GitHub user dosubot[bot] added a comment to the discussion: How to Mask
Passwords in Superset Action Log (DatabaseRestApi.import_)
Superset provides a utility function called `redact_sensitive` in
`superset/utils/json.py` that efficiently masks sensitive fields in nested data
structures using JSONPath expressions, without recursion. This is more
efficient and maintainable than custom recursive masking logic. You can
subclass `DBEventLogger` and call `redact_sensitive` on your payload before
logging to the Action Log. Example usage:
```python
from superset.utils.json import redact_sensitive
from superset.constants import PASSWORD_MASK
from superset.utils.log import DBEventLogger


class MaskPasswordsEventLogger(DBEventLogger):
    def log(self, user_id, action, *args, **kwargs):
        # JSONPath selectors for the fields to mask before the record is stored
        sensitive_fields = {"$.password", "$.db_password", "$.access_token", "$.secret"}
        # Mask the matching fields in the keyword arguments
        masked_kwargs = redact_sensitive(kwargs, sensitive_fields)
        super().log(user_id, action, *args, **masked_kwargs)
```
This approach works for deeply nested structures and is used elsewhere in
Superset for masking secrets in database configs and extras. There is no
built-in masking in `DBEventLogger`, so custom logic like this is required for
sensitive data protection in logs. You can adjust the JSONPath selectors to
match any field you want to mask. More details in the source code:
- [redact_sensitive utility](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/json.py)
- [event logger implementation](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/utils/log.py)
GitHub link:
https://github.com/apache/superset/discussions/35415#discussioncomment-14563269
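
Added example, not part of the original comment and not Superset's code: a minimal stand-in redactor showing that a root-anchored selector such as `$.password` masks only a top-level key, while `$..password` also reaches nested ones. It supports only `$.a.b` child paths and `$..key` recursive descent (an assumption made here so it runs without Superset or a JSONPath library); the payload, `MASK` value and function names are constructed.

```python
import copy

MASK = "XXXXXXXXXX"  # constructed mask value for this example


def _mask_descendants(node, key):
    """Mask every occurrence of `key` at any depth below `node` (for `$..key`)."""
    stack = [node]
    while stack:
        cur = stack.pop()
        if isinstance(cur, dict):
            for k, v in cur.items():
                if k == key:
                    cur[k] = MASK
                else:
                    stack.append(v)
        elif isinstance(cur, list):
            stack.extend(cur)


def _mask_path(node, parts):
    """Mask the value at an exact child path such as ['body', 'password']."""
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            return  # path absent: nothing to mask
        node = node[part]
    if isinstance(node, dict) and parts[-1] in node:
        node[parts[-1]] = MASK


def redact(payload, selectors):
    """Return a masked deep copy; supports only `$.a.b` and `$..key` selectors."""
    out = copy.deepcopy(payload)
    for sel in selectors:
        if sel.startswith("$.."):
            _mask_descendants(out, sel[3:])
        elif sel.startswith("$."):
            _mask_path(out, sel[2:].split("."))
        else:
            raise ValueError(f"unsupported selector: {sel}")
    return out


# Constructed payload shaped like a logged import request (not real Superset output).
event = {
    "password": "top-secret",
    "records": [{"database_name": "dw", "password": "nested-secret",
                 "extra": {"access_token": "tok-123"}}],
}
top_only = redact(event, {"$.password", "$.access_token"})
any_depth = redact(event, {"$..password", "$..access_token"})
```

With the root-anchored selectors, `top_only` still carries the nested password and token in clear text; a test that logs a representative payload and asserts the stored record contains no secret values catches this before deployment.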