mistercrunch commented on code in PR #29943:
URL: https://github.com/apache/superset/pull/29943#discussion_r1720235960
##########
superset/db_engine_specs/base.py:
##########
@@ -45,6 +45,7 @@
from flask import current_app, g, url_for
from flask_appbuilder.security.sqla.models import User
from flask_babel import gettext as __, lazy_gettext as _
+from jsonpath_ng import parse
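Review bot: the added `from jsonpath_ng import parse` binds a very generic name, `parse`, into a module that runs past line 2160, so a later call site gives no hint that it is compiling a JSONPath expression. Importing the package and calling `jsonpath_ng.parse(...)`, or aliasing the import (for example `parse as parse_jsonpath`), would keep call sites unambiguous. Since this import is new to this file, it is also worth confirming the package is declared in the project's dependencies.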
Review Comment:
[optional] `jsonpath_ng.parse` could be wrapped in `utils/json.py`, maybe
something like `def redact_sensitive(json, sensitive_paths)`
##########
superset/db_engine_specs/base.py:
##########
@@ -2160,29 +2161,63 @@ def get_impersonation_key(cls, user: User | None) ->
Any:
"""
return user.username if user else None
+ # list of JSON path to fields in `encrypted_extra` that should be masked
when the
+ # database is edited
+ # pylint: disable=invalid-name
+ encrypted_extra_sensitive_fields: list[str] = []
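Review bot: `encrypted_extra_sensitive_fields: list[str] = []` is a mutable class-level default, so a subclass that appends to it instead of reassigning it would change the list seen by every class that inherits the same object. Declaring it as an immutable collection (a tuple or frozenset of paths) would rule that out while keeping the override pattern for subclasses.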
Review Comment:
[optional] usually we put class-level attributes at the top above all the
methods, but I can see how it's nice to have it there right by the method that
uses this one... Personally I'd expect this to be at the top
##########
superset/db_engine_specs/base.py:
##########
@@ -2160,29 +2161,63 @@ def get_impersonation_key(cls, user: User | None) ->
Any:
"""
return user.username if user else None
+ # list of JSON path to fields in `encrypted_extra` that should be masked
when the
+ # database is edited
+ # pylint: disable=invalid-name
+ encrypted_extra_sensitive_fields: list[str] = []
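Review bot: the comment above `encrypted_extra_sensitive_fields` says the entries are JSON paths but shows no example of the expected form, and with the default `[]` a class that never overrides the attribute lists no fields to mask. Adding one example path to the comment and stating what the empty default means would tell spec authors what they must set. The standalone `# pylint: disable=invalid-name` would also be tighter as a trailing comment on the attribute line so that it covers only that name.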
Review Comment:
[optional] another approach here would be to assume all keys in
`encrypted_extra_sensitive_fields` are sensitive and allow-list the ones that
we know are not sensitive. Seems it would be more cautious overall if it's not
more work (?)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
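
The deny-list versus allow-list trade-off raised in the last review comment, as an added example that is not part of the PR or of Superset's code. It uses a simplified dotted-path matcher instead of `jsonpath_ng`, and the function names, the `MASK` value and the sample `encrypted_extra` are assumptions constructed for illustration.

```python
import copy

MASK = "XXXXXXXXXX"  # placeholder mask value chosen for this example


def _leaf_paths(node, prefix="$"):
    """Yield (path, parent, key) for every non-dict leaf in a nested dict."""
    for key, value in node.items():
        path = f"{prefix}.{key}"
        if isinstance(value, dict):
            yield from _leaf_paths(value, path)
        else:
            yield path, node, key


def mask_denylist(config, sensitive_paths):
    """Mask only the leaves whose path is listed as sensitive."""
    masked = copy.deepcopy(config)
    for path, parent, key in list(_leaf_paths(masked)):
        if path in sensitive_paths:
            parent[key] = MASK
    return masked


def mask_allowlist(config, safe_paths):
    """Mask every leaf unless its path is explicitly listed as safe."""
    masked = copy.deepcopy(config)
    for path, parent, key in list(_leaf_paths(masked)):
        if path not in safe_paths:
            parent[key] = MASK
    return masked


# Constructed sample: "private_key" is on the sensitive list, while "token"
# was added later and the list of sensitive paths was never updated.
encrypted_extra = {
    "auth": {"account": "analytics", "private_key": "constructed-key", "token": "s3cr3t"},
    "region": "eu-west-1",
}

# Deny-list: the unlisted "token" is returned in clear text.
deny = mask_denylist(encrypted_extra, {"$.auth.private_key"})
# Allow-list: anything not declared safe is masked, including "token".
allow = mask_allowlist(encrypted_extra, {"$.auth.account", "$.region"})
```
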