diff --git a/masking/README.md b/masking/README.md index 0bc3310..9777767 100644 --- a/masking/README.md +++ b/masking/README.md @@ -6,6 +6,18 @@ Tutorials: [Data Masking with GitHub Actions](https://www.bytebase.com/docs/tuto ## Workspace-level policies and settings +### Semantic type + +Docs: https://www.bytebase.com/docs/security/data-masking/semantic-types/ + +API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting} + +```bash +curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.semantic-types \ + --header 'Authorization: Bearer '${bytebase_token} \ + --data @semantic-type.json +``` + ### Global masking rule Docs: https://www.bytebase.com/docs/security/data-masking/global-masking-rule/ @@ -30,30 +42,6 @@ curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.data-classificatio --data @data-classification.json ``` -### Masking algorithm - -Docs: https://www.bytebase.com/docs/security/data-masking/masking-algorithm/ - -API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting} - -```bash -curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.masking-algorithm \ - --header 'Authorization: Bearer '${bytebase_token} \ - --data @masking-algorithm.json -``` - -### Semantic type - -Docs: https://www.bytebase.com/docs/security/data-masking/semantic-types/ - -API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting} - -```bash -curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.semantic-types \ - --header 'Authorization: Bearer '${bytebase_token} \ - --data @semantic-type.json -``` - ## Project-level masking exception Project-level masking exception to overrule the workspace-level setting. diff --git a/masking/databases/README.md b/masking/databases/README.md index 1d362a1..da9a180 100644 --- a/masking/databases/README.md +++ b/masking/databases/README.md 
@@ -1,25 +1,14 @@ -## Column masking explicitly +## Database catalog for semantic type and classification -Docs: https://www.bytebase.com/docs/security/data-masking/column-masking/ - -API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/instances/{instance}/databases/{database}/policies/{policy} - -```bash -curl --request PATCH "${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/policies/masking?allow_missing=true&update_mask=payload" \ - --header 'Authorization: Bearer '${bytebase_token} \ - --data @column-masking.json -``` - -## Column semantic type and classification - -Docs: +Docs: - Semantic type: https://www.bytebase.com/docs/security/data-masking/semantic-types/ - Classification: https://www.bytebase.com/docs/security/data-masking/data-classification/#manual-classification -API: https://api.bytebase.com/#tag/databaseservice/PATCH/v1/instances/{instance}/databases/{database}/metadata +API: https://api.bytebase.com/#tag/databasecatalogservice/PATCH/v1/instances/%7Binstance%7D/databases/{database}/catalog ```bash -curl --request PATCH ${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/metadata \ +cd prod-sample-instance/hr_prod +curl --request PATCH ${bytebase_url}/v1/instances/prod-sample-instance/databases/hr_prod/catalog \ --header 'Authorization: Bearer '${bytebase_token} \ - --data @metadata.json + --data @database-catalog.json ``` diff --git a/masking/databases/prod-sample-instance/hr_prod/column-masking.json b/masking/databases/prod-sample-instance/hr_prod/column-masking.json deleted file mode 100644 index f381fd6..0000000 --- a/masking/databases/prod-sample-instance/hr_prod/column-masking.json +++ /dev/null 
@@ -1,18 +0,0 @@
-{
- "inheritFromParent": false,
- "type": "MASKING",
- "maskingPolicy": {
- "maskData": [
- {
- "schema": "public",
- "table": "salary",
- "column": "amount",
- "maskingLevel": "FULL",
- "fullMaskingAlgorithmId": "",
- "partialMaskingAlgorithmId": ""
- }
- ]
- },
- "enforce": true,
- "resourceType": "DATABASE"
-}
diff --git a/masking/databases/prod-sample-instance/hr_prod/database-catalog.json b/masking/databases/prod-sample-instance/hr_prod/database-catalog.json
new file mode 100644
index 0000000..8189fad
--- /dev/null
+++ b/masking/databases/prod-sample-instance/hr_prod/database-catalog.json
@@ -0,0 +1,24 @@
+{
+ "name": "instances/prod-sample-instance/databases/hr_test/catalog",
+ "schemas": [
+ {
+ "name": "",
+ "tables": [
+ {
+ "name": "salary",
+ "columns": {
+ "columns": [
+ {
+ "name": "amount",
+ "semanticType": "bb.default",
+ "labels": {},
+ "classification": ""
+ }
+ ]
+ },
+ "classification": "2-2"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/masking/databases/prod-sample-instance/hr_prod/metadata.json b/masking/databases/prod-sample-instance/hr_prod/metadata.json
deleted file mode 100644
index 18c3b47..0000000
--- a/masking/databases/prod-sample-instance/hr_prod/metadata.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "schemaConfigs": [
- {
- "name": "public",
- "tableConfigs": [
- {
- "name": "salary",
- "columnConfigs": [
- {
- "name": "amount",
- "semanticTypeId": "e8d3fd41-eba0-4afd-ae0f-32c91a4ee710",
- "labels": {},
- "classificationId": ""
- }
- ],
- "classificationId": "2-2",
- "updater": "",
- "sourceBranch": "",
- "updateTime": null
- }
- ],
- "functionConfigs": [],
- "procedureConfigs": [],
- "viewConfigs": []
- }
- ]
-}
diff --git a/masking/databases/test-sample-instance/hr_test/column-masking.json b/masking/databases/test-sample-instance/hr_test/column-masking.json
deleted file mode 100644
index f381fd6..0000000
--- a/masking/databases/test-sample-instance/hr_test/column-masking.json
+++ /dev/null
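Review bot: The `name` in the new `prod-sample-instance/hr_prod/database-catalog.json` points at `hr_test`, although the file lives under `hr_prod` and the README PATCHes `.../databases/hr_prod/catalog`; this looks like a copy-paste from the test catalog and should read `"name": "instances/prod-sample-instance/databases/hr_prod/catalog"`. Depending on whether the server trusts the URL or the body, the `2-2` classification and the `bb.default` semantic type for `salary.amount` may be rejected or attached to the wrong resource, leaving the production column unlabelled. The schema entry is also `"name": ""` here and in `test-sample-instance/hr_test/database-catalog.json`, while the deleted `metadata.json` used `public` and `masking-exception.json` still matches on `resource.schema_name == "public"`; it is worth confirming the empty name is intended.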
@@ -1,18 +0,0 @@
-{
- "inheritFromParent": false,
- "type": "MASKING",
- "maskingPolicy": {
- "maskData": [
- {
- "schema": "public",
- "table": "salary",
- "column": "amount",
- "maskingLevel": "FULL",
- "fullMaskingAlgorithmId": "",
- "partialMaskingAlgorithmId": ""
- }
- ]
- },
- "enforce": true,
- "resourceType": "DATABASE"
-}
diff --git a/masking/databases/test-sample-instance/hr_test/database-catalog.json b/masking/databases/test-sample-instance/hr_test/database-catalog.json
new file mode 100644
index 0000000..448876c
--- /dev/null
+++ b/masking/databases/test-sample-instance/hr_test/database-catalog.json
@@ -0,0 +1,24 @@
+{
+ "name": "instances/test-sample-instance/databases/hr_test/catalog",
+ "schemas": [
+ {
+ "name": "",
+ "tables": [
+ {
+ "name": "salary",
+ "columns": {
+ "columns": [
+ {
+ "name": "amount",
+ "semanticType": "bb.default",
+ "labels": {},
+ "classification": ""
+ }
+ ]
+ },
+ "classification": ""
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/masking/global-masking-rule.json b/masking/global-masking-rule.json
index 687f02e..4ff3dec 100644
--- a/masking/global-masking-rule.json
+++ b/masking/global-masking-rule.json
@@ -4,24 +4,6 @@
 "type": "MASKING_RULE",
 "maskingRulePolicy": {
 "rules": [
- {
- "id": "9dda9145-895e-451a-99d8-16254c4eb287",
- "condition": {
- "expression": "environment_id == \"test\"",
- "title": "",
- "description": ""
- },
- "maskingLevel": "NONE"
- },
- {
- "id": "d188a226-5ed6-45cc-82e3-baa890a87962",
- "condition": {
- "expression": "classification_level in [\"1\"]",
- "title": "",
- "description": ""
- },
- "maskingLevel": "NONE"
- },
 {
 "id": "76356d81-6231-4128-9be7-2c549fc505f5",
 "condition": {
@@ -29,7 +11,7 @@
 "title": "",
 "description": ""
 },
- "maskingLevel": "PARTIAL"
+ "semanticType": "bb.default-partial"
 },
 {
 "id": "1ddc47c9-6ab6-4760-accd-947bc1a5f155",
@@ -38,7 +20,7 @@
 "title": "",
 "description": ""
 },
- "maskingLevel": "FULL"
+ "semanticType": "bb.default"
 }
 ]
 },
diff --git a/masking/masking-algorithm.json b/masking/masking-algorithm.json
deleted file mode 100644
index d5d017a..0000000
--- a/masking/masking-algorithm.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "name": "bb.workspace.masking-algorithm",
- "value": {
- "maskingAlgorithmSettingValue": {
- "algorithms": [
- {
- "id": "9347822e-5a4a-4797-85ed-a59bb3115622",
- "title": "md5-mask",
- "description": "iii am md5-mask",
- "category": "HASH",
- "md5Mask": {
- "salt": "salt"
- }
- },
- {
- "id": "bbd2893d-55b2-429c-bf7c-6f073e2bcdeb",
- "title": "RangeMask",
- "description": "this is range mask",
- "category": "MASK",
- "rangeMask": {
- "slices": [
- {
- "start": 0,
- "end": 4,
- "substitution": "*"
- }
- ]
- }
- }
- ]
- }
- }
-}
diff --git a/masking/projects/project-sample/masking-exception.json b/masking/projects/project-sample/masking-exception.json
index 4f1742a..1011e1b 100644
--- a/masking/projects/project-sample/masking-exception.json
+++ b/masking/projects/project-sample/masking-exception.json
@@ -5,7 +5,6 @@
 "maskingExceptions": [
 {
 "action": "EXPORT",
- "maskingLevel": "NONE",
 "member": "user:dev@x.com",
 "condition": {
 "expression": "resource.instance_id == \"prod-sample-instance\" && resource.database_name == \"hr_prod\" && resource.schema_name == \"public\" && resource.table_name == \"salary\" && resource.column_name == \"amount\"",
@@ -15,7 +14,6 @@
 },
 {
 "action": "QUERY",
- "maskingLevel": "PARTIAL",
 "member": "user:dev2@x.com",
 "condition": {
 "expression": "resource.instance_id == \"prod-sample-instance\" && resource.database_name == \"hr_prod\" && resource.schema_name == \"public\" && resource.table_name == \"salary\" && resource.column_name == \"amount\"",
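Review bot: The QUERY exception for `user:dev2@x.com` in `masking-exception.json` no longer carries a masking level, and the same line is dropped from the `group:contractor@x.com` entry in the next hunk; both were `PARTIAL` before this commit. If an exception without a level means the column is returned unmasked (the policy schema is not visible here, so this is an assumption to confirm), both principals move from partially masked to clear-text `salary.amount` on `hr_prod`. Should partial visibility still be the intent, the two QUERY entries are better removed than kept, since the visible fields no longer express it; only the `EXPORT` entry for `user:dev@x.com` was `NONE` already. Each entry starts and ends outside its hunk, so any expiry or other narrowing in the rest of the `condition` was not reviewed.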
@@ -25,7 +23,6 @@
 },
 {
 "action": "QUERY",
- "maskingLevel": "PARTIAL",
 "member": "group:contractor@x.com",
 "condition": {
 "expression": "resource.instance_id == \"prod-sample-instance\" && resource.database_name == \"hr_prod\" && resource.schema_name == \"public\" && resource.table_name == \"salary\" && resource.column_name == \"amount\"",
diff --git a/masking/semantic-type.json b/masking/semantic-type.json
index e85b52b..f03e55c 100644
--- a/masking/semantic-type.json
+++ b/masking/semantic-type.json
@@ -3,12 +3,41 @@
 "value": {
 "semanticTypeSettingValue": {
 "types": [
+ {
+ "id": "bb.default",
+ "title": "Default",
+ "description": "Default semantic type for full masking"
+ },
+ {
+ "id": "bb.default-partial",
+ "title": "Default Partial",
+ "description": "Default semantic for partial masking"
+ },
 {
 "id": "e8d3fd41-eba0-4afd-ae0f-32c91a4ee710",
- "title": "semantic-type-001",
- "description": "",
- "partialMaskAlgorithmId": "9347822e-5a4a-4797-85ed-a59bb3115622",
- "fullMaskAlgorithmId": ""
+ "title": "Personal sensitive data",
+ "description": "Custom semantic type with full masking for personal sensitive data",
+ "algorithm": {
+ "fullMask": {
+ "substitution": "***"
+ }
+ }
+ },
+ {
+ "id": "38b31ac4-b90d-44ac-b42a-19d9c76c83ea",
+ "title": "Location",
+ "description": "Custom semantic type with range masking for location",
+ "algorithm": {
+ "rangeMask": {
+ "slices": [
+ {
+ "start": 0,
+ "end": 4,
+ "substitution": "*"
+ }
+ ]
+ }
+ }
 }
 ]
 }
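Review bot: In `semantic-type.json`, `bb.default` and `bb.default-partial` are declared without an `algorithm`, unlike the two custom types in the same list, so nothing in this file pins what "full" and "partial" masking produce for them. Presumably the server supplies a built-in behaviour for these ids; that should be confirmed, because `global-masking-rule.json` and both database catalogs in this commit now rely on them. The second description is also missing a word and should read `"description": "Default semantic type for partial masking"`. For `Location`, the single slice `start: 0, end: 4` masks only the leading characters, so the rest of the value stays readable; the description could say that explicitly.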