Audit Database Activities with Bytebase API
Bytebase is a database DevSecOps platform designed for developers, security, DBA, and platform engineering teams. While it offers an intuitive GUI for managing database schema changes and access control, some teams may want to integrate Bytebase into their existing DevOps platforms using the Bytebase API.
In our previous tutorials, we demonstrated how to use the Bytebase API to:
This tutorial will focus on fetch and filter audit log in Bytebase, it's OK if you haven't gone through the previous tutorials.
Prerequisites
- Docker installed
- Node.js >= v18
Start Bytebase
Make sure your Docker daemon is running. Copy and paste the commands to start Bytebase.
Bytebase is now running via Docker, and you can access it via localhost:8080
. Register the first admin account which will be granted Workspace Admin
.
Create Service Account
-
Log in as the admin user, and go to Security & Policy > Users & Groups. Click + Add User, fill in with
api-example
, choose theDBA
role that is sufficient for this tutorial and click Confirm. -
Find the newly created service account and click on Copy Service Key. We will use this token to authenticate the API calls.
Run Demo
-
Go to Bytebase API Example repo and clone it.
-
Copy
env-template.local
to.env.local
.Update the variables.NEXT_PUBLIC_BB_URL
:http://localhost:8080
NEXT_PUBLIC_BB_SERVICE_ACCOUNT
:api-example
NEXT_PUBLIC_BB_SERVICE_KEY
: service key copied in previous step
-
Go to subfolder
audit-log
, and run the following commands to start the demo application. -
Open the demo in your browser, you'll see the following page.
-
To enhance the demo's realism, go to Bytebase:
- Go to SQL Editor to query the database
- Go to a specific project and do some database changes, e.g. create a database, create a table, add some data.
Fetch and Filter Audit Log
Let's dig into the code:
-
In
page.tsx
, we fetch all projects by calling the /v1/projects API before any project selection. -
Bytebase has two levels of audit log: Workspace and Project. When the user first visit the demo, We fetch Workspace-level audit log via /v1/auditLogs:search API. The default time range is 7 days back till now. You may also adjust the time range by passing
startTime
andendTime
in the request body viafilter
. -
In
db-fetch-user-permission.tsx
, if the user select a speicifc project, we fetch the project-level audit log via /v1/projects/PROJECT_ID/auditLogs:search API. The time range filter is the same as the workspace-level audit log.
Summary
Congratulations! You've successfully created a database audit viewer using the Bytebase API. Similarly, you may export the log by calling /v1/auditLogs:export API.