Database Change with Risk-Based Approval Flow

Bytebase provides a basic yet configurable rollout mechanism by default. This means that manual rollout is skipped for Test environments and required for Prod environments.

However, for more complicated enterprise-level cases, users may need different approval flows to handle database changes according to different potential risks. For example, DDL in Prod environments is considered high risk, while DML in Test environments is low risk. Additionally, users may need to involve roles other than DBA/Developer/Project Leader, such as Testers.

This tutorial will walk you through how to create custom approval flows based on self-defined risk rules and how to add new roles to be involved.

Feature included#

• Custom approval
• Risk center
• Custom roles

Prerequisites#

• Docker must be installed on your system.
• This features require an Enterprise Plan.

Step 1 - Start Bytebase and Prepare the Users#

1. Make sure your Docker is running, and start the Bytebase Docker container with the following command:

   docker run --rm --init \
     --name bytebase \
     --publish 8080:8080 --pull always \
     --volume ~/.bytebase/data:/var/opt/bytebase \
     bytebase/bytebase:3.6.0

2. Open localhost:8080 in a browser, register as an admin and you will be granted as Workspace Admin role and automatically logged in.

3. Click IAM > Admin on the left bar. Add one dba@example.com as Worksace DBA, and one dev@example.com as Project Developer (which will apply to all projects).

   

Step 2 - Upgrade to Enterprise Plan#

1. Click Settings > Subscription on the left bar. Fill your Enterprise Plan license key and click Upload License. Now you have several instance licenses but not assigned to any instance.

   

2. Click Instances on the left bar. Now the existing sample instances are not assigned any license.

   

3. Click Assign license on the top bar. Select the instance you want to assign the license to and click Confirm. Now the instances are assigned with licenses.

   

Step 3 - Run Schema Change without Custom Approval Flow#

1. Log out and login as Developer. Go into the Sample Project , click Database > Databases on the left bar. Select both existing sample databases hr_prod and hr_test, and click Edit Schema.

   

2. It will redirect to the issue preview, paste the following SQL and click Create.

   CREATE TABLE t1 (
      id INT NOT NULL,
      name VARCHAR(255) NOT NULL,
      PRIMARY KEY (id)
   );

3. The issue is created and waiting for rollout. There's no approval flow for this issue, since we haven't configured any custom approval flow yet.

   

Step 4 - Configure a Custom Approval and Run a Schema Change#

To learn the best practice, check out Risk Center Best Practice.

1. Login as Admin. Click CI/CD > Custom Approval on the left bar. Choose Project Owner → DBA for DDL > High Risk and DBA for DDL > Moderate Risk.

   

2. Either click the related risk rules or CI/CD > Risks on the left bar. Add two new rules

   • Name: DDL ALTER; Risk Level: High; Type: DDL; Condition: sql_type == 'ALTER_TABLE'
   • Name: DDL CREATE; Risk Level: Moderate; Type: DDL; Condition: sql_type == 'CREATE_TABLE'

   

3. Logout and login as Developer. Go into the project, select both databases and click Edit Schema. Paste the same SQL as before and click Create.

   CREATE TABLE t1 (
      id INT NOT NULL,
      name VARCHAR(255) NOT NULL,
      PRIMARY KEY (id)
   );

4. This time, the issue is detected as Moderate risk, so it will be reviewed by DBA workflow.

   

5. Try another DDL with ALTER type.

   ALTER TABLE employee ADD COLUMN age INT NOT NULL;

6. This time, the issue is detected as High risk, so it will be reviewed by Project Owner -> DBA workflow.

   

Step 5 - Build Your Own Approval Flow#

What if there is other roles in the team, for example, a Tester . Bytebase has another feature called Custom Roles.

1. Login as Admin. Click IAM&Admin > Custom Roles on the left bar. You may also add a new role, e.g. Tester, here to make it simple, we can import permissions from Project Releaser role.

   

2. Click CI/CD > Custom Approval, and click Approval Flows tab. Click Create and fill in the form like this.

   

3. Create a new user with the role Tester.

4. Go to CI/CD > Custom Approval, and select Tester->DBA as the Moderate Risk approval flow.

5. Logout and login as Developer. Go into the project, select both databases and click Edit Schema. Paste the same SQL as before and click Create.

   CREATE TABLE t1 (
      id INT NOT NULL,
      name VARCHAR(255) NOT NULL,
      PRIMARY KEY (id)
   );

6. This time, the issue is detected as Moderate risk, so it will be reviewed by Tester -> DBA workflow.

   

Summary#

Now you have tried database change with risk-adjusted custom approval flow, and also create your own custom roles as well. Bytebase provides more enterprise-level features regarding data security and data access control. If you're interested in that, follow Just-in-Time Database Access.