This tutorial walks you through how data access control and data masking work in Bytebase. You’ll need two Bytebase accounts – one DBA and one Developer. The DBA configures the settings, and the Developer should only see information allowed by that configuration.
Both data access control and data masking are Enterprise Plan only features. However, you can start a 14-day trial of the Enterprise Plan with one click without providing additional information (no credit card required).
Preparation phase
This phase guides you through configuring Bytebase and preparing test data. You can adjust it to your needs if you’re familiar with the system. If you have already set up the Bytebase environment, you can skip this part and start from the Test phase.
During this phase, you’ll run one Bytebase and two MySQL instances, add the corresponding database instance to Bytebase’s Test and Prod environments, create tables, and populate them with data.
Make sure you have Docker installed. If you don’t have important existing Bytebase data locally, you can start over from scratch by running: rm -rf ~/.bytebase/data
Step 1 - Start Bytebase with Docker
- Make sure your docker daemon is running, and then start the Bytebase docker container by typing the following command in the terminal.
docker run --init \
--name bytebase \
--platform linux/amd64 \
--restart always \
--publish 5678:8080 \
--health-cmd "curl --fail http://localhost:8080/healthz || exit 1" \
--health-interval 5m \
--health-timeout 60s \
--volume ~/.bytebase/data:/var/opt/bytebase \
bytebase/bytebase:$$bb_version$$ \
--data /var/opt/bytebase \
--port 8080
- Type the following commands one by one in the terminal to start two MySQL instances. They will be mapped to the Test and Prod environments later.
docker run --name mysqldtest \
--publish 3307:3306 \
-e MYSQL_ROOT_HOST=172.17.0.1 \
-e MYSQL_ROOT_PASSWORD=testpwd1 \
mysql/mysql-server:8.0
docker run --name mysqldprod \
--publish 3308:3306 \
-e MYSQL_ROOT_HOST=172.17.0.1 \
-e MYSQL_ROOT_PASSWORD=testpwd1 \
mysql/mysql-server:8.0
- Register an admin account DBA - we’ll refer to it as DBA. This account will be granted the Workspace Owner role. See Roles and Permissions (RBAC).
- Open another browser, and register a developer account DEV - we’ll refer to it as Developer. This account will be granted the Workspace Developer role.
Step 2 - Configuration
- Follow the onboard guidance or click Add instance on home page.
- Create an instance for the Test environment with the following configuration. Fill in username/password as root / testpwd1.
- Follow the onboard guidance or click New Project on the Projects page. Create a project TestAccess and click Next.
- Follow the onboard guidance or click New DB on the project TestAccess page.
- Create a database demo, and click Next.
- You'll be redirected to the issue page, and an issue is created. Since it’s for the Test environment, it will execute without approval from you. Click Resolve issue, and the issue will be done.
- Repeat 1 and 2 to add another instance MySQL Prod for the Prod environment. The adjustments are that the environment should be Prod instead of Test, and the port number should be 3308 instead of 3307.
- Repeat 4 and 5 to create another database demo, but for the Prod environment. Since it’s for the Prod environment, the Assignee should click Approve to allow it to execute. After its execution, click Resolve issue, and the issue will be done.
Step 3 - Table and Data
- Go to the project TestAccess, and click Alter Schema.
- Choose both Test and Prod, and click Next.
- Use Schema Editor to create the t1 table for both Test and Prod environments. Click Preview issue.
- An issue with the pipeline is created with information filled. Click Create.
- The issue will execute against the Test environment without approval and then become Waiting Approval on the Prod environment. Click Approve and it will continue executing against the Prod environment.
- Click Resolve issue and the issue will be done.
- Go back to the project TestAccess page, and click Change Data.
- Choose databases for both environments, and click Next.
- Fill in the SQL as follows:
INSERT INTO t1
VALUES
(1,'Adela','12345678'),
(2,'Bela','11111111');
Then click Apply to other tasks. Click Create and the issue will be created.
- Repeat 5 and 6, and the issue is done.
Upgrade phase
With the preparation from the previous phase, you’re almost ready for testing. However, since access control and data masking are only available in the Enterprise Plan, you need to request a free 14-day Enterprise Plan trial.
Step 1 - Upgrade to a 14-day Enterprise Plan trial
- Log in as DBA, and click Environments on the top navigation bar. Check Mark as protected environment under the Test environment. Click Update, and click Upgrade trial.
- Now you’re on the Enterprise Plan. Uncheck Mark as protected environment and click Update.
Step 2 - Add developer as project member
Go to project TestAccess > Settings > Manage members to add Developer as Project Developer. Only after this can Developer see the project.
Test phase
Test Data Access Control
- Log in as DBA, and click Environments on the top navigation bar. Click Prod, and make sure the Mark as protected environment is unchecked. It means the prod environment is not protected.
- Log in as Developer, and click SQL Editor on the left bar.
- Within SQL Editor, you can view both databases under the Prod and Test environments.
- Log in as DBA, and click Environments on the top navigation bar. Click Prod, and check Mark as protected environment and click Update. You can see there is a shield beside Prod, which means the environment is protected.
- Log in as Developer and go into SQL Editor again. Now you can only see the database under the Test environment, because the Prod environment is protected.
- Log in as DBA, and click Settings on the top navigation bar. Click Workspace > Access Control. Click Add rule.
- Choose demo under the Prod environment and click Add. Only databases under protected environments are listed here.
- Log in as Developer, and go to SQL Editor. You can see the database demo under the protected Prod environment because of the access rule DBA just granted.
- Log in as DBA, click Environments, uncheck Mark as protected environment under Prod, and click Update. Click Settings > Workspace > Access Control, and click the trash icon to delete the rule.
Test Data Masking
- Log in as Developer, and go to SQL Editor. Currently, you can view all the information. We want to mask the mobile column.
- Log in as DBA, and click Databases on the top navigation bar. Click demo under the Prod environment, and click t1. Under the Columns section, you can see the Sensitive checkbox for each row.
- Check the checkbox for the mobile row.
- Click Settings > Workspace > Sensitive Data, and you should see the sensitive rule list.
- Log in as Developer, and go to SQL Editor. The mobile column is masked.
Summary
You have now tried out the basics of data access control and data masking in Bytebase. If you want to learn the overall picture of data access control, please check out How to Manage Data Access Control.