feat: add example

Author: tianzhou

README.md

@@ -1,2 +1,32 @@
-# database-security-github-actions-example
-Enforce database permissions, data masking with Bytebase API and GitHub Actions.
+# Data Security GitHub Actions Example
+
+This directory demonstrates how to use Bytebase API and GitHub Actions to configure data security related features.
+You can refer this example to build a GitOps solution to codify all data security policies.
+
+This example shows a typical directory structure:
+
+1. **principal**. Users, groups.
+1. **iam**. Roles, Query, and Export permission settings.
+1. **masking**. Dynamic data masking.
+
+If you are familiar with Google Cloud Platform (GCP), you may notice the Bytebase model is quite familiar:
+
+1. [GCP Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects)
+1. [GCP IAM](https://cloud.google.com/security/products/iam)
+1. [GCP Org policy](https://cloud.google.com/resource-manager/docs/organization-policy/overview)
+
+# Fetch the access token with service account
+
+To call the Bytebase API, you need to use the service account
+
+Doc: https://www.bytebase.com/docs/api/authentication/
+
+```bash
+export bytebase_url=http://localhost:5678
+bytebase_account="[email protected]"
+bytebase_password="bbs_QUYgvZaOsI2Hlal3a7k4"
+bytebase_token=$(curl -v ${bytebase_url}/v1/auth/login \
+    --data-raw '{"email":"'${bytebase_account}'","password":"'${bytebase_password}'","web":true}' \
+    --compressed 2>&1 | grep token | grep -o 'access-token=[^;]*;' | grep -o '[^;]*' | sed 's/access-token=//g; s/;//g')
+echo $bytebase_token
+```

iam/README.md

@@ -0,0 +1,36 @@
+# Custom roles
+
+Docs: https://www.bytebase.com/docs/administration/custom-roles/
+
+API: https://api.bytebase.com/#tag/roleservice
+
+```bash
+## Create
+curl --request POST "${bytebase_url}/v1/roles?roleId=auditor" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @custom-role.json
+```
+
+```bash
+## Upsert
+curl --request PATCH "${bytebase_url}/v1/roles/auditor?allow_missing=true" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @custom-role.json
+```
+
+```bash
+## Delete
+curl --request DELETE "${bytebase_url}/v1/roles/auditor" \
+  --header 'Authorization: Bearer '${bytebase_token}
+```
+
+# Workspace-level IAM
+
+API: https://api.bytebase.com/#tag/workspaceservice
+
+```bash
+export workspace_id=6c86d081-379d-4366-be6f-481425e6f397
+curl --request POST "${bytebase_url}/v1/workspaces/${workspace_id}:setIamPolicy" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @iam.json
+```

iam/custom-role.json

@@ -0,0 +1,9 @@
+{
+  "title": "Auditor",
+  "description": "Role for auditor",
+  "permissions": [
+    "bb.auditLogs.export",
+    "bb.auditLogs.search",
+    "bb.projects.list"
+  ]
+}

iam/iam.json

@@ -0,0 +1,44 @@
+{
+  "bindings": [
+    {
+      "role": "roles/workspaceDBA",
+      "members": [
+        "user:[email protected]",
+        "user:[email protected]",
+        "user:[email protected]"
+      ],
+      "condition": {
+        "expression": "",
+        "title": "",
+        "description": ""
+      }
+    },
+    {
+      "role": "roles/workspaceAdmin",
+      "members": ["user:[email protected]", "user:[email protected]"],
+      "condition": {
+        "expression": "",
+        "title": "",
+        "description": ""
+      }
+    },
+    {
+      "role": "roles/workspaceMember",
+      "members": ["allUsers"],
+      "condition": {
+        "expression": "",
+        "title": "",
+        "description": ""
+      }
+    },
+    {
+      "role": "roles/auditor",
+      "members": ["user:[email protected]"],
+      "condition": {
+        "expression": "",
+        "title": "",
+        "description": ""
+      }
+    }
+  ]
+}

iam/projects/project-sample/README.md

@@ -0,0 +1,12 @@
+# IAM
+
+Docs: https://www.bytebase.com/docs/security/data-access-control/
+
+API: https://api.bytebase.com/#tag/projectservice/POST/v1/projects/{project}:setIamPolicy
+
+```bash
+export project_id=project-sample
+curl --request POST "${bytebase_url}/v1/projects/${project_id}:setIamPolicy" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @iam.json
+```

iam/projects/project-sample/iam.json

@@ -0,0 +1,65 @@
+{
+  "policy": {
+    "bindings": [
+      {
+        "role": "roles/projectDeveloper",
+        "members": [
+          "user:[email protected]",
+          "user:[email protected]",
+          "user:[email protected]",
+          "user:[email protected]"
+        ],
+        "condition": {
+          "expression": "",
+          "title": "Developer",
+          "description": ""
+        }
+      },
+      {
+        "role": "roles/projectOwner",
+        "members": ["user:[email protected]"],
+        "condition": {
+          "expression": "",
+          "title": "",
+          "description": ""
+        }
+      },
+      {
+        "role": "roles/projectReleaser",
+        "members": ["user:[email protected]"],
+        "condition": {
+          "expression": "",
+          "title": "Releaser",
+          "description": ""
+        }
+      },
+      {
+        "role": "roles/tester",
+        "members": ["user:[email protected]"],
+        "condition": {
+          "expression": "",
+          "title": "Tester",
+          "description": ""
+        }
+      },
+      {
+        "role": "roles/projectQuerier",
+        "members": ["group:[email protected]"],
+        "condition": {
+          "expression": "request.time < timestamp(\"2024-10-15T03:37:41.656Z\") && (resource.database == \"instances/prod-sample-instance/databases/hr_prod\" && resource.schema == \"public\" && resource.table in [\"department\",\"employee\",\"dept_emp\",\"dept_manager\"])",
+          "title": "Project Querier hr_prod.public.department and 3 more 10/12/2024-10/15/2024",
+          "description": "Query reason"
+        }
+      },
+      {
+        "role": "roles/projectExporter",
+        "members": ["group:[email protected]"],
+        "condition": {
+          "expression": "request.time < timestamp(\"2024-10-15T03:37:41.656Z\") && (resource.database == \"instances/prod-sample-instance/databases/hr_prod\" && resource.schema == \"public\" && resource.table in [\"department\",\"employee\",\"dept_emp\",\"dept_manager\"])",
+          "title": "Project Exporter hr_prod.public.department and 3 more 10/12/2024-10/15/2024",
+          "description": "Export reason"
+        }
+      }
+    ]
+  }
+}

masking/README.md

@@ -0,0 +1,65 @@
+# Dynamic Data Masking
+
+Docs: https://www.bytebase.com/docs/security/data-masking/overview/
+
+## Workspace-level policies and settings
+
+### Global masking rule
+
+Docs: https://www.bytebase.com/docs/security/data-masking/global-masking-rule/
+
+API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/policies/{policy}
+
+```bash
+curl --request PATCH "${bytebase_url}/v1/policies/masking_rule?allow_missing=true&update_mask=payload" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @global-masking-rule.json
+```
+
+### Data classification
+
+Docs: https://www.bytebase.com/docs/security/data-masking/data-classification/
+
+API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.data-classification \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @data-classification.json
+```
+
+### Masking algorithm
+
+Docs: https://www.bytebase.com/docs/security/data-masking/masking-algorithm/
+
+API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.masking-algorithm \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @masking-algorithm.json
+```
+
+### Semantic type
+
+Docs: https://www.bytebase.com/docs/security/data-masking/semantic-types/
+
+API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.semantic-types \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @semantic-type.json
+```
+
+## Project-level masking exception
+
+Project-level masking exception to overrule the workspace-level setting.
+
+https://github.com/bytebase/api-example/tree/main/data-security/masking/projects/project-sample
+
+## Schema configuration
+
+Configure metadata such as masking level, classification, semantic type at the table/column level.
+
+https://github.com/bytebase/api-example/tree/main/data-security/masking/databases

masking/data-classification.json

@@ -0,0 +1,82 @@
+{
+  "name": "bb.workspace.data-classification",
+  "value": {
+    "data_classification_setting_value": {
+      "configs": [
+        {
+          "title": "Classification Example",
+          "levels": [
+            {
+              "id": "1",
+              "title": "Level 1",
+              "description": ""
+            },
+            {
+              "id": "2",
+              "title": "Level 2",
+              "description": ""
+            },
+            {
+              "id": "3",
+              "title": "Level 3",
+              "description": ""
+            },
+            {
+              "id": "4",
+              "title": "Level 4",
+              "description": ""
+            }
+          ],
+          "classification": {
+            "1": {
+              "id": "1",
+              "title": "Basic",
+              "description": ""
+            },
+            "1-1": {
+              "id": "1-1",
+              "title": "Basic",
+              "description": "",
+              "levelId": "1"
+            },
+            "1-2": {
+              "id": "1-2",
+              "title": "Assert",
+              "description": "",
+              "levelId": "1"
+            },
+            "1-3": {
+              "id": "1-3",
+              "title": "Contact",
+              "description": "",
+              "levelId": "2"
+            },
+            "1-4": {
+              "id": "1-4",
+              "title": "Health",
+              "description": "",
+              "levelId": "2"
+            },
+            "2": {
+              "id": "2",
+              "title": "Relationship",
+              "description": ""
+            },
+            "2-1": {
+              "id": "2-1",
+              "title": "Social",
+              "description": "",
+              "levelId": "1"
+            },
+            "2-2": {
+              "id": "2-2",
+              "title": "Business",
+              "description": "",
+              "levelId": "1"
+            }
+          }
+        }
+      ]
+    }
+  }
+}

masking/databases/README.md

@@ -0,0 +1,3 @@
+## Database schema metadata
+
+Configure metadata such as masking level, classification, semantic type at the table/column level.

masking/databases/hr_prod/README.md

@@ -0,0 +1,25 @@
+## Column masking explicitly
+
+Docs: https://www.bytebase.com/docs/security/data-masking/column-masking/
+
+API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/instances/{instance}/databases/{database}/policies/{policy}
+
+```bash
+curl --request PATCH "${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/policies/masking?allow_missing=true&update_mask=payload" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @column-masking.json
+```
+
+## Column semantic type and classification
+
+Docs: 
+  - Semantic type: https://www.bytebase.com/docs/security/data-masking/semantic-types/
+  - Classification: https://www.bytebase.com/docs/security/data-masking/data-classification/#manual-classification
+
+API: https://api.bytebase.com/#tag/databaseservice/PATCH/v1/instances/{instance}/databases/{database}/metadata
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/metadata \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @metadata.json
+```