diff --git a/docs/changelog/bytebase-3-15-0.mdx b/docs/changelog/bytebase-3-15-0.mdx index 19590277..9ad81bf5 100644 --- a/docs/changelog/bytebase-3-15-0.mdx +++ b/docs/changelog/bytebase-3-15-0.mdx 
@@ -28,16 +28,22 @@ We introduce project-level Service Accounts and Workload Identities in addition Affected APIs: `CreateServiceAccount`, `ListServiceAccounts`, `CreateWorkloadIdentity`, `ListWorkloadIdentities`. Endpoint change: `/v1/serviceAccounts` → `/v1/workspaces/-/serviceAccounts` - - Terraform users must update IAM member prefixes and use the new service account/workload identity resources. + - Terraform users must update IAM member prefixes and use the new service account/workload identity resources. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) ## 🔔 Other Notable Changes +- **DDL and DML execution control update** + - Environment condition is added to `bb.sql.ddl` and `bb.sql.dml` role grants as a replacement for the `disallow_ddl` and `disallow_dml` environment policy. + - Each IAM Policy (i.e. role grant) has a single environment condition that applies to both `bb.sql.ddl` and `bb.sql.dml` permissions together. This means you cannot allow DDL but disallow DML (or vice versa) within the same role. If you need different environment restrictions for DDL and DML, the recommended practice is to create 2 separate roles — one with `bb.sql.ddl` and one with `bb.sql.dml` — each with its own environment condition. + - `disallow_ddl` and `disallow_dml` are automatically migrated to be reflected in role grants in an OR manner — if for a specific environment, either `disallow_ddl` or `disallow_dml` is set to OFF, this environment condition will be configured for the role with `bb.sql.ddl` or `bb.sql.dml` permission. This could lead to **breaking changes** to DDL and DML control if your `disallow_ddl` and `disallow_dml` settings differ across environment policies. Please review after upgrading and follow the recommended practice to configure your role grants. + - Add `bb.sql.ddl` and `bb.sql.dml` permissions to the **SQL Editor User** and **Project Owner** role. 
+ - For Terraform users, update the environment policy and your role grants accordingly. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) + - **SQL Editor settings consolidation & policy updates** - Add a dedicated **SQL Editor** section under **Workspace Settings > General**, consolidating data export, data copying, admin data source access, max result size, max result rows, and max query time. - **Max result rows** can also be configured at the project level. - `DataSourceQueryPolicy` is merged into `QueryDataPolicy` and deprecated (auto-migrated). - - DDL/DML execution control is now configured at the project role level using `bb.sql.ddl` and `bb.sql.dml` permissions. The previous `disallow_ddl` / `disallow_dml` environment policy is removed. - - For Terraform users, the settings update also affect Terraform, need to update bytebase_policy configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/3.15.1/docs/resources/policy) + - For Terraform users, update `bytebase_policy` configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) - **Role & permission adjustments** - Add `bb.taskRuns.create` permission to the **Project Owner** role. @@ -77,6 +83,6 @@ We introduce project-level Service Accounts and Workload Identities in addition - Fix access token refresh on SQL Editor LSP websocket reconnection. - Fix incorrect Learn More link for online migration. - **Google Cloud SQL** - Fix IAM authentication while creating instances in Bytebase Cloud. -- **PostgreSQL** - Support CTE for Backup. +- **PostgreSQL** - Support Common Table Expressions (CTE) in backup statement execution.
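Review bot: In the first hunk (`@@ -28,16 +28,22 @@`), the migration bullet under "DDL and DML execution control update" never says in which direction access changes, and as worded it describes a permission widening. If either `disallow_ddl` or `disallow_dml` is OFF for an environment, that environment is added to the condition on roles holding `bb.sql.ddl` or `bb.sql.dml`, and the preceding bullet says one condition covers both permissions. An environment that previously blocked DDL but allowed DML would therefore permit both after the upgrade. Suggest stating that outcome explicitly with one concrete before/after case, and naming which roles receive the migrated condition, since the next bullet also adds both permissions to **SQL Editor User** and **Project Owner**. Separately, the Terraform links in this hunk move from a version-pinned resource page (`.../3.15.1/docs/resources/policy`) to `.../latest/docs`. In a changelog entry for 3.15.0 a `latest` link will drift as the provider changes, so consider keeping a pinned link to the specific resource page.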