Removing user data
Removing user data according to GDPR
The General Data Protection Regulation (GDPR) law enforces the right for individuals to have personal data erased.
The following procedure describes how to remove a user’s data from a cluster and the Keycloak database.
The following commands use the default Kubernetes namespace or OpenShift project, |
-
A user or an administrator authorization token. To delete any other data except the data bound to a user account,
admin
privileges are required. Theadmin
is a special Che administrator account pre-created and enabled using theCHE_SYSTEM_ADMIN__NAME
andCHE_SYSTEM_SUPER__PRIVILEGED__MODE = true
Custom Resource definitions.spec: server: customCheProperties: CHE_SYSTEM_SUPER__PRIVILEGED__MODE: 'true' CHE_SYSTEM_ADMIN__NAME: '<admin-name>'
If needed, use commands below for creating the
admin
user:$ kubectl patch checluster/eclipse-che \ --type merge \ -p '{ "spec": { "server": {"customCheProperties": {"CHE_SYSTEM_SUPER__PRIVILEGED__MODE": "true"} } }}' \ -n eclipse-che
$ kubectl patch checluster/eclipse-che \ --type merge \ -p '{ "spec": { "server": {"customCheProperties": {"CHE_SYSTEM_ADMIN__NAME": "<admin-name>"} } }}' \ -n eclipse-che
All system permissions are granted to the administrative user. To configure the administrative user, use the
CHE_SYSTEM_ADMIN__NAME
property. The default value isadmin
. The system permissions are granted when the Che server starts. If the user record is not in the Che user database, the permissions are granted after the first login of the user.Authorization token privileges:-
admin
- Can delete all personal data of all users -
user
- Can delete only the data related to the user
-
-
A user or an administrator is logged in the OpenShift cluster with deployed Che.
-
A user ID is obtained. Get the user ID using the commands below:
-
For the current user:
$ curl -X GET \ --header 'Authorization: Bearer <user-token>' \ 'https://<che-host>/api/user'
-
To find a user by name:
$ curl -X GET \ --header 'Authorization: Bearer <user-token>' \ 'https://<che-host>/api/user/find?name=<username>'
-
To find a user by email:
$ curl -X GET \ --header 'Authorization: Bearer <user-token>' \ 'https://<che-host>/api/user/find?email=<email>'
Example of obtaining a user IDThis example uses
vparfono
as a local user name.$ curl -X GET \ --header 'Authorization: Bearer <user-token>' \ 'https://che-vp-che.apps.che-dev.x6e0.p1.openshiftapps.com/api/user/find?name=vparfono'
The user ID is at the bottom of the curl command output.
{ "name": "vparfono", "links": [ { . . . } ], "email": "vparfono@redhat.com", "id": "921b6f33-2657-407e-93a6-fb14cf2329ce" }
-
-
Update the
eclipse-che
CheCluster Custom
Resource (CR) definition to permit the removal of a user’s data from the Keycloak database:$ kubectl patch checluster/eclipse-che \ --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_KEYCLOAK_CASCADE__USER__REMOVAL__ENABLED\": \"true\"}}}}" \ --type=merge -n eclipse-che
-
Remove the data using the API:
$ curl -i -X DELETE \ --header 'Authorization: Bearer <user-token>' \ https://<che-host>/api/user/<user-id>
Running the following command returns code 204
as the API response:
$ curl -i -X DELETE \ --header 'Authorization: Bearer <user-token>' \ https://<che-host>/api/user/<user-id>
To remove the data of all users, follow the instructions for Uninstalling Che.