Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions superset/db_engine_specs/base.py
Original file line number Diff line number Diff line change
Expand Up @@ -537,6 +537,11 @@ class BaseEngineSpec: # pylint: disable=too-many-public-methods
# pylint: disable=invalid-name
encrypted_extra_sensitive_fields: set[str] = {"$.*"}

# Labels for sensitive fields in `encrypted_extra`, mapping
# JSONPath → display label. Used in import validation error messages
# so the UI can show a human-readable name instead of a raw JSONPath.
encrypted_extra_sensitive_field_labels: dict[str, str] = {}

# Whether the engine supports file uploads
# if True, database will be listed as option in the upload file form
supports_file_upload = True
Expand Down
3 changes: 3 additions & 0 deletions superset/db_engine_specs/bigquery.py
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,9 @@ class BigQueryEngineSpec(BaseEngineSpec): # pylint: disable=too-many-public-met
# when editing the database, mask this field in `encrypted_extra`
# pylint: disable=invalid-name
encrypted_extra_sensitive_fields = {"$.credentials_info.private_key"}
encrypted_extra_sensitive_field_labels = {
"$.credentials_info.private_key": "Service Account Private Key",
}

@betodealmeida betodealmeida Feb 18, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to just make encrypted_extra_sensitive_fields: set[str] | dict[str, str] for now, and where we consume it we do:

fields = (
    {field: field for field in encrypted_extra_sensitive_fields}
    if isinstance(encrypted_extra_sensitive_fields, set)
    else encrypted_extra_sensitive_fields
)

Then in 7.0 we make encrypted_extra_sensitive_fields: dict[str, str] only.

Otherwise we need to keep encrypted_extra_sensitive_fields and encrypted_extra_sensitive_field_labels in sync, ensuring they have the same keys.

We could also be fancy and try to autogenerate a label when encrypted_extra_sensitive_fields is a set, like:

def generate_field_label(key: str) -> str:
    return " ".join(part.title() for part in key[2:].replace("_", " ").split("."))

But it might not be worth the trouble.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I actually thought at this at first, but thought that perhaps changing an existing property from the DB Engine Spec could be bad. Let me work on this


"""
https://www.python.org/dev/peps/pep-0249/#arraysize
Expand Down
4 changes: 4 additions & 0 deletions superset/db_engine_specs/gsheets.py
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,10 @@ class GSheetsEngineSpec(ShillelaghEngineSpec):
"$.service_account_info.private_key",
"$.oauth2_client_info.secret",
}
encrypted_extra_sensitive_field_labels = {
"$.service_account_info.private_key": "Service Account Private Key",
"$.oauth2_client_info.secret": "OAuth2 Client Secret",
}

custom_errors: dict[Pattern[str], tuple[str, SupersetErrorType, dict[str, Any]]] = {
SYNTAX_ERROR_REGEX: (
Expand Down
4 changes: 4 additions & 0 deletions superset/db_engine_specs/mysql.py
Original file line number Diff line number Diff line change
Expand Up @@ -310,6 +310,10 @@ class MySQLEngineSpec(BasicParametersMixin, BaseEngineSpec):
"$.aws_iam.external_id",
"$.aws_iam.role_arn",
}
encrypted_extra_sensitive_field_labels = {
"$.aws_iam.external_id": "AWS IAM External ID",
"$.aws_iam.role_arn": "AWS IAM Role ARN",
}

@staticmethod
def update_params_from_encrypted_extra(
Expand Down
4 changes: 4 additions & 0 deletions superset/db_engine_specs/postgres.py
Original file line number Diff line number Diff line change
Expand Up @@ -467,6 +467,10 @@ class PostgresEngineSpec(BasicParametersMixin, PostgresBaseEngineSpec):
"$.aws_iam.external_id",
"$.aws_iam.role_arn",
}
encrypted_extra_sensitive_field_labels = {
"$.aws_iam.external_id": "AWS IAM External ID",
"$.aws_iam.role_arn": "AWS IAM Role ARN",
}

column_type_mappings = (
(
Expand Down
4 changes: 4 additions & 0 deletions superset/db_engine_specs/redshift.py
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,10 @@ def normalize_table_name_for_upload(
"$.aws_iam.external_id",
"$.aws_iam.role_arn",
}
encrypted_extra_sensitive_field_labels = {
"$.aws_iam.external_id": "AWS IAM External ID",
"$.aws_iam.role_arn": "AWS IAM Role ARN",
}

@staticmethod
def update_params_from_encrypted_extra(
Expand Down
4 changes: 4 additions & 0 deletions superset/db_engine_specs/snowflake.py
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,10 @@ class SnowflakeEngineSpec(PostgresBaseEngineSpec):
"$.auth_params.privatekey_body",
"$.auth_params.privatekey_pass",
}
encrypted_extra_sensitive_field_labels = {
"$.auth_params.privatekey_body": "Private Key Body",
"$.auth_params.privatekey_pass": "Private Key Password",
}

_time_grain_expressions = {
None: "{col}",
Expand Down
4 changes: 4 additions & 0 deletions superset/db_engine_specs/ydb.py
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,10 @@ class YDBEngineSpec(BaseEngineSpec):

# pylint: disable=invalid-name
encrypted_extra_sensitive_fields = {"$.connect_args.credentials", "$.credentials"}
encrypted_extra_sensitive_field_labels = {
"$.connect_args.credentials": "Connection Credentials",
"$.credentials": "Credentials",
}

disable_ssh_tunneling = False

Expand Down
Loading