GitHub user dosubot[bot] added a comment to the discussion: How to Mask
Passwords in Superset Action Log (DatabaseRestApi.import_)
You're right—`redact_sensitive` only masks fields in parsed dicts/lists, not
inside stringified JSON values. That's why passwords in `"passwords":
"{\"PostgreSQL.yaml\": \"passwordofthePOSTGRE\"}"` remain unmasked in the logs.
Superset's logging system collects all request data and logs it as-is, so any
secrets inside stringified JSON fields will be visible unless you handle them
before logging. There is no built-in utility or config to mask these
automatically [[source]](https://github.com/apache/superset/issues/35355).
To efficiently mask passwords in stringified JSON fields, you need a custom
function that detects such fields, parses them, applies masking (using
`redact_sensitive` or your own logic), and then re-serializes them. For example:
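```python
import json

from superset.utils.json import redact_sensitive
from superset.utils.log import DBEventLogger


def mask_stringified_json_fields(payload, sensitive_fields):
    """Mask secrets inside string values that themselves contain JSON (in place)."""
    for k, v in payload.items():
        if isinstance(v, str):
            try:
                parsed = json.loads(v)
            except ValueError:
                continue  # Not a JSON string, skip
            # Only re-serialize containers; scalars such as "123" stay untouched
            if isinstance(parsed, dict):
                # JSONPath expressions are evaluated against the parsed object's root
                masked = redact_sensitive(parsed, sensitive_fields)
                payload[k] = json.dumps(masked)
            elif isinstance(parsed, list):
                for item in parsed:
                    if isinstance(item, dict):
                        mask_stringified_json_fields(item, sensitive_fields)
                payload[k] = json.dumps(parsed)
        elif isinstance(v, dict):
            mask_stringified_json_fields(v, sensitive_fields)
        elif isinstance(v, list):
            for item in v:
                if isinstance(item, dict):
                    mask_stringified_json_fields(item, sensitive_fields)
    return payload


class MaskPasswordsEventLogger(DBEventLogger):
    def log(self, user_id, action, *args, **kwargs):
        sensitive_fields = {"$.password", "$.db_password", "$.access_token", "$.secret"}
        # redact_sensitive returns a copy, so the in-place pass below is safe
        masked_kwargs = redact_sensitive(kwargs, sensitive_fields)
        masked_kwargs = mask_stringified_json_fields(masked_kwargs, sensitive_fields)
        super().log(user_id, action, *args, **masked_kwargs)
```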
This approach parses and masks any stringified JSON fields before logging. Make
sure to handle errors gracefully and avoid unnecessary recursion for
performance. This is the only way to reliably mask secrets in these cases until
Superset provides a built-in solution
[[source]](https://github.com/apache/superset/issues/35355).
GitHub link:
https://github.com/apache/superset/discussions/35415#discussioncomment-14580393
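
An added example, not part of the comment above and not Superset code: a standalone masker that matches by key name instead of JSONPath, so a `passwords` field whose stringified JSON is keyed by file name (the case quoted in the comment) is masked as well. `MASK`, `SENSITIVE_KEYS`, `mask_for_log` and the sample record are hypothetical names and constructed data.

```python
import json

MASK = "XXXXXXXXXX"  # local stand-in for the mask string (assumption)
# Assumed key names; every value found under one of them is masked.
SENSITIVE_KEYS = {"password", "passwords", "db_password", "access_token", "secret"}


def _decode(value):
    """Return the parsed dict/list if value is stringified JSON, else None."""
    if not isinstance(value, str) or value.lstrip()[:1] not in ("{", "["):
        return None
    try:
        parsed = json.loads(value)
    except ValueError:
        return None  # looks like JSON but is not; treat as a plain string
    return parsed if isinstance(parsed, (dict, list)) else None


def mask_for_log(value, sensitive=False):
    """Return a masked copy of value; the input is never mutated."""
    parsed = _decode(value)
    if parsed is not None:
        # Re-serialize so the log record keeps its original string type.
        return json.dumps(mask_for_log(parsed, sensitive))
    if isinstance(value, dict):
        # Once a sensitive key is seen, everything beneath it is masked.
        return {
            k: mask_for_log(v, sensitive or str(k).lower() in SENSITIVE_KEYS)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [mask_for_log(v, sensitive) for v in value]
    return MASK if sensitive else value


# Constructed sample shaped like the import request quoted in the comment.
SAMPLE = {
    "overwrite": "true",
    "passwords": '{"PostgreSQL.yaml": "passwordofthePOSTGRE"}',
    "extra": '{"host": "db", "secret": "s3"}',
    "note": "{not json",
}

if __name__ == "__main__":
    print(mask_for_log(SAMPLE))
```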