Removing user data

Removing user data according to GDPR

The General Data Protection Regulation (GDPR) gives individuals the right to have their personal data erased.

The following procedure describes how to remove a user’s data from a cluster and the Keycloak database.

The following commands use the default Kubernetes namespace or OpenShift project, eclipse-che, as the example value for the -n option.

Prerequisites
  • A user or an administrator authorization token. Deleting any data other than the data bound to a user account requires admin privileges. The admin is a special Che administrator account that is pre-created and enabled by setting CHE_SYSTEM_ADMIN__NAME and CHE_SYSTEM_SUPER__PRIVILEGED__MODE = true in the Custom Resource definition:

    spec:
     server:
       customCheProperties:
         CHE_SYSTEM_SUPER__PRIVILEGED__MODE: 'true'
         CHE_SYSTEM_ADMIN__NAME: '<admin-name>'

    If needed, use the following commands to create the admin user:

    $ kubectl patch checluster/eclipse-che \
      --type merge \
      -p '{ "spec": { "server": {"customCheProperties": {"CHE_SYSTEM_SUPER__PRIVILEGED__MODE": "true"} } }}' \
      -n eclipse-che
    $ kubectl patch checluster/eclipse-che \
      --type merge \
      -p '{ "spec": { "server": {"customCheProperties": {"CHE_SYSTEM_ADMIN__NAME": "<admin-name>"} } }}' \
      -n eclipse-che

    All system permissions are granted to the administrative user that is configured in the CHE_SYSTEM_ADMIN__NAME property (the default is admin). The system permissions are granted when the Che server starts. If the user is not yet present in the Che user database, the permissions are granted after that user's first login.

    Authorization token privileges:
    • admin - Can delete all personal data of all users

    • user - Can delete only the data related to the user

  • A user or an administrator is logged in to the OpenShift cluster where Che is deployed.

  • The user ID is known. To get the user ID, use one of the following commands:

    • For the current user:

      $ curl -X GET \
        --header 'Authorization: Bearer <user-token>' \
        'https://<che-host>/api/user'
    • To find a user by name:

      $ curl -X GET \
        --header 'Authorization: Bearer <user-token>' \
        'https://<che-host>/api/user/find?name=<username>'
    • To find a user by email:

      $ curl -X GET \
        --header 'Authorization: Bearer <user-token>' \
        'https://<che-host>/api/user/find?email=<email>'
      Example of obtaining a user ID

      This example uses vparfono as a local user name.

      $ curl -X GET \
        --header 'Authorization: Bearer <user-token>' \
        'https://che-vp-che.apps.che-dev.x6e0.p1.openshiftapps.com/api/user/find?name=vparfono'

      The user ID is at the bottom of the curl command output.

      {
       "name": "vparfono",
       "links": [
         {
      .
      .
      .
         }
       ],
       "email": "vparfono@redhat.com",
       "id": "921b6f33-2657-407e-93a6-fb14cf2329ce"
      }
Procedure
  1. Update the eclipse-che CheCluster Custom Resource (CR) definition to permit the removal of a user’s data from the Keycloak database:

    $ kubectl patch checluster/eclipse-che \
      --patch "{\"spec\":{\"server\":{\"customCheProperties\": {\"CHE_KEYCLOAK_CASCADE__USER__REMOVAL__ENABLED\": \"true\"}}}}" \
      --type=merge -n eclipse-che
  2. Remove the data using the API:

    $ curl -i -X DELETE \
      --header 'Authorization: Bearer <user-token>' \
      https://<che-host>/api/user/<user-id>
Verification

Running the following command returns code 204 as the API response:

$ curl -i -X DELETE \
  --header 'Authorization: Bearer <user-token>' \
  https://<che-host>/api/user/<user-id>
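
The lookup by name, the DELETE call and the 204 check from this page, combined into one script. This is an added example, not part of the Che documentation: CHE_HOST, CHE_TOKEN and the function names are assumptions, and the token is passed to curl through a config file on stdin (-K -) rather than on the command line.

```shell
#!/bin/sh
# Added example (not from the Che project). CHE_HOST, CHE_TOKEN and all
# function names are assumptions made for this sketch.

# Call the Che API. The bearer token reaches curl through a config file on
# stdin (-K -), so it does not appear in the process list.
che_api() {  # usage: che_api METHOD PATH
    printf 'header = "Authorization: Bearer %s"\n' "$CHE_TOKEN" |
        curl -sS -i -K - -X "$1" "https://${CHE_HOST}$2"
}

# Status code from the first line of a `curl -i` response.
http_status() {
    printf '%s\n' "$1" | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p'
}

# Last "id" field holding a UUID; the page notes the ID is at the bottom.
extract_user_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*"id"[[:space:]]*:[[:space:]]*"\([0-9a-fA-F-]\{36\}\)".*/\1/p' |
        tail -n 1
}

# Look up USERNAME, delete the account, and succeed only on HTTP 204.
# Prints the deleted user ID so the erasure can be recorded.
erase_user() {
    # Names with other characters would need URL-encoding first.
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing unsafe user name" >&2; return 2 ;;
    esac
    lookup=$(che_api GET "/api/user/find?name=$1") || return 2
    user_id=$(extract_user_id "$lookup")
    [ -n "$user_id" ] || { echo "no user ID for $1" >&2; return 2; }
    result=$(che_api DELETE "/api/user/$user_id") || return 1
    status=$(http_status "$result")
    if [ "$status" != "204" ]; then
        echo "DELETE for $user_id returned ${status:-no status}" >&2
        return 1
    fi
    printf '%s\n' "$user_id"
}
```

Source the file, export CHE_HOST and CHE_TOKEN, then call erase_user with the user name; a non-zero exit status means the erasure was not confirmed.
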
Additional resources

To remove the data of all users, follow the instructions for Uninstalling Che.