Data Masking with GitHub Actions Part 3 - Data Classification

Estimated: 30 mins

Bytebase is a database DevSecOps platform designed for developers, security, DBA, and platform engineering teams. While it offers an intuitive GUI for managing database schema changes and access control, some teams may want to integrate Bytebase into their existing DevOps platforms using the Bytebase API.

In the previous tutorial, you learned how to apply column masking and masking exemption. In this tutorial, we will explore how to use data classification.


This is Part 3 of our tutorial series on implementing automated database masking using GitHub Actions.

Overview

In this tutorial, you'll learn how to automate data classification using GitHub Actions and the Bytebase API. This integration allows you to:

  • Manage data classification and global masking policy as code
  • Automatically apply masking policies when PRs are merged

The complete code for this tutorial is available at: database-security-github-actions-example

This tutorial skips the setup. If you haven't set up Bytebase and GitHub Actions, follow the Setup Instructions section in the previous tutorial.

Data Classification

Data Classification allows you to manage masking policy for many columns by controlling only a small number of classifications.

In Bytebase Console

Go to Data Access > Data Classification, where you can upload the classification file.

In GitHub Workflow

Find the step Apply classification, which applies the classification to the database via the API. All classifications should be defined in one file in the root directory as masking/classification.json. The code that calls the Bytebase API is as follows:

response=$(curl -s -w "\n%{http_code}" --request PATCH "${BYTEBASE_API_URL}/settings/bb.workspace.classification" \
   --header "Authorization: Bearer ${BYTEBASE_TOKEN}" \
   --header "Content-Type: application/json" \
   --data @"$CHANGED_FILE")
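
The call above captures the status code, but `curl -s` without `--fail` still exits 0 on a 401 or 403, so the step can pass while the classification was never applied. The following added example (not part of the original workflow) splits the captured response and fails on anything other than 2xx; the function names and sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input format: what curl -s -w "\n%{http_code}" captures into $response,
# i.e. the response body, a newline, then the status code on the last line.

# Print the HTTP status code (the last line of the captured response).
http_status() {
  printf '%s\n' "$1" | tail -n 1
}

# Print the response body (everything before the last line).
http_body() {
  printf '%s\n' "$1" | sed '$d'
}

# Return 0 only for a 2xx status. Otherwise emit a GitHub Actions
# ::error annotation on stderr and return 1 so the step fails.
check_apply_result() {
  _status=$(http_status "$1")
  case "$_status" in
    2[0-9][0-9])
      echo "applied $2 (HTTP $_status)"
      return 0 ;;
    000|'')
      echo "::error file=$2::no HTTP response from Bytebase" >&2
      return 1 ;;
    *)
      echo "::error file=$2::Bytebase returned HTTP $_status" >&2
      http_body "$1" >&2
      return 1 ;;
  esac
}

# Constructed sample responses (assumed shapes, not real Bytebase output).
ok_response=$(printf '%s\n%s' '{"name":"settings/bb.workspace.classification"}' '200')
denied_response=$(printf '%s\n%s' '{"message":"permission denied"}' '403')

check_apply_result "$ok_response" "masking/classification.json"
check_apply_result "$denied_response" "masking/classification.json" \
  || echo "step would exit 1 here"
```

In the workflow step, calling `check_apply_result "$response" "$CHANGED_FILE" || exit 1` right after the curl command turns a rejected request into a failed job.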

By changing the file masking/data-classification.json, creating a PR, and merging it, you can apply the classification. In the Bytebase console, go to Data Access > Data Classification to see that the classification is applied.

The GitHub workflow also applies the global masking rule and column masking with classification, using the files masking/global-masking-rule-classification.json and masking/databases/test-sample-instance/hr_test/database-catalog-classification.json.

Summary

Throughout this tutorial series, you have learned how to automate data masking, covering semantic types, global masking rules, column masking, masking exemptions and data classification, using GitHub Actions and the Bytebase API.
