risingwave_frontend/handler/
alter_secret.rs1use anyhow::anyhow;
16use pgwire::pg_response::StatementType;
17use prost::Message;
18use risingwave_common::bail_not_implemented;
19use risingwave_common::license::Feature;
20use risingwave_common::secret::LocalSecretManager;
21use risingwave_pb::secret::secret;
22use risingwave_sqlparser::ast::{AlterSecretOperation, ObjectName, SqlOption};
23
24use super::create_secret::{get_secret_payload, secret_to_str};
25use super::drop_secret::fetch_secret_catalog_with_db_schema_id;
26use crate::WithOptions;
27use crate::error::Result;
28use crate::handler::{HandlerArgs, RwPgResponse};
29
30pub async fn handle_alter_secret(
31 handler_args: HandlerArgs,
32 secret_name: ObjectName,
33 sql_options: Vec<SqlOption>,
34 operation: AlterSecretOperation,
35) -> Result<RwPgResponse> {
36 Feature::SecretManagement
37 .check_available()
38 .map_err(|e| anyhow::anyhow!(e))?;
39
40 let session = handler_args.session;
41
42 if let Some((secret_catalog, _, _)) =
43 fetch_secret_catalog_with_db_schema_id(&session, &secret_name, false)?
44 {
45 let AlterSecretOperation::ChangeCredential { new_credential } = operation;
46
47 let secret_id = secret_catalog.id.secret_id();
48 let secret_payload = if sql_options.is_empty() {
49 let original_pb_secret_bytes = LocalSecretManager::global()
50 .get_secret(secret_id)
51 .ok_or(anyhow!(
52 "Failed to get secret in secret manager, secret_id: {}",
53 secret_id
54 ))?;
55 let original_secret_backend =
56 LocalSecretManager::get_pb_secret_backend(&original_pb_secret_bytes)?;
57 match original_secret_backend {
58 secret::SecretBackend::Meta(_) => {
59 let new_secret_value_bytes =
60 secret_to_str(&new_credential)?.as_bytes().to_vec();
61 let secret_payload = risingwave_pb::secret::Secret {
62 secret_backend: Some(risingwave_pb::secret::secret::SecretBackend::Meta(
63 risingwave_pb::secret::SecretMetaBackend {
64 value: new_secret_value_bytes,
65 },
66 )),
67 };
68 secret_payload.encode_to_vec()
69 }
70 secret::SecretBackend::HashicorpVault(_) => {
71 bail_not_implemented!("hashicorp_vault backend is not implemented yet")
72 }
73 }
74 } else {
75 let with_options = WithOptions::try_from(sql_options.as_ref() as &[SqlOption])?;
76 get_secret_payload(new_credential, with_options)?
77 };
78
79 let catalog_writer = session.catalog_writer()?;
80
81 catalog_writer
82 .alter_secret(
83 secret_id,
84 secret_catalog.name.clone(),
85 secret_catalog.database_id,
86 secret_catalog.schema_id,
87 secret_catalog.owner,
88 secret_payload,
89 )
90 .await?;
91
92 Ok(RwPgResponse::empty_result(StatementType::ALTER_SECRET))
93 } else {
94 Ok(RwPgResponse::builder(StatementType::ALTER_SECRET)
95 .notice(format!(
96 "secret \"{}\" does not exist, skipping",
97 secret_name
98 ))
99 .into())
100 }
101}