
Commit e65fae8

committed
feat: add example
1 parent a7da969 commit e65fae8

22 files changed: +663 -2 lines changed

README.md

Lines changed: 32 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,32 @@
1-
# database-security-github-actions-example
2-
Enforce database permissions, data masking with Bytebase API and GitHub Actions.
1+
# Data Security GitHub Actions Example
2+
3+
This directory demonstrates how to use Bytebase API and GitHub Actions to configure data security related features.
4+
You can refer this example to build a GitOps solution to codify all data security policies.
5+
6+
This example shows a typical directory structure:
7+
8+
1. **principal**. Users, groups.
9+
1. **iam**. Roles, Query, and Export permission settings.
10+
1. **masking**. Dynamic data masking.
11+
12+
If you are familiar with Google Cloud Platform (GCP), you may notice the Bytebase model is quite familiar:
13+
14+
1. [GCP Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
15+
1. [GCP IAM](https://cloud.google.com/security/products/iam)
16+
1. [GCP Org policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview)
17+
18+
# Fetch the access token with service account
19+
20+
To call the Bytebase API, you need to use the service account
21+
22+
Doc: https://www.bytebase.com/docs/api/authentication/
23+
24+
```bash
25+
export bytebase_url=http://localhost:5678
26+
bytebase_account="[email protected]"
27+
bytebase_password="bbs_QUYgvZaOsI2Hlal3a7k4"
28+
bytebase_token=$(curl -v ${bytebase_url}/v1/auth/login \
29+
--data-raw '{"email":"'${bytebase_account}'","password":"'${bytebase_password}'","web":true}' \
30+
--compressed 2>&1 | grep token | grep -o 'access-token=[^;]*;' | grep -o '[^;]*' | sed 's/access-token=//g; s/;//g')
31+
echo $bytebase_token
32+
```
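Review bot: the README commits a service-account password in plain text (`bytebase_password="bbs_QUYgvZaOsI2Hlal3a7k4"`) next to the account email. Even for a sample instance, a README that is meant to seed a GitOps workflow should read the secret from the environment, e.g. `bytebase_password="${BYTEBASE_PASSWORD}"` populated from a GitHub Actions secret, and the committed value should be rotated. The token extraction is also fragile: `curl -v ... 2>&1 | grep token | grep -o 'access-token=[^;]*;'` scrapes the `access-token` cookie out of verbose stderr, which carries every request and response header; writing the cookie with `--cookie-jar` or parsing the JSON response body would be more robust. Minor: "You can refer this example" should read "You can refer to this example", and "the Bytebase model is quite familiar" should be "quite similar".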

iam/README.md

Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
# Custom roles
2+
3+
Docs: https://www.bytebase.com/docs/administration/custom-roles/
4+
5+
API: https://api.bytebase.com/#tag/roleservice
6+
7+
```bash
8+
## Create
9+
curl --request POST "${bytebase_url}/v1/roles?roleId=auditor" \
10+
--header 'Authorization: Bearer '${bytebase_token} \
11+
--data @custom-role.json
12+
```
13+
14+
```bash
15+
## Upsert
16+
curl --request PATCH "${bytebase_url}/v1/roles/auditor?allow_missing=true" \
17+
--header 'Authorization: Bearer '${bytebase_token} \
18+
--data @custom-role.json
19+
```
20+
21+
```bash
22+
## Delete
23+
curl --request DELETE "${bytebase_url}/v1/roles/auditor" \
24+
--header 'Authorization: Bearer '${bytebase_token}
25+
```
26+
27+
# Workspace-level IAM
28+
29+
API: https://api.bytebase.com/#tag/workspaceservice
30+
31+
```bash
32+
export workspace_id=6c86d081-379d-4366-be6f-481425e6f397
33+
curl --request POST "${bytebase_url}/v1/workspaces/${workspace_id}:setIamPolicy" \
34+
--header 'Authorization: Bearer '${bytebase_token} \
35+
--data @iam.json
36+
```
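Review bot: `--header 'Authorization: Bearer '${bytebase_token}` leaves the variable unquoted, so an empty or unset token produces a malformed header rather than an obvious failure; use `--header "Authorization: Bearer ${bytebase_token}"` in all three role calls and the workspace call. The workspace id (`export workspace_id=6c86d081-379d-4366-be6f-481425e6f397`) is specific to one deployment and should be called out as a value the reader must replace, the way `project_id` is exported in the project README. A `Content-Type: application/json` header on the `--data @custom-role.json` calls would also make the body type explicit, since curl defaults `--data` to form encoding.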

iam/custom-role.json

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
{
2+
"title": "Auditor",
3+
"description": "Role for auditor",
4+
"permissions": [
5+
"bb.auditLogs.export",
6+
"bb.auditLogs.search",
7+
"bb.projects.list"
8+
]
9+
}
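Review bot: the `Auditor` custom role grants `bb.auditLogs.export` alongside `bb.auditLogs.search`; export lets the holder pull the full audit trail out of Bytebase, so if the intent is a read-only reviewer role, consider leaving export off and granting it separately when needed. `bb.projects.list` is presumably there so the auditor can enumerate projects; a sentence in `description` saying why each permission is included would document the least-privilege reasoning.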

iam/iam.json

Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
{
2+
"bindings": [
3+
{
4+
"role": "roles/workspaceDBA",
5+
"members": [
6+
7+
8+
9+
],
10+
"condition": {
11+
"expression": "",
12+
"title": "",
13+
"description": ""
14+
}
15+
},
16+
{
17+
"role": "roles/workspaceAdmin",
18+
"members": ["user:[email protected]", "user:[email protected]"],
19+
"condition": {
20+
"expression": "",
21+
"title": "",
22+
"description": ""
23+
}
24+
},
25+
{
26+
"role": "roles/workspaceMember",
27+
"members": ["allUsers"],
28+
"condition": {
29+
"expression": "",
30+
"title": "",
31+
"description": ""
32+
}
33+
},
34+
{
35+
"role": "roles/auditor",
36+
"members": ["user:[email protected]"],
37+
"condition": {
38+
"expression": "",
39+
"title": "",
40+
"description": ""
41+
}
42+
}
43+
]
44+
}
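Review bot: the `roles/workspaceDBA` binding has an empty `members` list (three blank lines where members belong); either populate it or drop the binding, since an empty binding is dead configuration in the policy. `roles/workspaceMember` bound to `allUsers` grants every account workspace membership, which is reasonable for a sample but deserves a comment because this file is the complete policy handed to `:setIamPolicy`. The empty `condition` objects (`"expression": ""`, `"title": ""`, `"description": ""`) can be omitted for unconditional bindings.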

iam/projects/project-sample/README.md

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
# IAM
2+
3+
Docs: https://www.bytebase.com/docs/security/data-access-control/
4+
5+
API: https://api.bytebase.com/#tag/projectservice/POST/v1/projects/{project}:setIamPolicy
6+
7+
```bash
8+
export project_id=project-sample
9+
curl --request POST "${bytebase_url}/v1/projects/${project_id}:setIamPolicy" \
10+
--header 'Authorization: Bearer '${bytebase_token} \
11+
--data @iam.json
12+
```
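Review bot: the README does not mention that the project `iam.json` wraps its bindings in a top-level `"policy"` object, whereas the workspace `iam/iam.json` puts `"bindings"` at the top level; a one-line note on the request body shape would stop the workspace file being copied here by mistake. Same quoting point as the other READMEs: `--header "Authorization: Bearer ${bytebase_token}"`.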

iam/projects/project-sample/iam.json

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"policy": {
3+
"bindings": [
4+
{
5+
"role": "roles/projectDeveloper",
6+
"members": [
7+
8+
9+
10+
11+
],
12+
"condition": {
13+
"expression": "",
14+
"title": "Developer",
15+
"description": ""
16+
}
17+
},
18+
{
19+
"role": "roles/projectOwner",
20+
"members": ["user:[email protected]"],
21+
"condition": {
22+
"expression": "",
23+
"title": "",
24+
"description": ""
25+
}
26+
},
27+
{
28+
"role": "roles/projectReleaser",
29+
"members": ["user:[email protected]"],
30+
"condition": {
31+
"expression": "",
32+
"title": "Releaser",
33+
"description": ""
34+
}
35+
},
36+
{
37+
"role": "roles/tester",
38+
"members": ["user:[email protected]"],
39+
"condition": {
40+
"expression": "",
41+
"title": "Tester",
42+
"description": ""
43+
}
44+
},
45+
{
46+
"role": "roles/projectQuerier",
47+
"members": ["group:[email protected]"],
48+
"condition": {
49+
"expression": "request.time < timestamp(\"2024-10-15T03:37:41.656Z\") && (resource.database == \"instances/prod-sample-instance/databases/hr_prod\" && resource.schema == \"public\" && resource.table in [\"department\",\"employee\",\"dept_emp\",\"dept_manager\"])",
50+
"title": "Project Querier hr_prod.public.department and 3 more 10/12/2024-10/15/2024",
51+
"description": "Query reason"
52+
}
53+
},
54+
{
55+
"role": "roles/projectExporter",
56+
"members": ["group:[email protected]"],
57+
"condition": {
58+
"expression": "request.time < timestamp(\"2024-10-15T03:37:41.656Z\") && (resource.database == \"instances/prod-sample-instance/databases/hr_prod\" && resource.schema == \"public\" && resource.table in [\"department\",\"employee\",\"dept_emp\",\"dept_manager\"])",
59+
"title": "Project Exporter hr_prod.public.department and 3 more 10/12/2024-10/15/2024",
60+
"description": "Export reason"
61+
}
62+
}
63+
]
64+
}
65+
}
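Review bot: the `roles/projectDeveloper` binding has an empty `members` array (four blank lines); populate it or remove it. The `projectQuerier` and `projectExporter` bindings are time-boxed by `request.time < timestamp("2024-10-15T03:37:41.656Z")`, which is the right shape for ad-hoc query and export grants, but once codified the expiry passes silently and the binding stays in the repo as expired policy; consider a CI check that flags bindings whose timestamp is already in the past. Nothing ties the human-readable range in `title` (`10/12/2024-10/15/2024`) to the expression, so note that the two must be edited together.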

masking/README.md

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
# Dynamic Data Masking
2+
3+
Docs: https://www.bytebase.com/docs/security/data-masking/overview/
4+
5+
## Workspace-level policies and settings
6+
7+
### Global masking rule
8+
9+
Docs: https://www.bytebase.com/docs/security/data-masking/global-masking-rule/
10+
11+
API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/policies/{policy}
12+
13+
```bash
14+
curl --request PATCH "${bytebase_url}/v1/policies/masking_rule?allow_missing=true&update_mask=payload" \
15+
--header 'Authorization: Bearer '${bytebase_token} \
16+
--data @global-masking-rule.json
17+
```
18+
19+
### Data classification
20+
21+
Docs: https://www.bytebase.com/docs/security/data-masking/data-classification/
22+
23+
API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
24+
25+
```bash
26+
curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.data-classification \
27+
--header 'Authorization: Bearer '${bytebase_token} \
28+
--data @data-classification.json
29+
```
30+
31+
### Masking algorithm
32+
33+
Docs: https://www.bytebase.com/docs/security/data-masking/masking-algorithm/
34+
35+
API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
36+
37+
```bash
38+
curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.masking-algorithm \
39+
--header 'Authorization: Bearer '${bytebase_token} \
40+
--data @masking-algorithm.json
41+
```
42+
43+
### Semantic type
44+
45+
Docs: https://www.bytebase.com/docs/security/data-masking/semantic-types/
46+
47+
API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
48+
49+
```bash
50+
curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.semantic-types \
51+
--header 'Authorization: Bearer '${bytebase_token} \
52+
--data @semantic-type.json
53+
```
54+
55+
## Project-level masking exception
56+
57+
Project-level masking exception to overrule the workspace-level setting.
58+
59+
https://github.com/bytebase/api-example/tree/main/data-security/masking/projects/project-sample
60+
61+
## Schema configuration
62+
63+
Configure metadata such as masking level, classification, semantic type at the table/column level.
64+
65+
https://github.com/bytebase/api-example/tree/main/data-security/masking/databases
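Review bot: the "Project-level masking exception" and "Schema configuration" sections link to absolute `https://github.com/bytebase/api-example/tree/main/...` URLs for directories that live in this same repo; relative links (`./projects/project-sample`, `./databases`) would keep working in forks, branches and local checkouts. The three `settings` PATCH calls leave `${bytebase_url}` unquoted while the `policies` call quotes it; quote consistently, and use `--header "Authorization: Bearer ${bytebase_token}"` as elsewhere.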

masking/data-classification.json

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
{
2+
"name": "bb.workspace.data-classification",
3+
"value": {
4+
"data_classification_setting_value": {
5+
"configs": [
6+
{
7+
"title": "Classification Example",
8+
"levels": [
9+
{
10+
"id": "1",
11+
"title": "Level 1",
12+
"description": ""
13+
},
14+
{
15+
"id": "2",
16+
"title": "Level 2",
17+
"description": ""
18+
},
19+
{
20+
"id": "3",
21+
"title": "Level 3",
22+
"description": ""
23+
},
24+
{
25+
"id": "4",
26+
"title": "Level 4",
27+
"description": ""
28+
}
29+
],
30+
"classification": {
31+
"1": {
32+
"id": "1",
33+
"title": "Basic",
34+
"description": ""
35+
},
36+
"1-1": {
37+
"id": "1-1",
38+
"title": "Basic",
39+
"description": "",
40+
"levelId": "1"
41+
},
42+
"1-2": {
43+
"id": "1-2",
44+
"title": "Assert",
45+
"description": "",
46+
"levelId": "1"
47+
},
48+
"1-3": {
49+
"id": "1-3",
50+
"title": "Contact",
51+
"description": "",
52+
"levelId": "2"
53+
},
54+
"1-4": {
55+
"id": "1-4",
56+
"title": "Health",
57+
"description": "",
58+
"levelId": "2"
59+
},
60+
"2": {
61+
"id": "2",
62+
"title": "Relationship",
63+
"description": ""
64+
},
65+
"2-1": {
66+
"id": "2-1",
67+
"title": "Social",
68+
"description": "",
69+
"levelId": "1"
70+
},
71+
"2-2": {
72+
"id": "2-2",
73+
"title": "Business",
74+
"description": "",
75+
"levelId": "1"
76+
}
77+
}
78+
}
79+
]
80+
}
81+
}
82+
}
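Review bot: classification `"1-2"` is titled `"Assert"`, which looks like a typo for `"Asset"` alongside `Basic`, `Contact` and `Health`. Levels `3` and `4` are defined but never referenced (`levelId` is only ever `"1"` or `"2"`); either assign the more sensitive entries such as `Health` to a higher level so the example exercises the full scale, or trim the unused levels. All `description` fields are empty strings and could be dropped.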

masking/databases/README.md

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
## Database schema metadata
2+
3+
Configure metadata such as masking level, classification, semantic type at the table/column level.

masking/databases/hr_prod/README.md

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
## Column masking explicitly
2+
3+
Docs: https://www.bytebase.com/docs/security/data-masking/column-masking/
4+
5+
API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/instances/{instance}/databases/{database}/policies/{policy}
6+
7+
```bash
8+
curl --request PATCH "${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/policies/masking?allow_missing=true&update_mask=payload" \
9+
--header 'Authorization: Bearer '${bytebase_token} \
10+
--data @column-masking.json
11+
```
12+
13+
## Column semantic type and classification
14+
15+
Docs:
16+
- Semantic type: https://www.bytebase.com/docs/security/data-masking/semantic-types/
17+
- Classification: https://www.bytebase.com/docs/security/data-masking/data-classification/#manual-classification
18+
19+
API: https://api.bytebase.com/#tag/databaseservice/PATCH/v1/instances/{instance}/databases/{database}/metadata
20+
21+
```bash
22+
curl --request PATCH ${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/metadata \
23+
--header 'Authorization: Bearer '${bytebase_token} \
24+
--data @metadata.json
25+
```
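Review bot: the heading "Column masking explicitly" reads awkwardly; "Explicit column masking" is clearer. The instance and database (`prod-sample-instance`, `hr_prod`) are hardcoded into both URLs; exporting them as `instance_id` and `database_id` the way the other READMEs export `project_id` and `workspace_id` would make the commands reusable across databases. Same header quoting as elsewhere: `--header "Authorization: Bearer ${bytebase_token}"`.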
