feat: support for import/export masked_encrypted_extra (backend) (#38077)

2026-04-19 16:14:52 +00:00 · 2026-03-04 16:26:28 -03:00
parent 63e7ee70bf
commit 8c9efe5659
16 changed files with 799 additions and 2 deletions
--- a/superset/databases/api.py
+++ b/superset/databases/api.py
@@ -1591,6 +1591,14 @@ class DatabaseRestApi(BaseSupersetModelRestApi):
                        the private_key should be provided in the following format:
                        `{"databases/MyDatabase.yaml": "my_private_key_password"}`.
                      type: string
+                    encrypted_extra_secrets:
+                      description: >-
+                        JSON map of sensitive values for masked_encrypted_extra fields.
+                        Keys are file paths (e.g., "databases/db.yaml") and values
+                        are JSON objects mapping JSONPath expressions to secrets.
+                        (e.g., `{"databases/MyDatabase.yaml":
+                        {"$.credentials_info.private_key": "actual_key"}}`).
+                      type: string
          responses:
            200:
              description: Database import result
@@ -1642,6 +1650,11 @@ class DatabaseRestApi(BaseSupersetModelRestApi):
            if "ssh_tunnel_private_key_passwords" in request.form
            else None
        )
+        encrypted_extra_secrets = (
+            json.loads(request.form["encrypted_extra_secrets"])
+            if "encrypted_extra_secrets" in request.form
+            else None
+        )

        command = ImportDatabasesCommand(
            contents,
@@ -1650,6 +1663,7 @@ class DatabaseRestApi(BaseSupersetModelRestApi):
            ssh_tunnel_passwords=ssh_tunnel_passwords,
            ssh_tunnel_private_keys=ssh_tunnel_private_keys,
            ssh_tunnel_priv_key_passwords=ssh_tunnel_priv_key_passwords,
+            encrypted_extra_secrets=encrypted_extra_secrets,
        )
        command.run()
        return self.response(200, message="OK")