lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache Superset

Apache Software Foundationother4 credentials

Credentials4 documented
01

Superset Administrator/User Password

apache-superset / admin-user-password

Apache Superset local users authenticate to the web UI and API through Flask AppBuilder security. Administrators are created during initialization or provisioning.

generated on installuser definedsecretusername/password

Location

public interface
Superset web UI, REST API, SQL Lab, and embedded dashboard flows
database

Superset metadata database user/security tables and password hashes

config file
superset_config.py

authentication, database, secret key, OAuth, LDAP, and feature configuration

secret store

Kubernetes Secrets, Docker secrets, vaults, and password managers

logs

webserver, worker, audit, and authentication logs

Notes

No universal Superset admin password is modeled; it is created by superset fab/create-admin or deployment automation.

02

SECRET_KEY / Encryption Secret

apache-superset / secret-key-and-fernet-key

Superset relies on SECRET_KEY and related encryption material to sign sessions and encrypt sensitive metadata such as database connection passwords.

generated on installuser definedsecretsecret value

Looks like

pattern
pattern

Superset Flask secret key assignment in Python/env configuration

^(SECRET_KEY|SUPERSET_SECRET_KEY)\s*=\s*[\'\"].+[\'\"]

Location

config file
superset_config.py

SECRET_KEY and security configuration

environment
SUPERSET_SECRET_KEY, SECRET_KEY
secret store

Kubernetes Secrets, Docker secrets, and external vaults

source code

committed config files, Helm values, and example deployments

artifact

metadata database backups and deployment bundles

03

Database Connection Password / SQLAlchemy URI

apache-superset / database-connection-secret

Superset stores database connection URIs and credentials for analytics databases and the metadata database.

user definedsecretusername/password

Location

database

Superset metadata database encrypted DB connection records

config file
superset_config.py, values.yaml

SQLALCHEMY_DATABASE_URI, examples database config, and datasource settings

environment
SQLALCHEMY_DATABASE_URI, DATABASE_URL, SUPERSET_DATABASE_PASSWORD
secret store

Kubernetes Secrets, Airflow/CI secrets, and database vault entries

logs

SQLAlchemy errors, worker logs, and connection test traces

04

OAuth, LDAP, and API Integration Secret

apache-superset / oauth-ldap-api-secret

Superset deployments may contain OAuth/OIDC client secrets, LDAP bind passwords, guest token signing config, and embedded analytics secrets.

user definedgenerated on installsecretsecret value

Location

http header
Authorization

Bearer/JWT/API tokens for Superset API clients

config file
superset_config.py

AUTH_TYPE, OAuth providers, LDAP, guest token, and feature config

environment
OAUTH_CLIENT_SECRET, LDAP_BIND_PASSWORD, SUPERSET_OAUTH_SECRET
secret store

vaults and deployment secret stores

logs

OAuth, LDAP, and API debug logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.