Skip to content

Comments

feat: Labels for encrypted fields#38075

Merged
Vitor-Avila merged 4 commits intomasterfrom
feat/label-encrypted-fields
Feb 23, 2026
Merged

feat: Labels for encrypted fields#38075
Vitor-Avila merged 4 commits intomasterfrom
feat/label-encrypted-fields

Conversation

@Vitor-Avila
Copy link
Contributor

@Vitor-Avila Vitor-Avila commented Feb 18, 2026
edited
Loading

SUMMARY

This PR adds labels to encrypted_extra_sensitive_fields. This is needed to implement support for export/import including masked_encrypted_extra (#38077 and #38078).

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

No UI changes.

TESTING INSTRUCTIONS

N/A

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@Vitor-Avila Vitor-Avila marked this pull request as draft February 18, 2026 19:49
@dosubot dosubot bot added the data:connect Namespace | Anything related to db connections / integrations label Feb 18, 2026
@netlify
Copy link

netlify bot commented Feb 18, 2026
edited
Loading

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 2e6d6b0
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/69971bd6ead9c400080e385f
😎 Deploy Preview https://deploy-preview-38075--superset-docs-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@Vitor-Avila Vitor-Avila mentioned this pull request Feb 18, 2026
Open
9 tasks
@Vitor-Avila Vitor-Avila marked this pull request as ready for review February 18, 2026 20:30
@Vitor-Avila Vitor-Avila mentioned this pull request Feb 18, 2026
Open
9 tasks
betodealmeida
betodealmeida reviewed Feb 18, 2026
View reviewed changes
superset/db_engine_specs/bigquery.py Outdated
Comment on lines 195 to 197
encrypted_extra_sensitive_field_labels = {
"$.credentials_info.private_key": "Service Account Private Key",
}
Copy link
Member

@betodealmeida betodealmeida Feb 18, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to just make encrypted_extra_sensitive_fields: set[str] | dict[str, str] for now, and where we consume it we do:

fields = (
    {field: field for field in encrypted_extra_sensitive_fields}
    if isinstance(encrypted_extra_sensitive_fields, set)
    else encrypted_extra_sensitive_fields
)

Then in 7.0 we make encrypted_extra_sensitive_fields: dict[str, str] only.

Otherwise we need to keep encrypted_extra_sensitive_fields and encrypted_extra_sensitive_field_labels in sync, ensuring they have the same keys.

We could also be fancy and try to autogenerate a label when encrypted_extra_sensitive_fields is a set, like:

def generate_field_label(key: str) -> str:
    return " ".join(part.title() for part in key[2:].replace("_", " ").split("."))

But it might not be worth the trouble.

Copy link
Contributor Author

@Vitor-Avila Vitor-Avila Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I actually thought at this at first, but thought that perhaps changing an existing property from the DB Engine Spec could be bad. Let me work on this

@bito-code-review
Copy link
Contributor

bito-code-review bot commented Feb 18, 2026

Your suggestion to change encrypted_extra_sensitive_fields to a union type set[str] | dict[str, str] provides backward compatibility and simplifies maintenance by avoiding the need to sync it with encrypted_extra_sensitive_field_labels. The handling code you provided converts a set to a dict when needed, which is a clean approach. For the autogeneration of labels, it could work but might introduce inconsistency if field names don't map well to readable labels.

superset/db_engine_specs/base.py

encrypted_extra_sensitive_fields: set[str] | dict[str, str] = {"$.*"}

@bito-code-review
Copy link
Contributor

bito-code-review bot commented Feb 18, 2026
edited
Loading

Code Review Agent Run #7163c6

Actionable Suggestions - 0
Review Details
  • Files reviewed - 8 · Commit Range: 7a78893..7a78893
    • superset/db_engine_specs/base.py
    • superset/db_engine_specs/bigquery.py
    • superset/db_engine_specs/gsheets.py
    • superset/db_engine_specs/mysql.py
    • superset/db_engine_specs/postgres.py
    • superset/db_engine_specs/redshift.py
    • superset/db_engine_specs/snowflake.py
    • superset/db_engine_specs/ydb.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

@betodealmeida
Copy link
Member

betodealmeida commented Feb 18, 2026

Your suggestion to change encrypted_extra_sensitive_fields to a union type set[str] | dict[str, str] provides backward compatibility and simplifies maintenance by avoiding the need to sync it with encrypted_extra_sensitive_field_labels. The handling code you provided converts a set to a dict when needed, which is a clean approach. For the autogeneration of labels, it could work but might introduce inconsistency if field names don't map well to readable labels.

superset/db_engine_specs/base.py

encrypted_extra_sensitive_fields: set[str] | dict[str, str] = {"$.*"}

It would generate the label *, which I'd argue is not bad, Mr. AI.

@codeant-ai-for-open-source
Copy link
Contributor

codeant-ai-for-open-source bot commented Feb 19, 2026

Sequence Diagram

Shows how encrypted_extra fields are masked/unmasked using configurable JSONPath paths (now supporting human-readable labels). The BaseEngineSpec centralizes path extraction and calls redaction/reveal utilities during edit and update flows.

sequenceDiagram
    participant Client
    participant Backend
    participant BaseEngineSpec
    participant RedactionUtil

    Client->>Backend: Submit database edit (encrypted_extra)
    Backend->>BaseEngineSpec: mask_encrypted_extra(encrypted_extra)
    BaseEngineSpec->>RedactionUtil: redact_sensitive(config, paths=encrypted_extra_sensitive_field_paths())
    RedactionUtil-->>BaseEngineSpec: masked_config
    BaseEngineSpec-->>Backend: masked_encrypted_extra (returned to client)

    Backend->>BaseEngineSpec: unmask_encrypted_extra(old_encrypted_extra, new_encrypted_extra)
    BaseEngineSpec->>RedactionUtil: reveal_sensitive(old_config, new_config, paths=encrypted_extra_sensitive_field_paths())
    RedactionUtil-->>BaseEngineSpec: merged_config
    BaseEngineSpec-->>Backend: new_encrypted_extra (with reused sensitive values)
Loading

Generated by CodeAnt AI

@Vitor-Avila Vitor-Avila force-pushed the feat/label-encrypted-fields branch from f384f67 to f0ccf8b Compare February 19, 2026 04:37
@pull-request-size pull-request-size bot added size/L and removed size/M labels Feb 19, 2026
bito-code-review[bot]
bito-code-review bot reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

@bito-code-review bito-code-review bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Agent Run #824288

Actionable Suggestions - 1
  • tests/unit_tests/db_engine_specs/test_base.py - 1
    • Parametrize decorator expects tuple not string · Line 363-364
Additional Suggestions - 1
  • superset/db_engine_specs/base.py - 1
    • Incomplete docstring in new method · Line 588-594
      The docstring for the new `encrypted_extra_sensitive_field_paths` method contains placeholder text ('Description') for the parameter and return value descriptions. According to repository guidelines requiring complete docstrings for new functions, these should be replaced with meaningful explanations.
      Code suggestion 
       @@ -589,3 +589,3 @@
-        :param cls: Description
-
-        :return: Description
+        :param cls: The database engine spec class.
+
+        :return: A set of field paths that should be masked.
Review Details
  • Files reviewed - 9 · Commit Range: 7a78893..f0ccf8b
    • superset/db_engine_specs/base.py
    • superset/db_engine_specs/bigquery.py
    • superset/db_engine_specs/gsheets.py
    • superset/db_engine_specs/mysql.py
    • superset/db_engine_specs/postgres.py
    • superset/db_engine_specs/redshift.py
    • superset/db_engine_specs/snowflake.py
    • superset/db_engine_specs/ydb.py
    • tests/unit_tests/db_engine_specs/test_base.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

tests/unit_tests/db_engine_specs/test_base.py
Comment on lines +363 to +364
@pytest.mark.parametrize(
"masked_encrypted_extra,expected_result",
Copy link
Contributor

@bito-code-review bito-code-review bot Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Parametrize decorator expects tuple not string

The @pytest.mark.parametrize decorator at line 364 uses a string for the first argument instead of a tuple. Change "masked_encrypted_extra,expected_result" to a tuple ("masked_encrypted_extra", "expected_result") to comply with pytest requirements.

Code suggestion
Check the AI-generated fix before applying
Suggested change
@pytest.mark.parametrize(
"masked_encrypted_extra,expected_result",
@pytest.mark.parametrize(
("masked_encrypted_extra", "expected_result"),

Code Review Run #824288

Should Bito avoid suggestions like this for future reviews? (Manage Rules)

  • Yes, avoid them

Vitor-Avila added a commit that referenced this pull request Feb 19, 2026
@Vitor-Avila
Addressing PR feedback + accomodating changes from #38075
c6258bb
@Vitor-Avila Vitor-Avila merged commit 228b598 into master Feb 23, 2026
61 checks passed
@Vitor-Avila Vitor-Avila deleted the feat/label-encrypted-fields branch February 23, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@betodealmeida betodealmeida betodealmeida approved these changes

+1 more reviewer

@bito-code-review bito-code-review[bot] bito-code-review[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

data:connect Namespace | Anything related to db connections / integrations size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Vitor-Avila @betodealmeida