Add configuration options for privacy-aware reduced/disabled logging

Description

With recent steps to handle the now-in-effect GDPR regulation, GitLab has so far made a real effort to make this easy for us admins (ToS-panel etc.) — thanks for that. Under previous German data prevention, protection, and privacy law, the principle of "Datenvermeidung und Datensparsamkeit" (data reduction and data economy) was something my employer and I had to abide by (I am a research assistant and maintainer of the GitLab instance at a German university). Now under GDPR the concepts have gotten their European equivalents: data minimisation, and storage limitation from Art. 5 – 1c,e. I would summarize them as follows:

  • Only collect as much data as you absolutely need to provide your service
  • Only collect the data for as long as you need it to provide the service, and delete it after that

In the process of GDPR-related adjustments to our services, respective policies, and updating the codification of our data processing and deletion workflows, the logging framework of GitLab came up. I spent some time researching the related configuration options in gitlab.rb. It seems that while it is possible to set logrotate and svlogd to shorter rotation and deletion cycles, there is no way to completely disable logging in normal operation, when there are no errors to debug. In addition to that, logs such as gitlab-rails/application.log contain a tremendous amount of personally identifying information about users and detailed information about their actions and behaviour. To my eyes there is no way to have such info removed from the logs or disable logging for parts or all of GitLab.

Proposal

Therefore, to allow GitLab admins to reduce the amount of data collected in day-to-day business, I am proposing the addition of the following configuration options to gitlab.rb:

  • Show/hide personally identifying information (IP addresses, user names, email addresses, etc.) in all log files, defaulting to a privacy-first approach, i.e. removing the information without explicitly setting the option.
  • Enable/disable logging entirely for application services by setting their respective $service['log_directory'] = nil. This seems currently to be ignored and overridden by the default log_directory for the service.

Edited by 🤖 GitLab Bot 🤖
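
Until an option like the first one in the proposal exists, the same data-minimisation effect can be approximated by filtering log lines before they are stored or shipped. The Ruby sketch below is an added example, not part of the original issue and not GitLab code; the key names, the /24 and /48 address truncation, and the sample lines are assumptions made for illustration.

```ruby
require 'json'
require 'ipaddr'

# Keys treated as personally identifying. These names are assumptions for
# this example, not a list taken from GitLab.
DROP_KEYS = %w[username email user_id].freeze
IP_KEYS   = %w[remote_ip ip].freeze
EMAIL_RE  = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/

# Truncate an address to its network part: /24 for IPv4, /48 for IPv6.
# Anything that does not parse as an address is replaced entirely.
def truncate_ip(value)
  ip = IPAddr.new(value)
  ip.mask(ip.ipv4? ? 24 : 48).to_s
rescue IPAddr::Error
  '[redacted]'
end

# Recursively scrub a parsed JSON value: drop identifying keys, truncate
# addresses, and mask e-mail addresses embedded in free-text strings.
def scrub(node)
  case node
  when Hash
    node.each_with_object({}) do |(key, val), out|
      next if DROP_KEYS.include?(key)
      out[key] = IP_KEYS.include?(key) && val.is_a?(String) ? truncate_ip(val) : scrub(val)
    end
  when Array  then node.map { |v| scrub(v) }
  when String then node.gsub(EMAIL_RE, '[email]')
  else node
  end
end

# Scrub one log line; lines that are not JSON only get e-mail masking.
def scrub_line(line)
  JSON.generate(scrub(JSON.parse(line)))
rescue JSON::ParserError
  line.gsub(EMAIL_RE, '[email]')
end

# Constructed sample lines (not real GitLab output).
SAMPLE = [
  '{"method":"GET","path":"/group/project","status":200,"remote_ip":"192.0.2.57","username":"jdoe","user_id":42}',
  '{"severity":"INFO","message":"Password reset mail sent to jdoe@example.org","meta":{"ip":"2001:db8:abcd:12::1"}}',
  'plain text line mentioning admin@example.org'
].freeze

SAMPLE.each { |line| puts scrub_line(line) } if __FILE__ == $PROGRAM_NAME
```

A key-based filter like this only covers the fields it knows about; user names inside free-text messages or request paths pass through unchanged, which is why the issue asks for the option at the source.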