Bamboo: Right to erasure
Article 17 of the GDPR guarantees individuals the right to erasure of their personal data, also known as the "right to be forgotten". This right is not absolute and applies only in specific circumstances. Because the scope of reasonable action required to respond to an individual's request for erasure of personal data varies from case to case, we recommend consulting a lawyer. If you have determined that you are obligated to erase personal data, follow the steps below to do so within the specific Atlassian product.
Personal data stored in the product falls into two categories: 1) account-level personal data and 2) personal data in free-form text. Account-level personal data consists of the data fields that exist in the product solely to distinguish one user from another. Examples include a user's display name, profile picture or avatar, and email address. These data elements are typically visible in the user's profile and are used throughout the product so that the profile can be referenced when a user is @mentioned or tagged in spaces and content. Deleting a structured personal data element removes it from everywhere in the product where the related structured data element is displayed and from the database (see the limitations below).
If personal data was added as free-form text (for example, typed into content in a space or used as the label name of a custom field), you need to find it using the product's global search and delete it individually.
Locating and Accessing Personal Data in Bamboo
Personal Data (PD) is stored in Bamboo in one of four ways:
- Structured PD: data in user profiles
- Unstructured PD: data associated with Bamboo builds, results, deployment projects, environments, versions - free text
- Filesystem PD on the server: other data stored on a server (build result logs, artifacts, audit logs, global entities, configuration etc.)
- Filesystem PD on the agent: other data stored on the agent (build result logs, caches, artifacts)
Structured PD
User profiles contain specific PD elements used to represent users in the Bamboo system.
This data is mainly used in:
- profile page (https://confluence.atlassian.com/bamboo/managing-your-user-profile-289277031.html)
- REST API (https://developer.atlassian.com/server/bamboo/rest-apis/)
- user picker
- user authentication (number of unsuccessful login attempts, password reset token, remember me)
- user permissions
- repository commit author
- result comments author
- notifications
- user responsible for result failure
- favorite builds (kept per user)
- deployment version approver
- author of change in the audit log
User profiles hold the following PD elements:
User profile data | Description |
---|---|
Full name | Text used to represent a user in the Bamboo interface. All links to the user profile use this text. In many cases it holds PD such as name and surname. |
User name / login | Text representing a person during login. It is used internally in the database to correlate additional data with a user profile. It can also be visible in some REST and page URLs. |
Email | Email address associated with a user account. Accessible on the user profile. |
IM | IM address associated with the user's IM account. Accessible on the user profile. |
Unstructured PD
PD could also be stored in free-form text data fields. Because these fields allow any content, topic or label, they may or may not contain PD, depending on the instance configuration.
Domain Objects (Plans, Results, Deployment projects, Releases) - and associated entities can hold any type of information, as they can contain many free text values.
Global entities (project descriptions, variables, repositories, shared credentials, other configuration etc.) can hold free text values.
Incidental PD
Various processes that run within or alongside Bamboo may store PD incidental to their functions. Below is a list of processes that may store PD incidentally.
Filesystem
Lucene index
To speed up searching, Bamboo uses the Lucene library (a search index). This index duplicates some information from the DB and stores it in the filesystem. When SQL queries are executed directly against the DB, there is a risk that stale data remains in the Lucene index (e.g. authors in the build results index, or project/plan names and descriptions in the quick search index). To refresh the Lucene index, a reindex needs to be performed. See https://confluence.atlassian.com/display/BAMBOO/Reindexing+data.
Lucene indexes are located in the ${bamboo_home}/index directory.
If reindexing is not possible, selected documents could be searched and deleted using this tool: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/luke/lukeall-3.5.0.jar
Artifacts
The placement of artifacts depends on the artifact handler that was used for the plan result (or the global artifact handler if none was set for the specific plan).
The most popular artifact handler is the Bamboo Remote Handler: artifacts are stored on the Bamboo server in the ${bamboo_home}/artifacts directory.
Another popular artifact handler is the Amazon S3 Handler: artifacts are stored on Amazon S3, and the location is configured in the Bamboo administration panel.
To read more about artifact handlers and their configuration, see: https://confluence.atlassian.com/display/BAMBOOSERVERM/Artifact+handlers
Server Logs
Name | Location | PD details |
---|---|---|
Bamboo server logs | ${bamboo_home}/log/*, ${bamboo_install}/logs/catalina.out | Can contain arbitrary data (hard to tell because of possibly extensive logging) |
Bamboo build logs | ${bamboo_home}/xml-data/builds/JOB_KEY/* | Information specific to each build; can contain arbitrary data |
Analytics logs | ${bamboo_home}/analytics-logs/* | Generally should not contain PD |
Access logs | ${bamboo_install}/logs/access_log.* | Can contain username/IP address and the URL of accessed resources. |
Tomcat logs | ${bamboo_install}/logs/* | Might contain some PD. |
Other server logs | ${bamboo_home}/log/*, ${bamboo_install}/logs/* | Might contain some PD. |
To read more about logging in Bamboo, see https://confluence.atlassian.com/bamboo/logging-in-bamboo-289277239.html
Memory
Bamboo caches
In order to speed up certain actions, Bamboo uses internal caches that make DB calls unnecessary.
Certain data from the DB is cached in memory. The cache is not directly accessible to users; the system uses it to serve data faster.
It's recommended to update the DB with manual SQL queries only while the Bamboo server is stopped; otherwise cached data that differs from the data in the DB may lead to inconsistency.
Agents
Remote agent
All remote agent activity is recorded in the atlassian-bamboo-agent.log file, stored on the agent machine in the agent's running directory. The running directory can be viewed in the remote agent's system properties, in the Bamboo Paths section. These logs can contain arbitrary data; in general, they do not contain the PD used by Bamboo.
When the agent is performing builds, it stores data in ${bamboo_agent_home}/xml-data/build-dir/JOB_KEY/*. The default name of the Bamboo agent home directory is bamboo-agent-home, and its location depends on your operating system. To read more about it, check the Bamboo agent home directory section here: https://confluence.atlassian.com/bamboo/locating-important-directories-and-files-289277247.html
Elastic agent
All elastic agent activity is logged inside the elastic instance where the elastic agent runs. By default, it's stored in two files, atlassian-bamboo.log and bamboo-elastic-agent.out, but this depends very much on the elastic image configuration and on the operating system of the elastic agent.
Build data on the elastic agent is stored in the same way as on a remote agent.
To read more about elastic agent logs, see here: https://confluence.atlassian.com/bamboo/viewing-an-elastic-instance-289277134.html.
External storage
Backups
It's up to you to define purpose/retention policy for backed up files. Bamboo just generates the backup to be used by the end user. See more: https://confluence.atlassian.com/bamboo/exporting-data-for-backup-289277255.html.
Deleting and/or Modifying PD in Bamboo
Once you've identified where PD may be stored in your Bamboo instance, this section describes how to delete or modify that PD.
Workarounds
Follow best practices for change management: test and validate these settings in a test/development and staging environment before rolling any changes into production. You must test and validate these changes to ensure that they function well within your infrastructure before placing them in production.
Deleting or modifying PD
Deleting and modifying user PD is virtually the same process, because we do not recommend deleting an entire user account from Bamboo. User accounts are an integral part of the Bamboo data structure and critical for maintaining the data consistency of the system.
Rather than deleting the data, we recommend modifying the PD elements in the account so that they display values that do not identify the user, for example replacing the username johnsmith with deleteduser1. This way the system keeps functioning properly while you remove profile-level PD that could otherwise identify the user. You can also use this process if you simply need to modify a user's PD, for example if nicholassmith is actually nicksmith.
Modifying user PD
Modifying user PD has to be performed in several steps, depending on where the data is stored.
To modify user data:
- Handle PD in "structured" data fields
  - (UI) Modify data in the user profile; this step depends on the type of directory that Bamboo uses for managing users.
  - (SQL) Optionally, modify the "username", only if it contains PD (SQL update statements have to be executed against a stopped Bamboo instance).
- Handle PD in "free-form text" data fields
  - (SQL) Handle PD in other entries (SQL update statements have to be executed against the stopped Bamboo instance).
- After-change actions (only if SQL update statements were executed)
  - Reindex Bamboo. See Reindexing data.
Handle PD in "structured" data fields
Modify PD in user profile - external user directory
Modify PD in user profile - internal User Directory
How to modify PD in a user profile using the internal directory
Modifying username (Optional - only when username contains PD)
This could break third-party plugins that reference the username.
Handle PD in "free-form text" data fields
After change actions (if SQL update statements were executed)
If SQL update statements were executed, you will have to reindex Bamboo.
- Reindex Bamboo: a Lucene reindex is required because some data is stored in and read from the Lucene index, and after updating the DB the index could contain stale data. See Reindexing data.
Version compatibility
All workarounds are compatible with Bamboo 6.5 and later.
Limitations
- The SQL statements use pattern matching, so they require manual inspection before each update.
- MySQL doesn't have the REGEXP_REPLACE function (or any other function that works in a similar way), so we can find matching records ignoring case, but we cannot generate SQL that updates values in a case-insensitive way. Manual inspection/update is needed.
- Microsoft SQL Server does not support regular expressions to the extent the other supported databases do; records are matched using the LIKE operator, which can match longer substrings. Updates use the REPLACE function, which in conjunction with a case-insensitive collation replaces all occurrences case-insensitively with the case-sensitive replacement, e.g. replace("and TEST second as test third", "test", "tESt") = "and tESt second as tESt third".
- Data could be stored inside third-party plugins and not be discovered/altered/deleted by querying the DB (plugin tables are not scanned for PD).
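The same "find case-insensitively, then inspect each hit before replacing" caveat applies to the filesystem locations in the Server Logs table above. The following is an added example, not code from the Atlassian page or from Bamboo: it expands the table's log locations under caller-supplied bamboo_home and bamboo_install directories (JOB_KEY widened to a wildcard), searches them for a PD value ignoring case, and groups the hits by the exact text found so every case variant is visible before any manual edit. The sample log lines are constructed for the demo.

```python
import glob
import os
import re
import tempfile
from collections import defaultdict
# Glob patterns from the page's "Server Logs" table; JOB_KEY is widened to a
# wildcard so every job's build logs are covered. Directories are passed in.
LOG_PATTERNS = {
    "Bamboo server logs": ["{home}/log/*", "{install}/logs/catalina.out"],
    "Bamboo build logs": ["{home}/xml-data/builds/*/*"],
    "Access logs": ["{install}/logs/access_log.*"],
    "Tomcat logs": ["{install}/logs/*"],
}

def expand_patterns(bamboo_home, bamboo_install):
    """Return {category: sorted file paths} for every pattern that exists on disk."""
    found = {}
    for category, patterns in LOG_PATTERNS.items():
        paths = set()
        for pat in patterns:
            full = pat.format(home=bamboo_home, install=bamboo_install)
            paths.update(p for p in glob.glob(full) if os.path.isfile(p))
        found[category] = sorted(paths)
    return found

def find_pd_hits(files, needle):
    """Case-insensitive search; returns {text as written: [(path, line)]}. Keying on
    the exact text exposes each case variant, so replacements are chosen per variant."""
    pattern = re.compile(re.escape(needle), re.IGNORECASE)
    hits = defaultdict(list)
    for path in files:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for match in pattern.finditer(line):
                    hits[match.group(0)].append((path, lineno))
    return dict(hits)

def demo():
    # Constructed sample: a throwaway bamboo_home/bamboo_install with three log lines.
    root = tempfile.mkdtemp()
    for d in ("home/log", "install/logs"): os.makedirs(os.path.join(root, d))
    home, install = os.path.join(root, "home"), os.path.join(root, "install")
    with open(os.path.join(home, "log", "atlassian-bamboo.log"), "w") as fh:
        fh.write("2024-01-01 INFO user johnsmith triggered plan PROJ-PLAN\n")
    with open(os.path.join(install, "logs", "access_log.2024-01-01"), "w") as fh:
        fh.write('10.0.0.5 - JohnSmith [01/Jan/2024] "GET /browse/PROJ-PLAN" 200\n')
        fh.write('10.0.0.5 - other [01/Jan/2024] "GET /" 200\n')
    files = sorted({p for paths in expand_patterns(home, install).values() for p in paths})
    return find_pd_hits(files, "johnsmith")
```

Running demo() reports two variants, johnsmith and JohnSmith, each with one location; the access log is reached through both the Access logs and Tomcat logs patterns, which is why the file list is deduplicated before searching.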
Additional notes
There may be limitations depending on your product version
Note that the GDPR workarounds above are optimized for the latest version of the product. If you are running a legacy version, the workarounds may be less effective. Consider upgrading to the latest product version to get the most out of the workarounds described in this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem
The articles above on GDPR compliance cover only personal data stored within Atlassian Server and Data Center products. If you have installed third-party add-ons in your Server or Data Center environment, contact the third-party add-on provider about the personal data they may access, transfer, or process in your environment and about their GDPR compliance efforts.
For Server and Data Center customers, Atlassian does not access, store, or process the personal data you choose to store in the product. For details about the personal data Atlassian processes, see the Privacy Policy.