Axon Framework vs GDPR (physically deleting personal data from the Domain Event Entry table)

Question


So let's have a look at this very interesting point of nowadays, the General Data Protection Regulation (GDPR). Let's make it clear what Axon's best answer is for the problem below. (I am using Axon 4.1 with Spring Boot)
I introduce you to my problem:

The user comes and, for example, he wants to book an appointment, where he must enter his email, phone number etc., a lot of personal data. Before the user clicks on Enter he has to accept a privacy statement which includes how long we store his personal information. So when the user clicks on Enter the backend will event source all the information the user entered. All his privacy data will be stored in Axon's Domain Event Entry table for an Aggregate for the created event. The user's personal data can be found in the payload.
So when the storage time expires I have to remove all the personal data from all my tables, including Axon's Domain Event Entry table.

So my question is how to physically remove an aggregate from Domain Event Entry.

I tried this solution:

    // Inside the aggregate; markDeleted() is the static AggregateLifecycle.markDeleted()
    @EventSourcingHandler
    public void on(CampaignDeletedEvent event) {
        markDeleted();
    }

But it does not do anything; the API says: "Marks this aggregate as deleted, instructing a repository to remove that aggregate at an appropriate time." - Should it remove it physically? It is not doing it, I waited for 30 minutes and the aggregate is still in the table, so what does "appropriate time" mean?

After my failed attempt to delete I read this StackOverflow question (https://stackoverflow.com/questions/59695175/axon-framework-delete-aggregate-root) where Allard said this in the comment section: "That's correct. With Event Sourcing, "delete" doesn't really exist. It's just a state like any other, except that on a "deleted" state, all commands are rejected."

Ok. So this means my Aggregate is dead but the user's personal data is still there in the payload field of the Domain Event Entry table for the aggregate?

So I have to somehow create a Repository and delete it, or do it with an SQL script? How are you doing this? I might be wrong and outdated about new features but if the authority comes the fine is $$$$$$$$$$$$$$$$

Thanks,
Máté

Answer 1

Score: 2


Event Sourcing mandates that the state change of the application isn't explicitly stored in the database as the new state (overwriting the previous state) but as an immutable series of events. You should not delete these events and/or change the content. This way you don't lose any data/information. Everything that happened in the system is stored. Information is far more valuable than the price of storage these days, don't throw it away ;)

But some attributes of an event should not be read by all consumers, and we should be able to delete them without touching the event store (series of events). One of the common solutions to this problem is to encrypt the sensitive attributes, with a different encryption key for each resource. Only give the key to consumers that require it. When the sensitive information needs to be erased, delete the encryption key instead, to ensure the information can never be accessed again. This effectively makes all copies and backups of the sensitive data unusable. This pattern is known as Crypto-Shredding. The Crypto-Shredding pattern is of course only as good as your encryption and your key management practices, and in my opinion it is a better option than just running a delete on the SQL table (do you really delete all the data - what about logs?)

Axon provides a commercial module, the Axon Data Protection module (https://axoniq.io/product-overview/axon-data-protection), for this purpose.
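As an added illustration of the crypto-shredding pattern described in this answer (example code written for this page, not the asker's code and not Axon's Data Protection module): a hypothetical CryptoShreddingDemo class keeps one AES-GCM key per aggregate, stores the email encrypted inside an append-only event payload, and erases by deleting the key alone. The in-memory key and event maps are assumed stand-ins for a KMS and for Axon's Domain Event Entry table.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Crypto-shredding sketch (hypothetical code, not Axon's Data Protection module). */
public class CryptoShreddingDemo {
    // One AES-256 key per aggregate. In production this is a KMS/HSM-backed table, not a HashMap.
    private final Map<String, SecretKey> keyStore = new HashMap<>();
    // Append-only store standing in for the Domain Event Entry table; rows are never deleted.
    private final Map<String, List<String>> eventStore = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    private static Cipher gcm(int mode, SecretKey key, byte[] iv, String aggregateId) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, key, new GCMParameterSpec(128, iv));
        cipher.updateAAD(aggregateId.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its aggregate
        return cipher;
    }
    private SecretKey keyFor(String aggregateId) {
        return keyStore.computeIfAbsent(aggregateId, id -> {
            byte[] raw = new byte[32]; random.nextBytes(raw); return new SecretKeySpec(raw, "AES"); });
    }
    /** Appends an event: the type stays readable, the PII field (email) is encrypted with a fresh nonce. */
    public void appendEvent(String aggregateId, String eventType, String email) throws Exception {
        byte[] iv = new byte[12]; random.nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, keyFor(aggregateId), iv, aggregateId)
                .doFinal(email.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        eventStore.computeIfAbsent(aggregateId, id -> new ArrayList<>())
                .add(eventType + "|" + b64.encodeToString(iv) + "|" + b64.encodeToString(ct));
    }
    /** Replays the stream; once the key is shredded the PII field can only be rendered as erased. */
    public List<String> replay(String aggregateId) throws Exception {
        List<String> out = new ArrayList<>();
        SecretKey key = keyStore.get(aggregateId);
        Base64.Decoder b64 = Base64.getDecoder();
        for (String payload : eventStore.getOrDefault(aggregateId, Collections.emptyList())) {
            String[] p = payload.split("\\|");
            out.add(p[0] + "|" + (key == null ? "<erased>" : new String(
                    gcm(Cipher.DECRYPT_MODE, key, b64.decode(p[1]), aggregateId).doFinal(b64.decode(p[2])),
                    StandardCharsets.UTF_8)));
        }
        return out;
    }
    /** GDPR erasure: delete only the key; every copy, backup and log holding the ciphertext goes dark with it. */
    public void shred(String aggregateId) { keyStore.remove(aggregateId); }
}
```

Calling appendEvent, replay, shred and replay again on the same aggregate id shows the identical stored row first decrypting to the email and then rendering as erased. Any projection or snapshot that copied the plaintext out of the payload still needs the same encryption or its own erasure.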

huangapple
  • Posted on 2020-09-01 22:18:48
  • When reposting please keep this link: https://go.coder-hub.com/63689545.html