One Platform for All Your Database Queries — Introducing dbquery

sen ki — Wed, 25 Mar 2026 09:16:10 +0000

One Platform for All Your Database Queries — Introducing dbquery

tag ： devops selfhosted database django

The daily reality for ops and dev teams: Navicat open on one screen, DBeaver on another, Redis Desktop Manager somewhere else, MongoDB Compass somewhere else again — constantly switching. You want to let a QA engineer look up a production table, but you can't hand out the database password. New hires spend hours configuring client tools before they can do anything useful. dbquery solves all of this in one shot.

What Is dbquery?

dbquery is a lightweight, self-hosted database query platform built with Django 4.2 + Bootstrap 5. It runs entirely in the browser — no client installation required — and supports MySQL, TiDB, PostgreSQL, Redis, and MongoDB. It comes with a built-in role-based permission system so DBAs, developers, and QA engineers can safely share one tool.

One command to deploy, up and running in 5 minutes:

docker-compose up -d

GitHub: https://github.com/kisen9102-lgtm/dbquery

Core Features

1. Cross-Instance Database Search

Can't remember which server a database lives on? Type the database name into the search box and dbquery scans all registered instances, returning matching database names, their host instances, table counts, sizes, and types — all in one table.

You can also search by IP + port to get an overview of all databases on a specific instance.

2. Online SQL Editor

Select an instance and database, then start querying — right in the browser.

Syntax highlighting: SQL mode for MySQL/TiDB/PostgreSQL; plain text mode for Redis/MongoDB — switches automatically
Object browser: left panel shows all tables (MySQL/PG) or collections (MongoDB); click to insert the name into the editor
Multi-statement execution: submit multiple statements at once; each returns its own result set
CSV export: export any result set with one click
Row limit: results are automatically truncated with a warning to prevent accidental overload
DB type indicator: the current connection type (MySQL / TiDB / PostgreSQL / Redis / MongoDB) is shown in the top-left corner at all times

Redis read-only command whitelist:

GET  MGET  KEYS  SCAN  TYPE  TTL  PTTL  EXISTS  STRLEN  GETRANGE
INFO  DBSIZE  TIME  HGET  HGETALL  HMGET  HKEYS  HVALS  HLEN
LRANGE  LLEN  LINDEX  SCARD  SMEMBERS  SRANDMEMBER  SISMEMBER
ZRANGE  ZRANGEBYSCORE  ZREVRANGE  ZCARD  ZSCORE  ZRANK

MongoDB query syntax:

db.<collection>.find({"field": "value"})
db.<collection>.count_documents({"field": "value"})
db.<collection>.aggregate([{"$match": {...}}, {"$group": {...}}])

3. Instance Management

Set instance name, IP, port, environment (dev / staging / production), and database type
Redis / MongoDB support per-instance credentials (username, password, authSource); MySQL / TiDB / PostgreSQL use a shared service account
Each instance has a Test Connection button so you can verify connectivity before saving
Color-coded type badges: MySQL (blue), TiDB (cyan), PostgreSQL (dark blue), Redis (red), MongoDB (green)

4. User Management and Access Control

A three-tier role system for precise access control:

Role	Can Do	Restrictions
root	Everything, no limits	—
admin	Manage instances, users, and groups	Cannot modify the root account
query	Read-only SQL queries	Can only see instances in their assigned groups; instance IP/port is hidden; system databases are blocked; only SELECTis allowed

When a query user opens the SQL editor, they only see the instances they've been granted access to — and they never see the IP address or port. Even if their account is compromised, an attacker cannot use it to connect directly to any database.

5. Group Management

Create user groups, add instances and query users to them. Groups are the core unit of access control:

One instance can belong to multiple groups
One user can belong to multiple groups
All instances in a group are visible to all query users in that group

This makes it easy to partition access by team or environment: the e-commerce team only sees e-commerce instances; the payments team only sees payments instances.

6. Multilingual UI

The interface supports Chinese / English with one click. The preference is saved in localStorage and restored on next visit.

How It Compares

Feature	dbquery	Navicat	DBeaver	Archery	Yearning
Deployment	Docker, no client	Desktop install	Desktop install	Docker	Docker
Multi-user	✅ Web, built-in	❌ Per-person install	❌ Per-person install	✅	✅
MySQL	✅	✅	✅	✅	✅
TiDB	✅ Native label	⚠️ MySQL compat	⚠️ MySQL compat	⚠️ MySQL compat	⚠️ MySQL compat
PostgreSQL	✅ Multi-schema	✅	✅	✅	❌
Redis	✅ Read-only whitelist	✅ (paid)	✅ (plugin)	❌	❌
MongoDB	✅ Read-only queries	✅ (paid)	✅ (plugin)	❌	❌
Role-based access	✅ 3 roles + groups	❌ Local tool	❌ Local tool	✅	✅
Hide IP/port from query users	✅	❌	❌	❌	❌
Enforce read-only SQL	✅	❌	❌	✅	✅
Redis read-only whitelist	✅	❌	❌	❌	❌
Object browser	✅	✅	✅	⚠️ Limited	⚠️ Limited
i18n	✅ CN/EN	✅	✅	CN only	CN only
Open source & free	✅	❌ ($200+/yr)	✅ (community)	✅	✅
No frontend build step	✅	—	—	❌	❌

Summary:

vs. Navicat / DBeaver: dbquery is a web app — naturally multi-user, no per-person setup. Its built-in permission system lets you safely give developers and QA engineers database access without handing out credentials.
vs. Archery / Yearning: those are heavy SQL review and approval workflow platforms — powerful but complex to deploy. dbquery is lighter, focused on being a safe online query tool without the workflow overhead. Better fit for small and mid-sized teams.
dbquery's unique differentiator: read-only access to Redis and MongoDB — nearly absent from comparable open-source tools.

Deployment

Prerequisites

Docker + Docker Compose
An external MySQL 8.0 instance as the platform metadata database (stores users, instance info)

Steps

1. Create the metadata database

CREATE DATABASE ops_db CHARACTER SET utf8mb4;
CREATE USER 'ops_user'@'%' IDENTIFIED BY 'your-password';
GRANT ALL PRIVILEGES ON ops_db.* TO 'ops_user'@'%';
FLUSH PRIVILEGES;

2. Configure environment variables

cp .env.docker.example .env
# Edit .env with your metadata DB connection and query account credentials

Key .env settings:

DBS_DB_HOST=host.docker.internal   # metadata DB host
DBS_DB_PORT=3306
DBS_DB_USER=ops_user
DBS_DB_PASSWORD=your-password
DBS_DB_NAME=ops_db

QUERY_DEFAULT_ACCOUNT=dbs_admin    # account used to query MySQL/TiDB/PG instances
QUERY_DEFAULT_PASSWORD=your-dbs-admin-password

SECRET_KEY=your-random-secret-key

3. Start

docker-compose up -d

On first start, the container automatically: waits for MySQL → runs migrations → creates the superuser → starts gunicorn.

4. Open

Visit http://localhost:8000. Default credentials: dbsroot / Dbs@Root2026

Real-World Usage Examples

Scenario 1: Register a new TiDB instance

Log in as admin or root, go to Instance Management
Click Add Instance, fill in: name tidb-prod-primary, IP 10.0.1.100, port 4000, env Production, type TiDB
Click Test Connection to verify, then click Add
The instance appears in the list with a cyan TiDB badge

Scenario 2: Give a QA engineer read-only access

Go to User Management → Add User, set role to query
Go to Group Management → create a group "QA Team"
Add the relevant instances to the group, add the user to the group
The QA engineer logs in and sees only the instances in "QA Team" — no IP addresses, SELECT only

Scenario 3: Find a database across all instances

Go to Database Search
Type order in the search box
dbquery scans all instances and returns every database whose name contains order, with instance, type, table count, and size

Scenario 4: Query Redis

Select a Redis instance in the SQL editor
Top-left shows Redis; the object browser is hidden (Redis has no table structure)
Select db0 from the database selector
Enter a read-only command:

   HGETALL user:1001

   SCAN 0 MATCH user:* COUNT 100

Write commands (SET, DEL, etc.) are rejected immediately

Scenario 5: Query MongoDB

Select a MongoDB instance
Top-left shows MongoDB; the object browser lists collections with row counts
Select a database and enter a query:

   db.users.find({"age": 28})

or aggregation:

   db.orders.aggregate([{"$group": {"_id": "$status", "count": {"$sum": 1}}}])

Security Design

IP/port hidden from query users: even if an account is compromised, the attacker cannot connect directly to any database
Read-only enforcement: the backend validates every SQL statement; anything other than SELECT returns 403
Redis command whitelist: only pre-defined read-only commands are allowed; SET/DEL/FLUSHDB are rejected
MongoDB double validation: query structure is checked with regex first, then json.loads validates JSON — no eval(), no injection
CSRF protection: all write operations require a CSRF token
Session authentication: no JWT, no token leakage risk

Get It

GitHub: https://github.com/kisen9102-lgtm/dbquery
Docker image: docker pull ghcr.io/kisen9102-lgtm/dbquery:latest

If you find it useful, a ⭐ on GitHub goes a long way. Issues and PRs welcome.

dbquery — lightweight, secure, ready to deploy

DEV Community: sen ki

One Platform for All Your Database Queries — Introducing dbquery

One Platform for All Your Database Queries — Introducing dbquery

What Is dbquery?

Core Features

1. Cross-Instance Database Search

2. Online SQL Editor

3. Instance Management

4. User Management and Access Control

5. Group Management

6. Multilingual UI

How It Compares

Deployment

Prerequisites

Steps

Real-World Usage Examples

Scenario 1: Register a new TiDB instance

Scenario 2: Give a QA engineer read-only access

Scenario 3: Find a database across all instances

Scenario 4: Query Redis

Scenario 5: Query MongoDB

Security Design

Get It