Ujjwaljain16 opened a new pull request, #37982:
URL: https://github.com/apache/superset/pull/37982
### SUMMARY
Fixes an issue where `superset re-encrypt-secrets` could silently fail to
rotate encrypted database secrets.
Previously, `EncryptedType` was initialized with a static string value of
`SECRET_KEY` at model definition time:
```python
EncryptedType(*args, app_config["SECRET_KEY"], **kwargs)
```
If configuration overrides (e.g., `SUPERSET_SECRET_KEY`, Helm updates, or
runtime changes) occurred after model import, the encryption engine could
remain bound to a stale key.
During key rotation:
* Decryption with `PREVIOUS_SECRET_KEY` succeeded.
* Re-encryption reused the model’s existing `EncryptedType`.
* If that instance still held the old key, data was written back unchanged.
* The command exited successfully but performed no effective rotation.
After restart with the new `SECRET_KEY`, Superset would fail with:
```
ValueError: Invalid decryption key
```
### Fix
Pass a callable instead of a static string to `EncryptedType`:
```diff
- return EncryptedType(*args, app_config["SECRET_KEY"], **kwargs)
+ return EncryptedType(*args, lambda: app_config["SECRET_KEY"], **kwargs)
```
`sqlalchemy-utils` supports callable keys and resolves them on every
encrypt/decrypt operation. This ensures the current `SECRET_KEY` is always used
at runtime.
No schema changes or data format changes are introduced.
### Tests
* Updated existing test to assert callable key behavior.
* Added `test_lazy_key_resolution` to verify key changes are reflected after
field creation.
* Added `test_secret_key_rotation` to simulate end-to-end key rotation
(KEY_A → KEY_B) and verify correct decryption behavior.
---
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
Not applicable (backend encryption fix).
---
### TESTING INSTRUCTIONS
Manual verification:
1. Start Superset with `SECRET_KEY = A`.
2. Create a database connection with a password.
3. Rotate keys:
```
PREVIOUS_SECRET_KEY = A
SECRET_KEY = B
superset re-encrypt-secrets
```
4. Restart Superset.
5. Confirm database connections decrypt successfully under `B`.
6. Confirm reverting to `A` causes decryption failure.
Unit tests cover lazy key resolution and full rotation behavior.
---
### ADDITIONAL INFORMATION
* [x] Has associated issue: Fixes #37842
* [ ] Required feature flags
* [ ] Changes UI
* [ ] Includes DB Migration
* [ ] Introduces new feature or API
* [ ] Removes existing feature or API
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
