Open allemp opened 1 year ago
Maybe we should remove email from the log. WDYT? @alexec
I’m not a lawyer.
The email is logged for audit purposes. The email is not a customer’s email; it would be that of an Argo operator’s employee.
It would be helpful to see a lawyer’s opinion on that.
I had to research this at work and, while I am also not a lawyer, the conclusion I've come to is that it's still personal data for employees (source) and having it in log files is not great practice. The proper way is already implemented: the logs also record the ID of the user, which makes it a lot more secure than plaintext email.
I currently have a workaround in my environment (OIDC scope doesn't include email so it's blank in the logs), but I think this is a very subtle gotcha that could get other Argo Workflows users (in the European Union) in trouble.
OK. We can remove this logging. Could you submit a PR?
I need the email because the username appears as a garbled string.
Instead of nuking this useful feature, let's please make this configurable if some people don't want it logged. Auditing is an important feature and ensuring auditing is human readable is just as important. ArgoCD is already adding more audit information, so I don't see why we would want to make Argo Workflows less auditable.
Summary
Currently argo server gatekeeper will log the email in an audit log. This is not great because email is personally identifiable information in Europe and is subject to GDPR.
I suggest being able to choose what is logged/what is not logged through the argo server configmap. For example custom claims, groups etc.
Use Cases
Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
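One way the configurable audit logging proposed in the Summary could behave, written here as an added Go example and not taken from Argo Workflows: the stable user ID is always logged, while email, groups and custom claims appear only when an operator allows them. The `Claims` type, `AuditFields`, `FormatLine` and the allowlist keys are hypothetical names, and the sample identity is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Claims is a hypothetical, simplified view of the identity an SSO login yields.
type Claims struct {
	Subject, Email string            // stable user ID ("sub") and email address
	Groups         []string          // group memberships
	Custom         map[string]string // any other claims
}

// AuditFields picks the claims to log (hypothetical helper). Email, groups and
// custom claims are dropped unless their name is set in allowed.
func AuditFields(c Claims, allowed map[string]bool) map[string]string {
	out := map[string]string{}
	for k, v := range c.Custom {
		if allowed[k] {
			out[k] = v
		}
	}
	if allowed["email"] && c.Email != "" {
		out["email"] = c.Email
	}
	if allowed["groups"] && len(c.Groups) > 0 {
		out["groups"] = strings.Join(c.Groups, ",")
	}
	out["sub"] = c.Subject // always logged; set last so no custom claim overrides it
	return out
}

// FormatLine renders sorted key=%q pairs; quoting keeps a claim value on one line.
func FormatLine(fields map[string]string) string {
	parts := make([]string, 0, len(fields))
	for k, v := range fields {
		parts = append(parts, fmt.Sprintf("%s=%q", k, v))
	}
	sort.Strings(parts)
	return strings.Join(parts, " ")
}

func main() {
	c := Claims{Subject: "abc-123", Email: "jane@example.com"} // constructed sample
	fmt.Println(FormatLine(AuditFields(c, nil)))                            // default: no email
	fmt.Println(FormatLine(AuditFields(c, map[string]bool{"email": true}))) // operator opted in
}
```

With an empty allowlist the entry still carries the user ID, so it stays attributable without the address.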