From 2f05ea40baf56973ec3cc6a11821d87f58132b22 Mon Sep 17 00:00:00 2001 From: adela Date: Thu, 12 Mar 2026 00:43:28 +0100 Subject: [PATCH 1/4] add 3.16.0 changelog --- docs/changelog/bytebase-3-16-0.mdx | 71 ++++++++++++++++++++++++++++++ docs/docs.json | 1 + 2 files changed, 72 insertions(+) create mode 100644 docs/changelog/bytebase-3-16-0.mdx diff --git a/docs/changelog/bytebase-3-16-0.mdx b/docs/changelog/bytebase-3-16-0.mdx new file mode 100644 index 00000000..ba228cc5 --- /dev/null +++ b/docs/changelog/bytebase-3-16-0.mdx @@ -0,0 +1,71 @@ +--- +title: Bytebase 3.16.0 - Mar 12, 2026 +author: Adela +updated_at: 2026/03/12 18:00:00 +description: 'Just-In-Time (JIT) Data Access' + +--- + +import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; + +## 🔔 Notable Changes + +- **Workspace API breaking changes** — Policy API: `/v1/policies` → `/v1/workspaces/{id}/policies`. Workspace API now requires explicit workspace ID instead of `/v1/workspaces/-`. + +- **Legacy service account email migration** — Service accounts, workload identities, and end users are now stored separately. Legacy emails with `{name}@service.bytebase.com` and `{name}@{project}.service.bytebase.com` are auto-migrated. + +- Non-release database migrations now run in parallel; only release-based migrations remain sequential per database. + +- **Terraform provider 3.16.1 required** — Covers workspace policy API changes, UserType removal, and JIT approval flow. [Migration guide](https://github.com/bytebase/terraform-provider-bytebase/blob/main/migration/3.16.1.md) + +## 🚀 Features + +- **Just-In-Time (JIT) Data Access** — Users without database access can request approval to execute a specific read-only query. Enable JIT in project settings and configure approval rules with the new `REQUEST_ACCESS` source type. Once approved, the grant is scoped to that query and auto-expires after the configured duration. + +- Add **GitOps** landing page with guided setup for workload identity selection and CI/CD YAML generation. + +- **Elasticsearch & MongoDB** — Dynamic data masking support. + +## 🎄 Enhancements + +- Redesign issue list with streamlined layout and improved information density. Support sorting by created/updated time, all approval status options (Checking, Pending, Approved, Rejected, Skipped) in advanced search filter, and more prominent approval status in issue detail. + +- Standardize timestamp display to relative time with absolute time tooltip. + +- Redesign **Create Instance** page as a full-page layout. + +- Support access-token authentication for Bytebase Action, enabling CI/CD pipelines to authenticate to Bytebase via workload identity federation. + +- Support copying the entire query result. + +- **PostgreSQL & Oracle** — Improve schema sync accuracy. + +- **MongoDB & Elasticsearch** — Preview query results in document view or table view. Live syntax checking and auto-complete in SQL Editor. + +- **BigQuery & Spanner** — Support Workload Identity Federation credentials for non-GCP hosted Bytebase. + +- **Oracle** — Add ROW STORE COMPRESS syntax support. + +## 🐞 Bug Fixes + +- Fix cross-project authorization bypass in rollout and worksheet endpoints, stale task execution when target database's project or environment changes, and IAM permission check not considering binding expiration time. + +- Fix issues incorrectly moved to DONE by migration 3.14/0034. + +- Fix semantic JSON/Array masking for non-full maskers. + +- Skip databases without environments during task creation. + +- Classify CALL/EXEC stored procedure statements as DML to allow execution in SQL Editor. + +- **PostgreSQL** — Fix data masking bypass via `jsonb_array_elements` lateral joins, search_path handling across DML dry-run and SQL review, DML prior backup not supporting CTE (WITH clause), and Schema Sync incorrectly dropping extensions and creating phantom schemas. + +- **MariaDB** — Fix SQL review plan check not blocking rollout on ERROR-level violations. + +- **MSSQL** — Fix error messages missing line number when rolling out multiple statements. + +- **Oracle** — Fix UTF-8 encoding issues in comment fields during schema sync. + +- **TiDB** — Fix DROP INDEX IF EXISTS walk-through, CHECK_CONSTRAINTS query compatibility for TiDB < 7.4.0, and SQL export resource extraction. + + diff --git a/docs/docs.json b/docs/docs.json index e2471c98..b8832486 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -368,6 +368,7 @@ { "tab": "Changelog", "pages": [ + "changelog/bytebase-3-16-0", "changelog/bytebase-3-15-1", "changelog/bytebase-3-15-0", "changelog/bytebase-3-14-1", From df615fc1f4417f96f8c444017830e0e726c6b023 Mon Sep 17 00:00:00 2001 From: adela Date: Thu, 12 Mar 2026 11:12:57 +0100 Subject: [PATCH 2/4] update --- docs/changelog/bytebase-3-16-0.mdx | 73 +++++++++++++++++++++++++----- 1 file changed, 62 insertions(+), 11 deletions(-) diff --git a/docs/changelog/bytebase-3-16-0.mdx b/docs/changelog/bytebase-3-16-0.mdx index ba228cc5..aa52afa5 100644 --- a/docs/changelog/bytebase-3-16-0.mdx +++ b/docs/changelog/bytebase-3-16-0.mdx @@ -10,13 +10,15 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; ## 🔔 Notable Changes -- **Workspace API breaking changes** — Policy API: `/v1/policies` → `/v1/workspaces/{id}/policies`. Workspace API now requires explicit workspace ID instead of `/v1/workspaces/-`. +- **Workspace API breaking changes** — Policy API: `/v1/policies` → `/v1/workspaces/{id}/policies`. All workspace-scoped APIs now require explicit workspace ID instead of `/v1/workspaces/-`. Service accounts, workload identities, and end users are now stored separately; `User.user_type` and `UserType` enum are removed. See [change details](<#workspace-api-breaking-changes>). -- **Legacy service account email migration** — Service accounts, workload identities, and end users are now stored separately. Legacy emails with `{name}@service.bytebase.com` and `{name}@{project}.service.bytebase.com` are auto-migrated. +- **Legacy service account email migration** — Legacy emails with `{name}@service.bytebase.com` and `{name}@{project}.service.bytebase.com` are auto-migrated. Use the dedicated Service Account and Workload Identity services introduced in 3.15.0. + +- **Resource ID migration** — Several API resource IDs migrate from sequential integers to opaque UUID strings (revision, changelog, issue comment, project webhook). Previously bookmarked integer IDs will no longer work. See [change details](<#resource-id-migration>). - Non-release database migrations now run in parallel; only release-based migrations remain sequential per database. -- **Terraform provider 3.16.1 required** — Covers workspace policy API changes, UserType removal, and JIT approval flow. [Migration guide](https://github.com/bytebase/terraform-provider-bytebase/blob/main/migration/3.16.1.md) +- **Terraform provider 3.16.1 required** — Covers workspace policy API changes, UserType removal, resource ID migration, and JIT approval flow. [Migration guide]() ## 🚀 Features @@ -36,9 +38,11 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - Support access-token authentication for Bytebase Action, enabling CI/CD pipelines to authenticate to Bytebase via workload identity federation. -- Support copying the entire query result. +- Add pre-execution drift validation that detects schema changes before executing stale tasks. -- **PostgreSQL & Oracle** — Improve schema sync accuracy. +- Support copying the entire query result in SQL Editor. + +- Update default AI model placeholders to current-generation models (GPT-4o, Gemini 2.5 Flash, Claude Sonnet 4). - **MongoDB & Elasticsearch** — Preview query results in document view or table view. Live syntax checking and auto-complete in SQL Editor. @@ -46,20 +50,18 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - **Oracle** — Add ROW STORE COMPRESS syntax support. -## 🐞 Bug Fixes +- **PostgreSQL** — Support `search_path` resolution via current user in schema -- Fix cross-project authorization bypass in rollout and worksheet endpoints, stale task execution when target database's project or environment changes, and IAM permission check not considering binding expiration time. +- **PostgreSQL & Oracle** — Improve schema sync accuracy. -- Fix issues incorrectly moved to DONE by migration 3.14/0034. +## 🐞 Bug Fixes -- Fix semantic JSON/Array masking for non-full maskers. +- Fix issues incorrectly moved to DONE by migration 3.14/0034. - Skip databases without environments during task creation. - Classify CALL/EXEC stored procedure statements as DML to allow execution in SQL Editor. -- **PostgreSQL** — Fix data masking bypass via `jsonb_array_elements` lateral joins, search_path handling across DML dry-run and SQL review, DML prior backup not supporting CTE (WITH clause), and Schema Sync incorrectly dropping extensions and creating phantom schemas. - - **MariaDB** — Fix SQL review plan check not blocking rollout on ERROR-level violations. - **MSSQL** — Fix error messages missing line number when rolling out multiple statements. @@ -69,3 +71,52 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - **TiDB** — Fix DROP INDEX IF EXISTS walk-through, CHECK_CONSTRAINTS query compatibility for TiDB < 7.4.0, and SQL export resource extraction. + +## 📃 Change Details + +### Workspace API Breaking Changes + +**1. Policy API path changes (workspace-level policies only):** + +| Method | Before | After | +| -- | -- | -- | +| Get | `/v1/{name=policies/*}` | `/v1/{name=workspaces/*/policies/*}` | +| List | `/v1/policies` | `/v1/{parent=workspaces/*}/policies` | +| Create | `/v1/policies` | `/v1/{parent=workspaces/*}/policies` | +| Update | `/v1/{policy.name=policies/*}` | `/v1/{policy.name=workspaces/*/policies/*}` | +| Delete | `/v1/{name=policies/*}` | `/v1/{name=workspaces/*/policies/*}` | + +Environment, instance, and database-level policy bindings are unchanged. + +**2. APIs that no longer accept** `workspaces/-` (must use `workspaces/{id}`): + +| Service | Affected Operations | +| -- | -- | +| ServiceAccountService | `CreateServiceAccount`, `ListServiceAccounts` | +| WorkloadIdentityService | `CreateWorkloadIdentity`, `ListWorkloadIdentities` | +| DatabaseService | `ListDatabases` | +| WorkspaceService | `GetIamPolicy`, `SetIamPolicy` | + +**3. User API changes:** + +| Change | Details | +| -- | -- | +| `User.user_type` field removed | Reserved field 5. Use dedicated Service Account / Workload Identity services. | +| `UserType` enum removed | Deleted from `user_service.proto`. | +| `WorkloadIdentityConfig` moved | From `User` message to `workload_identity_service.proto`. | +| `ActuatorInfo.user_stats` removed | Replaced with `int32 activated_user_count`. | +| `CreateUser` behavior | Only creates end users. Service accounts / workload identities must use their dedicated services. | +| `ListUsers` behavior | Only returns end users. | + +### Resource ID Migration + +Resource IDs in the following API resource names change from sequential integers to UUID strings: + +| Resource | Resource Name Pattern | ID Format Change | +| -- | -- | -- | +| Revision | `instances/{id}/databases/{db}/revisions/{id}` | integer → UUID | +| Changelog | `instances/{id}/databases/{db}/changelogs/{id}` | integer → UUID | +| Issue Comment | `projects/{id}/issues/{uid}/issueComments/{id}` | integer → UUID | +| Project Webhook | `projects/{id}/webhooks/{id}` | integer → UUID | + +Existing records receive randomly generated UUIDs during migration. Any previously bookmarked or cached integer IDs will stop working. \ No newline at end of file From f9ad679fb010840508df2c48dbbd02ebcf488854 Mon Sep 17 00:00:00 2001 From: adela Date: Thu, 12 Mar 2026 11:19:40 +0100 Subject: [PATCH 3/4] update --- docs/changelog/bytebase-3-16-0.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/changelog/bytebase-3-16-0.mdx b/docs/changelog/bytebase-3-16-0.mdx index aa52afa5..05a2059e 100644 --- a/docs/changelog/bytebase-3-16-0.mdx +++ b/docs/changelog/bytebase-3-16-0.mdx @@ -26,7 +26,7 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - Add **GitOps** landing page with guided setup for workload identity selection and CI/CD YAML generation. -- **Elasticsearch & MongoDB** — Dynamic data masking support. +- **Elasticsearch & MongoDB** — Support dynamic data masking. Masking is configured per-collection through the Catalog using `objectSchema` (not the column-based configuration used by relational databases). Global masking rules and masking exemption are not supported for document databases at this time. ## 🎄 Enhancements From f7bf9ac8ea3819b2b204253a6565026e245e4e3c Mon Sep 17 00:00:00 2001 From: adela Date: Thu, 12 Mar 2026 11:40:33 +0100 Subject: [PATCH 4/4] update --- docs/changelog/bytebase-3-16-0.mdx | 34 ++++++++++++++++-------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/docs/changelog/bytebase-3-16-0.mdx b/docs/changelog/bytebase-3-16-0.mdx index 05a2059e..721d3648 100644 --- a/docs/changelog/bytebase-3-16-0.mdx +++ b/docs/changelog/bytebase-3-16-0.mdx @@ -10,23 +10,25 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; ## 🔔 Notable Changes -- **Workspace API breaking changes** — Policy API: `/v1/policies` → `/v1/workspaces/{id}/policies`. All workspace-scoped APIs now require explicit workspace ID instead of `/v1/workspaces/-`. Service accounts, workload identities, and end users are now stored separately; `User.user_type` and `UserType` enum are removed. See [change details](<#workspace-api-breaking-changes>). +- **Workspace API breaking changes** - Policy API: `/v1/policies` → `/v1/workspaces/{id}/policies`. All workspace-scoped APIs now require explicit workspace ID instead of `/v1/workspaces/-`. See [Change Details](<#workspace-api-breaking-changes>). -- **Legacy service account email migration** — Legacy emails with `{name}@service.bytebase.com` and `{name}@{project}.service.bytebase.com` are auto-migrated. Use the dedicated Service Account and Workload Identity services introduced in 3.15.0. +- **User API breaking changes** - Decouple identity types and migrate Service Accounts and Workload Identities into separate data models. The unified User API no longer handles these identity types; `User.user_type` and `UserType` enum are removed. See [Change Details](<#user-api-breaking-changes>). -- **Resource ID migration** — Several API resource IDs migrate from sequential integers to opaque UUID strings (revision, changelog, issue comment, project webhook). Previously bookmarked integer IDs will no longer work. See [change details](<#resource-id-migration>). +- **Legacy service account email migration** - Legacy emails with `{name}@service.bytebase.com` and `{name}@{project}.service.bytebase.com` are auto-migrated. Use the dedicated Service Account and Workload Identity services introduced in 3.15.0. + +- **Resource ID migration** - Several API resource IDs migrate from sequential integers to opaque UUID strings (revision, changelog, issue comment, project webhook). Previously bookmarked integer IDs will no longer work. See [Change Details](<#resource-id-migration>). - Non-release database migrations now run in parallel; only release-based migrations remain sequential per database. -- **Terraform provider 3.16.1 required** — Covers workspace policy API changes, UserType removal, resource ID migration, and JIT approval flow. [Migration guide]() +- **Terraform provider 3.16.1 required** - Covers workspace policy API changes, UserType removal, resource ID migration, and JIT approval flow. See [Migration Guide]() ## 🚀 Features -- **Just-In-Time (JIT) Data Access** — Users without database access can request approval to execute a specific read-only query. Enable JIT in project settings and configure approval rules with the new `REQUEST_ACCESS` source type. Once approved, the grant is scoped to that query and auto-expires after the configured duration. +- **Just-In-Time (JIT) Data Access** - Users without database access can request approval to execute a specific read-only query. Enable JIT in project settings and configure approval rules with the new `REQUEST_ACCESS` source type. Once approved, the grant is scoped to that query and auto-expires after the configured duration. - Add **GitOps** landing page with guided setup for workload identity selection and CI/CD YAML generation. -- **Elasticsearch & MongoDB** — Support dynamic data masking. Masking is configured per-collection through the Catalog using `objectSchema` (not the column-based configuration used by relational databases). Global masking rules and masking exemption are not supported for document databases at this time. +- **Elasticsearch & MongoDB** - Support dynamic data masking. Masking is configured per-collection through the Catalog using `objectSchema` (not the column-based configuration used by relational databases). Global masking rules and masking exemption are not supported for document databases at this time. ## 🎄 Enhancements @@ -44,15 +46,15 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - Update default AI model placeholders to current-generation models (GPT-4o, Gemini 2.5 Flash, Claude Sonnet 4). -- **MongoDB & Elasticsearch** — Preview query results in document view or table view. Live syntax checking and auto-complete in SQL Editor. +- **MongoDB & Elasticsearch** - Preview query results in document view or table view. Live syntax checking and auto-complete in SQL Editor. -- **BigQuery & Spanner** — Support Workload Identity Federation credentials for non-GCP hosted Bytebase. +- **BigQuery & Spanner** - Support Workload Identity Federation credentials for non-GCP hosted Bytebase. -- **Oracle** — Add ROW STORE COMPRESS syntax support. +- **Oracle** - Add ROW STORE COMPRESS syntax support. -- **PostgreSQL** — Support `search_path` resolution via current user in schema +- **PostgreSQL** - Support `search_path` resolution via current user in schema -- **PostgreSQL & Oracle** — Improve schema sync accuracy. +- **PostgreSQL & Oracle** - Improve schema sync accuracy. ## 🐞 Bug Fixes @@ -62,13 +64,13 @@ import InstallUpgrade from '/snippets/install/install-upgrade.mdx'; - Classify CALL/EXEC stored procedure statements as DML to allow execution in SQL Editor. -- **MariaDB** — Fix SQL review plan check not blocking rollout on ERROR-level violations. +- **MariaDB** - Fix SQL review plan check not blocking rollout on ERROR-level violations. -- **MSSQL** — Fix error messages missing line number when rolling out multiple statements. +- **MSSQL** - Fix error messages missing line number when rolling out multiple statements. -- **Oracle** — Fix UTF-8 encoding issues in comment fields during schema sync. +- **Oracle** - Fix UTF-8 encoding issues in comment fields during schema sync. -- **TiDB** — Fix DROP INDEX IF EXISTS walk-through, CHECK_CONSTRAINTS query compatibility for TiDB < 7.4.0, and SQL export resource extraction. +- **TiDB** - Fix DROP INDEX IF EXISTS walk-through, CHECK_CONSTRAINTS query compatibility for TiDB < 7.4.0, and SQL export resource extraction. @@ -97,7 +99,7 @@ Environment, instance, and database-level policy bindings are unchanged. | DatabaseService | `ListDatabases` | | WorkspaceService | `GetIamPolicy`, `SetIamPolicy` | -**3. User API changes:** +### User API Breaking Changes | Change | Details | | -- | -- |