:linkattrs:
= Gerrit Code Review - User Privacy

== Purpose

This page documents how Gerrit handles user data.

|===
| Note: Gerrit has extensive support for link:config-plugins.html[plugins]
which extend Gerrit's functionality, and these plugins could access, export, or
manipulate user data. This document only focuses on the behavior of Gerrit
core and its link:dev-core-plugins.html[core plugins].
|===

== Types of User Data

Gerrit stores account data required for collaborating on source code changes.
This data is described by
link:config-accounts.html#account-data-in-user-branch[Account Data in User
Branch] and includes link:config-accounts.html#external-ids[External IDs],
link:config-accounts.html#preferences[User Preferences],
link:config-accounts.html#project-watches[Project Watches] and personally
identifiable information, including name and email address. The email
address is required to associate Git commits with a Gerrit user account. All
data except passwords is made accessible to other users to whom you are visible,
as detailed below.

== User Visibility

Gerrit has a concept of link:config-gerrit.html#accounts[account visibility]
which determines what users a given user can see. This visibility configuration
applies in account search, reviewer suggestion, and when accessing data through
the link:rest-api-accounts.html#account-endpoints[Account REST endpoints]. If
you can see a user, you have read access to most of the
link:rest-api-accounts.html#account-info[AccountInfo] for that user, including
name and email address. Additional information, including secondary emails, is
included in AccountInfo if the caller has “Modify Account” permissions.

Additionally, all users on a change (author, cc’d, reviewer) can see each other,
irrespective of the account visibility settings. For example: Say you are a
reviewer on a change where user Foo is also a reviewer. Even if by account
visibility you could not search for Foo, you'd still see their avatar, name,
and email now because you can see the change; this information is required to
collaborate on a code review. If Foo wasn't on that change, you could not add
them because reviewer suggestions would not find them due to the account
visibility settings.

By default, account visibility on a Gerrit instance is set to `ALL` which allows
all users to be visible to other users, even anonymous (i.e. unauthenticated)
users. Depending on your installation type, you may want to change this:

* For completely company-internal Gerrit installations (no external users), the
`ALL` default may make sense.

* If you work with multiple vendors who have
access to their own independent sets of repos, `VISIBLE_GROUP` may be more
appropriate as you wouldn’t want vendor A to see accounts from vendor B.

* For public installations, e.g. for open source projects, you may want to
change this setting or add a notice for users when they create an account e.g.
“Most of what you submit on this site, including your email address and name,
will be visible to others who use this service. You may prefer to use an email
account specifically for this purpose.” One way to do this is using
link:config-gerrit.html[`auth.registerPageUrl`] in `gerrit.config`.

== ACLs and User Visibility

User suggestions for changes, when adding a reviewer or cc-ing someone, always
respect ACLs for that change: only users who can see the change are suggested.
The suggested users are an intersection of who you can see and who can see the
change.

Consider the following situation:

* `READ` permission for Registered Users on the host
* User visibility is set to `VISIBLE_GROUP`, so only users of the same domain can
  see each other
* a@foo.com creates change 123

This would mean:

* a@foo.com cannot add b@bar.com to the change because these users cannot see
  each other due to the user visibility setting.
* b@bar.com can find change 123
  because they have READ permission and could add themselves to the change.
* a@foo.com would then be able to see b@bar.com’s name, avatar, and email on
  change 123

The only caveat to the above is Private Changes, which are only visible to the
owner and reviewers; reviewers can only see the change once they are added to
the change (if ACLs allow them to be added in the first place), not before.

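
The rules in this section and the previous one (the `ALL` / `VISIBLE_GROUP` setting, the reviewer-suggestion intersection, participants on a change seeing each other, and the private-change caveat) can be checked against a small model. The Python below is an added illustration written for this page, not Gerrit's own code. It makes two simplifications, both assumptions chosen to reproduce the a@foo.com / b@bar.com scenario: `VISIBLE_GROUP` is modelled as "same email domain" (real Gerrit uses group membership), and the project ACL is reduced to a single "READ for Registered Users" flag.

```python
from dataclasses import dataclass, field

ANONYMOUS = None  # an unauthenticated caller


@dataclass(frozen=True)
class Account:
    email: str

    @property
    def group(self) -> str:
        # Assumption of this model: VISIBLE_GROUP is "same email domain", which
        # matches the page's foo.com / bar.com example. Real Gerrit uses groups.
        return self.email.split("@", 1)[1]


@dataclass
class Change:
    number: int
    owner: Account
    reviewers: set = field(default_factory=set)
    private: bool = False

    def participants(self) -> set:
        return {self.owner} | self.reviewers


@dataclass
class Server:
    visibility: str                      # "ALL" or "VISIBLE_GROUP"
    accounts: set = field(default_factory=set)
    registered_have_read: bool = True    # READ granted to Registered Users host-wide

    def can_see_account(self, caller, target) -> bool:
        """Account visibility as applied to search and reviewer suggestion."""
        if self.visibility == "ALL":
            return True                  # even anonymous callers see everyone
        if caller is ANONYMOUS:
            return False
        return caller.group == target.group

    def has_read_acl(self, user, change) -> bool:
        """Project ACL only; ignores the private-change restriction."""
        return user is not ANONYMOUS and self.registered_have_read

    def can_see_change(self, user, change) -> bool:
        """ACL plus the private-change rule: owner and current reviewers only."""
        if not self.has_read_acl(user, change):
            return False
        return not change.private or user in change.participants()

    def suggest_reviewers(self, caller, change) -> set:
        """Intersection: accounts the caller can see AND who hold READ on the change."""
        return {a for a in self.accounts
                if self.can_see_account(caller, a) and self.has_read_acl(a, change)}

    def add_reviewer(self, caller, change, target) -> bool:
        if caller == target:
            # Adding yourself only needs access to the change itself.
            allowed = self.can_see_change(caller, change)
        else:
            allowed = target in self.suggest_reviewers(caller, change)
        if allowed:
            change.reviewers.add(target)
        return allowed

    def can_see_account_on_change(self, caller, target, change) -> bool:
        """Participants on a change see each other regardless of visibility."""
        if caller in change.participants() and target in change.participants():
            return True
        return self.can_see_account(caller, target)


def page_scenario() -> dict:
    """The a@foo.com / b@bar.com example with VISIBLE_GROUP and host-wide READ."""
    a, b = Account("a@foo.com"), Account("b@bar.com")
    srv = Server("VISIBLE_GROUP", accounts={a, b})
    change = Change(123, owner=a)
    out = {}
    out["a_can_add_b"] = srv.add_reviewer(a, change, b)            # False: cannot see each other
    out["b_can_find_change"] = srv.can_see_change(b, change)       # True: READ for registered users
    out["b_can_add_self"] = srv.add_reviewer(b, change, b)         # True
    out["a_sees_b_on_change"] = srv.can_see_account_on_change(a, b, change)  # True
    out["a_finds_b_in_search"] = srv.can_see_account(a, b)         # False: search still hides b
    return out


def private_change_scenario() -> dict:
    """A private change is invisible to a reviewer until they are added."""
    a, b = Account("a@foo.com"), Account("b@bar.com")
    srv = Server("ALL", accounts={a, b})
    change = Change(124, owner=a, private=True)
    out = {}
    out["b_sees_before_add"] = srv.can_see_change(b, change)       # False
    out["a_can_add_b"] = srv.add_reviewer(a, change, b)            # True: ALL visibility, b has READ
    out["b_sees_after_add"] = srv.can_see_change(b, change)        # True
    return out


def anonymous_scenario() -> dict:
    """Under the ALL default even unauthenticated callers can see accounts."""
    a = Account("a@foo.com")
    return {
        "ALL": Server("ALL", accounts={a}).can_see_account(ANONYMOUS, a),
        "VISIBLE_GROUP": Server("VISIBLE_GROUP", accounts={a}).can_see_account(ANONYMOUS, a),
    }


if __name__ == "__main__":
    print(page_scenario())
    print(private_change_scenario())
    print(anonymous_scenario())
```

The point the model makes concrete is that `suggest_reviewers` intersects *two* checks: the caller's account visibility toward the candidate, and the candidate's ACL on the change (not their current ability to see a private change, which is why an owner can still add a reviewer to a private change). Once someone is on the change, `can_see_account_on_change` exposes their name and email to the other participants even though plain search would not.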
== Right to be Forgotten Limitations

As a source control system, Gerrit has limited abilities to remove personally
identifiable information. Notably, Gerrit cannot:

* Remove a user's e-mail from all existing commits
* Remove a user's username

== Open Source Software Limitations

Gerrit is open-source software licensed under the Apache 2.0 license. Unless
required by applicable law or agreed to in writing, software distributed under
the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific
language governing permissions and limitations under the License.