. Auditing is an important feature and ensuring auditing is human readable is just as important. ArgoCD is already adding more audit information, so I don't see why we would want to make Argo Workflows less auditable.