chore: improve mask/unmask encrypted_extra #29943
Conversation
dosubot
bot
added
data:connect:googlebigquery
betodealmeida
force-pushed
the
simplify-encrypted-extra-masking
branch
from
d4b73ad
to
e2a8519
Compare
betodealmeida
force-pushed
the
simplify-encrypted-extra-masking
branch
from
2ca5e83
to
0328c48
Compare
michael-s-molina
added
review:checkpoint
superset/db_engine_specs/base.py
Outdated
| # list of JSON path to fields in `encrypted_extra` that should be masked when the | ||
| # database is edited | ||
| # pylint: disable=invalid-name | ||
| encrypted_extra_sensitive_fields: list[str] = [] |
There was a problem hiding this comment.
[optional] usually we put class-level attributes at the top above all the methods, but I can see how it's nice to have it there right by the method that uses this one... Personally I'd expect this being at the top
There was a problem hiding this comment.
[optional] another approach here would be to assume all keys in encrypted_extra are sensitive and allow-list the ones that we know are not sensitive. Seems it would be more cautious overall if it's not more work (?)
There was a problem hiding this comment.
Ah, good point about the default behavior. We could have the attribute in the base class default to:
["$"]This way everything would be masked.
superset/db_engine_specs/base.py
Outdated
| @@ -45,6 +45,7 @@ | |||
| from flask import current_app, g, url_for | |||
| from flask_appbuilder.security.sqla.models import User | |||
| from flask_babel import gettext as __, lazy_gettext as _ | |||
| from jsonpath_ng import parse | |||
There was a problem hiding this comment.
[optional] jsonpath_ng.parse could be wrapped in utils/json.py, maybe something like def redact_sensitive(json, sensitive_paths)
There was a problem hiding this comment.
Another good point! I've had issues with JSONPath libraries in the past, wrapping them in a helper method will help in the future.
|
|
|
|
|
... may cause seizures ... |
sadpandajoe
added
the
v4.1
(cherry picked from commit 4b59e42)
SUMMARY
When the user edits a database, the password in the SQLAlchemy URI is masked (replaced with
XXXXXXXXXX), so that the sensitive information is not transmitted down the wire unneedlessly. If the user saves the database edit, the mask is replaced with the original password, unless it has been changed.The
encrypted_extrafield in a database may also contain sensitive fields. Instead of masking the whole field, in #21248 we introduced logic to mask only selected fields, so we can provide a better editing experience for users. For BigQuery, eg, the credentials look like this:{ "type": "service_account", "project_id": "your project id", "private_key_id": "your private key id", "private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n", ... }When editing, it will show in database modal as:
{ "type": "service_account", "project_id": "your project id", "private_key_id": "your private key id", "private_key": "XXXXXXXXXX", ... }The user can then selectively change some of the fields, and when the database is edited the
private_keywill be replaced with the old value if it's equal toXXXXXXXXXX.Currently this functionality is only implemented for BigQuery and GSheets, but it should be implemented in all databases that store sensitive information under
encrypted_extra. To simplify the process and remove duplicate code, in this PR I updated the methods in the base class to work with JSON paths. For BigQuery, for example, all that is needed now is:This PR also adds the logic for Snowflake.
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A
TESTING INSTRUCTIONS
Confirmed existing tests work, added a few more tests.
ADDITIONAL INFORMATION