risingwave_frontend/handler/
alter_secret.rs

1// Copyright 2024 RisingWave Labs
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15use anyhow::anyhow;
16use pgwire::pg_response::StatementType;
17use prost::Message;
18use risingwave_common::license::Feature;
19use risingwave_common::secret::LocalSecretManager;
20use risingwave_pb::secret::secret;
21use risingwave_sqlparser::ast::{ObjectName, SqlOption, Value};
22
23use super::create_secret::{get_secret_payload, secret_to_str};
24use super::drop_secret::fetch_secret_catalog_with_db_schema_id;
25use crate::WithOptions;
26use crate::error::Result;
27use crate::handler::{HandlerArgs, RwPgResponse};
28
29pub async fn handle_alter_secret(
30    handler_args: HandlerArgs,
31    secret_name: ObjectName,
32    sql_options: Vec<SqlOption>,
33    credential: Value,
34) -> Result<RwPgResponse> {
35    Feature::SecretManagement.check_available()?;
36
37    let session = handler_args.session;
38
39    if let Some((secret_catalog, _, _)) =
40        fetch_secret_catalog_with_db_schema_id(&session, &secret_name, false)?
41    {
42        let secret_id = secret_catalog.id;
43        let secret_payload = if sql_options.is_empty() {
44            let original_pb_secret_bytes = LocalSecretManager::global()
45                .get_secret(secret_id)
46                .ok_or(anyhow!(
47                    "Failed to get secret in secret manager, secret_id: {}",
48                    secret_id
49                ))?;
50            let original_secret_backend =
51                LocalSecretManager::get_pb_secret_backend(&original_pb_secret_bytes)?;
52            match original_secret_backend {
53                secret::SecretBackend::Meta(_) => {
54                    let new_secret_value_bytes = secret_to_str(&credential)?.as_bytes().to_vec();
55                    let secret_payload = risingwave_pb::secret::Secret {
56                        secret_backend: Some(risingwave_pb::secret::secret::SecretBackend::Meta(
57                            risingwave_pb::secret::SecretMetaBackend {
58                                value: new_secret_value_bytes,
59                            },
60                        )),
61                    };
62                    secret_payload.encode_to_vec()
63                }
64                secret::SecretBackend::HashicorpVault(_vault_backend) => {
65                    return Err(crate::error::ErrorCode::InvalidParameterValue(
66                        "alter secret with hashicorp_vault backend is not supported".to_owned(),
67                    )
68                    .into());
69                }
70            }
71        } else {
72            let with_options = WithOptions::try_from(sql_options.as_ref() as &[SqlOption])?;
73            get_secret_payload(credential, with_options).await?
74        };
75
76        let catalog_writer = session.catalog_writer()?;
77
78        catalog_writer
79            .alter_secret(
80                secret_id,
81                secret_catalog.name.clone(),
82                secret_catalog.database_id,
83                secret_catalog.schema_id,
84                secret_catalog.owner,
85                secret_payload,
86            )
87            .await?;
88
89        Ok(RwPgResponse::empty_result(StatementType::ALTER_SECRET))
90    } else {
91        Ok(RwPgResponse::builder(StatementType::ALTER_SECRET)
92            .notice(format!(
93                "secret \"{}\" does not exist, skipping",
94                secret_name
95            ))
96            .into())
97    }
98}