-
Notifications
You must be signed in to change notification settings - Fork 14.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: improve mask/unmask encrypted_extra #29943
Conversation
d4b73ad
to
e2a8519
Compare
2ca5e83
to
0328c48
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a few optional optional comments for consideration, otherwise LGTM
superset/db_engine_specs/base.py
Outdated
# list of JSON path to fields in `encrypted_extra` that should be masked when the | ||
# database is edited | ||
# pylint: disable=invalid-name | ||
encrypted_extra_sensitive_fields: list[str] = [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[optional] usually we put class-level attributes at the top above all the methods, but I can see how it's nice to have it there right by the method that uses this one... Personally I'd expect this being at the top
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[optional] another approach here would be to assume all keys in encrypted_extra
are sensitive and allow-list the ones that we know are not sensitive. Seems it would be more cautious overall if it's not more work (?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, good point about the default behavior. We could have the attribute in the base class default to:
["$"]
This way everything would be masked.
superset/db_engine_specs/base.py
Outdated
@@ -45,6 +45,7 @@ | |||
from flask import current_app, g, url_for | |||
from flask_appbuilder.security.sqla.models import User | |||
from flask_babel import gettext as __, lazy_gettext as _ | |||
from jsonpath_ng import parse |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[optional] jsonpath_ng.parse
could be wrapped in utils/json.py
, maybe something like def redact_sensitive(json, sensitive_paths)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another good point! I've had issues with JSONPath libraries in the past, wrapping them in a helper method will help in the future.
... may cause seizures ... |
(cherry picked from commit 4b59e42)
SUMMARY
When the user edits a database, the password in the SQLAlchemy URI is masked (replaced with
XXXXXXXXXX
), so that the sensitive information is not transmitted down the wire unneedlessly. If the user saves the database edit, the mask is replaced with the original password, unless it has been changed.The
encrypted_extra
field in a database may also contain sensitive fields. Instead of masking the whole field, in #21248 we introduced logic to mask only selected fields, so we can provide a better editing experience for users. For BigQuery, eg, the credentials look like this:When editing, it will show in database modal as:
The user can then selectively change some of the fields, and when the database is edited the
private_key
will be replaced with the old value if it's equal toXXXXXXXXXX
.Currently this functionality is only implemented for BigQuery and GSheets, but it should be implemented in all databases that store sensitive information under
encrypted_extra
. To simplify the process and remove duplicate code, in this PR I updated the methods in the base class to work with JSON paths. For BigQuery, for example, all that is needed now is:This PR also adds the logic for Snowflake.
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A
TESTING INSTRUCTIONS
Confirmed existing tests work, added a few more tests.
ADDITIONAL INFORMATION