OCPBUGS-82140: Remove PII from events

[logonoff]

Analysis / Root cause:

accountMail is too much PII and the entire user resource is being sent to segment.ts

Solution description:

Strip the username from the email and only send the sandbox user ID instead of the whole resource

Screenshots / screen recording:

n/a

Test setup:

• Enable telemetry: CONSOLE-4491: Deanonymize Developer Sandbox users #15201 (comment)

Test cases:

• Test in a sandbox cluster and ensure the sandbox user ID is still being sent
• Ensure user and userResource objects are not sent ever
• Ensure accountMailDomain is sent instead of accountMail, which only sends the content after the @ symbol instead of the whole email

Summary by CodeRabbit

• New Features

  • Enhanced email privacy in telemetry tracking—now captures only email domain instead of full email addresses.
  • Improved telemetry collection for sandbox environments with proper user identification.

• Bug Fixes

  • Removed personally identifiable information (PII) fields from telemetry payloads to strengthen data privacy.

[openshift-ci-robot]

@logonoff: This pull request references Jira Issue OCPBUGS-82140, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:

accountMail is too much PII and the entire user resource is being sent to segment.ts

Solution description:

Strip the username from the email and only send the sandbox user ID instead of the whole resource

Screenshots / screen recording:

n/a

Test setup:

• Enable telemetry: CONSOLE-4491: Deanonymize Developer Sandbox users #15201 (comment)

Test cases:

• Test in a sandbox cluster and ensure the sandbox user ID is still being sent
• Ensure user and userResource objects are not sent ever
• Ensure accountMailDomain is sent instead of accountMail, which only sends the content after the @ symbol instead of the whole email

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request refactors the telemetry system to improve data privacy and payload shape consistency. The changes replace the accountMail field with accountMailDomain (derived from email), remove userResource from the telemetry event properties, and introduce sandboxUserId for DEVSANDBOX clusters. A new helper function extracts email domains, while a new injectSandboxProperties function conditionally augments telemetry events with sandbox-specific data from user metadata annotations. The telemetry listener in the segment plugin is updated to consume the new sandboxUserId property directly instead of deriving it from userResource. Test cases verify email anonymization and confirm PII fields are properly excluded from telemetry payloads.

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the specific Jira issue and summarizes the main change: removing PII from telemetry events.
Description check	✅ Passed	The PR description adequately fills the required template sections with root cause analysis, solution details, and comprehensive test cases for validating PII removal.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This custom check is not applicable to the provided pull request. The check is specifically designed to validate Ginkgo test names (a Go testing framework using capitalized syntax like It(), Describe(), Context(), When()). However, the PR modifies only Jest test files (TypeScript/JavaScript) in the frontend package, which use lowercase describe() and it() syntax. All test names in the Jest test file are stable and deterministic, containing no dynamic values such as generated IDs, timestamps, or pod names. Since no Ginkgo tests are present in this PR, the check requirements do not apply.
Test Structure And Quality	✅ Passed	Jest tests demonstrate reasonable quality with proper setup/cleanup hooks and focused descriptions; Ginkgo-specific guidelines inapplicable to JavaScript/TypeScript unit tests.
Microshift Test Compatibility	✅ Passed	PR contains only Jest frontend tests for React hooks; no Ginkgo e2e tests present. MicroShift compatibility check is not applicable to frontend TypeScript/Jest unit tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Pull request contains only TypeScript/JavaScript frontend changes (Jest tests and telemetry hooks), not Go-based Ginkgo e2e tests, so SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only frontend telemetry collection code with no changes to deployment manifests, operator code, or Kubernetes controllers.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check is not applicable to this pull request as all changes are confined to frontend TypeScript code with no binary executables or test infrastructure.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains only frontend TypeScript/Jest unit tests and React hook implementations; no Go-based Ginkgo e2e tests are present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

frontend/packages/console-shared/src/hooks/useTelemetry.ts (1)

39-42: Harden email-domain extraction normalization.

At Line 40-41, consider using the last @, trim, and lowercase to avoid malformed/variant domains creating inconsistent telemetry values.

Optional refinement

 const getEmailDomainFromEmail = (email: string): string => {
-  const emailParts = email.split('@');
-  return emailParts.length > 1 ? emailParts[1] : '';
+  const atIndex = email.lastIndexOf('@');
+  return atIndex >= 0 ? email.slice(atIndex + 1).trim().toLowerCase() : '';
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/packages/console-shared/src/hooks/useTelemetry.ts` around lines 39 -
42, The getEmailDomainFromEmail function can return inconsistent domains for
malformed emails; update it to locate the last '@' (use lastIndexOf) and, if
found, take the substring after that character, then trim() and toLowerCase()
the result, returning an empty string for missing or blank inputs; reference
getEmailDomainFromEmail to implement this normalization so telemetry always
receives a consistent, lowercased domain value.

frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts (1)

205-226: Add a DEVSANDBOX edge-case test for missing annotation.

Please add a case where toolchain.dev.openshift.com/sso-user-id is absent, and assert behavior stays valid (no invalid identifier propagation). This protects the new sandboxUserId contract end-to-end.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts`
around lines 205 - 226, Add a new test in useTelemetry.spec.ts that mirrors the
existing DEVSANDBOX test but sets the cluster annotations so the key
"toolchain.dev.openshift.com/sso-user-id" is absent (e.g., telemetry DEVSANDBOX
= 'true' and annotations = {} or omit the sso-user-id), call
updateClusterPropertiesFromTests(), renderHook(() => useTelemetry()), fire the
telemetry event (fireTelemetryEvent('...')), and assert listener was called once
and the payload does NOT include sandboxUserId (i.e.,
expect(listener).toHaveBeenCalledWith('test', { ...exampleReturnValue,
clusterType: 'DEVSANDBOX', consoleVersion: 'x.y.z' }) without sandboxUserId) to
ensure no invalid identifier is propagated.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@frontend/packages/console-shared/src/hooks/useTelemetry.ts`:
- Around line 55-57: clusterProperties.accountMailDomain is set from
window.SERVER_FLAGS.telemetry.ACCOUNT_EMAIL but during operator rollout the key
may be ACCOUNT_MAIL; update the assignment in useTelemetry.ts to fall back to
telemetry.ACCOUNT_MAIL when telemetry.ACCOUNT_EMAIL is missing or empty so
getEmailDomainFromEmail always receives a string (e.g., use
telemetry.ACCOUNT_EMAIL || telemetry.ACCOUNT_MAIL || ''), ensuring
getEmailDomainFromEmail and clusterProperties.accountMailDomain remain
backward-compatible during the operator transition.

In `@frontend/packages/console-telemetry-plugin/src/listeners/segment.ts`:
- Around line 67-71: The DEVSANDBOX branch sets processedUserId directly to the
optional sandboxUserId which can be empty; update the branch so processedUserId
uses sandboxUserId when present otherwise falls back to the anonymized user id
by calling anonymizeId(userId). Locate the logic around getClusterProperties(),
processedUserId, and sandboxUserId and ensure analytics.identify receives a
non-empty id by defaulting to await anonymizeId(userId) when sandboxUserId is
falsy.

---

Nitpick comments:
In `@frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts`:
- Around line 205-226: Add a new test in useTelemetry.spec.ts that mirrors the
existing DEVSANDBOX test but sets the cluster annotations so the key
"toolchain.dev.openshift.com/sso-user-id" is absent (e.g., telemetry DEVSANDBOX
= 'true' and annotations = {} or omit the sso-user-id), call
updateClusterPropertiesFromTests(), renderHook(() => useTelemetry()), fire the
telemetry event (fireTelemetryEvent('...')), and assert listener was called once
and the payload does NOT include sandboxUserId (i.e.,
expect(listener).toHaveBeenCalledWith('test', { ...exampleReturnValue,
clusterType: 'DEVSANDBOX', consoleVersion: 'x.y.z' }) without sandboxUserId) to
ensure no invalid identifier is propagated.

In `@frontend/packages/console-shared/src/hooks/useTelemetry.ts`:
- Around line 39-42: The getEmailDomainFromEmail function can return
inconsistent domains for malformed emails; update it to locate the last '@' (use
lastIndexOf) and, if found, take the substring after that character, then trim()
and toLowerCase() the result, returning an empty string for missing or blank
inputs; reference getEmailDomainFromEmail to implement this normalization so
telemetry always receives a consistent, lowercased domain value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d070b91d-69fa-433a-9e43-062457610533

📥 Commits

Reviewing files that changed from the base of the PR and between 1298e98 and eaa633f.

📒 Files selected for processing (3)

• frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
• frontend/packages/console-shared/src/hooks/useTelemetry.ts
• frontend/packages/console-telemetry-plugin/src/listeners/segment.ts

📜 Review details

🧰 Additional context used

🔀 Multi-repo context openshift/console-operator

[::openshift/console-operator::pkg/console/operator/operator.go:104] — operator struct defines accountMail field accountMail string.
[::openshift/console-operator::pkg/console/operator/sync_v400.go:474-481] — telemetry flow: calls telemetry.GetOrganizationMeta(...) returning organizationID, accountMail, refreshCache and sets co.trackables.accountMail = accountMail and telemetryConfig["ACCOUNT_MAIL"] = accountMail.

Implication: this operator produces telemetry config using key "ACCOUNT_MAIL" and the full email value. The PR changes in frontend replace accountMail with accountMailDomain and expect anonymized domain-derived value (and server flag might be named ACCOUNT_EMAIL), and remove sending full user resource. The operator code above is a direct producer of the "ACCOUNT_MAIL" value and therefore is a relevant cross-repo consumer/producer to verify for compatibility with the PR.

🔇 Additional comments (3)

frontend/packages/console-telemetry-plugin/src/listeners/segment.ts (1)

48-48: Good payload minimization in identify flow.

Line 48 cleanly drops userResource from listener properties and keeps only sandboxUserId, which aligns with the PII-reduction objective.

frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts (1)

352-378: Strong privacy regression test coverage.

This test correctly verifies accountMailDomain and explicitly asserts that user, userResource, and accountMail are not emitted.

frontend/packages/console-shared/src/hooks/useTelemetry.ts (1)

77-89: Good replacement of full user resource with scoped sandbox identifier.

injectSandboxProperties is a solid privacy improvement and keeps only the required sandbox identifier in DEVSANDBOX paths.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add fallback when sandbox ID is missing in DEVSANDBOX identify path.

At Line 68, processedUserId is set directly from optional sandboxUserId. If the annotation is absent, analytics.identify (Line 81) receives an invalid identifier. Fall back to anonymized userId when sandboxUserId is empty.

Suggested fix

-          if (getClusterProperties().clusterType === 'DEVSANDBOX') {
-            processedUserId = sandboxUserId;
-          } else {
-            processedUserId = await anonymizeId(userId);
-          }
+          if (getClusterProperties().clusterType === 'DEVSANDBOX' && sandboxUserId) {
+            processedUserId = sandboxUserId;
+          } else {
+            processedUserId = await anonymizeId(userId);
+          }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (getClusterProperties().clusterType === 'DEVSANDBOX') {
	processedUserId =
	userResource?.metadata?.annotations?.['toolchain.dev.openshift.com/sso-user-id'];
	processedUserId = sandboxUserId;
	} else {
	processedUserId = await anonymizeId(userId);
	}
	if (getClusterProperties().clusterType === 'DEVSANDBOX' && sandboxUserId) {
	processedUserId = sandboxUserId;
	} else {
	processedUserId = await anonymizeId(userId);
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@frontend/packages/console-telemetry-plugin/src/listeners/segment.ts` around
lines 67 - 71, The DEVSANDBOX branch sets processedUserId directly to the
optional sandboxUserId which can be empty; update the branch so processedUserId
uses sandboxUserId when present otherwise falls back to the anonymized user id
by calling anonymizeId(userId). Locate the logic around getClusterProperties(),
processedUserId, and sandboxUserId and ensure analytics.identify receives a
non-empty id by defaulting to await anonymizeId(userId) when sandboxUserId is
falsy.

[logonoff]

/jira refresh

[openshift-ci-robot]

@logonoff: This pull request references Jira Issue OCPBUGS-82140, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vojtechszocs]

Shouldn't we use some email parser to avoid processing strings which are not proper email addresses?

[logonoff]

I'd like to avoid introducing new dependencies for this given the need for a backport. This is also already good enough for non-emails, e.g., redhat.com or matt@hicks@redhat.com this would return an empty string

[logonoff]

/cherry-pick release-4.22
/cherry-pick release-4.21
/cherry-pick release-4.20

[openshift-cherrypick-robot]

@logonoff: once the present PR merges, I will cherry-pick it on top of release-4.20, release-4.21, release-4.22 in new PRs and assign them to you.

Details

In response to this:

/cherry-pick release-4.22
/cherry-pick release-4.21
/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[spadgett]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: logonoff, spadgett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• frontend/OWNERS [logonoff,spadgett]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Leo6Leo]

/verified by @Leo6Leo
Before the fix: accountMail is exposing the full email address and sent to all telemetry listeners, userResource contains the entire k8s user obj, no email anonymization.

After the fix,

1. accountMail replaced by accountMailDomain — only sends the part after @
2. userResource no longer sent to listeners at all
3. sandboxUserId extracted from annotation and sent only for DEVSANDBOX clusters
4. getEmailDomain() correctly handles edge cases (invalid emails return '')
5. segment.ts listener updated to destructure sandboxUserId instead of userResource

[openshift-ci-robot]

@Leo6Leo: This PR has been marked as verified by @Leo6Leo.

Details

In response to this:

/verified by @Leo6Leo
Before the fix: accountMail is exposing the full email address and sent to all telemetry listeners, userResource contains the entire k8s user obj, no email anonymization.

After the fix,

1. accountMail replaced by accountMailDomain — only sends the part after @
2. userResource no longer sent to listeners at all
3. sandboxUserId extracted from annotation and sent only for DEVSANDBOX clusters
4. getEmailDomain() correctly handles edge cases (invalid emails return '')
5. segment.ts listener updated to destructure sandboxUserId instead of userResource

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD f36d613 and 2 for PR HEAD 6187709 in total

[logonoff]

/test all

[openshift-ci]

@logonoff: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@logonoff: Jira Issue Verification Checks: Jira Issue OCPBUGS-82140
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-82140 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Analysis / Root cause:

accountMail is too much PII and the entire user resource is being sent to segment.ts

Solution description:

Strip the username from the email and only send the sandbox user ID instead of the whole resource

Screenshots / screen recording:

n/a

Test setup:

• Enable telemetry: CONSOLE-4491: Deanonymize Developer Sandbox users #15201 (comment)

Test cases:

• Test in a sandbox cluster and ensure the sandbox user ID is still being sent
• Ensure user and userResource objects are not sent ever
• Ensure accountMailDomain is sent instead of accountMail, which only sends the content after the @ symbol instead of the whole email

Summary by CodeRabbit

• New Features

• Enhanced email privacy in telemetry tracking—now captures only email domain instead of full email addresses.

• Improved telemetry collection for sandbox environments with proper user identification.

• Bug Fixes

• Removed personally identifiable information (PII) fields from telemetry payloads to strengthen data privacy.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-cherrypick-robot]

@logonoff: new pull request created: #16393

Details

In response to this:

/cherry-pick release-4.22
/cherry-pick release-4.21
/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@logonoff: #16365 failed to apply on top of branch "release-4.21":

Applying: OCPBUGS-82140: Remove PII from events
Using index info to reconstruct a base tree...
M	frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
M	frontend/packages/console-shared/src/hooks/useTelemetry.ts
M	frontend/packages/console-telemetry-plugin/src/listeners/segment.ts
Falling back to patching base and 3-way merge...
Auto-merging frontend/packages/console-telemetry-plugin/src/listeners/segment.ts
Auto-merging frontend/packages/console-shared/src/hooks/useTelemetry.ts
Auto-merging frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
CONFLICT (content): Merge conflict in frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-82140: Remove PII from events

Details

In response to this:

/cherry-pick release-4.22
/cherry-pick release-4.21
/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@logonoff: #16365 failed to apply on top of branch "release-4.20":

Applying: OCPBUGS-82140: Remove PII from events
Using index info to reconstruct a base tree...
M	frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
M	frontend/packages/console-shared/src/hooks/useTelemetry.ts
M	frontend/packages/console-telemetry-plugin/src/listeners/segment.ts
Falling back to patching base and 3-way merge...
Auto-merging frontend/packages/console-telemetry-plugin/src/listeners/segment.ts
Auto-merging frontend/packages/console-shared/src/hooks/useTelemetry.ts
Auto-merging frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
CONFLICT (content): Merge conflict in frontend/packages/console-shared/src/hooks/__tests__/useTelemetry.spec.ts
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 OCPBUGS-82140: Remove PII from events

Details

In response to this:

/cherry-pick release-4.22
/cherry-pick release-4.21
/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-05-02-104839