superset import_datasources does not encrypt DB password #31983

Open
3 tasks done
buschtoens opened this issue Jan 24, 2025 · 1 comment
Labels
data:databases Related to database configurations and connections deploy:helm

Comments


buschtoens commented Jan 24, 2025

Bug description

When using superset import_datasources the sqlalchemy_uri is imported as-is, without encrypting the password, keeping it as clear text.

Steps to Reproduce

  1. Create /app/configs/import_datasources.yaml (e.g. using extraConfigs).
     Include the full sqlalchemy_uri with the clear-text password:

     databases:
       - database_name: Example
         sqlalchemy_uri: 'postgresql://user:secret-password@db.example.org:5432/superset_data'
         cache_timeout: null
         expose_in_sqllab: true
         allow_run_async: false
         allow_ctas: true
         allow_cvas: true
         allow_dml: true
         allow_csv_upload: false
         extra: |
           {
             "metadata_params": {},
             "engine_params": {},
             "metadata_cache_timeout": {},
             "schemas_allowed_for_csv_upload": []
           }

  2. Import via init.initScript or manually:

     superset import_datasources -p /app/configs/import_datasources.yaml

Expectation

  • The password in the sqlalchemy_uri field in the dbs table is redacted, as if editing via the web UI.
    Example: postgresql://user:XXXXXXXXXX@db.example.org:5432/superset_data
  • The password field in the dbs table is set to the respective encrypted password.
  • The DB connection works.

Actual

  • The password in the sqlalchemy_uri field in the dbs table is kept as-is, readable in clear text, even in the web UI.
    Example: postgresql://user:secret-password@db.example.org:5432/superset_data
  • The password field in the dbs table is kept as NULL.
  • The DB connection works nevertheless. ✅

Screenshots/recordings

(screenshot attached to the issue; not reproduced here)

Superset version

4.1.1

Python version

Not applicable

Node version

Not applicable

Browser

Not applicable

Additional context

Use Case / Justification

Automatically setting up data sources as part of a Helm chart deployment.

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
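The issue above describes two states of a `dbs` row: the one the CLI import leaves behind (password still inside `sqlalchemy_uri`, `password` column NULL) and the one the web UI produces (password replaced by a mask in the URI, secret stored in the `password` column). The following is an added, stand-alone check written for this page; it is not code from the issue, from Superset, or from the Helm chart. It assumes rows with the three fields the issue names (`database_name`, `sqlalchemy_uri`, `password`), uses the ten-character `X` mask shown in the issue's expected output, and embeds constructed sample rows so it runs offline. It can be pointed at an exported YAML or at rows read from the `dbs` table to find connections that still carry a clear-text password, and it shows the URI/password split the UI performs.

```python
"""Audit Superset `dbs` rows (or import YAML entries) for clear-text passwords
embedded in sqlalchemy_uri, and perform the split the web UI does.

Added example, not Superset code. Assumes row fields named as in the issue
(database_name, sqlalchemy_uri, password) and the mask the issue shows."""
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import unquote, urlsplit, urlunsplit

# Redacted form the issue shows for UI-edited connections ("XXXXXXXXXX").
PASSWORD_MASK = "X" * 10


@dataclass(frozen=True)
class DbRow:
    database_name: str
    sqlalchemy_uri: str
    password: Optional[str]  # dbs.password; NULL after `import_datasources`


def split_password(uri: str) -> tuple[str, Optional[str]]:
    """Return (uri with the password replaced by PASSWORD_MASK, clear-text password).

    A URI without a password is returned unchanged with None. The password is
    percent-decoded, so 'p%40ss' comes back as 'p@ss'."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri, None
    host = parts.hostname or ""          # note: urlsplit lower-cases the host
    if ":" in host:                      # IPv6 literal lost its brackets
        host = f"[{host}]"
    netloc = f"{parts.username or ''}:{PASSWORD_MASK}@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    masked = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return masked, unquote(parts.password)


def has_cleartext_password(uri: str) -> bool:
    """True when the userinfo part carries a password other than the mask."""
    pw = urlsplit(uri).password
    return pw is not None and pw != PASSWORD_MASK


def audit(rows: list[DbRow]) -> list[str]:
    """Names of connections whose stored URI still embeds a real password."""
    return [r.database_name for r in rows if has_cleartext_password(r.sqlalchemy_uri)]


def remediate(row: DbRow) -> DbRow:
    """Move the embedded password into the password field and mask the URI,
    i.e. the state the issue expects after a UI edit. Rows already in that
    state (or without a password) are returned unchanged."""
    if not has_cleartext_password(row.sqlalchemy_uri):
        return row
    masked, secret = split_password(row.sqlalchemy_uri)
    return replace(row, sqlalchemy_uri=masked, password=secret)


# Constructed sample rows mirroring the two states described in the issue.
IMPORTED_BY_CLI = DbRow(
    "Example",
    "postgresql://user:secret-password@db.example.org:5432/superset_data",
    None,
)
EDITED_IN_UI = DbRow(
    "Example (UI)",
    "postgresql://user:XXXXXXXXXX@db.example.org:5432/superset_data",
    "secret-password",
)

if __name__ == "__main__":
    for name in audit([IMPORTED_BY_CLI, EDITED_IN_UI]):
        print(f"clear-text password in sqlalchemy_uri: {name}")
    fixed = remediate(IMPORTED_BY_CLI)
    print(fixed.sqlalchemy_uri, "| password column:", "set" if fixed.password else "NULL")
```

Two caveats when applying this to a live deployment. The `password` column of `dbs` is written through Superset's encrypted column type (keyed from `SECRET_KEY`), so moving the secret there should go through the ORM or the UI, not a raw `UPDATE`, or it ends up unencrypted in a second place. And a credential that has sat in clear text in the metadata database, its backups, and any YAML export should be treated as exposed and rotated, not just masked after the fact.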

dosubot bot commented Jan 24, 2025

Hey, @buschtoens! I'm here to help you with this issue. I can assist you with bugs, answer questions, and guide you to become a contributor. Let's tackle this together!

I found a similar unsolved discussion regarding the exposure of username and password when importing data sources using the import_datasource command. You can view the discussion here [1].

Regarding your issue, the superset import_datasources command currently does not encrypt the database password in the sqlalchemy_uri. The password remains in clear text, which is not the expected behavior if you want it to be redacted as it is when editing via the web UI. The current implementation does not include logic for handling or encrypting passwords in the sqlalchemy_uri during the import process [2].

The Superset web UI handles password encryption by masking the password in the API response, and similar logic could potentially be applied to the import process. However, this would require changes to the current implementation to ensure that passwords are encrypted or masked during import [2].


@dosubot dosubot bot added data:databases Related to database configurations and connections deploy:helm labels Jan 24, 2025