Learn how to use the Bytebase API to inspect user and database permissions.
Bytebase is a database DevSecOps platform designed for developers, security, DBA, and platform engineering teams. While it offers an intuitive GUI for managing database schema changes and access control, some teams may want to integrate Bytebase into their existing DevOps platforms using the Bytebase API.
In our previous tutorial, we demonstrated how to create a schema change using the Bytebase API. This tutorial will focus on inspect user and database permissions in Bytebase, it’s OK if you haven’t gone through the previous tutorial.
By following this guide, you’ll learn how to:
https://github.com/bytebase/example-api/tree/main/permission-check
Make sure your Docker daemon is running. Copy and paste the commands to start Bytebase.
Bytebase is now running via Docker, and you can access it via localhost:8080
. Register the first admin account which will be granted Workspace Admin
.
Log in as Workspace Admin
, and go to IAM & Admin > Users & Groups. Click + Add User, fill in with api-sample
, choose the Workspace DBA
role sufficient for this tutorial and click Confirm.
Find the newly created service account and Copy Service Key. We will use this token to authenticate the API calls.
Go to Bytebase API Example repo and clone it.
Copy env-template.local
to .env.local
.Update the variables.
NEXT_PUBLIC_BB_URL
: http://localhost:8080
NEXT_PUBLIC_BB_SERVICE_ACCOUNT
: api-example
NEXT_PUBLIC_BB_SERVICE_KEY
: service key copied in previous stepGo to subfolder permission-check
, and run the following commands to start the demo application.
Open the demo in your browser, you’ll see the following page.
To enhance the demo’s realism, go to Bytebase and add more users and set up user permissions:
The left side form demonstrates a scenario where you have a database and want to inspect who has access to it. This is useful for continuously tracking access to sensitive databases and ensuring only authorized users have permissions.
Let’s dig into the code:
In page.tsx
, we fetch all roles by calling the /v1/roles API before any user selection.
In db-fetch-user-permission.tsx
, after the user selects a project, database, and permission, we filter the roles with the given permission:
Bytebase has two levels of Identity Access Management (IAM): Workspace and Project. We fetch both:
The IAM object structure varies slightly between levels. Here’s an example of a workspace-level IAM:
We compare the roles with the given IAM to find matches:
Some project-level IAM objects include a condition
field for fine-grained access control. For example:
This grants the SQL Editor User
role only for the hr_test
database in test-sample-instance
.
When processing IAM policies, handle CEL (Common Expression Language) format conditions carefully. In this demo, we parse these conditions using a custom parseCelExpression
function:
This function parseCelExpression
, adapted from Bytebase’s CEL plugin and cel.ts, parses the condition expression string. It is primarily based on the convertFromCELString
function in cel.ts, though you could use convertFromExpr
to create your own. The function returns an array of database resources with their associated expiration times. This function and related CEL parsing logic are implemented in a custom plugins/cel
folder within the demo project.
We then check if the conditions are met for the specific database:
The members
array may include both users and groups. To handle groups, use the v1/groups API:
By following these steps, you can effectively determine which users have access to a specific database, taking into account both direct user assignments and group memberships, as well as any conditional access rules.
The right side form demonstrates a scenario where you have a user and want to inspect which databases they have access to. This is useful for ongoing tracking of user permissions, especially when roles change or users leave the company.
Fetch all roles using the /v1/roles API in page.tsx
.
In user-fetch-db-permission.tsx
, filter roles based on the selected permission:
Fetch and compare workspace-level and project-level IAM policies:
Handle CEL conditions:
Group should be taken into consideration too.
By following these steps, you can effectively identify all databases a specific user has access to, taking into account various permission levels and conditions.
Congratulations! You’ve successfully created a user and database permission inspection tool using the Bytebase API. This allows you to:
By leveraging these API calls within existing DevOps platforms, organizations can improve their database access governance and security posture.
Learn how to use the Bytebase API to inspect user and database permissions.
Bytebase is a database DevSecOps platform designed for developers, security, DBA, and platform engineering teams. While it offers an intuitive GUI for managing database schema changes and access control, some teams may want to integrate Bytebase into their existing DevOps platforms using the Bytebase API.
In our previous tutorial, we demonstrated how to create a schema change using the Bytebase API. This tutorial will focus on inspect user and database permissions in Bytebase, it’s OK if you haven’t gone through the previous tutorial.
By following this guide, you’ll learn how to:
https://github.com/bytebase/example-api/tree/main/permission-check
Make sure your Docker daemon is running. Copy and paste the commands to start Bytebase.
Bytebase is now running via Docker, and you can access it via localhost:8080
. Register the first admin account which will be granted Workspace Admin
.
Log in as Workspace Admin
, and go to IAM & Admin > Users & Groups. Click + Add User, fill in with api-sample
, choose the Workspace DBA
role sufficient for this tutorial and click Confirm.
Find the newly created service account and Copy Service Key. We will use this token to authenticate the API calls.
Go to Bytebase API Example repo and clone it.
Copy env-template.local
to .env.local
.Update the variables.
NEXT_PUBLIC_BB_URL
: http://localhost:8080
NEXT_PUBLIC_BB_SERVICE_ACCOUNT
: api-example
NEXT_PUBLIC_BB_SERVICE_KEY
: service key copied in previous stepGo to subfolder permission-check
, and run the following commands to start the demo application.
Open the demo in your browser, you’ll see the following page.
To enhance the demo’s realism, go to Bytebase and add more users and set up user permissions:
The left side form demonstrates a scenario where you have a database and want to inspect who has access to it. This is useful for continuously tracking access to sensitive databases and ensuring only authorized users have permissions.
Let’s dig into the code:
In page.tsx
, we fetch all roles by calling the /v1/roles API before any user selection.
In db-fetch-user-permission.tsx
, after the user selects a project, database, and permission, we filter the roles with the given permission:
Bytebase has two levels of Identity Access Management (IAM): Workspace and Project. We fetch both:
The IAM object structure varies slightly between levels. Here’s an example of a workspace-level IAM:
We compare the roles with the given IAM to find matches:
Some project-level IAM objects include a condition
field for fine-grained access control. For example:
This grants the SQL Editor User
role only for the hr_test
database in test-sample-instance
.
When processing IAM policies, handle CEL (Common Expression Language) format conditions carefully. In this demo, we parse these conditions using a custom parseCelExpression
function:
This function parseCelExpression
, adapted from Bytebase’s CEL plugin and cel.ts, parses the condition expression string. It is primarily based on the convertFromCELString
function in cel.ts, though you could use convertFromExpr
to create your own. The function returns an array of database resources with their associated expiration times. This function and related CEL parsing logic are implemented in a custom plugins/cel
folder within the demo project.
We then check if the conditions are met for the specific database:
The members
array may include both users and groups. To handle groups, use the v1/groups API:
By following these steps, you can effectively determine which users have access to a specific database, taking into account both direct user assignments and group memberships, as well as any conditional access rules.
The right side form demonstrates a scenario where you have a user and want to inspect which databases they have access to. This is useful for ongoing tracking of user permissions, especially when roles change or users leave the company.
Fetch all roles using the /v1/roles API in page.tsx
.
In user-fetch-db-permission.tsx
, filter roles based on the selected permission:
Fetch and compare workspace-level and project-level IAM policies:
Handle CEL conditions:
Group should be taken into consideration too.
By following these steps, you can effectively identify all databases a specific user has access to, taking into account various permission levels and conditions.
Congratulations! You’ve successfully created a user and database permission inspection tool using the Bytebase API. This allows you to:
By leveraging these API calls within existing DevOps platforms, organizations can improve their database access governance and security posture.