GitHub user user1500177 added a comment to the discussion: How to Mask 
Passwords in Superset Action Log (DatabaseRestApi.import_)

@dosu but this method is not working 

The log that came out was as follows:

3951    DatabaseRestApi.import_ 6       {"path": "/api/v1/database/import/", 
"overwrite": "true", "passwords": "{\"PostgreSQL.yaml\": 
\"passwordofthePOSTGRE\"}", "object_ref": "DatabaseRestApi.import_"}      
2025-10-03 05:11:58.319 0       0       1090


My findings when I tried the code below:

from superset.constants import PASSWORD_MASK
from superset.utils.json import redact_sensitive
from superset.utils.log import DBEventLogger

class MaskPasswordsEventLogger(DBEventLogger):
    def log(self, user_id, action, *args, **kwargs):
        # JSONPath expressions for the fields to redact before logging
        sensitive_fields = {
            "$.password",
            "$.passwords",
            "$.db_password",
            "$.access_token",
            "$.secret",
        }
        masked_kwargs = redact_sensitive(kwargs, sensitive_fields)
        super().log(user_id, action, *args, **masked_kwargs)

EVENT_LOGGER = MaskPasswordsEventLogger()

JSONPath expressions like $.password only match if the data is a dict at the 
root level with a key named password.
In Superset, sensitive data is often nested (e.g., inside a json key) or even 
stringified JSON (e.g., "passwords": "{\"PostgreSQL.yaml\": 
\"passwordofthePOSTGRE\"}"), so the JSONPath matcher doesn't find or mask these.
redact_sensitive does not parse stringified JSON values, so passwords inside 
those strings are not masked.
As a result, passwords and secrets inside nested structures or stringified JSON 
were still visible in logs.



GitHub link: 
https://github.com/apache/superset/discussions/35415#discussioncomment-14580373
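
The masking gap described in the comment, as an added example that is not part of the original comment and not Superset's own code: a recursive masker that matches sensitive keys at any depth and also descends into stringified JSON. The helper `mask_sensitive`, the `MASK` value, and the `records`/`form` shape of the sample are assumptions made for illustration.

```python
import json

MASK = "XXXXXXXXXX"  # constructed placeholder, not read from Superset
SENSITIVE_KEYS = {"password", "passwords", "db_password",
                  "access_token", "secret"}


def mask_sensitive(value, sensitive_keys=SENSITIVE_KEYS):
    """Return a copy of value with sensitive keys masked at any depth."""
    if isinstance(value, dict):
        return {
            key: MASK if str(key).lower() in sensitive_keys
            else mask_sensitive(item, sensitive_keys)
            for key, item in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [mask_sensitive(item, sensitive_keys) for item in value]
    if isinstance(value, str):
        # Stringified JSON: parse it, mask the result, serialize it again.
        try:
            parsed = json.loads(value)
        except ValueError:
            return value  # ordinary string, nothing to descend into
        if isinstance(parsed, (dict, list)):
            return json.dumps(mask_sensitive(parsed, sensitive_keys))
    return value


# Constructed sample modelled on the log entry quoted in the comment.
# The "records" nesting and the "form" key are assumed, not taken from Superset.
SAMPLE_KWARGS = {
    "records": [{
        "path": "/api/v1/database/import/",
        "overwrite": "true",
        "passwords": '{"PostgreSQL.yaml": "passwordofthePOSTGRE"}',
        "object_ref": "DatabaseRestApi.import_",
    }],
    "form": '{"name": "pg", "password": "passwordofthePOSTGRE"}',
}

if __name__ == "__main__":
    print(json.dumps(mask_sensitive(SAMPLE_KWARGS), indent=2))
```

In a custom event logger like the one above, such a helper would be applied to `kwargs` before calling `super().log(...)`; matching on key names rather than root-level JSONPath is what lets it reach nested and stringified values.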
