allow no with

risingwavelabs · Nov 25, 2024 · c7b2c11 · c7b2c11
1 parent 90377f1
commit c7b2c11
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 13 deletions.
diff --git a/e2e_test/ddl/secret.slt b/e2e_test/ddl/secret.slt
@@ -45,6 +45,9 @@ alter secret secret_1 with (
   backend = 'meta'
 ) as 'demo_secret_altered';
 
+statement ok
+alter secret secret_1 as 'demo_secret_altered_again';
+
 statement error
 alter secret secret_2 with (
   backend = 'meta'

diff --git a/e2e_test/source_legacy/cdc/cdc.share_stream.slt b/e2e_test/source_legacy/cdc/cdc.share_stream.slt
@@ -46,9 +46,7 @@ create source mysql_mytest with (
 #   5: Internal error: Access denied for user 'rwcdc'@'172.17.0.1' (using password: YES)
 
 statement ok
-alter secret mysql_pwd with (
-  backend = 'meta'
-) as '${MYSQL_PWD:}';
+alter secret mysql_pwd as '${MYSQL_PWD:}';
 
 # create a cdc source job, which format fixed to `FORMAT PLAIN ENCODE JSON`
 statement ok
@@ -620,9 +618,7 @@ select * from upper_orders_shared order by id;
 ### BEGIN reset the password to the original one
 onlyif can-use-recover
 statement ok
-alter secret mysql_pwd with (
-  backend = 'meta'
-) as '${MYSQL_PWD:}';
+alter secret mysql_pwd as '${MYSQL_PWD:}';
 
 onlyif can-use-recover
 system ok

diff --git a/src/common/secret/src/secret_manager.rs b/src/common/secret/src/secret_manager.rs
@@ -201,7 +201,7 @@ impl LocalSecretManager {
 
     /// Get the secret backend from the given decrypted secret bytes.
     pub fn get_pb_secret_backend(
-        pb_secret_bytes: &[u8]
+        pb_secret_bytes: &[u8],
     ) -> SecretResult<risingwave_pb::secret::secret::SecretBackend> {
         let pb_secret = risingwave_pb::secret::Secret::decode(pb_secret_bytes)
             .context("failed to decode secret")?;

diff --git a/src/frontend/src/handler/alter_secret.rs b/src/frontend/src/handler/alter_secret.rs
@@ -12,11 +12,16 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+use anyhow::anyhow;
 use pgwire::pg_response::StatementType;
+use prost::Message;
+use risingwave_common::bail_not_implemented;
 use risingwave_common::license::Feature;
+use risingwave_common::secret::LocalSecretManager;
+use risingwave_pb::secret::secret;
 use risingwave_sqlparser::ast::{AlterSecretOperation, ObjectName, SqlOption};
 
-use super::create_secret::get_secret_payload;
+use super::create_secret::{get_secret_payload, secret_to_str};
 use super::drop_secret::fetch_secret_catalog_with_db_schema_id;
 use crate::error::Result;
 use crate::handler::{HandlerArgs, RwPgResponse};
@@ -39,15 +44,43 @@ pub async fn handle_alter_secret(
     {
         let AlterSecretOperation::ChangeCredential { new_credential } = operation;
 
-        let with_options = WithOptions::try_from(sql_options.as_ref() as &[SqlOption])?;
-
-        let secret_payload = get_secret_payload(new_credential, with_options)?;
+        let secret_id = secret_catalog.id.secret_id();
+        let secret_payload = if sql_options.is_empty() {
+            let original_pb_secret_bytes = LocalSecretManager::global()
+                .get_secret(secret_id)
+                .ok_or(anyhow!(
+                    "Failed to get secret in secret manager, secret_id: {}",
+                    secret_id
+                ))?;
+            let original_secret_backend =
+                LocalSecretManager::get_pb_secret_backend(&original_pb_secret_bytes)?;
+            match original_secret_backend {
+                secret::SecretBackend::Meta(_) => {
+                    let new_secret_value_bytes =
+                        secret_to_str(&new_credential)?.as_bytes().to_vec();
+                    let secret_payload = risingwave_pb::secret::Secret {
+                        secret_backend: Some(risingwave_pb::secret::secret::SecretBackend::Meta(
+                            risingwave_pb::secret::SecretMetaBackend {
+                                value: new_secret_value_bytes,
+                            },
+                        )),
+                    };
+                    secret_payload.encode_to_vec()
+                }
+                secret::SecretBackend::HashicorpVault(_) => {
+                    bail_not_implemented!("hashicorp_vault backend is not implemented yet")
+                }
+            }
+        } else {
+            let with_options = WithOptions::try_from(sql_options.as_ref() as &[SqlOption])?;
+            get_secret_payload(new_credential, with_options)?
+        };
 
         let catalog_writer = session.catalog_writer()?;
 
         catalog_writer
             .alter_secret(
-                secret_catalog.id.secret_id(),
+                secret_id,
                 secret_catalog.name.clone(),
                 secret_catalog.database_id,
                 secret_catalog.schema_id,

diff --git a/src/frontend/src/handler/create_secret.rs b/src/frontend/src/handler/create_secret.rs
@@ -69,7 +69,7 @@ pub async fn handle_create_secret(
     Ok(PgResponse::empty_result(StatementType::CREATE_SECRET))
 }
 
-fn secret_to_str(value: &Value) -> Result<String> {
+pub fn secret_to_str(value: &Value) -> Result<String> {
     match value {
         Value::DoubleQuotedString(s) | Value::SingleQuotedString(s) => Ok(s.to_string()),
         _ => Err(ErrorCode::InvalidInputSyntax(