risingwave_frontend/handler/
drop_secret.rs

1// Copyright 2025 RisingWave Labs
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15use std::sync::Arc;
16
17use pgwire::pg_response::StatementType;
18use risingwave_common::license::Feature;
19use risingwave_sqlparser::ast::ObjectName;
20
21use crate::Binder;
22use crate::catalog::root_catalog::SchemaPath;
23use crate::catalog::secret_catalog::SecretCatalog;
24use crate::catalog::{DatabaseId, SchemaId};
25use crate::error::Result;
26use crate::handler::{HandlerArgs, RwPgResponse};
27use crate::session::SessionImpl;
28
29pub async fn handle_drop_secret(
30    handler_args: HandlerArgs,
31    secret_name: ObjectName,
32    if_exists: bool,
33) -> Result<RwPgResponse> {
34    Feature::SecretManagement.check_available()?;
35
36    let session = handler_args.session;
37
38    if let Some((secret_catalog, _, _)) =
39        fetch_secret_catalog_with_db_schema_id(&session, &secret_name, if_exists)?
40    {
41        let catalog_writer = session.catalog_writer()?;
42        catalog_writer.drop_secret(secret_catalog.id).await?;
43
44        Ok(RwPgResponse::empty_result(StatementType::DROP_SECRET))
45    } else {
46        Ok(RwPgResponse::builder(StatementType::DROP_SECRET)
47            .notice(format!(
48                "secret \"{}\" does not exist, skipping",
49                secret_name
50            ))
51            .into())
52    }
53}
54
55/// Fetch the secret catalog and the `database/schema_id` of the source.
56pub fn fetch_secret_catalog_with_db_schema_id(
57    session: &SessionImpl,
58    secret_name: &ObjectName,
59    if_exists: bool,
60) -> Result<Option<(Arc<SecretCatalog>, DatabaseId, SchemaId)>> {
61    let db_name = &session.database();
62    let (schema_name, secret_name) = Binder::resolve_schema_qualified_name(db_name, secret_name)?;
63    let search_path = session.config().search_path();
64    let user_name = &session.user_name();
65
66    let schema_path = SchemaPath::new(schema_name.as_deref(), &search_path, user_name);
67
68    let reader = session.env().catalog_reader().read_guard();
69    match reader.get_secret_by_name(db_name, schema_path, &secret_name) {
70        Ok((catalog, schema_name)) => {
71            session.check_privilege_for_drop_alter(schema_name, &**catalog)?;
72
73            let db = reader.get_database_by_name(db_name)?;
74            let schema = db.get_schema_by_name(schema_name).unwrap();
75
76            Ok(Some((Arc::clone(catalog), db.id(), schema.id())))
77        }
78        Err(e) => {
79            if if_exists {
80                Ok(None)
81            } else {
82                Err(e.into())
83            }
84        }
85    }
86}