From c7b2c11aa0111182034534227efd4b6af0f79a25 Mon Sep 17 00:00:00 2001 From: Yuhao Su Date: Mon, 25 Nov 2024 15:54:36 -0600 Subject: [PATCH] allow no with --- e2e_test/ddl/secret.slt | 3 ++ .../source_legacy/cdc/cdc.share_stream.slt | 8 +--- src/common/secret/src/secret_manager.rs | 2 +- src/frontend/src/handler/alter_secret.rs | 43 ++++++++++++++++--- src/frontend/src/handler/create_secret.rs | 2 +- 5 files changed, 45 insertions(+), 13 deletions(-) diff --git a/e2e_test/ddl/secret.slt b/e2e_test/ddl/secret.slt index 889f6fad14e4..cf9d16214da3 100644 --- a/e2e_test/ddl/secret.slt +++ b/e2e_test/ddl/secret.slt @@ -45,6 +45,9 @@ alter secret secret_1 with ( backend = 'meta' ) as 'demo_secret_altered'; +statement ok +alter secret secret_1 as 'demo_secret_altered_again'; + statement error alter secret secret_2 with ( backend = 'meta' diff --git a/e2e_test/source_legacy/cdc/cdc.share_stream.slt b/e2e_test/source_legacy/cdc/cdc.share_stream.slt index 64eb7069a436..37840417fa7c 100644 --- a/e2e_test/source_legacy/cdc/cdc.share_stream.slt +++ b/e2e_test/source_legacy/cdc/cdc.share_stream.slt @@ -46,9 +46,7 @@ create source mysql_mytest with ( # 5: Internal error: Access denied for user 'rwcdc'@'172.17.0.1' (using password: YES) statement ok -alter secret mysql_pwd with ( - backend = 'meta' -) as '${MYSQL_PWD:}'; +alter secret mysql_pwd as '${MYSQL_PWD:}'; # create a cdc source job, which format fixed to `FORMAT PLAIN ENCODE JSON` statement ok @@ -620,9 +618,7 @@ select * from upper_orders_shared order by id; ### BEGIN reset the password to the original one onlyif can-use-recover statement ok -alter secret mysql_pwd with ( - backend = 'meta' -) as '${MYSQL_PWD:}'; +alter secret mysql_pwd as '${MYSQL_PWD:}'; onlyif can-use-recover system ok diff --git a/src/common/secret/src/secret_manager.rs b/src/common/secret/src/secret_manager.rs index 5f12433dbd93..723c0f5791d4 100644 --- a/src/common/secret/src/secret_manager.rs +++ b/src/common/secret/src/secret_manager.rs 
@@ -201,7 +201,7 @@ impl LocalSecretManager { /// Get the secret backend from the given decrypted secret bytes. pub fn get_pb_secret_backend( - pb_secret_bytes: &[u8] + pb_secret_bytes: &[u8], ) -> SecretResult { let pb_secret = risingwave_pb::secret::Secret::decode(pb_secret_bytes) .context("failed to decode secret")?; diff --git a/src/frontend/src/handler/alter_secret.rs b/src/frontend/src/handler/alter_secret.rs index 5ad25e84b0e6..3ab5ece2ee51 100644 --- a/src/frontend/src/handler/alter_secret.rs +++ b/src/frontend/src/handler/alter_secret.rs @@ -12,11 +12,16 @@ // See the License for the specific language governing permissions and // limitations under the License. +use anyhow::anyhow; use pgwire::pg_response::StatementType; +use prost::Message; +use risingwave_common::bail_not_implemented; use risingwave_common::license::Feature; +use risingwave_common::secret::LocalSecretManager; +use risingwave_pb::secret::secret; use risingwave_sqlparser::ast::{AlterSecretOperation, ObjectName, SqlOption}; -use super::create_secret::get_secret_payload; +use super::create_secret::{get_secret_payload, secret_to_str}; use super::drop_secret::fetch_secret_catalog_with_db_schema_id; use crate::error::Result; use crate::handler::{HandlerArgs, RwPgResponse}; 
@@ -39,15 +44,43 @@ pub async fn handle_alter_secret( { let AlterSecretOperation::ChangeCredential { new_credential } = operation; - let with_options = WithOptions::try_from(sql_options.as_ref() as &[SqlOption])?; - - let secret_payload = get_secret_payload(new_credential, with_options)?; + let secret_id = secret_catalog.id.secret_id(); + let secret_payload = if sql_options.is_empty() { + let original_pb_secret_bytes = LocalSecretManager::global() + .get_secret(secret_id) + .ok_or(anyhow!( + "Failed to get secret in secret manager, secret_id: {}", + secret_id + ))?; + let original_secret_backend = + LocalSecretManager::get_pb_secret_backend(&original_pb_secret_bytes)?; + match original_secret_backend { + secret::SecretBackend::Meta(_) => { + let new_secret_value_bytes = + secret_to_str(&new_credential)?.as_bytes().to_vec(); + let secret_payload = risingwave_pb::secret::Secret { + secret_backend: Some(risingwave_pb::secret::secret::SecretBackend::Meta( + risingwave_pb::secret::SecretMetaBackend { + value: new_secret_value_bytes, + }, + )), + }; + secret_payload.encode_to_vec() + } + secret::SecretBackend::HashicorpVault(_) => { + bail_not_implemented!("hashicorp_vault backend is not implemented yet") + } + } + } else { + let with_options = WithOptions::try_from(sql_options.as_ref() as &[SqlOption])?; + get_secret_payload(new_credential, with_options)? + }; let catalog_writer = session.catalog_writer()?; catalog_writer .alter_secret( - secret_catalog.id.secret_id(), + secret_id, secret_catalog.name.clone(), secret_catalog.database_id, secret_catalog.schema_id, diff --git a/src/frontend/src/handler/create_secret.rs b/src/frontend/src/handler/create_secret.rs index 4a347a0fb86f..6d5a6283e328 100644 --- a/src/frontend/src/handler/create_secret.rs +++ b/src/frontend/src/handler/create_secret.rs 
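Review bot: In the `sql_options.is_empty()` branch the handler fetches the whole stored secret with `LocalSecretManager::global().get_secret(secret_id)` only to learn which backend it uses. Going by the doc comment on `get_pb_secret_backend` ("decrypted secret bytes"), that places the old plaintext in a frontend buffer that is never otherwise needed, so a lookup returning only the backend kind would be a tighter interface. In the `Meta` arm, `secret_to_str(&new_credential)?.as_bytes().to_vec()` makes a second heap copy of the new credential, whereas `secret_to_str(&new_credential)?.into_bytes()` reuses the existing allocation. The arm also hand-builds the `Secret` payload that `get_secret_payload` presumably produces for `backend = 'meta'`, so the two paths can drift apart; a shared helper would keep any validation in one place. `handle_alter_secret` begins and ends outside this hunk, so whether a privilege check runs before this code cannot be confirmed from here.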
@@ -69,7 +69,7 @@ pub async fn handle_create_secret( Ok(PgResponse::empty_result(StatementType::CREATE_SECRET)) } -fn secret_to_str(value: &Value) -> Result { +pub fn secret_to_str(value: &Value) -> Result { match value { Value::DoubleQuotedString(s) | Value::SingleQuotedString(s) => Ok(s.to_string()), _ => Err(ErrorCode::InvalidInputSyntax(