infosys GDPR compliance, BUGZ-3980
According to GDPR regulations we should avoid people's DNs in any record. The proposed fix is to use a non-invertible hash.
This requires fixes in the:
- infosys @floridop status: in WIP !1122 (merged), to be tested
- client @? status: in WIP !1122 (merged), to be tested
The suggestions below are additional ones to ease sysadmin and debugging tasks. They are not required for the patch to work, but may be a nice aid for debugging.
- server-side logs or controldir files if we want to map DN to hash in the logs @aleksandr.konstantinov status:?

  Example (arex.log):
  ```
  [2020-03-27 14:34:38] [Arc] [VERBOSE] [22276/3] Current jobs in system (PREPARING to FINISHING) per-DN (1 entries)
  [2020-03-27 14:34:38] [Arc] [VERBOSE] [22276/3] /DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=testexample (sha512:d760683d4227d31f388c7eaec87fe9ad3819f2416c614257f11afdaefc37ca27f14b6881ecc38258af66a41ca3002ac1594c48c4ca9ea5a9a804d4ff17d77d64): 1
  ```

  ```
  [2021-02-02 17:23:21] [Arc.GridFTP_Commands] [VERBOSE] [13090/9416752] response: 220 Server ready
  [2021-02-02 17:23:22] [Arc.GridFTP_Commands] [INFO] [13090/139954999238336] User subject: /DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=testexample (sha512:d760683d4227d31f388c7eaec87fe9ad3819f2416c614257f11afdaefc37ca27f14b6881ecc38258af66a41ca3002ac1594c48c4ca9ea5a9a804d4ff17d77d64)
  [2021-02-02 17:23:22] [Arc.GridFTP_Commands] [INFO] [13090/139954999238336] Encrypted: true
  ```

  ```
  [root@arc-iridium arc]# cat /home/arccontrol/job.wMtMDmlBtMynVALY5mGJwcyoABFKDmABFKDmNxGKDmABFKDmTahA1n.local
  [...]
  subject=/DC=org/DC=terena/DC=tcs/C=SE/O=Lunds universitet/CN=Florido Paganelli hep-frp@lu.se
  subjecthash=sha512:d760683d4227d31f388c7eaec87fe9ad3819f2416c614257f11afdaefc37ca27f14b6881ecc38258af66a41ca3002ac1594c48c4ca9ea5a9a804d4ff17d77d64
  [...]
  ```
- arcctl if we want to provide ways to see these hashes @andrii status:?
  Example:
  ```
  [root@arc-iridium arc]# arcctl job info wMtMDmlBtMynVALY5mGJwcyoABFKDmABFKDmNxGKDmABFKDmTahA1n
  Name     : testsimple
  Owner    : /DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=testexample (sha512:d760683d4227d31f388c7eaec87fe9ad3819f2416c614257f11afdaefc37ca27f14b6881ecc38258af66a41ca3002ac1594c48c4ca9ea5a9a804d4ff17d77d64)
  State    : DELETED
  LRMS ID  : 5261
  Modified : 2021-01-29 12:34:01
  ```
in CC for reference: @Konya @maikenp @waananen @ellert
infosys
UPDATE: After a discussion on Skype, I decided to implement just a minimal change where only the nordugrid schema contains hashed DNs, based on coreutils sha512sum. The resulting string is hex-encoded.
Example:
```
Subject:   /DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=testexample
sha512sum: d760683d4227d31f388c7eaec87fe9ad3819f2416c614257f11afdaefc37ca27f14b6881ecc38258af66a41ca3002ac1594c48c4ca9ea5a9a804d4ff17d77d64
```
Another decision is whether to hash both nordugrid-arc-globalowner and GLUE2Owner. I would prefer to hash both for consistency, but this has currently not been accepted by the rest of the team.
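The following is an added example and not code from the ARC project or from this issue. It shows the hex-encoded SHA-512 DN pseudonym described in the update above, and the hash-to-DN reverse lookup that the log and controldir suggestions earlier in the issue call for, run over constructed log lines in the arex.log shape. Two points it makes explicit: coreutils `sha512sum` hashes exactly the bytes it reads, so `echo "$DN" | sha512sum` and `printf '%s' "$DN" | sha512sum` give different digests (which of the two ARC uses is not stated here, so the `trailing_newline` flag is an assumption you set to match your deployment), and an unsalted hash of a DN is a pseudonym rather than an anonymisation, because anyone holding a DN list (a grid-mapfile, a CA's published subjects) can recompute the table. The `dn_keyed_hash` alternative (HMAC under a site secret) is not something the page proposes; it is included only to show how recomputation by third parties can be prevented while the site keeps a stable identifier. All DNs, keys and log lines below are constructed sample data.

```python
"""Added example (not ARC project code): SHA-512 DN pseudonyms, as
described in the issue, plus a reverse lookup for sysadmins who need to
map hashes found in logs back to DNs they already hold."""
import hashlib
import hmac
import re

# Constructed sample: the test identity used throughout the issue.
SAMPLE_DN = "/DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=testexample"


def dn_hash(dn: str, trailing_newline: bool = False) -> str:
    """Hex-encoded SHA-512 of a DN, like `sha512sum` on the DN text.

    coreutils sha512sum hashes exactly the bytes it reads, so
    `echo "$DN" | sha512sum` covers DN plus "\\n" while
    `printf '%s' "$DN" | sha512sum` covers the DN alone. The digests differ;
    which one ARC's infosys emits is not stated on the page (assumption
    here: no trailing newline), so the flag lets you match either.
    """
    data = dn.encode("utf-8") + (b"\n" if trailing_newline else b"")
    return hashlib.sha512(data).hexdigest()


def dn_keyed_hash(dn: str, site_key: bytes) -> str:
    """Alternative not on the page: HMAC-SHA512 under a site secret.

    A plain hash of a DN is only a pseudonym: DNs are short, structured and
    largely public (CA, organisation, user name), so anyone holding a DN
    list can recompute the digests. Keying the hash keeps the identifier
    stable for the site while blocking recomputation by third parties who
    only see the published records.
    """
    return hmac.new(site_key, dn.encode("utf-8"), hashlib.sha512).hexdigest()


# Token format used in the log and controldir examples in the issue.
HASH_RE = re.compile(r"sha512:([0-9a-f]{128})")


def build_lookup(dns, trailing_newline: bool = False) -> dict:
    """hash -> DN for DNs the admin already holds (e.g. from a grid-mapfile).

    This table is exactly the dictionary that makes the unsalted scheme
    re-identifiable. That is fine for the site, which must know its users,
    but it is why the hash is pseudonymisation, not anonymisation.
    """
    return {dn_hash(dn, trailing_newline): dn for dn in dns}


def resolve_line(line: str, lookup: dict) -> str:
    """Annotate every sha512:<hex> token with its DN when the DN is known."""
    def repl(m):
        dn = lookup.get(m.group(1))
        return f"{m.group(0)} [{dn}]" if dn else m.group(0)
    return HASH_RE.sub(repl, line)


def resolve_log(lines, lookup: dict):
    """Return (annotated lines, hashes seen, hashes resolved to a DN)."""
    seen = resolved = 0
    out = []
    for line in lines:
        for h in HASH_RE.findall(line):
            seen += 1
            resolved += h in lookup
        out.append(resolve_line(line, lookup))
    return out, seen, resolved


if __name__ == "__main__":
    # Constructed log lines in the arex.log shape shown in the issue, but
    # carrying only the hash, which is the form the patch aims at.
    known = [SAMPLE_DN, "/DC=org/DC=nordugrid/DC=ARC/O=TestCA/CN=other"]
    lookup = build_lookup(known)
    log = [
        "[2020-03-27 14:34:38] [Arc] [VERBOSE] [22276/3] Current jobs in system "
        "(PREPARING to FINISHING) per-DN (2 entries)",
        f"[2020-03-27 14:34:38] [Arc] [VERBOSE] [22276/3] sha512:{dn_hash(SAMPLE_DN)}: 1",
        f"[2020-03-27 14:34:38] [Arc] [VERBOSE] [22276/3] sha512:{'0' * 128}: 1",
    ]
    annotated, seen, resolved = resolve_log(log, lookup)
    print("\n".join(annotated))
    print(f"{resolved}/{seen} hashes resolved")
```

To check which newline convention a deployment uses, hash one DN you know with both settings and compare against what the nordugrid schema publishes; only one will match. Keep the lookup table on the server side only, since publishing it alongside the hashed records would undo the point of the patch.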