villebro commented on code in PR #35621: URL: https://github.com/apache/superset/pull/35621#discussion_r2589858099
########## superset/config.py: ########## @@ -199,6 +199,32 @@ def _try_json_readsha(filepath: str, length: int) -> str | None: SUPERSET_DASHBOARD_POSITION_DATA_LIMIT = 65535 CUSTOM_SECURITY_MANAGER = None SQLALCHEMY_TRACK_MODIFICATIONS = False + +# --------------------------------------------------------- +# FedRAMP Cryptographic Compliance +# --------------------------------------------------------- + +# Hash algorithm used for non-cryptographic purposes (cache keys, thumbnails, etc.) +# Options: 'md5' (legacy), 'sha256' +# +# IMPORTANT: Changing this value will invalidate all existing cached content. +# Cache will re-warm naturally within 24-48 hours. +# +# For FedRAMP compliance, set to 'sha256' +# For backward compatibility with existing deployments, keep as 'md5' +HASH_ALGORITHM: Literal["md5", "sha256"] = "md5" + +# Fallback hash algorithms for UUID lookup (backward compatibility) +# When looking up entries by UUID, try these algorithms after the primary one fails. +# This enables gradual migration from MD5 to SHA-256 without breaking existing entries. +# +# Example: When HASH_ALGORITHM='sha256', lookups will try: +# 1. SHA-256 UUID (primary) +# 2. MD5 UUID (fallback for legacy entries) +# +# Set to empty list to disable fallback (strict mode - only use HASH_ALGORITHM) +HASH_ALGORITHM_FALLBACKS: list[Literal["md5", "sha256"]] = ["md5"] Review Comment: With fallback support now in place, shouldn't we default to `sha256`? With this change the new algo would gradually start rolling it out in existing deployments, and guarantee new deployments are on the state of the art. ```suggestion # For FedRAMP compliance, set to 'sha256' # For backward compatibility with existing deployments, keep as 'md5' HASH_ALGORITHM: Literal["md5", "sha256"] = "sha256" # Fallback hash algorithms for UUID lookup (backward compatibility) # When looking up entries by UUID, try these algorithms after the primary one fails. # This enables gradual migration from MD5 to SHA-256 without breaking existing entries. # # Example: When HASH_ALGORITHM='sha256', lookups will try: # 1. SHA-256 UUID (primary) # 2. MD5 UUID (fallback for legacy entries) # # Set to empty list to disable fallback (strict mode - only use HASH_ALGORITHM) HASH_ALGORITHM_FALLBACKS: list[Literal["md5", "sha256"]] = ["md5"] ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
