Data Bridge, August 31, 2022

The August release of the Data Bridge API introduces group-level access controls for server instances and services that enable Data Bridge cluster security administration.

Cluster API

All connections between clients and managed SQL Server instances are encrypted automatically using Transport Layer Security (TLS). Data Bridge now enables organizations to configure the minimum version of TLS supported by the organization's managed SQL Server instances.

The Get server security service (GET /databridge/v1/Cluster/server-security) returns cluster-level security information, including the minTlsVersion and allConnectedEncrypted attributes. The minTlsVersion attribute identifies the minimum version of TLS supported by the Data Bridge cluster; clients connecting to managed SQL Server instances must support at least this version to connect to the Data Bridge cluster. The allConnectedEncrypted attribute returns a Boolean value that indicates whether connections to the Data Bridge cluster are encrypted. By default, true.

The Set TLS protocol service (PUT /databridge/v1/Cluster/server-security) sets the minimum TLS protocol version on the cluster. The minTlsVersion attribute is specified in the request body. Data Bridge uses Transport Layer Security (TLS) to manage connections between clients and managed SQL Server instances. By default, Data Bridge is configured to support TLS 1.2 or newer. If you need to allow a lower level of encryption to support legacy applications, Data Bridge supports setting the minimum supported TLS version as 1.0, 1.1 or 1.2. RMS recommends the default setting of TLS 1.2.
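The two cluster services above lend themselves to a small posture check: read the GET response, flag a minimum below the RMS-recommended TLS 1.2 or a cluster that is not fully encrypted, and build a PUT body that only accepts the three documented values. The following is an added example, not code from the Data Bridge release or from RMS. The attribute names and the 1.0/1.1/1.2 value set come from the release note; the string form of minTlsVersion, the base URL and the bearer-token header are assumptions made for this example, and the sample response is constructed.

```python
import json
from urllib.request import Request

# Values the release note documents: settable minimum versions and the
# RMS-recommended default.
ALLOWED_MIN_TLS = ("1.0", "1.1", "1.2")
RECOMMENDED_MIN_TLS = "1.2"

# Constructed sample response for GET /databridge/v1/Cluster/server-security.
# The attribute names come from the release note; the "1.0"/"1.1"/"1.2" string
# form of minTlsVersion is an assumption made for this example.
SAMPLE_SERVER_SECURITY = json.dumps(
    {"minTlsVersion": "1.0", "allConnectedEncrypted": True}
)


def _version_tuple(version: str) -> tuple[int, ...]:
    """Turn '1.2' into (1, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_server_security(response_body: str) -> list[str]:
    """Return human-readable findings for a server-security response.

    An empty list means the cluster matches the recommended posture:
    minTlsVersion at or above 1.2 and allConnectedEncrypted true.
    """
    data = json.loads(response_body)
    findings: list[str] = []

    min_tls = data.get("minTlsVersion")
    if not isinstance(min_tls, str):
        findings.append("minTlsVersion is missing or not a string")
    else:
        try:
            too_low = _version_tuple(min_tls) < _version_tuple(RECOMMENDED_MIN_TLS)
        except ValueError:
            findings.append(f"minTlsVersion {min_tls!r} is not a dotted version")
        else:
            if too_low:
                findings.append(
                    f"minTlsVersion {min_tls} is below the recommended {RECOMMENDED_MIN_TLS}"
                )

    if data.get("allConnectedEncrypted") is not True:
        findings.append("allConnectedEncrypted is not true")
    return findings


def set_tls_body(min_tls: str) -> str:
    """Build the PUT /databridge/v1/Cluster/server-security body.

    Refuses anything outside the three values the release note lists, so a
    typo cannot silently request an unsupported setting.
    """
    if min_tls not in ALLOWED_MIN_TLS:
        raise ValueError(f"minTlsVersion must be one of {ALLOWED_MIN_TLS}, got {min_tls!r}")
    return json.dumps({"minTlsVersion": min_tls})


def build_set_tls_request(base_url: str, token: str, min_tls: str) -> Request:
    """Assemble (but do not send) the PUT request.

    The base URL and bearer-token authentication are assumptions for this
    example; the release note does not describe the authentication scheme.
    """
    return Request(
        url=base_url.rstrip("/") + "/databridge/v1/Cluster/server-security",
        data=set_tls_body(min_tls).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    for finding in audit_server_security(SAMPLE_SERVER_SECURITY):
        print("FINDING:", finding)
    req = build_set_tls_request("https://databridge.example.invalid", "<token>", RECOMMENDED_MIN_TLS)
    print(req.get_method(), req.full_url, req.data.decode())
```

Running the audit periodically against the GET response gives a cheap drift detector: a cluster lowered to TLS 1.0 for a legacy application shows up as a finding until the exception is either documented or reverted.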

SQL Instance API

Organizations may now control access to managed SQL Servers on a group-by-group basis:

The Get groups by server instance service (GET /databridge/v1/sql-instances/{instanceName}/groups) returns a list of the groups granted access to the specified managed server instance.

The Manage groups by server instance service (PATCH /databridge/v1/sql-instances/{instanceName}/groups) grants or revokes group access to the specified managed server instance.

The server instance is identified in the endpoint path. The request body defines the groupOperations array that may be used to grant or revoke access for one or more groups:

{
  "groupOperations": [
    {
      "groupAction": 1,
      "groupId": "group1ID"
    },
    {
      "groupAction": 0,
      "groupId": "group2ID"
    }
  ]
}

Each operation object defines a groupAction and a groupId.

  • The groupAction parameter specifies the operation type. One of 0 or 1. If 0, the request revokes the access previously granted to the server instance. If 1, the request grants access to the server instance to the specified group and its members.
  • The groupId parameter identifies the group that will be granted access to the server instance or have its access revoked.

Database API

The Get groups by database service (GET /databridge/v1/sql-instances/{instanceName}/Databases/{databaseName}/groups) returns a list of the groups granted access to the specified managed database.

The Manage groups by database service (PATCH /databridge/v1/sql-instances/{instanceName}/Databases/{databaseName}/groups) grants or revokes group access to the specified database.

The server instance and database are identified in the endpoint path. The request body defines the groupOperations array that may be used to grant or revoke access for one or more groups:

{
  "groupOperations": [
    {
      "groupAction": 0,
      "groupId": "string"
    }
  ]
}

Each operation object defines a groupAction and a groupId.

  • The groupAction parameter specifies the operation type. One of 0 or 1. If 0, the request revokes the access previously granted to the database. If 1, the request grants access to the database to the specified group and its members.
  • The groupId parameter identifies the group that will be granted access to the database or have its access revoked.
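The instance-level and database-level Manage groups services share one request body, so a single helper covers both. The following added example (not code from the Data Bridge release or from RMS) builds the two endpoint paths, constructs and validates a groupOperations body using the documented groupAction values, and reconciles a current list of groups against a desired allowlist so that anything not on the list is revoked. The release note does not give the shape of the Get groups responses, so the example assumes the caller has already extracted the group IDs into a list; the group IDs and names used below are constructed.

```python
from typing import Optional
from urllib.parse import quote

# groupAction values as documented in the release note.
GRANT = 1
REVOKE = 0


def instance_groups_path(instance_name: str) -> str:
    """Path of the per-instance groups services (GET and PATCH)."""
    return f"/databridge/v1/sql-instances/{quote(instance_name, safe='')}/groups"


def database_groups_path(instance_name: str, database_name: str) -> str:
    """Path of the per-database groups services (GET and PATCH)."""
    return (
        f"/databridge/v1/sql-instances/{quote(instance_name, safe='')}"
        f"/Databases/{quote(database_name, safe='')}/groups"
    )


def group_operations_body(grants=(), revokes=()) -> dict:
    """Build the PATCH request body from a list of groups to grant and to revoke.

    Rejects an empty request and a group that appears in both lists, since
    the note does not say which of two conflicting operations would win.
    """
    grants, revokes = list(grants), list(revokes)
    if not grants and not revokes:
        raise ValueError("at least one group operation is required")
    conflict = sorted(set(grants) & set(revokes))
    if conflict:
        raise ValueError(f"groups both granted and revoked: {conflict}")
    ops = [{"groupAction": GRANT, "groupId": g} for g in grants]
    ops += [{"groupAction": REVOKE, "groupId": g} for g in revokes]
    return {"groupOperations": ops}


def validate_group_operations(body: dict) -> list[str]:
    """Check a body against the documented shape before it is sent.

    Useful for bodies that did not come from group_operations_body, for
    example one pasted from a change request.
    """
    findings: list[str] = []
    ops = body.get("groupOperations")
    if not isinstance(ops, list) or not ops:
        return ["groupOperations must be a non-empty array"]
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            findings.append(f"operation {i}: must be an object")
            continue
        if op.get("groupAction") not in (GRANT, REVOKE):
            findings.append(f"operation {i}: groupAction must be 0 or 1")
        group_id = op.get("groupId")
        if not isinstance(group_id, str) or not group_id.strip():
            findings.append(f"operation {i}: groupId must be a non-empty string")
    return findings


def reconcile_access(current: list[str], desired: list[str]) -> Optional[dict]:
    """Compute the PATCH body that moves an instance or database from its
    current set of groups to exactly the desired set.

    Groups present but not desired are revoked, so the desired list acts as
    an allowlist rather than only adding access. Returns None when the two
    sets already match and no request is needed.
    """
    cur, want = set(current), set(desired)
    grants, revokes = sorted(want - cur), sorted(cur - want)
    if not grants and not revokes:
        return None
    return group_operations_body(grants, revokes)


if __name__ == "__main__":
    # Constructed sample: group IDs read from the Get groups by database service
    # versus the groups the database owner has approved.
    current_groups = ["dba-team", "legacy-reporting"]
    desired_groups = ["dba-team", "finance-readers"]
    body = reconcile_access(current_groups, desired_groups)
    print("PATCH", database_groups_path("prod-01", "Sales DB"))
    print(body, validate_group_operations(body))
```

Reconciling against an approved list, rather than issuing ad hoc grants, keeps the per-database access set reviewable: the diff between current and desired is exactly the request that gets sent.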