docs: add jit part2 (#483)

* docs: add jit-part2

* update

Author: adela-bytebase

content/docs/tutorials/just-in-time-part1.md

@@ -13,6 +13,14 @@ In a production environment, an incident arises that requires a developer to acc
 
 This tutorial will guide you through setting up Just-in-Time (JIT) access using the Bytebase GUI. In the next tutorial, we will explore automating JIT access through Slack by leveraging Bytebase webhooks and API.
 
+---
+
+This is Part 1 of our tutorial series on implementing Just-in-Time (JIT) access:
+
+- Part 1: JIT database access via Bytebase GUI
+- Part 2: [Approve JIT database access via Slack](/docs/tutorials/just-in-time-part2)
+- Part 3: Request JIT database access via Slack
+
 ## Prerequisites
 
 Before you begin, make sure you have:

content/docs/tutorials/just-in-time-part2.md

@@ -0,0 +1,119 @@
+---
+title: 'Just-in-Time Database Access - Part 2'
+author: Ningjing
+tags: Tutorial
+updated_at: 2024/12/11 18:15
+integrations: General
+level: Advanced
+estimated_time: '30 mins'
+description: 'In this tutorial, we will demonstrate how to automate JIT access via Slack, utilizing Bytebase webhooks and API'
+---
+
+In the [previous tutorial](/docs/tutorials/just-in-time-part1), we demonstrated how to set up JIT access using the Bytebase GUI. In this tutorial, we will cover how to automate JIT access via Slack, utilizing Bytebase webhooks and API.
+
+When developers need urgent production database access during incidents but lack permissions, they can request Just-in-Time (JIT) access. By triggering the Bytebase webhook, the DBA will receive a notification in Slack immediately and can approve there.
+
+---
+
+This is Part 2 of our tutorial series on implementing Just-in-Time (JIT) access:
+
+- Part 1: [Grant JIT database access via Bytebase GUI](/docs/tutorials/just-in-time-part1)
+- Part 2: Approve JIT database access via Slack (this one)
+- Part 3: Request JIT database access via Slack
+
+## Overview
+
+In this tutorial, you'll learn how to approve JIT access via Slack with the help of Bytebase webhooks and APIs.
+
+<HintBlock type="info">
+
+The complete code for this tutorial is available at: [slack-example](https://github.com/bytebase/slack-example)
+
+</HintBlock>
+
+This tutorial skips the Bytebase setup part, if you haven't set up the Bytebase and registered admin and developer users, please follow instructions in the [previous tutorial](/docs/tutorials/just-in-time-part1).
+
+## Prerequisites
+
+Before you begin, make sure you have:
+
+- Docker installed
+- Slack workspace
+- VS Code for port forwarding
+
+## Step 1 - Finished the previous tutorial
+
+Make sure you finished the [previous tutorial](/docs/tutorials/just-in-time-part1) and have the Bytebase instance running. Particularly, pay attention to **Step 4**, which is to request JIT access via Bytebase GUI.
+
+The `Request role` feature is supported by  **Enterprise Plan** which will be needed for this tutorial, other plans only allow the `Assign role` feature which is not enough. You may request a trial from [here](https://www.bytebase.com/contact-us/).
+
+## Step 2 - Register a service account in Bytebase
+
+<IncludeBlock url="/docs/share/tutorials/create-service-account"></IncludeBlock>
+
+3. Go to `Sample Project`, click **Manage > Members**, and assign the service account as `Project Owner` which can fit the custom approval set in the previous tutorial.
+
+## Step 3 - Download `slack-example` code and run it
+
+1. Download the [slack-example code](https://github.com/bytebase/slack-example).
+1. Go to the `approve-issue` folder and copy the `env-template.local` file to `.env.local`.
+1. Paste the registered service account information into the `.env.local` file.
+1. By using VS Code's [Port forwarding](https://code.visualstudio.com/docs/editor/port-forwarding), you can forward the local server's ports:
+   - `3000` for the `slack-example` app
+   - `8080` for the Bytebase instance
+   ![vscode-ports](/content/docs/tutorials/just-in-time-part2/vscode-ports.webp)
+1. Copy the 8080 port forwarded address to the `.env.local` file as `BB_HOST`.
+1. Also, go to Bytebase, click **Settings > General** to set the address as **External URL**.
+
+## Step 4 - Create Bytebase Webhook
+
+1. Go to Bytebase and select the `Sample Project`.
+1. Click **Integration > Webhooks** and click **Add Webhook**.
+1. Set the **Name** as `Slack` webhook, **URL** as `YOUR_3000_FORWARDED_URL/api/bytebase/webhook`.
+1. Select `Issue approval needed` as **Triggering activities**.
+1. Click **Test webhook** and if it's successful, then click **Create**.
+   ![bb-webhook](/content/docs/tutorials/just-in-time-part2/bb-webhook.webp)
+
+## Step 5 - Create and invite a Slack bot
+
+1. Go to [Slack apps](https://api.slack.com/apps) and click **Create New App**.
+1. Choose **From scratch**, enter the **App name**, and select your **Workspace**.
+1. Go to **OAuth & Permissions** and add the following permissions under **Scopes**:
+   - `chat:write`
+   - `chat:write.public`
+1. Scroll up to **OAuth Tokens**, click **Install to YOUR_WORKSPACE**, and authorize the app.
+1. Copy the **Bot User OAuth Token** and paste it into the `.env.local` file as **SLACK_BOT_TOKEN**.
+1. Choose a channel and invite the bot to the channel by typing `/invite @YOUR_BOT_NAME`.
+1. Get the **Channel ID** via copying the channel link and extracting the ID from the URL. Copy and paste it into the `.env.local` file as **SLACK_CHANNEL_ID**.
+1. Go to **Interactivity & Shortcuts** in app settings, turn on **Interactivity** and add the **Request URL**: `YOUR_3000_FORWARDED_URL/api/slack/interact`. Click **Save Changes**.
+
+## Step 6 - Verify the workflow
+
+Now, everything is ready, let's verify the workflow:
+
+1. Go to Bytebase, log in as the developer and go into the `Sample Project`.
+1. By default, the developer has no permission to access the database. Click **Manage > Members** and you'll see the devloper only has **Project Developer** role. If you go to **SQL Editor**, you'll see the `hr_prod` database is not accessible.
+1. Click **Database > databases**, select the `hr_prod` database, and click **Request Querier role**.
+   ![bb-db-request](/content/docs/tutorials/just-in-time-part2/bb-db-request.webp)
+1. Choose the database or table you want to access, and click **OK**.
+   ![bb-request-select](/content/docs/tutorials/just-in-time-part2/bb-request-select.webp)
+1. A request issue is created, the configured custom approval flow will be matched.
+   ![bb-issue-waiting](/content/docs/tutorials/just-in-time-part2/bb-issue-waiting.webp)
+1. Go to Slack, the bot already sent a message to the channel, which is triggered by the webhook.
+   ![slack-to-approve](/content/docs/tutorials/just-in-time-part2/slack-to-approve.webp)
+1. Click **Approve** and the Slack Bot will trigger the interact API, which calls Bytebase API to approve the issue.
+   ![slack-request-approved](/content/docs/tutorials/just-in-time-part2/slack-request-approved.webp)
+1. Go back to Bytebase, the issue is approved. The developer can access the database now.
+   ![bb-issue-approved](/content/docs/tutorials/just-in-time-part2/bb-issue-approved.webp)
+
+## Code structure
+
+If digging into the code is your interest, here is a brief explanation of the code structure:
+
+- `src/app/api/bytebase/webhook/route.ts`: handle the webhook from Bytebase.
+- `src/app/api/slack/interact/route.ts`: handle the interaction from Slack.
+- `src/lib/slack.ts`: send the message to Slack via using the its [web API](https://tools.slack.dev/node-slack-sdk/web-api/).
+
+## Conclusion
+
+In this tutorial, you learned how to set up JIT access via Slack with the help of Bytebase webhooks and APIs. In the next part, we will cover how to request JIT access via Slack.