Copilot commented on code in PR #40584:
URL: https://github.com/apache/superset/pull/40584#discussion_r3336951171


##########
superset/commands/dataset/importers/v0.py:
##########
@@ -211,7 +211,13 @@ def import_from_dict(data: dict[str, Any], sync: 
Optional[list[str]] = None) ->
     if isinstance(data, dict):
         logger.info("Importing %d %s", len(data.get(DATABASES_KEY, [])), 
DATABASES_KEY)
         for database in data.get(DATABASES_KEY, []):
-            Database.import_from_dict(database, sync=sync)
+            db_obj = Database.import_from_dict(database, sync=sync)
+            # ``import_from_dict`` sets fields via setattr, bypassing
+            # ``set_sqlalchemy_uri``.  Call it explicitly so that any plaintext
+            # password in the URI is extracted into the encrypted ``password``
+            # column and replaced with the password mask in ``sqlalchemy_uri``.
+            if db_obj is not None:
+                db_obj.set_sqlalchemy_uri(db_obj.sqlalchemy_uri)
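
Review bot: The re-normalisation at `db_obj.set_sqlalchemy_uri(db_obj.sqlalchemy_uri)` closes the bypass only for this loop, while the added comment places the bypass inside `import_from_dict` itself (fields set via setattr). Any other caller of `Database.import_from_dict` would still store the URI exactly as imported, so consider doing the extraction and masking in that import path, or in a helper it calls, so callers cannot forget it. The visible change also carries no test; one asserting that, after import, `sqlalchemy_uri` holds the mask and the plaintext value is found only in the encrypted `password` column would pin the behaviour down.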

Review Comment:
   `set_sqlalchemy_uri()` overwrites `Database.password` whenever the parsed 
URL password is not `PASSWORD_MASK`. If an imported `sqlalchemy_uri` omits the 
password (common when users keep secrets out of YAML and rely on the existing 
encrypted `password` column), calling 
`set_sqlalchemy_uri(db_obj.sqlalchemy_uri)` will set `password` to `None` and 
break existing connections. It can also raise if `sqlalchemy_uri` is missing. 
Only call `set_sqlalchemy_uri` when the imported URI actually contains a 
non-masked password segment.
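
The guard the review comment asks for, as an added example that is not code from the PR or from Superset: `StubDatabase` is a hypothetical stand-in that mirrors only the overwrite behaviour the comment describes, the `PASSWORD_MASK` value is assumed, and the URI is parsed with the standard library's `urlsplit` rather than SQLAlchemy.

```python
from typing import Optional
from urllib.parse import urlsplit

PASSWORD_MASK = "X" * 10  # assumed value of the mask constant


def uri_has_plaintext_password(uri: Optional[str]) -> bool:
    """True only when the URI carries a password that is not the mask."""
    if not uri:
        return False  # missing URI: nothing to extract, nothing to raise on
    try:
        password = urlsplit(uri).password
    except ValueError:  # malformed netloc
        return False
    return bool(password) and password != PASSWORD_MASK


class StubDatabase:
    """Hypothetical stand-in: models only the overwrite the comment describes."""

    def __init__(self, sqlalchemy_uri: Optional[str], password: Optional[str] = None):
        self.sqlalchemy_uri = sqlalchemy_uri
        self.password = password  # stands in for the encrypted column

    def set_sqlalchemy_uri(self, uri: str) -> None:
        parts = urlsplit(uri)
        if parts.password != PASSWORD_MASK:
            self.password = parts.password  # becomes None if the URI has none
        if parts.password:
            # Swap the password segment for the mask before storing the URI.
            uri = uri.replace(f":{parts.password}@", f":{PASSWORD_MASK}@", 1)
        self.sqlalchemy_uri = uri


def normalise_after_import(db_obj: Optional[StubDatabase]) -> None:
    """Call set_sqlalchemy_uri only when there is a real password to extract."""
    if db_obj is not None and uri_has_plaintext_password(db_obj.sqlalchemy_uri):
        db_obj.set_sqlalchemy_uri(db_obj.sqlalchemy_uri)
```
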


