#7294 Add GDPR script for release-monitoring.org
Closed: Fixed 3 years ago by zlopez. Opened 5 years ago by jcline.

  • Describe what you need us to do:

There needs to be a script for GDPR for release-monitoring.org. It now has user accounts and saves the user's email address.

  • When do you need this? (YYYY/MM/DD)

  • When is this no longer needed or useful? (YYYY/MM/DD)

When GDPR isn't a thing.

  • If we cannot complete your request, what is the impact?

Admins have to manually query release-monitoring.org for GDPR data.


Metadata Update from @bowlofeggs:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: release-monitoring

5 years ago

@zlopez Might you be able to work on this? we have a SOP about how to make the playbooks: https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/gdpr_sar.html

Happy to help out..

@kevin
I'm working on the script for GDPR right now and I'm not sure if we should also print informations we have from third party authorization providers (FAS, Yahoo or OpenId)?
Right now I'm dumping every information from users table about user.

On Thu, 2018-10-25 at 12:08 +0000, Michal Kone=C4=8Dn=C3=BD wrote:

I'm working on the script for GDPR right now and I'm not sure if we
should also print informations we have from third party authorization
providers (FAS, Yahoo or OpenId)?

If it's being stored in our database and it's personal information,
then we should include it, so I'd say yes.

@bowlofeggs
Thanks for answer, I will try to get it from the social_auth table.

Script is done - https://github.com/release-monitoring/anitya/pull/649

Now I need to do changes in ansible. Is there any specific place where the environment variables should be added?

@bowlofeggs
I already have this open, but I'm not sure where I should add the environ variables:
sar_script
sar_script_user
sar_output_file

Is there any specific ansible script, or should I add them where I think appropriate?

@zlopez The SOP says you need to define it in the host vars for the host you want to run it on. So, as an example, Bodhi's run on bodhi-backend02, so they are defined here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/inventory/host_vars/bodhi-backend02.phx2.fedoraproject.org#n17

You should be able to find a file for the host you want to run it on in that same folder.

Would you like to send a PR to the SOP to make that clearer?

@bowlofeggs
Is this same for openshift applications?

On Mon, 2018-10-29 at 16:02 +0000, Michal Kone=C4=8Dn=C3=BD wrote:

Is this same for openshift applications?

Hmmmm, that is a good question. When we designed the GDPR playbook, we
definitely didn't this situation into account. It was assumed you had a
host that could be ssh'd to by Ansible that can run the script. Is
there a way to ssh to OpenShift apps? I don't know of one, but perhaps
its possible to use oc rsh in some way to accomplish this from the
playbook?

@puiterwijk @kevin: do you have ideas on how an Ansible playbook could
run a script in an OpenShift container?

There is a 'oc exec' but it needs the full pod name, so you would need to do a 'oc get pods -n namespace' first, parse out the running one and pass that into the oc-exec.

I'm not sure if there's any other way. ;(

The GDPR script is merged and will be available in next release

ok, whats left to do here? an oc exec that calls the script?

@kevin
The script is already deployed. The path is "/usr/bin/sar.py". So I think only thing missing is the oc exec.

Metadata Update from @cverna:
- Issue tagged with: high-gain, medium-trouble

4 years ago

@zlopez is this still on your radar?

@pingou I did everything that I could on my side. Only thing missing was the oc exec as @kevin said.

So discussing with @zlopez in a meeting today.

The current playbook run is in ./playbooks/manual/gdpr/sar.yml in the ansible repo.
We would need to defined the sar_script variable for anitya together with another variable sar_openshift(?) which will instruct the playbook to run that script using oc-exec as Kevin mentioned above.
It may be an idea to put this logic in a role, up to see.

Metadata Update from @pingou:
- Issue tagged with: dev

3 years ago

Metadata Update from @zlopez:
- Issue assigned to zlopez

3 years ago

I created a https://pagure.io/fedora-infra/ansible/pull-request/165 to allow calling SAR scripts on openshift apps.

I don't know how to test this. I tried the commands itself except oc exec, because I don't have permission to run it.

What is missing is to update https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/gdpr_sar.html and I see a few strange ansible-review complains :-/

The PR is now merged, but we encountered an issue in Anitya SAR script. There is ticket created for this in Anitya tracker.

I still need to update https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/gdpr_sar.html.

This could be closed once the documentation is updated.

The PR for the documentation just got merged. So I'm closing this issue as fixed

Metadata Update from @zlopez:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.

Metadata